
Special Ops: Automating Security Operations (The 429 Analyzer)

We build a Python-powered security bot that analyzes Cloud Armor alerts and sends high-impact result cards to Google Chat.

Author: Pratik Shetti
• Feb 1, 2026 • 3 min read

👋 The Mission

In high-scale environments, Cloud Armor generates thousands of logs. Identifying which ones are true positives (actual attacks) vs. noise is a full-time job.

Today’s mission: Automate the analyst.

We are building a Python script that:

  1. Analyzes raw Cloud Armor Security Policy logs.
  2. Extracts the most frequent offending IPs (429 Rate Limiting).
  3. Packages the data into a professional Google Chat Card.

🐍 The Solution: The Python Analyzer

This script is designed to run in a Cloud Function or as a scheduled job. It parses the incoming JSON alerts and formats them for human-readable consumption.

import os
import requests

def analyze_security_alerts(event, context):
    """
    Parses Cloud Armor logs and sends a summary to Google Chat.
    """
    # 1. Extract logs from the event (expected: a list of LogEntry dicts)
    logs = event.get('data', [])

    summary = {}
    for log in logs:
        # We focus on Rate Limiting (429) events: a DENY outcome from the
        # security policy together with a 429 HTTP status. A plain DENY would
        # also match blocks from other rules (e.g. 403s). .get() keeps one
        # malformed entry from crashing the whole run.
        payload = log.get('jsonPayload', {})
        outcome = payload.get('enforcedSecurityPolicy', {}).get('outcome')
        status = log.get('httpRequest', {}).get('status')
        if outcome == 'DENY' and status == 429:
            ip = payload.get('remoteIp', 'unknown')
            summary[ip] = summary.get(ip, 0) + 1

    # 2. Sort by impact (most hits first) and keep the top 5
    top_offenders = sorted(summary.items(), key=lambda x: x[1], reverse=True)[:5]

    if top_offenders:
        send_to_google_chat(top_offenders)

def send_to_google_chat(data):
    # Read the webhook from the environment instead of committing it to source
    webhook_url = os.environ.get("GOOGLE_CHAT_WEBHOOK", "YOUR_GOOGLE_CHAT_WEBHOOK")

    # Create the Card Payload
    card = {
        "cards": [{
            "header": {
                "title": "🛡️ Cloud Armor: Rate Limit Report",
                "subtitle": "Security Operations Center (SOC)"
            },
            "sections": [{
                "widgets": [
                    {"textParagraph": {"text": "<b>Top Offending IPs (Last 60m)</b>"}},
                    *[{"keyValue": {"topLabel": f"Hits: {count:,}", "content": ip}} for ip, count in data]
                ]
            }]
        }]
    }

    # Fail loudly on a bad webhook or a Chat API error, and never hang the function
    response = requests.post(webhook_url, json=card, timeout=10)
    response.raise_for_status()
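To check the analyzer's filtering and ranking before wiring it to a real webhook, here is an added, self-contained version that separates the aggregation from the sending so it can be run offline. This is example code written for this post, not the author's script: the log entries are constructed (RFC 5737 documentation addresses, made-up counts) in the same shape the script reads (jsonPayload.enforcedSecurityPolicy.outcome, jsonPayload.remoteIp, plus the standard LogEntry httpRequest.status), and the helper names (make_entry, is_rate_limited, top_offenders, build_card) are this example's own. It goes slightly beyond the script by showing that a DENY from a non-rate-limit rule and an ACCEPT are both ignored, and that the card is built as a plain dict you can inspect without posting it.

```python
import json
from collections import Counter


def make_entry(ip, outcome, status):
    """Build one constructed Cloud Armor log entry with only the fields the analyzer reads."""
    return {
        "jsonPayload": {
            "remoteIp": ip,
            "enforcedSecurityPolicy": {"outcome": outcome},
        },
        "httpRequest": {"status": status},
    }


def is_rate_limited(entry):
    """True only for requests the security policy denied with a 429 (rate-limit) response."""
    payload = entry.get("jsonPayload", {})
    outcome = payload.get("enforcedSecurityPolicy", {}).get("outcome")
    status = entry.get("httpRequest", {}).get("status")
    return outcome == "DENY" and status == 429


def top_offenders(entries, limit=5):
    """Count 429-denied hits per source IP and return the `limit` busiest as (ip, hits) pairs."""
    counts = Counter(
        entry["jsonPayload"]["remoteIp"]
        for entry in entries
        if is_rate_limited(entry) and "remoteIp" in entry.get("jsonPayload", {})
    )
    # most_common() sorts by hit count descending; equal counts keep first-seen order
    return counts.most_common(limit)


def build_card(offenders, window="Last 60m"):
    """Return the Google Chat card payload as a dict; the caller decides whether to post it."""
    widgets = [{"textParagraph": {"text": f"<b>Top Offending IPs ({window})</b>"}}]
    for ip, hits in offenders:
        widgets.append({"keyValue": {"topLabel": f"Hits: {hits:,}", "content": ip}})
    return {
        "cards": [{
            "header": {
                "title": "🛡️ Cloud Armor: Rate Limit Report",
                "subtitle": "Security Operations Center (SOC)",
            },
            "sections": [{"widgets": widgets}],
        }]
    }


# Constructed sample: three rate-limited sources, one block by another rule, one allowed request
SAMPLE_LOGS = (
    [make_entry("198.51.100.7", "DENY", 429)] * 6
    + [make_entry("203.0.113.9", "DENY", 429)] * 4
    + [make_entry("192.0.2.1", "DENY", 429)] * 2
    + [make_entry("192.0.2.55", "DENY", 403)]    # denied by a different rule: not a 429
    + [make_entry("192.0.2.77", "ACCEPT", 200)]  # allowed traffic: ignored
)


if __name__ == "__main__":
    offenders = top_offenders(SAMPLE_LOGS)
    # Dry run: print the card that send_to_google_chat() would post
    print(json.dumps(build_card(offenders), indent=2))
```

Running the module prints the card for the sample; the 403 and the ACCEPT never reach the ranking, which is the difference between a "429 analyzer" and a generic "anything denied" report. In production, pass the real log list into top_offenders() and hand the result of build_card() to the posting code.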

📦 The Result: Google Chat Card

When the script detects a spike in 429 errors (Rate Limiting), the SOC team receives this instant notification:

+-------------------------------------------------+
| πŸ›‘οΈ Cloud Armor: Rate Limit Report               |
| Security Operations Center (SOC)                |
+-------------------------------------------------+
| Top Offending IPs (Last 60m)                    |
|                                                 |
| Hits: 1,402                                     |
| IP: 185.220.101.44 (Tor Exit Node)              |
|                                                 |
| Hits: 894                                       |
| IP: 45.155.205.233                              |
|                                                 |
| Hits: 412                                       |
| IP: 192.0.2.1                                   |
+-------------------------------------------------+
| [ View Logs in Console ]   [ Block IP Range ]   |
+-------------------------------------------------+

🧠 Why This Matters

  • Reduced MTTR (Mean Time To Respond): Analysts don't have to query BigQuery; the data comes to them.
  • Contextual Alerting: We don't just say "there's an attack," we provide the specific IPs and hit counts.
  • Automated Context: By integrating with an IP Intelligence API (like VirusTotal or CrowdSec), you can further enhance the card with "Malicious" or "Safe" labels.

🚀 Key Takeaways

  1. Automation > Manual Review: In modern security, if you can't automate it, you can't scale it.
  2. Human-Centered Design: Alerts should be beautiful and actionable, not just raw text.
  3. Low Latency Feedback: Real-time visibility into Cloud Armor allows for faster rule tuning.
