Collect Google SecOps SOAR logs

General overview

You can manage and monitor Google Security Operations SOAR logs in the Google Cloud Logs Explorer. You can also use Google Cloud tools to set up special metrics and alerts that are triggered by specific events in your SOAR operation logs.

The logs capture essential data from SOAR's ETL, playbook, and Python functions. The types of captured data include the running of Python scripts, alert ingestion, and playbook performance.

Set up Google SecOps SOAR logs

  1. Create a Service Account in the Google Cloud project where you plan to view the logs. For details, see Create and manage service accounts.
  2. Go to IAM & Admin > IAM.
  3. Locate the Service Account you created and click Edit principal.

  4. In the Assign Roles section, select Logs Writer. For more information, see Logs Writer.

  5. Click Save.

  6. In the left navigation, select Service Accounts and select your created service account.

  7. Click the more_vert (More options) menu and select Manage Permissions.

  8. In the Permissions section, click Grant Access.

  9. In the Add Principal section, add the following principal: gke-init-backgroundservices@{SOAR-GCP-Project-Id}.iam.gserviceaccount.com
    If you don't know the SOAR Google Cloud project ID ({SOAR-GCP-Project-Id}), submit a ticket through Google Support.

  10. In the Assign Roles section, select Service Account Token Creator. For more information, see Service Account Token Creator.

  11. Click Save.

  12. Provide the name of the configured Service Account to the Google SOAR support team.

Google SecOps SOAR logs

Google SecOps SOAR logs are written in a separate namespace called chronicle-soar and are categorized by the service that generated the log. The logs are generated by a background job that must be configured first, as described in the preceding section (Set up Google SecOps SOAR logs).

To access Google SecOps SOAR logs, do the following:

  1. In the Google Cloud console, go to Logging > Logs Explorer.
  2. Select the Google SecOps Google Cloud project.
  3. Enter the following filter in the box and click Run Query:

    ```
    resource.labels.namespace_name="chronicle-soar"
    ```

  4. To filter logs from a specific service, enter the following filters in the box and click Run Query:

    ```
    resource.labels.namespace_name="chronicle-soar"
    resource.labels.container_name="<container_name>"
    ```

    where <container_name> is one of "playbook", "python", or "etl".

Playbook labels

Playbook log labels provide a more efficient and convenient way to refine a query scope. All labels are located in the labels section of each log message:

To narrow the log scope, expand the log message, right-click on each label, and hide or show specific logs:

The following labels are available:

  • playbook_name
  • playbook_definition
  • block_name
  • block_definition
  • case_id
  • correlation_id
  • integration_name
  • action_name

Python logs

The following logs are available for the python service:

```
resource.labels.container_name="python"
```

Integration and Connector labels:

  • integration_name
  • integration_version
  • connector_name
  • connector_instance

Job labels:

  • integration_name
  • integration_version
  • job_name

Action labels:

  • integration_name
  • integration_version
  • integration_instance
  • correlation_id
  • action_name

ETL Logs

The following logs are available for the ETL service:

```
resource.labels.container_name="etl"
```

ETL labels:

  • correlation_id

For example, to trace the ingestion flow for a single alert across the ETL, playbook, and python services, filter by its correlation_id.
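The following added example (not Google's code) shows how the container and label filters above compose into a Logs Explorer query, and how correlation_id ties an alert's ETL, playbook, and python entries into one timeline. The sample entries are constructed to mirror the Logs Explorer entry shape; the SOAR payload text is invented for illustration.

```python
from collections import defaultdict
from typing import Optional

def quote(value: str) -> str:
    """Quote a value for the Logging query language, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def soar_filter(container: Optional[str] = None, **labels: str) -> str:
    """Build a Logs Explorer filter for the chronicle-soar namespace.
    container: "playbook", "python" or "etl" (None selects all SOAR services).
    labels: label filters such as correlation_id="..." or playbook_name="...".
    """
    clauses = ['resource.labels.namespace_name="chronicle-soar"']
    if container is not None:
        if container not in ("playbook", "python", "etl"):
            raise ValueError(f"unknown SOAR container: {container}")
        clauses.append(f"resource.labels.container_name={quote(container)}")
    for name, value in sorted(labels.items()):
        clauses.append(f"labels.{name}={quote(value)}")
    return "\n".join(clauses)

# Constructed sample entries in the shape Logs Explorer returns (not real SOAR output).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-01T10:00:03Z", "resource": {"labels": {"container_name": "python"}},
     "labels": {"correlation_id": "abc-123", "action_name": "Enrich"}, "textPayload": "action finished"},
    {"timestamp": "2024-01-01T10:00:00Z", "resource": {"labels": {"container_name": "etl"}},
     "labels": {"correlation_id": "abc-123"}, "textPayload": "alert received"},
    {"timestamp": "2024-01-01T10:00:01Z", "resource": {"labels": {"container_name": "playbook"}},
     "labels": {"correlation_id": "abc-123", "playbook_name": "Triage"}, "textPayload": "playbook started"},
    {"timestamp": "2024-01-01T10:00:02Z", "resource": {"labels": {"container_name": "etl"}},
     "labels": {"correlation_id": "zzz-999"}, "textPayload": "alert received"},
]

def ingestion_flow(entries, correlation_id: str):
    """Return (timestamp, container, payload) steps for one alert, oldest first."""
    steps = [(e["timestamp"], e["resource"]["labels"]["container_name"], e["textPayload"])
             for e in entries if e.get("labels", {}).get("correlation_id") == correlation_id]
    return sorted(steps)  # RFC 3339 UTC timestamps sort correctly as strings

def stalled_ingestions(entries):
    """Correlation IDs seen by the etl container that never reached the playbook container."""
    seen = defaultdict(set)
    for e in entries:
        cid = e.get("labels", {}).get("correlation_id")
        if cid:
            seen[cid].add(e["resource"]["labels"]["container_name"])
    return sorted(cid for cid, containers in seen.items()
                  if "etl" in containers and "playbook" not in containers)
```

Paste the string returned by soar_filter into the Logs Explorer query box; stalled_ingestions is a quick way to spot alerts that were ingested but never triggered a playbook.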