This document explains how to export Cloud Identity Device Users logs into Google Security Operations using Cloud Storage. The parser first extracts data from JSON formatted Cloud Identity Device Users logs and transforms the timestamp to the standardized format. Then, it maps specific fields from the raw log data to the corresponding fields in the unified data model (UDM) for user entities, their relationships to assets, and additional user attributes like management and password states.
Before you begin
Make sure you have the following prerequisites:
Google Cloud Identity is enabled in your Google Cloud project.
Google SecOps instance.
Privileged access to Google Cloud Identity and Cloud Logging.
On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:
In the Get started section, do the following:
Enter a unique name that meets the bucket name requirements; for example, gcp-cloudidentity-users-logs.
To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
To add a bucket label, click the expander arrow to expand the Labels section.
Click Add label, and specify a key and a value for your label.
In the Choose where to store your data section, do the following:
Select a Location type.
Use the location type menu to select a Location where object data within your bucket will be permanently stored.
To set up cross-bucket replication, expand the Set up cross-bucket replication section.
In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.
In the Choose how to control access to objects section, clear Enforce public access prevention, and select an Access control model for your bucket's objects.
In the Choose how to protect object data section, do the following:
Select any of the options under Data protection that you want to set for your bucket.
To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a data encryption method.
There are two different entry points to set up feeds in the
Google SecOps platform:
SIEM Settings > Feeds > Add New
Content Hub > Content Packs > Get Started
How to set up the Google Cloud Identity Device Users feed
Click the Google Cloud Compute platform pack.
Locate the Google Cloud Identity Device Users log type and click Add new feed.
Specify values for the following fields:
Source Type: Third party API
OAuth JWT endpoint: endpoint to retrieve the OAuth JSON web token (JWT).
JWT claims issuer: usually the client ID.
JWT claims subject: usually an email address.
JWT claims audience: JWT claims audience.
RSA private key: enter in PEM format.
Advanced options
Feed Name: A prepopulated value that identifies the feed.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM Mapping Table
Log Field
UDM Mapping
Logic
collection_time.nanos
timestamp.nanos
Directly mapped from the log field. Represents the event timestamp in nanoseconds.
collection_time.seconds
timestamp.seconds
Directly mapped from the log field. Represents the event timestamp in seconds.
createTime
entity.metadata.creation_timestamp
Directly mapped from the log field after being parsed by the date filter. Represents the creation timestamp of the user.
managementState
entity.additional.fields.value.string_value
Directly mapped from the log field. Represents the management state of the user.
name
entity.entity.resource.name
Directly mapped from the log field. Represents the full resource name of the device user.
passwordState
entity.additional.fields.value.string_value
Directly mapped from the log field. Represents the password state of the user. This field is only mapped if the passwordState field exists in the raw log.
userEmail
entity.entity.user.email_addresses
Directly mapped from the log field. Represents the email address of the user.
entity.additional.fields.key
Set to a constant value Management State within the parser. This field is used to provide context to the managementState value.
entity.additional.fields.key
Set to a constant value Password State within the parser. This field is used to provide context to the passwordState value and is only present if passwordState exists in the raw log.
entity.entity.user.product_object_id
Extracted from the name field using the grok filter, capturing the deviceuser_id portion. Represents the unique identifier of the device user.
entity.metadata.collected_timestamp.nanos
Copied from collection_time.nanos. Represents the timestamp when the log was collected.
entity.metadata.collected_timestamp.seconds
Copied from collection_time.seconds. Represents the timestamp when the log was collected.
entity.metadata.entity_type
Set to a constant value USER within the parser.
entity.metadata.product_name
Set to a constant value GCP Cloud Identity Device Users within the parser.
entity.metadata.vendor_name
Set to a constant value Google Cloud Platform within the parser.
relations.entity.asset.product_object_id
Extracted from the name field using the grok filter, capturing the device_id portion. Represents the unique identifier of the device.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document guides you through exporting Cloud Identity Device Users logs into Google Security Operations using Cloud Storage, transforming JSON-formatted logs into a standardized UDM format.\u003c/p\u003e\n"],["\u003cp\u003eYou must first create a Cloud Storage bucket, ensuring you have the necessary access to Google Cloud Identity, Cloud Logging, and a Google SecOps instance.\u003c/p\u003e\n"],["\u003cp\u003eThe configuration process involves setting up a log sink in Cloud Logging to direct logs to your Cloud Storage bucket and then creating a feed in Google SecOps to ingest these logs.\u003c/p\u003e\n"],["\u003cp\u003eThe parser maps raw log fields such as \u003ccode\u003ecollection_time\u003c/code\u003e, \u003ccode\u003ecreateTime\u003c/code\u003e, \u003ccode\u003emanagementState\u003c/code\u003e, and \u003ccode\u003euserEmail\u003c/code\u003e to corresponding fields in the unified data model (UDM), enriching the data with entity and relationship information.\u003c/p\u003e\n"],["\u003cp\u003eThe parser has been updated since its inception, including bug fixes such as the removal of \u003ccode\u003efirstSyncTime\u003c/code\u003e and \u003ccode\u003elastSyncTime\u003c/code\u003e, as well as enhancements to UDM field mapping for a more comprehensive understanding of device users.\u003c/p\u003e\n"]]],[],null,["# Collect Cloud Identity Device Users logs\n========================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to export Cloud Identity Device Users logs into Google Security Operations using Cloud Storage. The parser first extracts data from JSON formatted `Cloud Identity Device Users` logs and transforms the timestamp to the standardized format. Then, it maps specific fields from the raw log data to the corresponding fields in the unified data model (UDM) for user entities, their relationships to assets, and additional user attributes like management and password states.\n\nBefore you begin\n----------------\n\nMake sure you have the following prerequisites:\n\n- Google Cloud Identity is enabled in your Google Cloud project.\n- Google SecOps instance.\n- Privileged access to Google Cloud Identity and Cloud Logging.\n\nCreate a Cloud Storage bucket\n-----------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to the **Cloud Storage Buckets** page.\n\n [Go to Buckets](https://console.cloud.google.com/storage/browser)\n3. Click **Create**.\n\n4. On the **Create a bucket** page, enter your bucket information. After each of the following steps, click **Continue** to proceed to the next step:\n\n 1. In the **Get started** section, do the following:\n\n 1. Enter a unique name that meets the bucket name requirements; for example, **gcp-cloudidentity-users-logs**.\n 2. To enable hierarchical namespace, click the expander arrow to expand the **Optimize for file oriented and data-intensive workloads** section, and then select **Enable Hierarchical namespace on this bucket**.\n\n | **Note:** You cannot enable hierarchical namespace on an existing bucket.\n 3. To add a bucket label, click the expander arrow to expand the **Labels** section.\n\n 4. Click **Add label**, and specify a key and a value for your label.\n\n 2. In the **Choose where to store your data** section, do the following:\n\n 1. Select a **Location type**.\n 2. Use the location type menu to select a **Location** where object data within your bucket will be permanently stored.\n\n | **Note:** If you select the **dual-region** location type, you can also choose to enable **turbo replication** by using the relevant checkbox.\n 3. To set up cross-bucket replication, expand the **Set up cross-bucket replication** section.\n\n 3. In the **Choose a storage class for your data** section, either select a **default storage class** for the bucket, or select **Autoclass** for automatic storage class management of your bucket's data.\n\n 4. In the **Choose how to control access to objects** section, clear **Enforce public access prevention** , and select an **Access control** model for your bucket's objects.\n\n | **Note:** If public access prevention is already enforced by your project's organization policy, the **Enforce public access prevention on this bucket** checkbox is locked.\n 5. In the **Choose how to protect object data** section, do the following:\n\n 1. Select any of the options under **Data protection** that you want to set for your bucket.\n 2. To choose how your object data will be encrypted, click the expander arrow labeled **Data encryption**, and select a data encryption method.\n5. Click **Create**.\n\n| **Note:** Be sure to provide your Google SecOps service account with permissions to Read or Read \\& Write to the newly created bucket.\n\nConfigure Cloud Identity Device Users logs export\n-------------------------------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to **Logging \\\u003e Log Router**.\n3. Click **Create Sink**.\n4. Provide the following configuration parameters:\n\n - **Sink Name** : enter a meaningful name; for example, `Cloudidentity-Users-Sink`.\n - **Sink Destination** : select **Cloud Storage Storage** and enter the URI for your bucket; for example, `gs://gcp-cloudidentity-users-logs`.\n - **Log Filter**:\n\n logName=\"projects/\u003cyour-project-id\u003e/logs/cloudaudit.googleapis.com%2Factivity\"\n resource.type=\"cloud_identity_user\"\n\n - **Set Export Options**: include all log entries.\n\n5. Click **Create**.\n\nConfigure permissions for Cloud Storage\n---------------------------------------\n\n1. Go to **IAM \\& Admin \\\u003e IAM**.\n2. Locate the **Cloud Logging** service account.\n3. Grant the **roles/storage.admin** on the bucket.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Google Cloud Identity Device Users feed\n---------------------------------------------------------\n\n1. Click the **Google Cloud Compute platform** pack.\n2. Locate the **Google Cloud Identity Device Users** log type and click **Add new feed**.\n3. Specify values for the following fields:\n - **Source Type**: Third party API\n - **OAuth JWT endpoint**: endpoint to retrieve the OAuth JSON web token (JWT).\n - **JWT claims issuer**: usually the client ID.\n - **JWT claims subject**: usually an email address.\n - **JWT claims audience**: JWT claims audience.\n - **RSA private key**: enter in PEM format.\n\n**Advanced options**\n\n- **Feed Name**: A prepopulated value that identifies the feed.\n- **Asset Namespace**: Namespace associated with the feed.\n- **Ingestion Labels**: Labels applied to all events from this feed.\n\n1. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
