Collect SOAR logs

Supported in:

SOAR

This document describes how to use Google Cloud Logs Explorer to manage and monitor SOAR logs.

The integration provides the following key capabilities:

Centralized monitoring: View and analyze essential data captured from the Google SecOps SOAR platform's ETL, Playbook, and Python functions (for example, Python script execution, alert ingestion, and playbook performance).
Custom metrics and alerting: Use Google Cloud tools to configure custom metrics and alerts based on specific events recorded in the Google SecOps SOAR operational logs.

Set up SOAR logs

To set up the SOAR logs, follow these steps:

Create a Service Account in the Google Cloud project where you plan to view the logs. For details, see Create and manage service accounts.
Go to IAM & Admin > IAM.
Locate the Service Account you created and click edit Edit principal.

Go to IAM
In the Assign Roles section, select Logs Writer. For more information, see the predefined Logs Writer role.
Click Save.
Select Service Accounts and select your created service account.
Click more_vert More and select Manage Permissions.
In the Permissions section, click Grant Access.
In the Add Principal section, add the following principal:

gke-init-backgroundservices@{SOAR-GCP-Project-Id}.iam.gserviceaccount.com
- If you don't know the SOAR_GCP_Project_Id, submit a ticket through Google Support.
Note: Organization policies may restrict access to external service accounts due to Domain Restriction Sharing. If this occurs, an allowlist exception must be added for the mentioned principal. For more information, see Restricting Domains: Configure Exceptions.
In Assign Roles, select Service Account Token Creator. For more information, see Service Account Token Creator.
Click Save.
Provide the name of the configured Service Account to the Google SecOps support team.

SOAR logs

SOAR logs are written in a separate namespace, called chronicle-soar, and are categorized by the service that generated the log. Because the logs are generated by a background job, you must configure this job first to send the logs to Google Cloud:

To access SOAR logs, do the following:

In the Google Cloud console, go to Logging > Logs Explorer.
Select the Google SecOps Google Cloud project.
Enter the following filter in the box and click Run Query:
```
resource.labels.namespace_name="chronicle-soar"
```

To filter logs from a specific service, enter the following syntax in the query box and click Run Query:

    resource.labels.namespace_name="chronicle-soar" 
    resource.labels.container_name="<container_name>"

Replace <container_name> with the relevant service container: playbook, python, or etl.

Playbook log labels

Playbook log labels provide a more efficient and convenient way to refine a query scope. All labels are located in the Labels section of each log message.

Log labels in messages.

To narrow the log scope, expand the log message, right-click each label, and hide or show specific logs:

Provide relevant text about the image here.

The following labels are available:

playbook_name
playbook_definition
block_name
block_definition
case_id
correlation_id
integration_name
action_name

Python logs

The following logs are available for Python service:

```none
resource.labels.container_name="python"
```

Integration and connector labels:

integration_name
integration_version
connector_name
connector_instance

Job labels:

integration_name
integration_version
job_name

Action labels:

integration_name
integration_version
integration_instance
correlation_id
action_name

ETL logs

The following logs are available for ETL service:

```none
resource.labels.container_name="etl"
```

ETL labels

correlation_id

For example, to provide the ingestion flow for an alert, filter by correlation_id:

ETL ingestion logs filter.

Need more help? Get answers from Community members and Google SecOps professionals.