Which workflow supports time-windowed anomaly detection and analyst triage by using BigQuery, Cloud Run, Pub/Sub, and log-based metrics with SCC findings?

Multiple Choice

Which workflow supports time-windowed anomaly detection and analyst triage by using BigQuery, Cloud Run, Pub/Sub, and log-based metrics with SCC findings?

Explanation:
Think about a security operations workflow that needs scalable analytics, fast alerting, and centralized triage. To achieve time-windowed anomaly detection and analyst triage, you want a pipeline that stores rich log data, processes it to produce normalized alerts, distributes those alerts for downstream handling, and surfaces them where analysts can act.

Sinking logs to BigQuery provides a centralized, scalable place to store raw and parsed logs and to run SQL-based analyses over time windows. With windowed queries you can compute baselines, detect spikes, and identify anomalies within a sliding or fixed time frame, which is essential for timely detection.

Cloud Run functions can take those detections and normalize them into a consistent alert format, then publish them to Pub/Sub. This creates an event-driven flow where each detected anomaly becomes a message that can be consumed by additional services, enabling rapid, scalable processing and routing without bottlenecks.

Using log-based metrics ties the pipeline into Cloud Monitoring, letting you derive metrics from your logs, observe trends, feed dashboards, and trigger automated responses. This adds visibility and a structured way to monitor for irregular activity over time.

Finally, writing alerts as SCC findings surfaces the detections directly in Security Command Center, giving security analysts a single place to triage, investigate, and respond. This integration is what makes the anomalies actionable within the broader security posture and incident response workflow.

Other options miss one or more of these elements: they either rely on basic alerting without the deep time-window analytics, skip the scalable, data-warehouse-backed analysis, or don’t feed SCC findings for centralized triage.
