This document explains how to export and ingest Cloud NGFW logs into Google Security Operations using Google Cloud. The parser extracts fields from Google Cloud Firewall logs, transforms and maps them to the UDM. It handles various log fields, including connection details, threat information, rule details, and network information, performing data type conversions, renaming, and conditional logic based on the action and direction fields to populate the UDM model correctly.
Before you begin
Ensure that you have the following prerequisites:
Google SecOps instance.
Cloud NGFW is active and configured in your Google Cloud environment.
Privileged access to Google Cloud and appropriate permissions to access Cloud NGFW logs.
On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:
In the Get started section, do the following:
Enter a unique name that meets the bucket name requirements; for example, gcp-ngfw-logs.
To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
To add a bucket label, click the expander arrow to expand the Labels section.
Click Add label, and specify a key and a value for your label.
In the Choose where to store your data section, do the following:
Select a Location type.
Use the location type menu to select a Location where object data within your bucket will be permanently stored.
To set up cross-bucket replication, expand the Set up cross-bucket replication section.
In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.
In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.
In the Choose how to protect object data section, do the following:
Select any of the options under Data protection that you want to set for your bucket.
To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
Mapped from jsonPayload.securityProfileGroupDetails.securityProfileGroupId with key rule_details_securityProfileGroupDetails_id.
jsonPayload.threatDetails.category
security_result.rule_labels
Mapped from jsonPayload.threatDetails.category with key rule_details_category.
jsonPayload.threatDetails.direction
security_result.rule_labels
Mapped from jsonPayload.threatDetails.direction with key rule_details_direction.
jsonPayload.threatDetails.id
security_result.threat_id
Directly mapped from the jsonPayload.threatDetails.id field.
jsonPayload.threatDetails.severity
security_result.severity
Mapped from jsonPayload.threatDetails.severity. If the value is CRITICAL, the UDM field is set to CRITICAL. Similar logic applies for HIGH, MEDIUM, LOW, and INFO.
jsonPayload.threatDetails.threat
security_result.threat_name
Directly mapped from the jsonPayload.threatDetails.threat field.
jsonPayload.threatDetails.type
security_result.rule_labels
Mapped from jsonPayload.threatDetails.type with key rule_details_threat_type.
jsonPayload.threatDetails.uriOrFilename
security_result.rule_labels
Mapped from jsonPayload.threatDetails.uriOrFilename with key rule_details_uriOrFilename.
logName
metadata.product_event_type
Directly mapped from the logName field.
metadata.collected_timestamp
metadata.collected_timestamp
Directly mapped from the receiveTimestamp field and parsed using the specified date format.
metadata.event_type
metadata.event_type
Set to NETWORK_CONNECTION if both principal_ip and target_ip are present. Set to STATUS_UNCATEGORIZED if only principal_ip is present. Otherwise, set to GENERIC_EVENT.
metadata.product_name
metadata.product_name
Hardcoded to GCP Firewall.
metadata.vendor_name
metadata.vendor_name
Hardcoded to Google Cloud Platform.
receiveTimestamp
metadata.collected_timestamp
Directly mapped from the receiveTimestamp field.
security_result.action
security_result.action
Derived from the jsonPayload.action field. Mapped to ALLOW, BLOCK, or UNKNOWN_ACTION based on the value of jsonPayload.action.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide explains how to export and ingest Cloud NGFW Enterprise logs into Google Security Operations (SecOps) for analysis.\u003c/p\u003e\n"],["\u003cp\u003eYou must create a Cloud Storage bucket to store the Cloud NGFW Enterprise logs before exporting them, ensuring the Google SecOps service account has read or read/write access.\u003c/p\u003e\n"],["\u003cp\u003eCloud NGFW log export is configured via the Google Cloud console, by setting up a sink in Log Router and defining the destination as the previously created Cloud Storage bucket, with a log filter for firewall logs.\u003c/p\u003e\n"],["\u003cp\u003eA feed in Google SecOps is required to ingest the logs from the Cloud Storage bucket, specifying the bucket URI and other parameters for data transfer, including the deletion of transferred files if needed.\u003c/p\u003e\n"],["\u003cp\u003eThe log data will be parsed and transformed into the UDM format with specific mappings for fields such as connection details, threat information, and rule specifics for a uniform representation in SecOps.\u003c/p\u003e\n"]]],[],null,["# Collect Cloud Next Generation Firewall logs\n===========================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to export and ingest Cloud NGFW logs into Google Security Operations using Google Cloud. The parser extracts fields from Google Cloud Firewall logs, transforms and maps them to the UDM. It handles various log fields, including connection details, threat information, rule details, and network information, performing data type conversions, renaming, and conditional logic based on the `action` and `direction` fields to populate the UDM model correctly.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- Cloud NGFW is active and configured in your Google Cloud environment.\n- Privileged access to Google Cloud and appropriate permissions to access Cloud NGFW logs.\n\nCreate a Cloud Storage bucket\n-----------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to the **Cloud Storage Buckets** page.\n\n [Go to Buckets](https://console.cloud.google.com/storage/browser)\n3. Click **Create**.\n\n4. On the **Create a bucket** page, enter your bucket information. After each of the following steps, click **Continue** to proceed to the next step:\n\n 1. In the **Get started** section, do the following:\n\n 1. Enter a unique name that meets the bucket name requirements; for example, **gcp-ngfw-logs**.\n 2. To enable hierarchical namespace, click the expander arrow to expand the **Optimize for file oriented and data-intensive workloads** section, and then select **Enable Hierarchical namespace on this bucket**.\n\n | **Note:** You cannot enable hierarchical namespace on an existing bucket.\n 3. To add a bucket label, click the expander arrow to expand the **Labels** section.\n\n 4. Click **Add label**, and specify a key and a value for your label.\n\n 2. In the **Choose where to store your data** section, do the following:\n\n 1. Select a **Location type**.\n 2. Use the location type menu to select a **Location** where object data within your bucket will be permanently stored.\n\n | **Note:** If you select the **dual-region** location type, you can also choose to enable **turbo replication** by using the relevant checkbox.\n 3. To set up cross-bucket replication, expand the **Set up cross-bucket replication** section.\n\n 3. In the **Choose a storage class for your data** section, either select a **default storage class** for the bucket, or select **Autoclass** for automatic storage class management of your bucket's data.\n\n 4. In the **Choose how to control access to objects** section, select **not** to enforce **public access prevention** , and select an **access control model** for your bucket's objects.\n\n | **Note:** If public access prevention is already enforced by your project's organization policy, the **Prevent public access** checkbox is locked.\n 5. In the **Choose how to protect object data** section, do the following:\n\n 1. Select any of the options under **Data protection** that you want to set for your bucket.\n 2. To choose how your object data will be encrypted, click the expander arrow labeled **Data encryption** , and select a **Data encryption method**.\n5. Click **Create**.\n\n| **Note:** Be sure to provide your Google SecOps service account with permissions to Read or Read \\& Write to the newly created bucket.\n\nConfigure Cloud NGFW logs export\n--------------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to **Logging \\\u003e Log Router**.\n3. Click **Create Sink**.\n4. Provide the following configuration parameters:\n\n - **Sink Name** : enter a meaningful name; for example, `NGFW-Export-Sink`.\n - **Sink Destination** : select **Google Cloud Storage** and enter the URI for your bucket; for example, `gs://gcp-ngfw-logs`.\n - **Log Filter**:\n\n logName=\"projects/\u003cyour-project-id\u003e/logs/gcp-firewall\"\n\n5. Click **Create**.\n\nConfigure permissions for Cloud Storage\n---------------------------------------\n\n1. Go to **IAM \\& Admin \\\u003e IAM**.\n2. Locate the **Cloud Logging** service account.\n3. Grant the **roles/storage.admin** on the bucket.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Google Cloud NGFW Enterprise feed\n---------------------------------------------------\n\n1. Click the **Google Cloud Compute platform** pack.\n2. Locate the **GCP NGFW Enterprise** log type.\n3. Click **Next**.\n4. Specify values for the following fields:\n\n - **Source Type**: Google Cloud Storage V2\n - **Storage Bucket URI** : Google Cloud storage bucket URL; for example, `gs://gcp-ngfw-logs`.\n - **Source deletion options**: select the deletion option according to your preference.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum file age**: Include files modified within the last number of days. Default is 180 days.\n\n5. Click **Get a Service Account** next to the **Chronicle Service Account** field.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace** : [Namespace associated with the feed](/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion Labels**: Labels applied to all events from this feed.\n6. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
