Collect Google SecOps SOAR logs
You can manage and monitor Google Security Operations SOAR logs in the Google Cloud Logs Explorer. You can also use Google Cloud tools to set up special metrics and alerts that are triggered by specific events in your SOAR operation logs.
The logs capture essential data from SOAR's ETL, playbook, and Python functions. The types of captured data include the running of Python scripts, alert ingestion, and playbook performance.
Access Google SecOps SOAR logs
Google SecOps SOAR logs are written to a separate namespace called chronicle-soar and are categorized by the service that generated the log.
To access Google SecOps SOAR logs, do the following:
- In the Google Cloud console, go to Logging > Logs Explorer.
- Select the Google SecOps Google Cloud project.
- Enter the following filter in the query field and click Run Query:
resource.labels.namespace_name="chronicle-soar"
To filter logs from a specific service, enter the following filter in the query field and click Run Query:
resource.labels.namespace_name="chronicle-soar"
resource.labels.container_name="<container_name>"
where <container_name> is one of playbook, python, or etl.
Playbook labels
Playbook log labels provide a more efficient and convenient way to refine a query scope. All labels are located in the labels section of each log message:

To narrow the log scope, expand the log message, right-click each label, and hide or show specific logs:

The following labels are available:
- playbook_definition
- playbook_name
- block_name
- block_definition
- case_id
- correlation_id
- integration_name
- action_name
Python logs
The following logs are available for the python service:
resource.labels.container_name="python"
Integration and connector labels:
- integration_name
- integration_version
- connector_name
- connector_instance
Job labels:
- integration_name
- integration_version
- job_name
Action labels:
- integration_name
- integration_version
- integration_instance
- correlation_id
- action_name
ETL logs
The following logs are available for the ETL service:
resource.labels.container_name="etl"
ETL labels:
- correlation_id
For example, to trace the ingestion flow of a single alert across services, filter by correlation_id:
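The filters above can be assembled programmatically and checked against log entries before they are pasted into Logs Explorer. The following added example (not code from the Google SecOps documentation) builds a chronicle-soar filter scoped to a container and to label values, and traces one alert across the etl, python, and playbook containers by correlation_id. The log entries are constructed samples, and the local matcher only emulates the simple field="value" equality clauses shown on this page, not the full Logs Explorer query language.

```python
NAMESPACE = "chronicle-soar"
CONTAINERS = ("playbook", "python", "etl")  # services that write SOAR logs


def soar_filter(container=None, **labels):
    """Return a Logs Explorer filter (one clause per line, ANDed) scoped to the
    chronicle-soar namespace, optionally to one container and to label values."""
    clauses = [f'resource.labels.namespace_name="{NAMESPACE}"']
    if container is not None:
        if container not in CONTAINERS:
            raise ValueError(f"unknown SOAR container: {container!r}")
        clauses.append(f'resource.labels.container_name="{container}"')
    for name, value in labels.items():
        clauses.append(f'labels.{name}="{value}"')  # e.g. labels.correlation_id="..."
    return "\n".join(clauses)


def entry(ts, container, correlation_id, message):
    """Constructed sample entry in the shape of a Cloud Logging LogEntry (not real data)."""
    return {"timestamp": ts, "textPayload": message, "labels": {"correlation_id": correlation_id},
            "resource": {"labels": {"namespace_name": NAMESPACE, "container_name": container}}}


SAMPLE_ENTRIES = [
    entry("2024-05-01T10:00:03Z", "playbook", "corr-123", "Playbook 'Triage' started"),
    entry("2024-05-01T10:00:00Z", "etl", "corr-123", "Alert received from connector"),
    entry("2024-05-01T10:00:01Z", "python", "corr-999", "Connector run finished"),
    entry("2024-05-01T10:00:02Z", "python", "corr-123", "Enrichment action executed"),
]


def matches(log_entry, filter_text):
    """Simplified local evaluation of the equality filter built above: every
    field="value" line must match. This is not the full Logs Explorer language."""
    for clause in filter_text.splitlines():
        path, _, value = clause.partition("=")
        node = log_entry
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node != value.strip('"'):
            return False
    return True


def trace_alert(entries, correlation_id):
    """Return the (container, message) steps of one alert's flow in time order."""
    flt = soar_filter(correlation_id=correlation_id)
    hits = sorted((e for e in entries if matches(e, flt)), key=lambda e: e["timestamp"])
    return [(e["resource"]["labels"]["container_name"], e["textPayload"]) for e in hits]
```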
