{"id":34890,"date":"2025-11-23T09:01:23","date_gmt":"2025-11-23T06:01:23","guid":{"rendered":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/"},"modified":"2025-11-23T09:01:23","modified_gmt":"2025-11-23T06:01:23","slug":"bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti","status":"publish","type":"post","link":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/","title":{"rendered":"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti"},"content":{"rendered":"<p><body><\/p>\n<style>\n        \/* Bu stil blo\u011fu, mobil uyumluluk ve okunabilirlik i\u00e7in genel bir \u00e7er\u00e7eve sunar.\n           Ger\u00e7ek bir \u00fcretim ortam\u0131nda daha kapsaml\u0131 CSS ve medya sorgular\u0131 gerekir. *\/\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            line-height: 1.6;\n            color: #333;\n            max-width: 1000px;\n            margin: 20px auto;\n            padding: 0 15px;\n            background-color: #f9f9f9;\n        }\n        h2 {\n            color: #2c3e50;\n            border-bottom: 2px solid #3498db;\n            padding-bottom: 10px;\n            margin-top: 40px;\n            font-size: 1.8em;\n        }\n        h3 {\n            color: #34495e;\n            margin-top: 30px;\n            font-size: 1.4em;\n        }\n        p {\n            margin-bottom: 15px;\n            text-align: justify;\n        }\n        ul {\n            list-style-type: disc;\n            margin-left: 20px;\n            margin-bottom: 15px;\n        }\n        ol {\n            list-style-type: decimal;\n            margin-left: 20px;\n            margin-bottom: 15px;\n        }\n        li {\n            margin-bottom: 8px;\n        }\n        pre {\n            background-color: #ecf0f1;\n            padding: 15px;\n            border-radius: 5px;\n            overflow-x: auto;\n            margin-bottom: 20px;\n            font-family: 'Consolas', 'Monaco', monospace;\n            font-size: 0.9em;\n        }\n        code {\n            background-color: #e0e6e8;\n            padding: 2px 4px;\n            border-radius: 3px;\n        }\n        .tip-box {\n            background-color: #e8f5e9; \/* Light green for tips *\/\n            border-left: 5px solid #4caf50; \/* Green border *\/\n            padding: 15px;\n            margin: 20px 0;\n            border-radius: 5px;\n            font-style: italic;\n            color: #388e3c; \/* Darker green text *\/\n        }\n        table {\n            width: 100%;\n            border-collapse: collapse;\n            margin-bottom: 20px;\n        }\n        th, td {\n            border: 1px solid #ddd;\n            padding: 8px;\n            text-align: left;\n        }\n        th {\n            background-color: #f2f2f2;\n            color: #555;\n        }\n        \/* Mobil uyumluluk i\u00e7in medya sorgular\u0131 *\/\n        @media (max-width: 768px) {\n            body {\n                margin: 10px auto;\n                padding: 0 10px;\n            }\n            h2 {\n                font-size: 1.5em;\n            }\n            h3 {\n                font-size: 1.2em;\n            }\n            table, thead, tbody, th, td, tr {\n                display: block;\n            }\n            thead tr {\n                position: absolute;\n                top: -9999px;\n                left: -9999px;\n            }\n            tr {\n                border: 1px solid #ccc;\n                margin-bottom: 10px;\n            }\n            td {\n                border: none;\n                border-bottom: 1px solid #eee;\n                position: relative;\n                padding-left: 50%;\n                text-align: right;\n            }\n            td:before {\n                position: absolute;\n                top: 6px;\n                left: 6px;\n                width: 45%;\n                padding-right: 10px;\n                white-space: nowrap;\n                content: attr(data-label);\n                font-weight: bold;\n                text-align: left;\n            }\n        }\n    <\/style>\n<p>Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform&#8217;daki denetim kay\u0131tlar\u0131n\u0131 BigQuery ile analiz ederek ve Chronicle SIEM ile ger\u00e7ek zamanl\u0131 tehdit tespiti yaparak g\u00fcvenlik duru\u015funuzu nas\u0131l g\u00fc\u00e7lendirebilece\u011finizi ad\u0131m ad\u0131m a\u00e7\u0131kl\u0131yor. B\u00f6ylece, anormallikleri h\u0131zla belirleyip m\u00fcdahale edebilirsiniz.<\/p>\n<p>Bulut bili\u015fim, i\u015fletmelerin \u00e7evikli\u011fini ve \u00f6l\u00e7eklenebilirli\u011fini art\u0131r\u0131rken, siber g\u00fcvenlik cephesinde yeni ve karma\u015f\u0131k zorluklar\u0131 da beraberinde getirmektedir. Geleneksel g\u00fcvenlik duvarlar\u0131 ve u\u00e7 nokta koruma sistemleri, art\u0131k dinamik ve da\u011f\u0131t\u0131k bulut ortamlar\u0131ndaki t\u00fcm tehdit vekt\u00f6rlerini kapsamakta yetersiz kalmaktad\u0131r. Peki, bu u\u00e7suz bucaks\u0131z dijital evrende g\u00fcvenlik nas\u0131l sa\u011flanacak? \u0130\u015fte tam da bu noktada, bulut denetim kay\u0131tlar\u0131 devreye giriyor. Denetim kay\u0131tlar\u0131, bulut kaynaklar\u0131n\u0131z \u00fczerinde ger\u00e7ekle\u015fen her t\u00fcrl\u00fc aktivitenin, bir nevi &#8220;kara kutu&#8221; kayd\u0131 gibidir.<\/p>\n<p>Bir sistem y\u00f6neticisinin kimlik do\u011frulama giri\u015fimi, bir kullan\u0131c\u0131n\u0131n veri indirme i\u015flemi, bir servisin yap\u0131land\u0131rma de\u011fi\u015fikli\u011fi veya \u015f\u00fcpheli bir IP adresinden gelen ba\u011flant\u0131 denemeleri&#8230; T\u00fcm bu olaylar, denetim kay\u0131tlar\u0131na i\u015flenir. Bu kay\u0131tlar, sadece yasal uyumluluk gereksinimlerini kar\u015f\u0131lamakla kalmaz, ayn\u0131 zamanda potansiyel g\u00fcvenlik ihlallerini, i\u00e7eriden gelen tehditleri veya hatal\u0131 yap\u0131land\u0131rmalar\u0131 ortaya \u00e7\u0131karmak i\u00e7in paha bi\u00e7ilmez birer veri kayna\u011f\u0131d\u0131r. Ancak bu kay\u0131tlar\u0131n hacmi, \u00f6zellikle b\u00fcy\u00fck \u00f6l\u00e7ekli bulut da\u011f\u0131t\u0131mlar\u0131nda, h\u0131zla petabayt seviyelerine ula\u015fabilir. Bu kadar b\u00fcy\u00fck bir veri y\u0131\u011f\u0131n\u0131n\u0131 manuel olarak incelemek veya geleneksel ara\u00e7larla anlaml\u0131 i\u00e7g\u00f6r\u00fcler elde etmek neredeyse imkans\u0131zd\u0131r. Bu durum, bizi daha geli\u015fmi\u015f ve otomatikle\u015ftirilmi\u015f \u00e7\u00f6z\u00fcmlere itiyor.<\/p>\n<p>G\u00fcvenlik ekipleri, bulut ortamlar\u0131ndaki her an\u0131 g\u00f6zlemleyebilmek, anormallikleri ger\u00e7ek zamanl\u0131 olarak tespit edebilmek ve proaktif \u00f6nlemler alabilmek i\u00e7in g\u00fc\u00e7l\u00fc analitik yeteneklere ihtiya\u00e7 duyarlar. Aksi takdirde, kritik bir olay, fark edilmeden saatler, g\u00fcnler hatta haftalarca sistemde kalabilir ve geri d\u00f6nd\u00fcr\u00fclemez zararlara yol a\u00e7abilir. \u00d6rne\u011fin, yetkisiz bir kullan\u0131c\u0131n\u0131n ayr\u0131cal\u0131klar\u0131n\u0131 y\u00fckseltmesi veya kritik bir veri taban\u0131na eri\u015fmesi gibi olaylar, genellikle denetim kay\u0131tlar\u0131nda gizli kal\u0131r. Bu olaylar\u0131 h\u0131zla tespit etmek, bir siber sald\u0131r\u0131n\u0131n yay\u0131lmas\u0131n\u0131 durdurmak ve potansiyel veri ihlallerini \u00f6nlemek i\u00e7in kritik \u00f6neme sahiptir. \u0130\u015fte bu nedenle, bulut denetim kay\u0131tlar\u0131n\u0131n toplanmas\u0131, depolanmas\u0131, analiz edilmesi ve bunlardan anlaml\u0131 g\u00fcvenlik i\u00e7g\u00f6r\u00fclerinin \u00e7\u0131kar\u0131lmas\u0131, modern siber g\u00fcvenlik stratejisinin temel ta\u015flar\u0131ndan biridir. Google Cloud ekosisteminde BigQuery ve Chronicle SIEM gibi ara\u00e7lar, bu zorlu g\u00f6revi kolayla\u015ft\u0131rmak i\u00e7in bir araya gelerek, siber g\u00fcvenlik ekiplerine s\u00fcper g\u00fc\u00e7ler kazand\u0131r\u0131r.<\/p>\n<h2>Temel Ta\u015flar: BigQuery ve Chronicle SIEM Nedir ve Neden Birlikte G\u00fc\u00e7l\u00fcler?<\/h2>\n<p>Bulut g\u00fcvenli\u011fi yolculu\u011fumuzda, denetim kay\u0131tlar\u0131n\u0131 anlaml\u0131 i\u00e7g\u00f6r\u00fclere d\u00f6n\u00fc\u015ft\u00fcrmek i\u00e7in iki temel araca g\u00fcvenece\u011fiz: Google Cloud&#8217;un g\u00fc\u00e7l\u00fc veri analizi platformu BigQuery ve geli\u015fmi\u015f g\u00fcvenlik bilgi ve olay y\u00f6netimi (SIEM) \u00e7\u00f6z\u00fcm\u00fc Chronicle SIEM. Bu iki \u00e7\u00f6z\u00fcm, bir araya geldi\u011finde, bulut ortam\u0131n\u0131zdaki siber tehditlere kar\u015f\u0131 e\u015fsiz bir g\u00f6r\u00fcn\u00fcrl\u00fck ve tepki yetene\u011fi sunar. \u015eimdi bu temel ta\u015flar\u0131 daha yak\u0131ndan inceleyelim.<\/p>\n<h3>Google Cloud Audit Logs: G\u00fcvenlik Hikayenizin Ba\u015flang\u0131c\u0131<\/h3>\n<p>Google Cloud Audit Logs (Denetim Kay\u0131tlar\u0131), GCP ortam\u0131n\u0131zda ger\u00e7ekle\u015fen hemen her etkile\u015fimin kapsaml\u0131, denetlenebilir ve de\u011fi\u015fmez bir kayd\u0131n\u0131 sunar. Bu kay\u0131tlar, kimin, ne zaman, nerede ve hangi kaynaktan ne t\u00fcr bir i\u015flem yapt\u0131\u011f\u0131n\u0131 g\u00f6steren kritik bilgiler i\u00e7erir. GCP, d\u00f6rt ana denetim kayd\u0131 t\u00fcr\u00fc sunar:<\/p>\n<ul>\n<li><strong>Y\u00f6netici Etkinli\u011fi Denetim Kay\u0131tlar\u0131 (Admin Activity Audit Logs):<\/strong> Y\u00f6neticiler taraf\u0131ndan yap\u0131lan yap\u0131land\u0131rma de\u011fi\u015fiklikleri, kaynak olu\u015fturma veya silme gibi t\u00fcm y\u00f6netimsel i\u015flemleri kaydeder. \u00d6rne\u011fin, bir sanal makinenin olu\u015fturulmas\u0131 veya bir IAM politikas\u0131n\u0131n de\u011fi\u015ftirilmesi. Bu kay\u0131tlar, varsay\u0131lan olarak etkinle\u015ftirilmi\u015ftir ve \u00fccret talep edilmez.<\/li>\n<li><strong>Veri Eri\u015fimi Denetim Kay\u0131tlar\u0131 (Data Access Audit Logs):<\/strong> Kullan\u0131c\u0131lar\u0131n ve hizmet hesaplar\u0131n\u0131n verilerinize nas\u0131l eri\u015fti\u011fini ve bunlar\u0131 de\u011fi\u015ftirdi\u011fini g\u00f6sterir. \u00d6rne\u011fin, BigQuery tablolar\u0131na yap\u0131lan sorgular veya Cloud Storage nesnelerine eri\u015fimler. Bu kay\u0131tlar varsay\u0131lan olarak kapal\u0131d\u0131r ve etkinle\u015ftirilmesi gerekebilir; baz\u0131lar\u0131 \u00fccretli olabilir.<\/li>\n<li><strong>Sistem Olaylar\u0131 Denetim Kay\u0131tlar\u0131 (System Event Audit Logs):<\/strong> Google&#8217;\u0131n kendi sistemleri taraf\u0131ndan GCP kaynaklar\u0131nda yap\u0131lan de\u011fi\u015fiklikleri kaydeder. \u00d6rne\u011fin, Compute Engine&#8217;deki bir sanal makinenin otomatik olarak yeniden ba\u015flat\u0131lmas\u0131.<\/li>\n<li><strong>Politika Reddi Denetim Kay\u0131tlar\u0131 (Policy Denied Audit Logs):<\/strong> Bir kullan\u0131c\u0131n\u0131n veya hizmet hesab\u0131n\u0131n, g\u00fcvenlik politikalar\u0131 nedeniyle bir eylemi ger\u00e7ekle\u015ftiremedi\u011fi durumlarda olu\u015fur. Bu, yetkisiz eri\u015fim denemelerini tespit etmek i\u00e7in \u00e7ok de\u011ferlidir.<\/li>\n<\/ul>\n<p>Bu kay\u0131tlar, bulut ortam\u0131n\u0131zdaki t\u00fcm olaylar\u0131n ayr\u0131nt\u0131l\u0131 bir kronolojisini sa\u011flayarak, g\u00fcvenlik analistlerinin &#8220;ne oldu, ne zaman oldu ve kim yapt\u0131?&#8221; sorular\u0131na yan\u0131t bulmalar\u0131na olanak tan\u0131r. Olay m\u00fcdahalesi, adli analiz ve uyumluluk denetimleri i\u00e7in vazge\u00e7ilmez birer kaynakt\u0131r.<\/p>\n<h3>B\u00fcy\u00fck Veri Analizinde Yeni Nesil: BigQuery&#8217;nin G\u00fcc\u00fc Nedir?<\/h3>\n<p>Bulut denetim kay\u0131tlar\u0131n\u0131n hacmi ak\u0131l almaz boyutlara ula\u015ft\u0131\u011f\u0131nda, geleneksel veri tabanlar\u0131 veya analitik ara\u00e7lar yetersiz kal\u0131r. \u0130\u015fte tam bu noktada Google Cloud&#8217;un tam olarak y\u00f6netilen, sunucusuz ve son derece \u00f6l\u00e7eklenebilir veri ambar\u0131 BigQuery sahneye \u00e7\u0131kar. BigQuery, petabaytlarca veriyi saniyeler i\u00e7inde analiz edebilme yetene\u011fiyle \u00f6ne \u00e7\u0131kar.<\/p>\n<p>BigQuery&#8217;nin temel \u00f6zellikleri ve g\u00fcvenlik operasyonlar\u0131 i\u00e7in sa\u011flad\u0131\u011f\u0131 faydalar \u015funlard\u0131r:<\/p>\n<ul>\n<li><strong>Sunucusuz Mimari:<\/strong> Altyap\u0131 y\u00f6netimi endi\u015fesi olmadan veri analizi yapman\u0131z\u0131 sa\u011flar. \u00d6l\u00e7eklendirme Google taraf\u0131ndan otomatik olarak y\u00f6netilir.<\/li>\n<li><strong>Y\u00fcksek \u00d6l\u00e7eklenebilirlik:<\/strong> Onlarca terabayt veya petabayt boyutundaki veri k\u00fcmelerini kolayca i\u015fleyebilir. Bu, uzun vadeli denetim kay\u0131tlar\u0131n\u0131 saklamak ve analiz etmek i\u00e7in idealdir.<\/li>\n<li><strong>SQL Deste\u011fi:<\/strong> Standart SQL s\u00f6zdizimini kullanarak karma\u015f\u0131k sorgular yazabilir, bu da veri analistlerinin ve g\u00fcvenlik uzmanlar\u0131n\u0131n kolayca adapte olmas\u0131n\u0131 sa\u011flar.<\/li>\n<li><strong>Ger\u00e7ek Zamanl\u0131 Analiz:<\/strong> Ak\u0131\u015f API&#8217;si sayesinde verileri ger\u00e7ek zamanl\u0131 olarak alabilir ve neredeyse an\u0131nda sorgulayabilirsiniz. Bu, anomali tespiti ve h\u0131zl\u0131 olay m\u00fcdahalesi i\u00e7in kritiktir.<\/li>\n<li><strong>BigQuery ML:<\/strong> Makine \u00f6\u011frenimi modellerini SQL kullanarak do\u011frudan BigQuery i\u00e7inde olu\u015fturman\u0131za ve \u00e7al\u0131\u015ft\u0131rman\u0131za olanak tan\u0131r. Bu, anormal davran\u0131\u015flar\u0131 ve bilinmeyen tehditleri tespit etmek i\u00e7in g\u00fc\u00e7l\u00fc bir ara\u00e7t\u0131r.<\/li>\n<\/ul>\n<p>BigQuery, g\u00fcvenlik analistlerinin milyonlarca log kayd\u0131 aras\u0131nda i\u011fne aramak yerine, belirli tehdit g\u00f6stergelerini h\u0131zla bulmalar\u0131na, korelasyonlar kurmalar\u0131na ve karma\u015f\u0131k sald\u0131r\u0131 senaryolar\u0131n\u0131 ayd\u0131nlatmalar\u0131na yard\u0131mc\u0131 olur.<\/p>\n<h3>G\u00fcvenlik Operasyonlar\u0131n\u0131n Merkezi: Chronicle SIEM Neden \u00d6nemli?<\/h3>\n<p>Chronicle SIEM (Security Information and Event Management), Google Cloud&#8217;un siber g\u00fcvenlik veri platformudur. Temel amac\u0131, i\u015fletmelerin g\u00fcvenlik verilerini petabayt \u00f6l\u00e7e\u011finde ve uygun maliyetle toplamas\u0131na, saklamas\u0131na ve analiz etmesine olanak tan\u0131makt\u0131r. Geleneksel SIEM \u00e7\u00f6z\u00fcmlerinin kar\u015f\u0131la\u015ft\u0131\u011f\u0131 \u00f6l\u00e7ek, maliyet ve performans sorunlar\u0131na \u00e7\u00f6z\u00fcm sunar.<\/p>\n<p>Chronicle SIEM&#8217;in g\u00fcvenlik operasyonlar\u0131 i\u00e7in kilit avantajlar\u0131:<\/p>\n<ul>\n<li><strong>Petabayt \u00d6l\u00e7e\u011finde Veri Al\u0131m\u0131 ve Saklama:<\/strong> T\u00fcm g\u00fcvenlik telemetrinizi (a\u011f ak\u0131\u015flar\u0131, DNS kay\u0131tlar\u0131, u\u00e7 nokta loglar\u0131, bulut denetim kay\u0131tlar\u0131 vb.) maliyet etkin bir \u015fekilde toplayabilir ve saklayabilir. Bu, &#8220;kaynak k\u0131s\u0131tlamalar\u0131 nedeniyle loglar\u0131 atmak&#8221; gibi k\u00f6t\u00fc uygulamalar\u0131 ortadan kald\u0131r\u0131r.<\/li>\n<li><strong>Y\u00fcksek H\u0131zl\u0131 Arama:<\/strong> B\u00fcy\u00fck veri hacimlerinde bile saniyeler i\u00e7inde arama yapabilmenizi sa\u011flar, bu da olay m\u00fcdahale s\u00fcrelerini \u00f6nemli \u00f6l\u00e7\u00fcde k\u0131salt\u0131r.<\/li>\n<li><strong>Geli\u015fmi\u015f Tehdit Alg\u0131lama Motoru (YARA-L):<\/strong> Esnek YARA-L dilini kullanarak kendi \u00f6zel alg\u0131lama kurallar\u0131n\u0131z\u0131 yazman\u0131za olanak tan\u0131r. Bu sayede, bilinen ve bilinmeyen tehditleri proaktif olarak tespit edebilirsiniz.<\/li>\n<li><strong>Tehdit \u0130stihbarat\u0131 Entegrasyonu:<\/strong> Google&#8217;\u0131n ve di\u011fer \u00fc\u00e7\u00fcnc\u00fc taraf tehdit istihbarat\u0131 kaynaklar\u0131yla entegre olarak, \u015f\u00fcpheli IP adreslerini, alan adlar\u0131n\u0131 ve dosya hash&#8217;lerini otomatik olarak i\u015faretler.<\/li>\n<li><strong>\u0130li\u015fkilendirme ve Korelasyon:<\/strong> Farkl\u0131 kaynaklardan gelen olaylar\u0131 otomatik olarak ili\u015fkilendirerek, bir sald\u0131r\u0131n\u0131n t\u00fcm a\u015famalar\u0131n\u0131 bir arada g\u00f6rmenizi sa\u011flar.<\/li>\n<\/ul>\n<p>BigQuery, derinlemesine analitik yetenekleriyle bir &#8220;veri laboratuvar\u0131&#8221; g\u00f6revi g\u00f6r\u00fcrken, Chronicle SIEM, t\u00fcm g\u00fcvenlik verilerinizin topland\u0131\u011f\u0131, analiz edildi\u011fi ve tehditlerin ger\u00e7ek zamanl\u0131 olarak tespit edildi\u011fi &#8220;operasyonel g\u00fcvenlik merkezi&#8221;dir. Bu iki ara\u00e7, birle\u015ferek, denetim kay\u0131tlar\u0131ndan ger\u00e7ek zamanl\u0131 tehdit tespiti i\u00e7in sa\u011flam ve \u00f6l\u00e7eklenebilir bir omurga olu\u015fturur. Bir sonraki b\u00f6l\u00fcmde, bu entegrasyonun ad\u0131m ad\u0131m nas\u0131l kurulaca\u011f\u0131n\u0131 inceleyece\u011fiz.<\/p>\n<div class=\"tip-box\">\n      Uzman \u0130pucu: Chronicle SIEM, log verilerini ayr\u0131\u015ft\u0131r\u0131rken Unified Data Model (UDM) kullan\u0131r. Bu model, farkl\u0131 kaynaklardan gelen loglar\u0131 standart bir formata d\u00f6n\u00fc\u015ft\u00fcrerek, korelasyon ve arama s\u00fcre\u00e7lerini b\u00fcy\u00fck \u00f6l\u00e7\u00fcde basitle\u015ftirir. BigQuery&#8217;den ald\u0131\u011f\u0131n\u0131z verileri Chronicle&#8217;a beslerken UDM format\u0131na d\u00f6n\u00fc\u015ft\u00fcrmek, entegrasyonu daha verimli hale getirir.\n    <\/div>\n<h2>Ad\u0131m Ad\u0131m Entegrasyon: Denetim Kay\u0131tlar\u0131n\u0131 BigQuery&#8217;ye Nas\u0131l Aktar\u0131rs\u0131n\u0131z?<\/h2>\n<p>G\u00fcvenlik verilerinin analiz edilebilmesi i\u00e7in \u00f6ncelikle merkezi bir depoya aktar\u0131lmas\u0131 gerekir. Google Cloud Platform&#8217;da (GCP), denetim kay\u0131tlar\u0131n\u0131 BigQuery&#8217;ye aktarman\u0131n en etkili yolu, Log Router&#8217;\u0131 kullanmakt\u0131r. Log Router, GCP&#8217;deki \u00e7e\u015fitli kaynaklardan gelen loglar\u0131 (denetim kay\u0131tlar\u0131 dahil) filtrelemenizi, y\u00f6nlendirmenizi ve depolaman\u0131z\u0131 sa\u011flayan merkezi bir hizmettir. Bu b\u00f6l\u00fcmde, denetim kay\u0131tlar\u0131n\u0131z\u0131 BigQuery&#8217;ye nas\u0131l aktaraca\u011f\u0131n\u0131z\u0131 ad\u0131m ad\u0131m inceleyece\u011fiz.<\/p>\n<h3>Log Router ile BigQuery Veri K\u00fcmesi Olu\u015fturma<\/h3>\n<p>Log Router (eski ad\u0131yla Log Sinks), belirli kriterlere uyan loglar\u0131 se\u00e7menize ve bunlar\u0131 bir hedefe (\u00f6rne\u011fin BigQuery, Cloud Storage veya Pub\/Sub) g\u00f6ndermenize olanak tan\u0131r. \u0130\u015fte ad\u0131m ad\u0131m s\u00fcre\u00e7:<\/p>\n<ol>\n<li><strong>BigQuery Veri K\u00fcmesi Olu\u015fturma:<\/strong> \u00d6ncelikle, denetim kay\u0131tlar\u0131n\u0131z\u0131 depolayaca\u011f\u0131n\u0131z bir BigQuery veri k\u00fcmesine ihtiyac\u0131n\u0131z var. Google Cloud Console&#8217;da BigQuery&#8217;ye gidin, projenizi se\u00e7in ve ard\u0131ndan &#8220;Veri K\u00fcmesi Olu\u015ftur&#8221; butonuna t\u0131klay\u0131n. Veri k\u00fcmenize anlaml\u0131 bir ad verin (\u00f6rne\u011fin, <code>audit_logs<\/code>), co\u011frafi konumunu se\u00e7in ve veri k\u00fcmesinin \u00f6mr\u00fcn\u00fc belirleyebilirsiniz.<\/li>\n<li><strong>Log Router Sink Olu\u015fturma:<\/strong> Google Cloud Console&#8217;da &#8220;Logging&#8221; > &#8220;Log Router&#8221; b\u00f6l\u00fcm\u00fcne gidin. Burada, &#8220;Sink Olu\u015ftur&#8221; (Create Sink) butonuna t\u0131klay\u0131n.<\/li>\n<li><strong>Sink Ad\u0131 ve A\u00e7\u0131klama:<\/strong> Sink&#8217;inize benzersiz bir ad verin (\u00f6rne\u011fin, <code>audit-logs-to-bigquery<\/code>) ve iste\u011fe ba\u011fl\u0131 bir a\u00e7\u0131klama ekleyin.<\/li>\n<li><strong>Sink Hedefi:<\/strong> &#8220;Sink Hedefi&#8221; olarak &#8220;BigQuery veri k\u00fcmesi&#8221; se\u00e7ene\u011fini i\u015faretleyin. Daha sonra, a\u00e7\u0131l\u0131r men\u00fcden daha \u00f6nce olu\u015fturdu\u011funuz <code>audit_logs<\/code> veri k\u00fcmesini se\u00e7in.<\/li>\n<li><strong>Filtreleme:<\/strong> Bu ad\u0131m kritik \u00f6neme sahiptir. Hangi loglar\u0131n BigQuery&#8217;ye g\u00f6nderilece\u011fini burada belirlersiniz. T\u00fcm denetim kay\u0131tlar\u0131n\u0131 g\u00f6ndermek isteyebilirsiniz veya sadece belirli t\u00fcrdeki kay\u0131tlar\u0131 (\u00f6rne\u011fin, y\u00f6netici etkinli\u011fi veya belirli bir hizmete ait kay\u0131tlar) se\u00e7ebilirsiniz. \u0130\u015fte baz\u0131 \u00f6rnek filtreler:<\/li>\n<ul>\n<li><strong>T\u00fcm Denetim Kay\u0131tlar\u0131n\u0131 \u0130\u00e7eren Temel Filtre:<\/strong>\n<pre><code>\nlogName:\"cloudaudit.googleapis.com\"\n                    <\/pre>\n<p><\/code>\n                <\/li>\n<li><strong>Y\u00f6netici Etkinli\u011fi ve Veri Eri\u015fimi Denetim Kay\u0131tlar\u0131n\u0131 \u0130\u00e7eren Filtre:<\/strong>\n<pre><code>\nlogName:\"cloudaudit.googleapis.com\/activity\" OR logName:\"cloudaudit.googleapis.com\/data_access\"\n                    <\/pre>\n<p><\/code>\n                <\/li>\n<li><strong>Belirli Bir Projeden ve Belirli Bir Hizmetten Gelen Kay\u0131tlar\u0131 Filtreleme (\u00d6rnek: Compute Engine):<\/strong>\n<pre><code>\nresource.type=\"gce_instance\" AND protoPayload.serviceName=\"compute.googleapis.com\"\n                    <\/pre>\n<p><\/code>\n                <\/li>\n<li><strong>\u015e\u00fcpheli Y\u00f6ntem \u00c7a\u011fr\u0131lar\u0131n\u0131 Tespit Etmek \u0130\u00e7in Geli\u015fmi\u015f Filtre (\u00d6rnek: IAM politikas\u0131 de\u011fi\u015fikli\u011fi):<\/strong>\n<pre><code>\nprotoPayload.methodName=\"google.iam.admin.v1.IAM.SetIAMPolicy\" OR\nprotoPayload.methodName=\"google.cloud.resourcemanager.v1.Projects.setIamPolicy\"\n                    <\/pre>\n<p><\/code>\n                <\/li>\n<\/ul>\n<li><strong>Sink Olu\u015fturma:<\/strong> Son olarak, \"Sink Olu\u015ftur\" butonuna t\u0131klayarak i\u015flemi tamamlay\u0131n. Bu i\u015flemden sonra, belirlenen filtreye uyan t\u00fcm yeni denetim kay\u0131tlar\u0131 otomatik olarak BigQuery veri k\u00fcmenize akmaya ba\u015flayacakt\u0131r.<\/li>\n<\/ol>\n<div class=\"tip-box\">\n        Uzman \u0130pucu: Log Router sink'leri i\u00e7in filtreleri test etmek isterseniz, Logging > Log Explorer b\u00f6l\u00fcm\u00fcnde filtreleri deneyebilir ve sonu\u00e7lar\u0131 ger\u00e7ek zamanl\u0131 olarak g\u00f6rebilirsiniz. Bu, do\u011fru loglar\u0131 BigQuery'ye aktard\u0131\u011f\u0131n\u0131zdan emin olman\u0131z\u0131 sa\u011flar.\n    <\/div>\n<h3>BigQuery'de Veri Yap\u0131s\u0131 ve Optimizasyon \u0130pu\u00e7lar\u0131<\/h3>\n<p>Denetim kay\u0131tlar\u0131n\u0131z BigQuery'ye aktar\u0131ld\u0131\u011f\u0131nda, her bir log kayd\u0131 bir JSON nesnesi olarak depolan\u0131r ve BigQuery, bu JSON verilerini otomatik olarak \u015femaland\u0131r\u0131r. Ancak, verimlilik ve maliyet a\u00e7\u0131s\u0131ndan baz\u0131 optimizasyonlar yapman\u0131z faydal\u0131 olacakt\u0131r:<\/p>\n<ul>\n<li><strong>Partitioning (B\u00f6l\u00fcmleme):<\/strong> Log verileri genellikle zaman damgas\u0131na (timestamp) g\u00f6re sorgulan\u0131r. BigQuery tablolar\u0131n\u0131 bir zaman damgas\u0131 s\u00fctununa g\u00f6re b\u00f6l\u00fcmlemek, sorgu performans\u0131n\u0131 art\u0131r\u0131r ve sorgulanan veri miktar\u0131n\u0131 azaltarak maliyetleri d\u00fc\u015f\u00fcr\u00fcr. \u00d6rne\u011fin, <code>timestamp<\/code> s\u00fctununu kullanarak g\u00fcnl\u00fck veya saatlik b\u00f6l\u00fcmlemeler olu\u015fturabilirsiniz.<\/li>\n<li><strong>Clustering (K\u00fcmeleme):<\/strong> B\u00f6l\u00fcmleme ile birlikte k\u00fcmeleme kullanmak, sorgular\u0131n daha da optimize edilmesine yard\u0131mc\u0131 olur. Genellikle, <code>resource.type<\/code>, <code>protoPayload.methodName<\/code> veya <code>principalEmail<\/code> gibi s\u0131k\u00e7a filtreledi\u011finiz s\u00fctunlara g\u00f6re k\u00fcmeleme yapabilirsiniz.<\/li>\n<li><strong>Maliyet Optimizasyonu:<\/strong> BigQuery, sorgulanan veri miktar\u0131na g\u00f6re \u00fccretlendirildi\u011finden, verimli sorgular yazmak \u00e7ok \u00f6nemlidir. Sadece ihtiyac\u0131n\u0131z olan s\u00fctunlar\u0131 se\u00e7in (<code>SELECT *<\/code> kullanmaktan ka\u00e7\u0131n\u0131n) ve sorgular\u0131n\u0131z\u0131 b\u00f6l\u00fcmleme ve k\u00fcmeleme anahtarlar\u0131n\u0131 i\u00e7erecek \u015fekilde optimize edin.<\/li>\n<\/ul>\n<p>\u00d6rne\u011fin, BigQuery'de denetim kay\u0131tlar\u0131n\u0131z\u0131n nas\u0131l g\u00f6r\u00fcnebilece\u011fine dair basitle\u015ftirilmi\u015f bir SQL sorgusu:<\/p>\n<pre><code>\nSELECT\n    timestamp,\n    protoPayload.authenticationInfo.principalEmail AS user_email,\n    protoPayload.methodName AS action,\n    protoPayload.resourceName AS resource,\n    resource.type AS resource_type,\n    resource.labels.project_id AS project_id\nFROM\n    <code>your_project_id.audit_logs.cloudaudit_googleapis_com_activity_*<\/code> -- B\u00f6l\u00fcmlenmi\u015f tablo i\u00e7in joker karakter\nWHERE\n    _PARTITIONTIME BETWEEN TIMESTAMP('2023-10-01') AND TIMESTAMP('2023-10-02')\n    AND protoPayload.methodName = 'v1.compute.instances.insert'\nLIMIT 100;\n    <\/pre>\n<p><\/code><\/p>\n<p>Bu sorgu, belirli bir tarih aral\u0131\u011f\u0131nda Compute Engine \u00f6rne\u011fi olu\u015fturma eylemlerini listeler. <code>protoPayload<\/code> alan\u0131, denetim kay\u0131tlar\u0131n\u0131n temel bilgi y\u00fck\u00fcn\u00fc i\u00e7erir ve genellikle derinlemesine analiz i\u00e7in en zengin veriyi bar\u0131nd\u0131r\u0131r.<\/p>\n<h2>Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti \u0130\u00e7in BigQuery'de Analizler Nas\u0131l Geli\u015ftirilir?<\/h2>\n<p>Denetim kay\u0131tlar\u0131n\u0131z\u0131 BigQuery'ye ba\u015far\u0131yla aktard\u0131ktan sonra, s\u0131ra bu b\u00fcy\u00fck veri havuzunu aktif bir tehdit av\u0131 ve tespit arac\u0131na d\u00f6n\u00fc\u015ft\u00fcrmeye geliyor. BigQuery'nin g\u00fc\u00e7l\u00fc SQL yetenekleri ve makine \u00f6\u011frenimi entegrasyonu (BigQuery ML), potansiyel g\u00fcvenlik olaylar\u0131n\u0131 ortaya \u00e7\u0131karmak i\u00e7in ola\u011fan\u00fcst\u00fc f\u0131rsatlar sunar. Bu b\u00f6l\u00fcmde, BigQuery'de \u015f\u00fcpheli aktiviteleri tespit etmek i\u00e7in nas\u0131l sorgular ve analizler geli\u015ftirebilece\u011finizi inceleyece\u011fiz.<\/p>\n<h3>\u015e\u00fcpheli Aktiviteleri Tespit Etmeye Y\u00f6nelik SQL Sorgular\u0131<\/h3>\n<p>BigQuery'de tehdit tespiti, genellikle belirli kal\u0131plar\u0131, e\u015fikleri veya anormallikleri arayan iyi tan\u0131mlanm\u0131\u015f SQL sorgular\u0131yla ba\u015flar. \u0130\u015fte yayg\u0131n g\u00fcvenlik senaryolar\u0131n\u0131 tespit etmek i\u00e7in kullanabilece\u011finiz baz\u0131 \u00f6rnek sorgular:<\/p>\n<ol>\n<li><strong>Al\u0131\u015f\u0131lmad\u0131k Konumdan Y\u00f6netici Etkinli\u011fi Tespiti:<\/strong> Bir y\u00f6neticinin genellikle oturum a\u00e7mad\u0131\u011f\u0131 veya kaynak olu\u015fturmad\u0131\u011f\u0131 bir co\u011frafi konumdan gelen etkinlikler, hesap ele ge\u00e7irme belirtisi olabilir.<\/li>\n<pre><code>\nSELECT\n    timestamp,\n    protoPayload.authenticationInfo.principalEmail AS user_email,\n    protoPayload.methodName AS action,\n    protoPayload.resourceName AS resource,\n    jsonPayload.metadata.request.callerIp AS caller_ip,\n    net.IP_TO_STRING(NET.IP_FROM_STRING(jsonPayload.metadata.request.callerIp)) AS caller_ip_string,\n    FROM <code>your_project_id.audit_logs.cloudaudit_googleapis_com_activity_*<\/code>\nWHERE\n    _PARTITIONTIME BETWEEN TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY) AND CURRENT_TIMESTAMP()\n    AND protoPayload.authenticationInfo.principalEmail IN ('admin@example.com', 'security@example.com') -- Hedef y\u00f6neticiler\n    AND NOT REGEXP_CONTAINS(jsonPayload.metadata.request.callerIp, '^(192\\\\.168\\\\.|10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[0-1])\\\\.)') -- \u0130\u00e7 IP'leri filtrele\n    AND NOT EXISTS (\n        SELECT 1\n        FROM <code>your_project_id.trusted_ips.admin_allowed_ips<\/code> AS trusted -- G\u00fcvenilir IP'lerin oldu\u011fu bir tablo varsayal\u0131m\n        WHERE trusted.ip = NET.IP_FROM_STRING(jsonPayload.metadata.request.callerIp)\n    )\nORDER BY\n    timestamp DESC;\n        <\/pre>\n<p><\/code><\/p>\n<p><em>A\u00e7\u0131klama:<\/em> Bu sorgu, son 7 g\u00fcn i\u00e7inde belirli y\u00f6netici e-postalar\u0131ndan gelen ve \u00f6nceden tan\u0131mlanm\u0131\u015f g\u00fcvenilir IP adresleri listesinde bulunmayan IP'lerden kaynaklanan etkinlikleri arar. \u0130\u00e7 a\u011f IP aral\u0131klar\u0131n\u0131 da filtreleyerek d\u0131\u015far\u0131dan gelen anormal ba\u011flant\u0131lar\u0131 hedefler.<\/p>\n<li><strong>K\u0131sa S\u00fcrede \u00c7ok Say\u0131da Ba\u015far\u0131s\u0131z Oturum A\u00e7ma Denemesi (Brute-Force Tespiti):<\/strong> Belirli bir kullan\u0131c\u0131 veya hizmet hesab\u0131 i\u00e7in k\u0131sa bir zaman diliminde \u00e7ok say\u0131da ba\u015far\u0131s\u0131z oturum a\u00e7ma giri\u015fimi, bir kaba kuvvet sald\u0131r\u0131s\u0131n\u0131n g\u00f6stergesi olabilir.<\/li>\n<pre><code>\nSELECT\n    timestamp,\n    protoPayload.authenticationInfo.principalEmail AS user_email,\n    count(*) AS failed_attempts\nFROM\n    <code>your_project_id.audit_logs.cloudaudit_googleapis_com_activity_*<\/code>\nWHERE\n    _PARTITIONTIME BETWEEN TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 HOUR) AND CURRENT_TIMESTAMP()\n    AND protoPayload.methodName = 'google.cloud.iam.v1.IAM.CheckPolicy' -- veya di\u011fer kimlik do\u011frulama metodlar\u0131\n    AND protoPayload.status.code = 'PERMISSION_DENIED'\nGROUP BY\n    user_email, TIMESTAMP_TRUNC(timestamp, MINUTE)\nHAVING\n    failed_attempts > 5 -- 1 dakika i\u00e7inde 5'ten fazla ba\u015far\u0131s\u0131z deneme\nORDER BY\n    failed_attempts DESC;\n        <\/pre>\n<p><\/code><\/p>\n<p><em>A\u00e7\u0131klama:<\/em> Bu sorgu, son bir saat i\u00e7inde, her bir dakika diliminde 5'ten fazla ba\u015far\u0131s\u0131z izin denemesi olan kullan\u0131c\u0131lar\u0131 bulur. Bu, bir hizmet hesab\u0131 veya kullan\u0131c\u0131 hesab\u0131na y\u00f6nelik kaba kuvvet sald\u0131r\u0131lar\u0131n\u0131 tespit edebilir.<\/p>\n<li><strong>B\u00fcy\u00fck \u00d6l\u00e7ekli Kaynak Olu\u015fturma veya Silme (Anormal Davran\u0131\u015f Tespiti):<\/strong> Normal operasyonel kal\u0131plar\u0131n d\u0131\u015f\u0131nda ani ve b\u00fcy\u00fck \u00f6l\u00e7ekli sanal makine, depolama kovas\u0131 veya di\u011fer kaynaklar\u0131n olu\u015fturulmas\u0131\/silinmesi, \u015f\u00fcpheli aktiviteyi g\u00f6sterebilir (\u00f6rn. fidye yaz\u0131l\u0131m\u0131 veya kaynak s\u00f6m\u00fcr\u00fcs\u00fc).<\/li>\n<pre><code>\nSELECT\n    timestamp,\n    protoPayload.authenticationInfo.principalEmail AS user_email,\n    protoPayload.methodName AS action,\n    COUNT(DISTINCT protoPayload.resourceName) AS distinct_resources_affected\nFROM\n    <code>your_project_id.audit_logs.cloudaudit_googleapis_com_activity_*<\/code>\nWHERE\n    _PARTITIONTIME BETWEEN TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 MINUTE) AND CURRENT_TIMESTAMP()\n    AND protoPayload.methodName IN (\n        'v1.compute.instances.insert',\n        'v1.compute.disks.insert',\n        'google.storage.v1.storage.objects.delete',\n        'google.storage.v1.storage.buckets.delete'\n    )\nGROUP BY\n    user_email, action, TIMESTAMP_TRUNC(timestamp, MINUTE)\nHAVING\n    distinct_resources_affected > 10 -- 30 dakika i\u00e7inde 10'dan fazla farkl\u0131 kaynak \u00fczerinde i\u015flem\nORDER BY\n    distinct_resources_affected DESC;\n        <\/pre>\n<p><\/code><\/p>\n<p><em>A\u00e7\u0131klama:<\/em> Bu sorgu, son 30 dakika i\u00e7inde 10'dan fazla farkl\u0131 kayna\u011f\u0131 etkileyen b\u00fcy\u00fck \u00f6l\u00e7ekli olu\u015fturma veya silme i\u015flemlerini arar. Bu, bir fidye yaz\u0131l\u0131m\u0131n\u0131n veri silmesi veya kripto madencili\u011fi i\u00e7in yeni VM'ler olu\u015fturulmas\u0131 gibi senaryolar\u0131 i\u015faret edebilir.<\/p>\n<h3>BigQuery ML ile Anormal Davran\u0131\u015f Tespiti<\/h3>\n<p>Yukar\u0131daki SQL sorgular\u0131 belirli kal\u0131plara dayan\u0131rken, BigQuery ML (Makine \u00d6\u011frenimi), verilerdeki gizli anomalileri ve normalden sapmalar\u0131 tespit etmek i\u00e7in daha geli\u015fmi\u015f bir yakla\u015f\u0131m sunar. Kullan\u0131c\u0131 davran\u0131\u015f analizi veya zaman serisi anomalisi gibi senaryolarda BigQuery ML olduk\u00e7a etkilidir.<\/p>\n<p>\u00d6rne\u011fin, bir kullan\u0131c\u0131n\u0131n BigQuery'de sorgulad\u0131\u011f\u0131 veri miktar\u0131n\u0131n normalden fazla olup olmad\u0131\u011f\u0131n\u0131 tespit edebiliriz:<\/p>\n<pre><code>\n-- 1. Kullan\u0131c\u0131 ba\u015f\u0131na g\u00fcnl\u00fck sorgulanan bayt miktar\u0131n\u0131 hesapla\nCREATE OR REPLACE MODEL <code>your_project_id.bqml_models.user_query_anomaly_model<\/code>\nOPTIONS(model_type='KMEANS', num_clusters=5, standardize_features=TRUE) AS\nSELECT\n    user_email,\n    SUM(total_bytes_processed) AS total_bytes_queried_daily\nFROM\n    <code>your_project_id.audit_logs.cloudaudit_googleapis_com_activity_*<\/code>\nWHERE\n    _PARTITIONTIME BETWEEN TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY) AND CURRENT_TIMESTAMP()\n    AND protoPayload.serviceName = 'bigquery.googleapis.com'\n    AND protoPayload.methodName = 'google.cloud.bigquery.v2.JobService.Query'\nGROUP BY\n    user_email, DATE(timestamp);\n\n-- 2. Yeni verilerle anomali tespiti yap (hangi k\u00fcmeye ait oldu\u011funu bul)\nSELECT\n    ML.PREDICT(\n        (SELECT * FROM <code>your_project_id.bqml_models.user_query_anomaly_model<\/code>),\n        (SELECT\n            protoPayload.authenticationInfo.principalEmail AS user_email,\n            SUM(total_bytes_processed) AS total_bytes_queried_daily\n        FROM\n            <code>your_project_id.audit_logs.cloudaudit_googleapis_com_activity_*<\/code>\n        WHERE\n            _PARTITIONTIME BETWEEN TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 DAY) AND CURRENT_TIMESTAMP()\n            AND protoPayload.serviceName = 'bigquery.googleapis.com'\n            AND protoPayload.methodName = 'google.cloud.bigquery.v2.JobService.Query'\n        GROUP BY\n            user_email, DATE(timestamp)\n        )\n    ) AS predicted_cluster,\n    user_email,\n    total_bytes_queried_daily\nFROM\n    (SELECT\n        protoPayload.authenticationInfo.principalEmail AS user_email,\n        SUM(total_bytes_processed) AS total_bytes_queried_daily\n    FROM\n        <code>your_project_id.audit_logs.cloudaudit_googleapis_com_activity_*<\/code>\n    WHERE\n        _PARTITIONTIME BETWEEN TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 DAY) AND CURRENT_TIMESTAMP()\n        AND protoPayload.serviceName = 'bigquery.googleapis.com'\n        AND protoPayload.methodName = 'google.cloud.bigquery.v2.JobService.Query'\n    GROUP BY\n        user_email, DATE(timestamp)\n    ) AS daily_data\nORDER BY\n    total_bytes_queried_daily DESC;\n    <\/pre>\n<p><\/code><\/p>\n<p><em>A\u00e7\u0131klama:<\/em> Bu \u00f6rnek, K-Means k\u00fcmeleme modelini kullanarak, kullan\u0131c\u0131lar\u0131n BigQuery'de g\u00fcnl\u00fck olarak sorgulad\u0131\u011f\u0131 veri miktar\u0131ndaki anormallikleri tespit etmeye \u00e7al\u0131\u015f\u0131r. Bir kullan\u0131c\u0131n\u0131n al\u0131\u015f\u0131lmad\u0131k bir k\u00fcmeye d\u00fc\u015fmesi, potansiyel bir veri s\u00f6m\u00fcr\u00fcs\u00fcn\u00fc veya yetkisiz eri\u015fimi i\u015faret edebilir. BigQuery ML, makine \u00f6\u011frenimi modelleme s\u00fcrecini basitle\u015ftirerek g\u00fcvenlik analistlerinin daha derinlemesine ve otomatik anomali tespiti yapmas\u0131na olanak tan\u0131r.<\/p>\n<h2>BigQuery'den Chronicle SIEM'e Veri Ak\u0131\u015f\u0131 ve YARA-L Kurallar\u0131 Olu\u015fturma<\/h2>\n<p>\u015eimdiye kadar denetim kay\u0131tlar\u0131n\u0131 BigQuery'ye aktarmay\u0131 ve burada derinlemesine analizler yapmay\u0131 \u00f6\u011frendik. Ancak ger\u00e7ek zamanl\u0131 tehdit tespiti ve olay m\u00fcdahalesi i\u00e7in bu i\u00e7g\u00f6r\u00fclerin bir g\u00fcvenlik operasyonlar\u0131 merkezinde (SOC) h\u0131zl\u0131ca kullan\u0131labilir olmas\u0131 gerekir. \u0130\u015fte burada Chronicle SIEM devreye girer. Genellikle Google Cloud Audit Logs, BigQuery'ye ek olarak do\u011frudan Chronicle SIEM'e de ak\u0131t\u0131l\u0131r. BigQuery ise daha \u00e7ok derinlemesine avc\u0131l\u0131k, tarihi analiz ve kompleks korelasyonlar i\u00e7in kullan\u0131l\u0131r. Bu b\u00f6l\u00fcmde, BigQuery'den elde edilen analitik i\u00e7g\u00f6r\u00fcleri Chronicle SIEM'de nas\u0131l de\u011ferlendirece\u011fimizi ve YARA-L kurallar\u0131 ile bu i\u00e7g\u00f6r\u00fcleri ger\u00e7ek zamanl\u0131 alg\u0131lamalara nas\u0131l d\u00f6n\u00fc\u015ft\u00fcrece\u011fimizi inceleyece\u011fiz.<\/p>\n<h3>Verileri Chronicle SIEM'e Nas\u0131l Aktar\u0131rs\u0131n\u0131z veya De\u011ferlendirirsiniz?<\/h3>\n<p>GCP Audit Logs'\u0131n do\u011frudan Chronicle SIEM'e g\u00f6nderilmesi en yayg\u0131n ve \u00f6nerilen y\u00f6ntemdir. Bu sayede, loglar UDM (Unified Data Model) format\u0131na d\u00f6n\u00fc\u015ft\u00fcr\u00fcl\u00fcr ve Chronicle'\u0131n y\u00fcksek h\u0131zl\u0131 arama ve alg\u0131lama yetenekleriyle hemen kullan\u0131labilir hale gelir. Log Router kullanarak Audit Logs'\u0131 BigQuery'ye aktard\u0131\u011f\u0131n\u0131z gibi, ayn\u0131 zamanda bir Pub\/Sub konusuna da y\u00f6nlendirebilir ve bu Pub\/Sub konusunu Chronicle'a ba\u011flayabilirsiniz. Ancak, \u00e7o\u011fu durumda, GCP Audit Logs'\u0131 Chronicle'a do\u011frudan bir kaynak olarak ekleyebilirsiniz.<\/p>\n<p>Peki BigQuery'nin rol\u00fc ne? BigQuery, \u015funlar i\u00e7in kritik \u00f6neme sahiptir:<\/p>\n<ul>\n<li><strong>Derinlemesine Tehdit Avc\u0131l\u0131\u011f\u0131:<\/strong> BigQuery'deki petabayt \u00f6l\u00e7ekli veriler \u00fczerinde karma\u015f\u0131k SQL sorgular\u0131 \u00e7al\u0131\u015ft\u0131rarak, Chronicle'\u0131n ger\u00e7ek zamanl\u0131 alg\u0131lama kurallar\u0131n\u0131n hen\u00fcz kapsamad\u0131\u011f\u0131 yeni veya geli\u015fmekte olan tehditleri tespit edebilirsiniz.<\/li>\n<li><strong>Anomali Tespiti ve Temel \u00c7izgi Olu\u015fturma:<\/strong> BigQuery ML kullanarak kullan\u0131c\u0131lar\u0131n, hizmet hesaplar\u0131n\u0131n veya kaynaklar\u0131n normal davran\u0131\u015f kal\u0131plar\u0131n\u0131 belirleyebilir, bu da Chronicle'da daha hassas anomali tabanl\u0131 kurallar yazmak i\u00e7in temel olu\u015fturur.<\/li>\n<li><strong>Olay M\u00fcdahalesi ve Adli Analiz:<\/strong> Bir g\u00fcvenlik olay\u0131 meydana geldi\u011finde, BigQuery'deki kapsaml\u0131 log ar\u015fivi, olay\u0131n k\u00f6k nedenini bulmak, yay\u0131l\u0131m\u0131n\u0131 anlamak ve adli kan\u0131t toplamak i\u00e7in paha bi\u00e7ilmezdir.<\/li>\n<li><strong>Chronicle Kurallar\u0131n\u0131 Geli\u015ftirme:<\/strong> BigQuery'de ke\u015ffetti\u011finiz yeni sald\u0131r\u0131 desenlerini veya IOC'leri (Indicator of Compromise), Chronicle SIEM'in alg\u0131lama motorunda YARA-L kurallar\u0131 olarak uygulayabilirsiniz.<\/li>\n<\/ul>\n<p>Yani, BigQuery, Chronicle'a do\u011frudan anl\u0131k \"alert\" g\u00f6ndermekten ziyade, Chronicle'\u0131n alg\u0131lama yeteneklerini zenginle\u015ftiren \"istihbarat\" ve \"kural geli\u015ftirme\" platformu olarak i\u015flev g\u00f6r\u00fcr. \u00d6rne\u011fin, BigQuery'de tespit etti\u011finiz bir IP adresinden gelen anormal say\u0131da ba\u015far\u0131s\u0131z oturum a\u00e7ma giri\u015fimini bir IOC olarak al\u0131p, bu IP'yi hedefleyen bir YARA-L kural\u0131 olu\u015fturabilirsiniz.<\/p>\n<h3>YARA-L Kurallar\u0131 ile Geli\u015fmi\u015f Tehdit Tespiti<\/h3>\n<p>Chronicle SIEM'in kalbinde, g\u00fcvenlik verilerinizde tehditleri tespit etmek i\u00e7in kullan\u0131lan YARA-L adl\u0131 g\u00fc\u00e7l\u00fc bir alg\u0131lama dili bulunur. YARA-L, \u00f6zellikle geli\u015fmi\u015f tehditler (APT'ler), k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131mlar ve \u015f\u00fcpheli davran\u0131\u015flar i\u00e7in kurallar yazman\u0131za olanak tan\u0131r. BigQuery'de yapt\u0131\u011f\u0131n\u0131z analizlerden elde etti\u011finiz i\u00e7g\u00f6r\u00fcleri YARA-L kurallar\u0131na d\u00f6n\u00fc\u015ft\u00fcrerek, Chronicle'\u0131n ger\u00e7ek zamanl\u0131 alg\u0131lama yeteneklerini g\u00fc\u00e7lendirebilirsiniz.<\/p>\n<p>YARA-L kurallar\u0131 temel olarak \u00fc\u00e7 b\u00f6l\u00fcmden olu\u015fur:<\/p>\n<ul>\n<li><strong>Meta B\u00f6l\u00fcm\u00fc:<\/strong> Kural hakk\u0131nda bilgi (yazar, a\u00e7\u0131klama, referanslar).<\/li>\n<li><strong>Events B\u00f6l\u00fcm\u00fc:<\/strong> Alg\u0131laman\u0131n temelini olu\u015fturan olaylar\u0131 tan\u0131mlar. Bu b\u00f6l\u00fcmde, Unified Data Model (UDM) alanlar\u0131n\u0131 kullanarak log verilerini filtreleyebilirsiniz.<\/li>\n<li><strong>Outcome B\u00f6l\u00fcm\u00fc:<\/strong> Alg\u0131lama tetiklendi\u011finde al\u0131nacak eylemleri veya d\u00f6nd\u00fcr\u00fclecek bilgiyi tan\u0131mlar.<\/li>\n<\/ul>\n<p>\u00d6rnek olarak, BigQuery'de tespit etti\u011fimiz \"Al\u0131\u015f\u0131lmad\u0131k Konumdan Y\u00f6netici Etkinli\u011fi\" senaryosunu Chronicle SIEM'de bir YARA-L kural\u0131na d\u00f6n\u00fc\u015ft\u00fcrelim. \u0130lk ad\u0131mda, g\u00fcvenli kabul edilen \u00fclkelerin veya IP aral\u0131klar\u0131n\u0131n bir listesini d\u0131\u015f referans olarak kullanabiliriz.<\/p>\n<pre><code>\nrule unusual_admin_login_from_new_location {\n  meta:\n    author = \"Your Security Team\"\n    description = \"Detects admin logins from IP addresses not seen before for that user, potentially indicating account compromise.\"\n    severity = \"HIGH\"\n    reference = \"BigQuery analysis: Unusual Admin Activity\"\n\n  events:\n    $e.metadata.event_type = \"USER_LOGIN\"\n    $e.metadata.product_object.labels[\"type\"] = \"GCP_AUDIT_LOG\"\n    $e.principal.user.email = \/@yourdomain.com\/ nocase \/\/ Etki alan\u0131n\u0131z\u0131 buraya ekleyin\n    $e.principal.ip IN %unusual_admin_ip_list \/\/ Bu liste BigQuery analizinden gelebilir\n\n  outcome:\n    $e.metadata.vendor_name = \"Google Cloud\"\n    $e.metadata.product_name = \"Audit Logs\"\n    $e.detection.id = \"UNUSUAL_ADMIN_LOGIN\"\n    $e.detection.description = \"Admin login from an unusual IP address based on BigQuery historical analysis.\"\n\n  \/\/ Bu kural, 'unusual_admin_ip_list' ad\u0131nda dinamik bir referans listesi kullan\u0131r.\n  \/\/ Bu liste, BigQuery'de yap\u0131lan ge\u00e7mi\u015f analizlerden elde edilen ve bir kullan\u0131c\u0131n\u0131n daha \u00f6nce hi\u00e7 giri\u015f yapmad\u0131\u011f\u0131 IP adreslerini i\u00e7erebilir.\n  \/\/ Bu listenin Chronicle'a beslenmesi gerekmektedir (\u00f6rne\u011fin API veya feed arac\u0131l\u0131\u011f\u0131yla).\n}\n    <\/pre>\n<p><\/code><\/p>\n<p><em>A\u00e7\u0131klama:<\/em> Bu YARA-L kural\u0131, GCP denetim kay\u0131tlar\u0131ndan gelen \"USER_LOGIN\" t\u00fcr\u00fcndeki olaylar\u0131 hedefler. \u00d6zellikle, <code>unusual_admin_ip_list<\/code> adl\u0131 bir referans listesindeki IP adreslerinden gelen ve tan\u0131mlanm\u0131\u015f etki alan\u0131ndaki y\u00f6netici e-postalar\u0131na ait oturum a\u00e7ma denemelerini yakalar. Bu <code>unusual_admin_ip_list<\/code>, BigQuery'de yap\u0131lan ge\u00e7mi\u015f analizlerden (bir kullan\u0131c\u0131n\u0131n belirli bir zaman diliminde hi\u00e7 g\u00f6r\u00fclmemi\u015f bir IP'den giri\u015f yapmas\u0131 gibi) dinamik olarak olu\u015fturulabilir ve Chronicle'a aktar\u0131labilir. Bu dinamik listeler, BigQuery'nin analitik g\u00fcc\u00fcn\u00fc Chronicle'\u0131n ger\u00e7ek zamanl\u0131 alg\u0131lama motoruyla birle\u015ftirmenin bir yoludur.<\/p>\n<div class=\"tip-box\">\n      Uzman \u0130pucu: Chronicle SIEM'de dinamik referans listeleri (threat intelligence feed'leri gibi) olu\u015fturarak, BigQuery'den elde etti\u011finiz karma\u015f\u0131k IOC'leri (\u015f\u00fcpheli IP'ler, kullan\u0131c\u0131lar, kaynak adlar\u0131 vb.) otomatik olarak bu listelere besleyebilir ve YARA-L kurallar\u0131n\u0131z\u0131 bu listeleri kullanarak daha esnek ve g\u00fcncel hale getirebilirsiniz.\n    <\/div>\n<h2>Vaka Analizi: Fidye Yaz\u0131l\u0131m\u0131 Sald\u0131r\u0131s\u0131 Erken Tespiti<\/h2>\n<p>Ger\u00e7ek d\u00fcnya senaryolar\u0131nda, bulut denetim kay\u0131tlar\u0131 ve geli\u015fmi\u015f analiz ara\u00e7lar\u0131, bir sald\u0131r\u0131n\u0131n erken a\u015famalar\u0131nda tespit edilmesinde hayati rol oynar. \u015eimdi, kurgusal bir fidye yaz\u0131l\u0131m\u0131 sald\u0131r\u0131s\u0131 senaryosunu ele alal\u0131m ve BigQuery ile Chronicle SIEM'in bu sald\u0131r\u0131y\u0131 nas\u0131l erken a\u015famada tespit edebilece\u011fini inceleyelim.<\/p>\n<h3>Senaryo: Bir Hizmet Hesab\u0131n\u0131n Ele Ge\u00e7irilmesi ve Dosya \u015eifreleme Giri\u015fimi<\/h3>\n<p>Bir kurulu\u015fun GCP ortam\u0131nda \u00e7al\u0131\u015fan bir hizmet hesab\u0131 (<code>data-processor@your-project.iam.gserviceaccount.com<\/code>), genellikle Cloud Storage'daki belirli kovalara okuma\/yazma eri\u015fimi olan ve d\u00fczenli veri i\u015fleme g\u00f6revlerini yerine getiren me\u015fru bir hesapt\u0131r. Ancak bir sald\u0131rgan, bu hizmet hesab\u0131n\u0131n kimlik bilgilerini (\u00f6rne\u011fin, bir GCE \u00f6rne\u011findeki zafiyet veya yanl\u0131\u015f yap\u0131land\u0131rma yoluyla) ele ge\u00e7irir.<\/p>\n<p>Sald\u0131rgan, ele ge\u00e7irdi\u011fi hizmet hesab\u0131n\u0131 kullanarak a\u015fa\u011f\u0131daki \u015f\u00fcpheli eylemleri ger\u00e7ekle\u015ftirmeye ba\u015flar:<\/p>\n<ol>\n<li>Kurulu\u015fun kritik veri i\u00e7eren birden fazla Cloud Storage kovas\u0131na ayn\u0131 anda eri\u015fim sa\u011flamaya \u00e7al\u0131\u015f\u0131r.<\/li>\n<li>Bu kovalardaki dosyalar\u0131 okuduktan k\u0131sa bir s\u00fcre sonra, ayn\u0131 hizmet hesab\u0131 bu dosyalar\u0131 \"delete\" (silme) veya \"update\" (g\u00fcncelleme - \u015fifreleme ile e\u015fde\u011fer) operasyonlar\u0131yla de\u011fi\u015ftirmeye ba\u015flar.<\/li>\n<li>Normalde eri\u015fmedi\u011fi co\u011frafi b\u00f6lgelerdeki veya farkl\u0131 projelerdeki depolama koval\u0131na eri\u015fmeye \u00e7al\u0131\u015f\u0131r.<\/li>\n<\/ol>\n<h3>BigQuery ve Chronicle SIEM ile Erken Tespit<\/h3>\n<p>Bu senaryoda, BigQuery ve Chronicle SIEM'in birle\u015fimi sald\u0131r\u0131y\u0131 birden fazla a\u015famada tespit edebilir:<\/p>\n<h4>BigQuery ile Anomali Avc\u0131l\u0131\u011f\u0131 ve Temel \u00c7izgi Olu\u015fturma:<\/h4>\n<p>BigQuery, uzun vadeli ve karma\u015f\u0131k kal\u0131p analizleri i\u00e7in kullan\u0131l\u0131r. G\u00fcvenlik ekibi, hizmet hesaplar\u0131n\u0131n ge\u00e7mi\u015f davran\u0131\u015flar\u0131n\u0131 analiz ederek bir \"normal\" temel \u00e7izgi olu\u015fturabilir:<\/p>\n<ul>\n<li><strong>Normal Davran\u0131\u015f Analizi:<\/strong> BigQuery, <code>data-processor<\/code> hizmet hesab\u0131n\u0131n genellikle hangi Cloud Storage kovalar\u0131na, hangi b\u00f6lgelerde ve ne s\u0131kl\u0131kla eri\u015fti\u011fini belirlemek i\u00e7in ge\u00e7mi\u015f denetim kay\u0131tlar\u0131n\u0131 analiz edebilir.<\/li>\n<li><strong>Anormal Eri\u015fim Kal\u0131plar\u0131:<\/strong> Sald\u0131r\u0131 an\u0131nda, BigQuery'deki bir sorgu, <code>data-processor<\/code> hesab\u0131n\u0131n, normalde eri\u015fmedi\u011fi co\u011frafi b\u00f6lgelerden veya \u00e7ok daha y\u00fcksek bir h\u0131zda, \u00e7ok say\u0131da farkl\u0131 kovaya eri\u015fti\u011fini tespit edebilir. \u00d6rne\u011fin:\n<pre><code>\nSELECT\n    timestamp,\n    protoPayload.authenticationInfo.principalEmail AS service_account,\n    protoPayload.methodName AS action,\n    REGEXP_EXTRACT(protoPayload.resourceName, 'buckets\/(.*?)\/') AS bucket_name,\n    COUNT(*) AS event_count\nFROM\n    <code>your_project_id.audit_logs.cloudaudit_googleapis_com_data_access_*<\/code>\nWHERE\n    _PARTITIONTIME BETWEEN TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 HOUR) AND CURRENT_TIMESTAMP()\n    AND protoPayload.authenticationInfo.principalEmail = 'data-processor@your-project.iam.gserviceaccount.com'\n    AND protoPayload.methodName IN ('google.storage.v1.storage.objects.get', 'google.storage.v1.storage.objects.update')\nGROUP BY\n    service_account, action, bucket_name, TIMESTAMP_TRUNC(timestamp, MINUTE)\nHAVING\n    event_count > 50 -- 1 dakika i\u00e7inde belirli bir kovada 50'den fazla okuma\/g\u00fcncelleme\nORDER BY\n    event_count DESC;\n            <\/pre>\n<p><\/code><\/p>\n<p>Bu sorgu, <code>data-processor<\/code> hesab\u0131n\u0131n belirli bir kovada anormal say\u0131da okuma\/g\u00fcncelleme yap\u0131p yapmad\u0131\u011f\u0131n\u0131 belirleyerek potansiyel bir sald\u0131r\u0131y\u0131 i\u015faret edebilir.<\/p>\n<\/ul>\n<h4>Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Alg\u0131lama ve Korelasyon:<\/h4>\n<p>Chronicle SIEM, do\u011frudan Log Router'dan gelen ger\u00e7ek zamanl\u0131 denetim kay\u0131tlar\u0131n\u0131 kullanarak an\u0131nda alg\u0131lama kurallar\u0131 \u00e7al\u0131\u015ft\u0131r\u0131r:<\/p>\n<ul>\n<li><strong>A\u015fama 1: Anormal Kaynak Eri\u015fimi (BigQuery'den Al\u0131nan Bilgiyle):<\/strong> BigQuery'deki analizin \"data-processor\" hesab\u0131n\u0131n normalde eri\u015fmedi\u011fi \"finance-data-backup\" kovas\u0131na eri\u015fti\u011fini g\u00f6sterdi\u011fini varsayal\u0131m. Bu bilgiyle bir YARA-L kural\u0131 olu\u015fturulabilir.\n<pre><code>\nrule unusual_service_account_access_to_critical_bucket {\n  meta:\n    author = \"Your SOC Team\"\n    description = \"Detects unusual access by a service account to a critical Cloud Storage bucket.\"\n    severity = \"HIGH\"\n\n  events:\n    $e.metadata.event_type = \"STORAGE_OBJECT_ACCESS\"\n    $e.principal.user.email = \"data-processor@your-project.iam.gserviceaccount.com\"\n    $e.target.resource.name = \"finance-data-backup\" \/\/ Kritik kova ad\u0131\n    $e.principal.ip IN %unusual_access_ips \/\/ BigQuery'den beslenen anormal IP listesi\n\n  outcome:\n    $e.detection.id = \"CRITICAL_BUCKET_UNUSUAL_ACCESS\"\n    $e.detection.description = \"Service account 'data-processor' accessed critical bucket from unusual IP.\"\n}\n            <\/pre>\n<p><\/code><\/p>\n<p>Bu kural, <code>data-processor<\/code> hesab\u0131n\u0131n kritik bir kovaya eri\u015fmesini ve bu eri\u015fimin BigQuery taraf\u0131ndan anormal kabul edilen bir IP'den gelmesini izler.<\/p>\n<li><strong>A\u015fama 2: Toplu Silme\/De\u011fi\u015ftirme (\u015eifreleme G\u00f6stergesi):<\/strong> Ayn\u0131 hizmet hesab\u0131n\u0131n, k\u0131sa bir s\u00fcre i\u00e7inde birden fazla dosyay\u0131 silme veya de\u011fi\u015ftirme (<code>objects.update<\/code> genellikle dosya i\u00e7eri\u011finin de\u011fi\u015ftirilmesi, yani \u015fifrelenmesi anlam\u0131na gelir) eylemini tespit eden bir YARA-L kural\u0131 tetiklenir.\n<pre><code>\nrule ransomware_like_file_modification {\n  meta:\n    author = \"Your SOC Team\"\n    description = \"Detects rapid, large-scale file modification\/deletion by a single service account, indicative of ransomware.\"\n    severity = \"CRITICAL\"\n    mitre_attack = \"T1486 - Data Encrypted for Impact\"\n\n  events:\n    $e.metadata.event_type = \"STORAGE_OBJECT_CHANGE\"\n    $e.principal.user.email = \"data-processor@your-project.iam.gserviceaccount.com\"\n    $e.target.resource.name = \/^projects\\\/.*\\\/buckets\\\/.*\\\/\/ \/\/ Herhangi bir kovay\u0131 hedefle\n    $e.metadata.event_type = \"STORAGE_OBJECT_CHANGE\"\n    $e.security_result.action = \"ALLOW\"\n\n  match:\n    \/\/ Ayn\u0131 hizmet hesab\u0131 taraf\u0131ndan 5 dakika i\u00e7inde 100'den fazla obje de\u011fi\u015fikli\u011fi\n    $e.principal.user.email over 100 events in 5m by $e.principal.user.email\n\n  outcome:\n    $e.detection.id = \"RANSOMWARE_SUSPICIOUS_ACTIVITY\"\n    $e.detection.description = \"Service account 'data-processor' engaged in high-volume, rapid file modification\/deletion, potential ransomware.\"\n}\n            <\/pre>\n<p><\/code><\/p>\n<p>Bu kural, <code>data-processor<\/code> hizmet hesab\u0131n\u0131n 5 dakika i\u00e7inde 100'den fazla depolama objesini de\u011fi\u015ftirmesi durumunda bir alarm verir. Bu, fidye yaz\u0131l\u0131m\u0131 benzeri davran\u0131\u015f\u0131n g\u00fc\u00e7l\u00fc bir g\u00f6stergesidir.<\/p>\n<\/ul>\n<p>Bu iki a\u015famal\u0131 yakla\u015f\u0131m sayesinde, sald\u0131r\u0131n\u0131n ilk a\u015famalar\u0131ndaki anormal eri\u015fim kal\u0131plar\u0131 BigQuery taraf\u0131ndan ortaya \u00e7\u0131kar\u0131l\u0131rken, Chronicle SIEM, ger\u00e7ek zamanl\u0131 olarak \u015f\u00fcpheli dosya modifikasyonlar\u0131n\u0131 tespit ederek an\u0131nda bir alarm olu\u015fturur. G\u00fcvenlik ekibi, Chronicle'\u0131n entegre olay m\u00fcdahale yetenekleri sayesinde h\u0131zla olaya m\u00fcdahale edebilir, ele ge\u00e7irilen hizmet hesab\u0131n\u0131 devre d\u0131\u015f\u0131 b\u0131rakabilir ve potansiyel veri kayb\u0131n\u0131 en aza indirebilir.<\/p>\n<h2>\u0130leri D\u00fczey \u0130pu\u00e7lar\u0131 ve En \u0130yi Uygulamalar<\/h2>\n<p>BigQuery ve Chronicle SIEM ile g\u00fcvenlik operasyonlar\u0131n\u0131z\u0131 bir \u00fcst seviyeye ta\u015f\u0131mak i\u00e7in baz\u0131 ileri d\u00fczey ipu\u00e7lar\u0131 ve en iyi uygulamalar \u015funlard\u0131r:<\/p>\n<ul>\n<li><strong>BigQuery Sorgular\u0131n\u0131 Otomatikle\u015ftirme:<\/strong> Tehdit avc\u0131l\u0131\u011f\u0131 i\u00e7in geli\u015ftirdi\u011finiz BigQuery sorgular\u0131n\u0131 manuel olarak \u00e7al\u0131\u015ft\u0131rmak yerine, bunlar\u0131 otomatikle\u015ftirin. Google Cloud Scheduled Queries veya Cloud Functions kullanarak belirli aral\u0131klarla (\u00f6rne\u011fin, her saat veya her g\u00fcn) bu sorgular\u0131 \u00e7al\u0131\u015ft\u0131rabilir ve sonu\u00e7lar\u0131 bir Pub\/Sub konusuna, Cloud Storage'a veya do\u011frudan Chronicle'a bir besleme olarak g\u00f6nderebilirsiniz.<\/li>\n<li><strong>Dinamik Tehdit Beslemeleri Olu\u015fturma:<\/strong> BigQuery'de tespit etti\u011finiz \u015f\u00fcpheli IP adresleri, kullan\u0131c\u0131 hesaplar\u0131 veya kaynak adlar\u0131 gibi g\u00f6stergeleri (IOC'ler) dinamik listeler halinde d\u0131\u015fa aktar\u0131n. Bu listeleri Chronicle SIEM'e veya di\u011fer g\u00fcvenlik ara\u00e7lar\u0131n\u0131za (\u00f6rne\u011fin, g\u00fcvenlik duvarlar\u0131, WAF'ler) besleyerek, alg\u0131lama ve \u00f6nleme yeteneklerinizi ger\u00e7ek zamanl\u0131 olarak g\u00fcncel tutun.<\/li>\n<li><strong>BigQuery Maliyet Optimizasyonu:<\/strong> BigQuery'nin sorgu maliyetleri i\u015flenen veri miktar\u0131na ba\u011fl\u0131 oldu\u011fundan, cost.googleapis.com API'si gibi ara\u00e7lar\u0131 kullanarak BigQuery kullan\u0131m\u0131n\u0131z\u0131 izleyin. \u00d6zellikle s\u0131k \u00e7al\u0131\u015ft\u0131r\u0131lan otomatik sorgularda, sadece gerekli s\u00fctunlar\u0131 se\u00e7meye, b\u00f6l\u00fcmleme ve k\u00fcmeleme kullanmaya \u00f6zen g\u00f6sterin. Gereksiz veya \u00e7ok geni\u015f tarih aral\u0131\u011f\u0131 sorgular\u0131ndan ka\u00e7\u0131n\u0131n.<\/li>\n<li><strong>Siber G\u00fcvenlik SOAR (Security Orchestration, Automation and Response) Entegrasyonu:<\/strong> Chronicle SIEM'den gelen alarmlar\u0131, Cloud Functions veya di\u011fer entegrasyon ara\u00e7lar\u0131 arac\u0131l\u0131\u011f\u0131yla bir SOAR platformuna ileterek olay m\u00fcdahale s\u00fcre\u00e7lerinizi otomatikle\u015ftirin. Bu, bir alarm tetiklendi\u011finde otomatik olarak soru\u015fturma ba\u015flatma, kullan\u0131c\u0131y\u0131 kilitleme veya bir a\u011f segmentini izole etme gibi eylemleri tetikleyebilir.<\/li>\n<li><strong>Kurallar\u0131 D\u00fczenli Olarak G\u00f6zden Ge\u00e7irme ve Ayarlama:<\/strong> Tehdit ortam\u0131 s\u00fcrekli de\u011fi\u015fti\u011finden, hem BigQuery'deki analitik sorgular\u0131n\u0131z\u0131 hem de Chronicle SIEM'deki YARA-L kurallar\u0131n\u0131z\u0131 d\u00fczenli olarak g\u00f6zden ge\u00e7irin ve g\u00fcncelleyin. Yanl\u0131\u015f pozitifleri azaltmak ve yeni tehditleri kapsamak i\u00e7in s\u00fcrekli ayarlamalar yap\u0131n.<\/li>\n<li><strong>Kullan\u0131c\u0131 ve Hizmet Hesab\u0131 Davran\u0131\u015f Profilleri Olu\u015fturma:<\/strong> BigQuery ML kullanarak kullan\u0131c\u0131lar\u0131n ve hizmet hesaplar\u0131n\u0131n normal davran\u0131\u015f kal\u0131plar\u0131n\u0131 \u00f6\u011frenin. Bu profillerden sapan herhangi bir aktiviteyi, Chronicle'da anomali tabanl\u0131 alg\u0131lama kurallar\u0131 ile hedefleyin.<\/li>\n<\/ul>\n<h2>Sonu\u00e7: Gelece\u011fin G\u00fcvenlik Operasyonlar\u0131<\/h2>\n<p>Bulut ortamlar\u0131n\u0131n karma\u015f\u0131kl\u0131\u011f\u0131 ve siber tehditlerin s\u00fcrekli evrimi, geleneksel g\u00fcvenlik yakla\u015f\u0131mlar\u0131n\u0131n yetersiz kalmas\u0131na neden olmaktad\u0131r. Google Cloud Audit Logs'tan ba\u015flayarak, BigQuery'nin g\u00fc\u00e7l\u00fc analitik yetenekleri ve Chronicle SIEM'in ger\u00e7ek zamanl\u0131 alg\u0131lama motoruyla birle\u015fen entegre bir yakla\u015f\u0131m, kurulu\u015flar\u0131n siber g\u00fcvenlik duru\u015funu \u00f6nemli \u00f6l\u00e7\u00fcde g\u00fc\u00e7lendirmektedir. Bu makalede ad\u0131m ad\u0131m a\u00e7\u0131klad\u0131\u011f\u0131m\u0131z entegrasyon s\u00fcreci, bulut kaynaklar\u0131n\u0131z \u00fczerinde tam g\u00f6r\u00fcn\u00fcrl\u00fck sa\u011flaman\u0131za, anormal davran\u0131\u015flar\u0131 h\u0131zla tespit etmenize ve potansiyel tehditlere kar\u015f\u0131 proaktif bir \u015fekilde m\u00fcdahale etmenize olanak tan\u0131r.<\/p>\n<p>BigQuery, petabaytlarca veriyi i\u015fleyebilme kapasitesiyle derinlemesine tehdit avc\u0131l\u0131\u011f\u0131na ve karma\u015f\u0131k anomali tespitine olanak tan\u0131rken, Chronicle SIEM t\u00fcm g\u00fcvenlik verilerinizi tek bir platformda birle\u015ftirerek, YARA-L kurallar\u0131 ile ger\u00e7ek zamanl\u0131 alg\u0131lama ve olay m\u00fcdahalesi sa\u011flar. Bu sinerjik yakla\u015f\u0131m, g\u00fcvenlik operasyon ekiplerinin daha h\u0131zl\u0131, daha ak\u0131ll\u0131 ve daha verimli \u00e7al\u0131\u015fmas\u0131na yard\u0131mc\u0131 olur. Sonu\u00e7 olarak, bu g\u00fc\u00e7l\u00fc ara\u00e7lar\u0131 etkin bir \u015fekilde kullanarak, dijital varl\u0131klar\u0131n\u0131z\u0131 daha iyi koruyabilir ve gelece\u011fin g\u00fcvenlik tehditlerine kar\u015f\u0131 daha diren\u00e7li olabilirsiniz.<\/p>\n<h3>S\u0131k\u00e7a Sorulan Sorular<\/h3>\n<ul>\n<li>\n            <strong>BigQuery ve Chronicle SIEM birlikte kullan\u0131ld\u0131\u011f\u0131nda maliyetler nas\u0131l y\u00f6netilir?<\/strong><\/p>\n<p><strong>Cevap:<\/strong> BigQuery maliyetleri genellikle depolama ve sorgulanan veri miktar\u0131na ba\u011fl\u0131d\u0131r. Maliyetleri y\u00f6netmek i\u00e7in sorgular\u0131n\u0131z\u0131 optimize edin (yaln\u0131zca gerekli s\u00fctunlar\u0131 se\u00e7in, b\u00f6l\u00fcmleme ve k\u00fcmeleme kullan\u0131n) ve kullan\u0131lmayan tablolar\u0131 temizleyin. Chronicle SIEM ise veri al\u0131m hacmine g\u00f6re fiyatland\u0131r\u0131l\u0131r. \u0130htiya\u00e7 duymad\u0131\u011f\u0131n\u0131z loglar\u0131 filtreleyerek veya daha az kritik loglar\u0131 daha uzun saklama s\u00fcreleriyle BigQuery'ye y\u00f6nlendirerek maliyetleri optimize edebilirsiniz. Ayr\u0131ca, GCP'nin maliyet y\u00f6netimi ara\u00e7lar\u0131n\u0131 kullanarak b\u00fct\u00e7e uyar\u0131lar\u0131 ayarlamak \u00f6nemlidir.<\/p>\n<\/li>\n<li>\n            <strong>BigQuery'deki t\u00fcm verileri Chronicle SIEM'e aktarmal\u0131 m\u0131y\u0131m?<\/strong><\/p>\n<p><strong>Cevap:<\/strong> Genellikle hay\u0131r. Cloud Audit Logs gibi kritik g\u00fcvenlik verileri hem BigQuery'ye hem de Chronicle SIEM'e do\u011frudan ak\u0131t\u0131labilir. BigQuery, uzun s\u00fcreli depolama, derinlemesine analitik ve makine \u00f6\u011frenimi tabanl\u0131 tehdit avc\u0131l\u0131\u011f\u0131 i\u00e7in idealdir. Chronicle SIEM ise ger\u00e7ek zamanl\u0131 alg\u0131lama, olay korelasyonu ve olay m\u00fcdahalesi i\u00e7in tasarlanm\u0131\u015ft\u0131r. BigQuery'den elde etti\u011finiz belirli i\u00e7g\u00f6r\u00fcleri (\u00f6rn. \u015f\u00fcpheli IP listeleri, anomali e\u015fikleri) Chronicle'daki YARA-L kurallar\u0131n\u0131z\u0131 zenginle\u015ftirmek i\u00e7in kullanman\u0131z daha verimlidir, t\u00fcm ham veriyi aktarmak yerine.<\/p>\n<\/li>\n<li>\n            <strong>YARA-L kurallar\u0131 yazmak i\u00e7in herhangi bir programlama bilgisine sahip olmam gerekiyor mu?<\/strong><\/p>\n<p><strong>Cevap:<\/strong> YARA-L, g\u00fcvenlik analistleri i\u00e7in tasarlanm\u0131\u015f, okunmas\u0131 ve yaz\u0131lmas\u0131 nispeten kolay bir dildir. Temel programlama mant\u0131\u011f\u0131na a\u015fina olmak faydal\u0131 olsa da, kapsaml\u0131 bir yaz\u0131l\u0131m geli\u015ftirme bilgisi gerekmez. Google Cloud'un kapsaml\u0131 dok\u00fcmantasyonu ve \u00f6rnek kurallar, ba\u015flang\u0131\u00e7 seviyesindeki kullan\u0131c\u0131lar\u0131n bile etkili kurallar olu\u015fturmas\u0131na yard\u0131mc\u0131 olabilir.<\/p>\n<\/li>\n<li>\n            <strong>BigQuery ML, s\u0131f\u0131r g\u00fcn (zero-day) tehditlerini tespit edebilir mi?<\/strong><\/p>\n<p><strong>Cevap:<\/strong> BigQuery ML, bilinmeyen veya \"s\u0131f\u0131r g\u00fcn\" tehditlerini do\u011frudan tespit etmekte zorlanabilir, \u00e7\u00fcnk\u00fc bunlar i\u00e7in bilinen bir imza veya kal\u0131p yoktur. Ancak, BigQuery ML'i kullanarak anormal davran\u0131\u015flar\u0131 (\u00f6rne\u011fin, bir kullan\u0131c\u0131n\u0131n veya hizmet hesab\u0131n\u0131n normalden sapmas\u0131) tespit edebilir. Bu t\u00fcr anormallikler, s\u0131f\u0131r g\u00fcn sald\u0131r\u0131s\u0131n\u0131n bir yan etkisi olabilir ve bu sayede sald\u0131r\u0131n\u0131n belirtilerini fark etmenize yard\u0131mc\u0131 olabilir. Bu, imza tabanl\u0131 tespitten daha proaktif bir yakla\u015f\u0131md\u0131r.<\/p>\n<\/li>\n<li>\n            <strong>Bu \u00e7\u00f6z\u00fcm, di\u011fer bulut sa\u011flay\u0131c\u0131lar\u0131n\u0131n (AWS, Azure) denetim kay\u0131tlar\u0131yla da \u00e7al\u0131\u015f\u0131r m\u0131?<\/strong><\/p>\n<p><strong>Cevap:<\/strong> Bu makale Google Cloud Platform \u00f6zelinde BigQuery ve Chronicle SIEM entegrasyonuna odaklanm\u0131\u015ft\u0131r. Ancak Chronicle SIEM, di\u011fer bulut sa\u011flay\u0131c\u0131lar\u0131ndan (AWS CloudTrail, Azure Monitor gibi) ve \u015firket i\u00e7i sistemlerden gelen loglar\u0131 da alabilen bir platformdur. Bu loglar\u0131 da UDM'ye d\u00f6n\u00fc\u015ft\u00fcrerek analiz edebilir. BigQuery ise genellikle GCP ortam\u0131nda en verimli \u015fekilde \u00e7al\u0131\u015fsa da, federated query \u00f6zelli\u011fi ile di\u011fer bulutlardaki veri kaynaklar\u0131na da eri\u015febilir. Ancak entegrasyon detaylar\u0131 bulut sa\u011flay\u0131c\u0131s\u0131na g\u00f6re de\u011fi\u015fiklik g\u00f6sterecektir.<\/p>\n<\/li>\n<\/ul>\n<p><\/body><\/p>\n","protected":false},"excerpt":{"rendered":"Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform&#8217;daki denetim&hellip;","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"csco_page_header_type":"","csco_page_load_nextpost":"","csco_page_subscribe_form":"","csco_page_contact_form":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-34890","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-genel","7":"cs-entry","8":"cs-video-wrap"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v25.3.1) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti<\/title>\n<meta name=\"description\" content=\"Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform&#039;daki denetim kay\u0131tlar\u0131n\u0131 BigQuery ile analiz ederek ve Chronicle SIEM ile ger\u00e7ek zamanl\u0131 tehdit tespiti yaparak g\u00fcvenlik duru\u015funuzu nas\u0131l g\u00fc\u00e7lendirebilece\u011finizi ad\u0131m ad\u0131m a\u00e7\u0131kl\u0131yor. B\u00f6ylece, anormallikleri h\u0131zla belirleyip m\u00fcdahale edebilirsiniz.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/\" \/>\n<meta property=\"og:locale\" content=\"tr_TR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti\" \/>\n<meta property=\"og:description\" content=\"Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform&#039;daki denetim kay\u0131tlar\u0131n\u0131 BigQuery ile analiz ederek ve Chronicle SIEM ile ger\u00e7ek zamanl\u0131 tehdit tespiti yaparak g\u00fcvenlik duru\u015funuzu nas\u0131l g\u00fc\u00e7lendirebilece\u011finizi ad\u0131m ad\u0131m a\u00e7\u0131kl\u0131yor. B\u00f6ylece, anormallikleri h\u0131zla belirleyip m\u00fcdahale edebilirsiniz.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/\" \/>\n<meta property=\"og:site_name\" content=\"Kodlar\u0131n Gizemli D\u00fcnyas\u0131\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-23T06:01:23+00:00\" \/>\n<meta name=\"author\" content=\"Fatih Soysal\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Yazan:\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fatih Soysal\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tahmini okuma s\u00fcresi\" \/>\n\t<meta name=\"twitter:data2\" content=\"33 dakika\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/\"},\"author\":{\"name\":\"Fatih Soysal\",\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1\"},\"headline\":\"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti\",\"datePublished\":\"2025-11-23T06:01:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/\"},\"wordCount\":5475,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1\"},\"inLanguage\":\"tr\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/\",\"url\":\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/\",\"name\":\"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti\",\"isPartOf\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#website\"},\"datePublished\":\"2025-11-23T06:01:23+00:00\",\"description\":\"Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform'daki denetim kay\u0131tlar\u0131n\u0131 BigQuery ile analiz ederek ve Chronicle SIEM ile ger\u00e7ek zamanl\u0131 tehdit tespiti yaparak g\u00fcvenlik duru\u015funuzu nas\u0131l g\u00fc\u00e7lendirebilece\u011finizi ad\u0131m ad\u0131m a\u00e7\u0131kl\u0131yor. B\u00f6ylece, anormallikleri h\u0131zla belirleyip m\u00fcdahale edebilirsiniz.\",\"breadcrumb\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#breadcrumb\"},\"inLanguage\":\"tr\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Anasayfa\",\"item\":\"https:\/\/fatihsoysal.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#website\",\"url\":\"https:\/\/fatihsoysal.com\/blog\/\",\"name\":\"Fatihsoysal.com\",\"description\":\"Blog - Yaz\u0131l\u0131m D\u00fcnyas\u0131 Tecr\u00fcbelerim\",\"publisher\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/fatihsoysal.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"tr\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1\",\"name\":\"Fatih Soysal\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"tr\",\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/fatihsoysal.com\/blog\/wp-content\/uploads\/2024\/04\/cropped-replicate-prediction-3kgg1hgjn5rgp0cf0p5tr0jw7w-1.png\",\"contentUrl\":\"https:\/\/fatihsoysal.com\/blog\/wp-content\/uploads\/2024\/04\/cropped-replicate-prediction-3kgg1hgjn5rgp0cf0p5tr0jw7w-1.png\",\"width\":512,\"height\":512,\"caption\":\"Fatih Soysal\"},\"logo\":{\"@id\":\"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"Kullan\u0131m ve kodlama m\u00fckemmeliyetini odak alan uygulamalar olu\u015fturma deneyimine sahip, profesyonel olarak 15+ y\u0131l \u00fczeri deneyime sahip bir yaz\u0131l\u0131m m\u00fchendisi.\",\"url\":\"https:\/\/fatihsoysal.com\/blog\/author\/fatihsoysal\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti","description":"Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform'daki denetim kay\u0131tlar\u0131n\u0131 BigQuery ile analiz ederek ve Chronicle SIEM ile ger\u00e7ek zamanl\u0131 tehdit tespiti yaparak g\u00fcvenlik duru\u015funuzu nas\u0131l g\u00fc\u00e7lendirebilece\u011finizi ad\u0131m ad\u0131m a\u00e7\u0131kl\u0131yor. B\u00f6ylece, anormallikleri h\u0131zla belirleyip m\u00fcdahale edebilirsiniz.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/","og_locale":"tr_TR","og_type":"article","og_title":"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti","og_description":"Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform'daki denetim kay\u0131tlar\u0131n\u0131 BigQuery ile analiz ederek ve Chronicle SIEM ile ger\u00e7ek zamanl\u0131 tehdit tespiti yaparak g\u00fcvenlik duru\u015funuzu nas\u0131l g\u00fc\u00e7lendirebilece\u011finizi ad\u0131m ad\u0131m a\u00e7\u0131kl\u0131yor. B\u00f6ylece, anormallikleri h\u0131zla belirleyip m\u00fcdahale edebilirsiniz.","og_url":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/","og_site_name":"Kodlar\u0131n Gizemli D\u00fcnyas\u0131","article_published_time":"2025-11-23T06:01:23+00:00","author":"Fatih Soysal","twitter_card":"summary_large_image","twitter_misc":{"Yazan:":"Fatih Soysal","Tahmini okuma s\u00fcresi":"33 dakika"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#article","isPartOf":{"@id":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/"},"author":{"name":"Fatih Soysal","@id":"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1"},"headline":"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti","datePublished":"2025-11-23T06:01:23+00:00","mainEntityOfPage":{"@id":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/"},"wordCount":5475,"commentCount":0,"publisher":{"@id":"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1"},"inLanguage":"tr","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/fatihsoysal.com\/blog\/#organization"}},{"@type":"WebPage","@id":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/","url":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/","name":"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti","isPartOf":{"@id":"https:\/\/fatihsoysal.com\/blog\/#website"},"datePublished":"2025-11-23T06:01:23+00:00","description":"Bulut ortamlar\u0131nda g\u00fcvenli\u011fi sa\u011flamak, g\u00fcn\u00fcm\u00fcz\u00fcn karma\u015f\u0131k siber tehdit ortam\u0131nda b\u00fcy\u00fck bir zorluktur. Bu makale, Google Cloud Platform'daki denetim kay\u0131tlar\u0131n\u0131 BigQuery ile analiz ederek ve Chronicle SIEM ile ger\u00e7ek zamanl\u0131 tehdit tespiti yaparak g\u00fcvenlik duru\u015funuzu nas\u0131l g\u00fc\u00e7lendirebilece\u011finizi ad\u0131m ad\u0131m a\u00e7\u0131kl\u0131yor. B\u00f6ylece, anormallikleri h\u0131zla belirleyip m\u00fcdahale edebilirsiniz.","breadcrumb":{"@id":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#breadcrumb"},"inLanguage":"tr","potentialAction":[{"@type":"ReadAction","target":["https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/fatihsoysal.com\/blog\/bulut-denetim-kayitlarindan-bigquery-ve-chronicle-siem-ile-gercek-zamanli-tehdit-tespiti\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Anasayfa","item":"https:\/\/fatihsoysal.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Bulut Denetim Kay\u0131tlar\u0131ndan BigQuery ve Chronicle SIEM ile Ger\u00e7ek Zamanl\u0131 Tehdit Tespiti"}]},{"@type":"WebSite","@id":"https:\/\/fatihsoysal.com\/blog\/#website","url":"https:\/\/fatihsoysal.com\/blog\/","name":"Fatihsoysal.com","description":"Blog - Yaz\u0131l\u0131m D\u00fcnyas\u0131 Tecr\u00fcbelerim","publisher":{"@id":"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/fatihsoysal.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"tr"},{"@type":["Person","Organization"],"@id":"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/002a254750921dcfd568a99e48240dd1","name":"Fatih Soysal","image":{"@type":"ImageObject","inLanguage":"tr","@id":"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/fatihsoysal.com\/blog\/wp-content\/uploads\/2024\/04\/cropped-replicate-prediction-3kgg1hgjn5rgp0cf0p5tr0jw7w-1.png","contentUrl":"https:\/\/fatihsoysal.com\/blog\/wp-content\/uploads\/2024\/04\/cropped-replicate-prediction-3kgg1hgjn5rgp0cf0p5tr0jw7w-1.png","width":512,"height":512,"caption":"Fatih Soysal"},"logo":{"@id":"https:\/\/fatihsoysal.com\/blog\/#\/schema\/person\/image\/"},"description":"Kullan\u0131m ve kodlama m\u00fckemmeliyetini odak alan uygulamalar olu\u015fturma deneyimine sahip, profesyonel olarak 15+ y\u0131l \u00fczeri deneyime sahip bir yaz\u0131l\u0131m m\u00fchendisi.","url":"https:\/\/fatihsoysal.com\/blog\/author\/fatihsoysal\/"}]}},"yoast_meta":{"yoast_wpseo_title":"","yoast_wpseo_metadesc":"","yoast_wpseo_canonical":""},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/posts\/34890","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/comments?post=34890"}],"version-history":[{"count":0,"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/posts\/34890\/revisions"}],"wp:attachment":[{"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/media?parent=34890"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/categories?post=34890"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fatihsoysal.com\/blog\/wp-json\/wp\/v2\/tags?post=34890"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}