A global telecommunications company engaged in a comprehensive Security Operations Centre (SOC) transformation initiative by migrating its systems to Google SecOps. This move was intended to upgrade its threat detection and response capabilities.
However, despite the advanced analytics and detection tools of the new platform, the company faced challenges due to manual, inconsistent, and difficult-to-govern processes.
Challenges in threat detection
Initially, YARA-L detection rules needed manual deployment through the console, complicating governance and version control. This led to issues like inconsistent logic across environments and delays in rolling out new detections.
Moreover, essential reference data, crucial for detection logic, was isolated in spreadsheets and local repositories, leading to data variations, duplications, and false positives. Additionally, configuring log forwarders involved repetitive, manual work, demanding unique setups and permissions for each new data source, ultimately resulting in delays and errors.
Introducing DevOps discipline into SecOps
RiverSafe utilised its expertise in SOC, SIEM, and DevSecOps to create an automation framework
In response, RiverSafe utilised its expertise in SOC, Security Information and Event Management (SIEM), and DevSecOps to create an automation framework based on Terraform.
This marked one of the first large-scale deployments using Google SecOps' official Terraform provider. The framework helped establish a Detection-as-Code model, enabling fully governed, version-controlled, and repeatable detections, data, and log ingestion.
Detection-as-Code
This approach involved developing Terraform modules to define, validate, and deploy YARA-L rules straight from version-controlled YAML manifests. Automated validation pipelines were integrated using GitHub Actions to ensure compliance with rule syntax and prevent invalid logic deployment. The system also supported Git tag–based versioning for traceability and rollback, with environment-based branching allowing controlled detection validation before deployment.
Outcome: Detection logic deployment time reduced significantly to minutes, enhancing the SOC's ability to address emerging threats with assured accuracy and speed.
Automating Reference Data
RiverSafe then created Terraform resources for defining and managing shared reference lists, such as IP, domain, and hash intelligence. By implementing efficient delta updates, they ensured that only modified entries were updated in Google SecOps, thus improving accuracy and auditability. Schema validation was introduced to maintain consistency across detection dependencies.
Outcome: Reference data became a singularly reliable source, ensuring accuracy and reducing false positives, thus enhancing alert reliability and decreasing noise.
Forwarder and Log Ingestion Automation
The automation also extended to configuring Google SecOps forwarders for pivotal data sources, including firewall, proxy, and endpoint logs. This standardisation of IAM setup, service accounts, and routing configuration ensured secure, repeatable onboarding of new data feeds.
Outcome: The onboarding process was greatly expedited, reducing setup time from hours to mere minutes, which facilitated quicker access to vital telemetry across the organisation.
Impact on Operations
By integrating DevOps practices into the SOC, the organisation noted substantial improvements in efficiency, governance, and resilience. Manual configuration efforts were cut by 80%, allowing analysts to concentrate on threat hunting. Near-zero configuration drift ensured consistent operational coverage worldwide. Moreover, the SOC benefited from an accelerated threat response capability, with more rapid rule deployment and a strengthened governance framework that guaranteed tracked, tested, and trusted changes.
Overall, the operational agility and confidence of the SOC were enhanced, setting a precedent for enterprises transitioning from traditional operations to automated, code-driven security practices.
As part of a major SOC transformation programme, the customer, a global telco, was migrating to Google SecOps to modernise its threat detection and response capabilities.
But while the new platform offered world-class analytics and detection tools, the supporting processes were manual, inconsistent, and hard to govern.
- YARA-L detection rules were deployed manually via the console, making governance and version control difficult. This made it hard to maintain consistent logic across environments and slowed the rollout of new detections.
- Reference data, the shared intelligence that detection logic depends on, was stored in spreadsheets and local repositories. Analysts worked from their own versions, causing data drift, duplication, and false positives.
- And configuring log forwarders was a repetitive, manual task. Every new data source required unique setup and permissions, creating delays, errors, and gaps in visibility.
The result was a SOC that had the right tools, but lacked the agility and assurance to use them effectively. Changes took too long, governance was reactive, and visibility was inconsistent.
The approach: Embedding DevOps discipline into SecOps
RiverSafe combined its SOC, SIEM, and DevSecOps expertise to design a Terraform-based automation framework, one of the first enterprise-scale deployments using the official Google SecOps Terraform provider.
This became the foundation for a Detection-as-Code model that made detections, data, and log ingestion fully version-controlled, governed, and repeatable.
What they did:
1. Detection-as-Code
- Built Terraform modules to define, validate, and deploy YARA-L rules directly from version-controlled YAML manifests.
- Integrated automated validation pipelines via GitHub Actions to ensure rule syntax compliance and prevent deployment of invalid logic.
- Implemented Git tag–based versioning, ensuring each deployment of detection rules was tied to a specific, immutable version for traceability and rollback.
- Supported environment-based branching (pre-production and production), enabling controlled promotion of validated detections.
Outcome: Detection logic could now be deployed in minutes, not days, with full traceability and rollback. The SOC gained the ability to respond to emerging threats faster, with total confidence in what was running in each environment.
2. Reference Data Automation
- Created Terraform resources for defining and maintaining shared reference lists (e.g., IP, domain, and hash intelligence).
- Implemented efficient delta updates, ensuring only modified entries were applied to Google SecOps, improving accuracy and auditability.
- Introduced schema validation and consistency enforcement across multiple detection dependencies.
Outcome: Reference data became a single source of truth – consistent, accurate, and always up to date. This eliminated conflicting detections and false positives, improving the reliability of alerts and reducing noise in the SOC.
3. Forwarder and Log Ingestion Automation
- Automated configuration of Google SecOps forwarders for key data sources such as firewall, proxy, and endpoint logs.
- Standardised IAM setup, service accounts, and routing configuration to ensure secure and repeatable onboarding of new feeds.
Outcome: Reduced onboarding time from hours to minutes, ensuring secure, consistent ingestion of new log sources and faster access to critical telemetry across the enterprise
The impact: Faster, stronger, more secure operations
By embedding automation and DevOps practices into its SOC, the organisation achieved measurable improvements in efficiency, governance, and resilience:
- 80% reduction in manual configuration, freeing analysts to focus on threat hunting, not maintenance.
- Near-zero configuration drift between environments, delivering consistent coverage across global operations.
- Faster rule deployment, from hours or days to minutes, accelerating the SOC’s ability to respond to threats.
- Clear governance and rollback capability, ensuring every change was tracked, tested, and trusted.
The SOC is now faster, leaner, and more confident and able to operate at enterprise scale with automation as its foundation. It’s a model for how modern enterprises can evolve from traditional operations to automated, code-driven security at scale.
