Cloud Logging

This document provides guidance on how to integrate Cloud Logging with Google Security Operations SOAR.

Integration version: 1.0

Before you begin

To use the integration, you need a Google Cloud service account. You can use an existing service account or create a new one.

Create a service account

For guidance on creating a service account, see Create service accounts.

If you use a service account to authenticate to Google Cloud, you can create a service account key in JSON and provide the content of the downloaded JSON file when configuring the integration parameters.

For security reasons, we recommend using workload identity email addresses instead of a service account key. For more information about the workload identities, see Identities for workloads.

Integrate Cloud Logging with Google SecOps SOAR

The Cloud Logging integration requires the following parameters:

Parameter	Description
`Workload Identity Email`	Optional The client email address of your workload identity. You can configure either this parameter or the `User's Service Account` parameter. To impersonate service accounts with the workload identity email address, grant the `Service Account Token Creator` role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.
`User's Service Account`	Optional The content of the service account key JSON file. You can configure either this parameter or the `Workload Identity Email` parameter. To configure this parameter, provide the full content of the service account key JSON file that you downloaded when creating a service account. For more information about using service accounts as an authentication method, see Service accounts overview.
`Quota Project ID`	Optional The Google Cloud project ID which you use for Google Cloud APIs and billing. This parameter requires you to grant the `Service Usage Consumer` role to your service account. The integration attaches this parameter value to all API requests. If you don't set a value for this parameter, the integration retrieves the quota project ID from your Google Cloud service account.
`Organization ID`	Optional The organization ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.
`Project ID`	Optional The project ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.
`Verify SSL`	Required If selected, the integration verifies that the SSL certificate for connecting to Cloud Logging is valid. Selected by default.

For instructions about configuring an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.

Actions

The Cloud Logging integration includes the following actions:

Execute Query
Ping

Execute Query

Use the Execute Query action to execute custom queries in Cloud Logging.

This action doesn't run on Google SecOps entities.

Action inputs

The Execute Query action requires the following parameters:

Parameter	Description
`Project ID`	Optional The project ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.
`Organization ID`	Optional The organization ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.
`Query`	Required A query to find the logs.
`Time Frame`	Optional A period to retrieve the results from. If you select `Custom`, also configure the `Start Time` parameter. The possible values are as follows: `Last Hour` `Last 6 Hours` `Last 24 Hours` `Last Week` `Last Month` `Custom` The default value is `Last Hour`.
`Start Time`	Optional The start time to retrieve results. This parameter is required if you selected the `Custom` option for the `Time Frame` parameter. To configure this parameter, use the ISO 8601 format.
`End Time`	Optional The end time to retrieve results. If you don't set a value for this parameter and select the `Custom` option for the `Time Frame` parameter, the action uses the current time as the end time. To configure this parameter, use the ISO 8601 format.
`Max Results To Return`	Optional The maximum number of results to return. The default value is 50.

Action outputs

The Execute Query action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example describes the JSON result output received when using the Execute Query action:

[{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "system:clouddns"
        },
        "authorizationInfo": [
            {
                "granted": true,
                "permission": "io.k8s.coordination.v1.leases.update",
                "resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/clouddns-lock"
            }
        ],
        "methodName": "io.k8s.coordination.v1.leases.update",
        "requestMetadata": {
            "callerIp": "192.0.2.6",
            "callerSuppliedUserAgent": "clouddns-leader-election"
        },
        "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/clouddns-lock",
        "serviceName": "k8s.io",
        "status": {
            "code": 0
        }
    },
    "insertId": "ID",
    "resource": {
        "type": "k8s_cluster",
        "labels": {
            "cluster_name": "CLUSTER_NAME",
            "project_id": "PROJECT_ID",
            "location": "us-central1"
        }
    },
    "timestamp": "2024-09-18T09:46:38.647428Z",
    "labels": {
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:clouddns\" of ClusterRole \"system:clouddns-role\" to User \"system:clouddns\"",
        "authorization.k8s.io/decision": "allow"
    },
    "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
        "id": "ID",
        "producer": "k8s.io",
        "first": true,
        "last": true
    },
    "receiveTimestamp": "2024-09-18T09:46:39.063264993Z"
}]

Output messages

The Execute Query action provides the following output messages:

Output message Message description

Output message	Message description
`Successfully executed query "QUERY" in Cloud Logging.` `No results were found for the provided query.`	The action succeeded.
`Error executing action "Execute Query". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully executed query "QUERY" in Cloud Logging.

No results were found for the provided query.

The action succeeded.

Error executing action "Execute Query". Reason:
      ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when using the Execute Query action:

Script result name	Value
`is_success`	`True` or `False`

Ping

Use the Ping action to test the connectivity to Cloud Logging.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Ping action provides the following output messages:

Output message Message description

Successfully connected to the Cloud Logging server with the provided connection parameters! The action succeeded.

Output message	Message description
`Successfully connected to the Cloud Logging server with the provided connection parameters!`	The action succeeded.
`Failed to connect to the Cloud Logging server! Error is ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Failed to connect to the Cloud Logging server! Error is
      ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when using the Ping action:

Script result name	Value
`is_success`	`True` or `False`