Collect SOAR logs


This document describes how to use Google Cloud Logs Explorer to manage and monitor SOAR logs.

The integration provides the following key capabilities:

  • Centralized monitoring: View and analyze essential data captured from the Google SecOps SOAR platform's ETL, Playbook, and Python functions (for example, Python script execution, alert ingestion, and playbook performance).

  • Custom metrics and alerting: Use Google Cloud tools to configure custom metrics and alerts based on specific events recorded in the Google SecOps SOAR operational logs.

Set up SOAR logs

To set up the SOAR logs, follow these steps:

  1. Create a Service Account in the Google Cloud project where you plan to view the logs. For details, see Create and manage service accounts.
  2. Go to IAM & Admin > IAM.
  3. Locate the Service Account you created and click Edit principal.

  4. In the Assign Roles section, select Logs Writer. For more information, see the predefined Logs Writer role.

  5. Click Save.

  6. Select Service Accounts and select your created service account.

  7. Click More and select Manage Permissions.

  8. In the Permissions section, click Grant Access.

  9. In the Add Principal section, add the following principal:

    gke-init-backgroundservices@{SOAR-GCP-Project-Id}.iam.gserviceaccount.com

    • If you don't know the {SOAR-GCP-Project-Id} value, submit a ticket through Google Support.
  10. In Assign Roles, select Service Account Token Creator. For more information, see Service Account Token Creator.

  11. Click Save.

  12. Provide the name of the configured Service Account to the Google SecOps support team.
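The same grants expressed as a gcloud script, added here as an example; it is not part of this documentation or of the Google SecOps product. LOG_PROJECT (the project where you view logs), LOG_SA_NAME (the service account from step 1) and SOAR_GCP_PROJECT_ID (the value Google Support gives you in step 9) are assumed inputs; the role identifiers are the predefined roles named in steps 4 and 10.

```shell
#!/usr/bin/env bash
# Added example, not from the Google SecOps documentation.
# Assumed inputs: LOG_PROJECT, LOG_SA_NAME, SOAR_GCP_PROJECT_ID (env vars).
set -eu

# Builds the principal from step 9 for a given SOAR project id.
soar_background_principal() {
  printf 'serviceAccount:gke-init-backgroundservices@%s.iam.gserviceaccount.com' "$1"
}

# Builds the e-mail of the log-writing service account: NAME PROJECT.
log_writer_sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Step 1: create the service account in the log-viewing project.
create_log_sa() {
  gcloud iam service-accounts create "$2" --project="$1" \
    --display-name="SOAR log writer"
}

# Steps 2-5: grant the predefined Logs Writer role on the project.
grant_logs_writer() {
  local project="$1" sa_email="$2"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" \
    --role="roles/logging.logWriter"
}

# Steps 6-11: allow the SOAR background service to mint tokens for the
# account (Service Account Token Creator, bound on the account itself,
# not on the project, so the grant is as narrow as possible).
grant_token_creator() {
  local project="$1" sa_email="$2" soar_project_id="$3"
  gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$project" \
    --member="$(soar_background_principal "$soar_project_id")" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Check: list who can act on the account. The only token-creator member
# should be the gke-init-backgroundservices principal.
show_sa_bindings() {
  gcloud iam service-accounts get-iam-policy "$2" --project="$1" \
    --flatten="bindings[].members" \
    --format="table(bindings.role,bindings.members)"
}

if [ "${RUN_SOAR_SETUP:-0}" = "1" ]; then
  sa_email="$(log_writer_sa_email "$LOG_SA_NAME" "$LOG_PROJECT")"
  create_log_sa "$LOG_PROJECT" "$LOG_SA_NAME"
  grant_logs_writer "$LOG_PROJECT" "$sa_email"
  grant_token_creator "$LOG_PROJECT" "$sa_email" "$SOAR_GCP_PROJECT_ID"
  show_sa_bindings "$LOG_PROJECT" "$sa_email"
  echo "Step 12: give this service account name to Google SecOps support: ${sa_email}"
fi
```

Run it as `RUN_SOAR_SETUP=1 LOG_PROJECT=... LOG_SA_NAME=... SOAR_GCP_PROJECT_ID=... ./setup.sh`. The final `get-iam-policy` listing is the check worth repeating after any later IAM change: whoever holds Service Account Token Creator on this account can write to your project's logs as it, so that binding should contain only the SOAR principal.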

SOAR logs

SOAR logs are written to a separate namespace, called chronicle-soar, and are categorized by the service that generated them. Because the logs are produced by a background job, you must first configure that job to send the logs to Google Cloud (see Set up SOAR logs).

To access SOAR logs, do the following:

  1. In the Google Cloud console, go to Logging > Logs Explorer.
  2. Select the Google SecOps Google Cloud project.
  3. Enter the following filter in the query box and click Run Query:

```none
resource.labels.namespace_name="chronicle-soar"
```

  4. To filter logs from a specific service, enter the following syntax in the query box and click Run Query:

```none
resource.labels.namespace_name="chronicle-soar"
resource.labels.container_name="<container_name>"
```

  5. Replace <container_name> with the relevant service container: playbook, python, or etl.

Playbook log labels

Playbook log labels provide a more efficient and convenient way to refine a query scope. All labels are located in the Labels section of each log message.

To narrow the log scope, expand a log message, right-click a label, and choose to hide or show logs with that label value.

The following labels are available:

  • playbook_name
  • playbook_definition
  • block_name
  • block_definition
  • case_id
  • correlation_id
  • integration_name
  • action_name

Python logs

Logs from the Python service are selected with the following filter:

```none
resource.labels.container_name="python"
```

Integration and connector labels:

  • integration_name
  • integration_version
  • connector_name
  • connector_instance

Job labels:

  • integration_name
  • integration_version
  • job_name

Action labels:

  • integration_name
  • integration_version
  • integration_instance
  • correlation_id
  • action_name

ETL logs

Logs from the ETL service are selected with the following filter:

```none
resource.labels.container_name="etl"
```

ETL labels:

  • correlation_id

For example, to trace the ingestion flow of a single alert end to end, filter by its correlation_id.
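The filters from the SOAR logs steps and the playbook, Python and ETL label sections above, composed into reusable `gcloud logging read` queries. This is an added example, not part of this documentation; it assumes the labels listed above appear under the `labels.` field of each log entry (the Labels section in Logs Explorer), and PROJECT, CORRELATION_ID, PLAYBOOK and CASE_ID are assumed inputs.

```shell
#!/usr/bin/env bash
# Added example, not from the Google SecOps documentation.
# Assumption: SOAR labels are exposed as labels.<name> on each entry.
set -eu

# Escapes backslashes and double quotes for use inside a quoted filter value.
escape_filter_value() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Base filter for the chronicle-soar namespace, optionally narrowed to one
# service container: playbook, python, or etl.
soar_filter() {
  local container="${1:-}"
  local f='resource.labels.namespace_name="chronicle-soar"'
  if [ -n "$container" ]; then
    f="$f AND resource.labels.container_name=\"$container\""
  fi
  printf '%s' "$f"
}

# Appends label equality clauses: soar_label_filter CONTAINER key=value ...
# Pass "" as CONTAINER to search every SOAR service.
soar_label_filter() {
  local f
  f="$(soar_filter "$1")"; shift
  for kv in "$@"; do
    f="$f AND labels.${kv%%=*}=\"$(escape_filter_value "${kv#*=}")\""
  done
  printf '%s' "$f"
}

# Reads matching entries, newest first: PROJECT FILTER [LIMIT]
read_soar_logs() {
  local project="$1" filter="$2" limit="${3:-50}"
  gcloud logging read "$filter" --project="$project" \
    --limit="$limit" --order=desc \
    --format="table(timestamp,resource.labels.container_name,labels.correlation_id,textPayload)"
}

if [ "${RUN_SOAR_QUERY:-0}" = "1" ]; then
  # One alert's ingestion flow across ETL, Python and playbook services.
  read_soar_logs "$PROJECT" \
    "$(soar_label_filter "" "correlation_id=$CORRELATION_ID")"
  # Only error-level entries from one playbook on one case
  # (severity is a standard LogEntry field, not a SOAR label).
  read_soar_logs "$PROJECT" \
    "$(soar_label_filter playbook "playbook_name=$PLAYBOOK" "case_id=$CASE_ID") AND severity>=ERROR"
fi
```

Run it as `RUN_SOAR_QUERY=1 PROJECT=... CORRELATION_ID=... PLAYBOOK=... CASE_ID=... ./query.sh`. The same filter strings can be pasted into the Logs Explorer query box or used as the filter of a log-based metric, which is how the custom metrics and alerting described at the top of this page are built.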
