Collect Google SecOps SOAR logs
Supported in: SOAR
Note: This document is for customers using the standalone SOAR platform only.
Note: This feature is covered by the Pre-GA Offerings Terms (https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the Google SecOps Technical Support Service guidelines (https://chronicle.security/legal/technical-support-services-guidelines/) and the Google SecOps Service Specific Terms (https://chronicle.security/legal/service-terms/).
Note: This feature is not available to all customers in all regions.
General overview
You can manage and monitor Google Security Operations SOAR logs in the
Google Cloud Logs Explorer (https://cloud.google.com/logging/docs). You can
also use Google Cloud tools to set up custom metrics and alerts
that are triggered by specific events in your SOAR operation logs.
The logs capture essential data from SOAR's ETL,
playbook, and Python functions.
The types of captured data include the running of Python scripts, alert
ingestion, and playbook performance.
Set up Google SecOps SOAR logs
1. Create a Service Account in the Google Cloud project where you plan to view the logs. For details, see Create and manage service accounts.
2. Go to IAM & Admin > IAM.
3. Locate the Service Account you created and click Edit principal.
4. In the Assign Roles section, select Logs Writer. For more information, see Logs Writer.
5. Click Save.
6. In the left navigation, select Service Accounts and select your created service account.
7. Click the more options menu (⋮), and select Manage Permissions.
8. In the Permissions section, click Grant Access.
9. In the Add Principal section, add the following principal:
   gke-init-backgroundservices@{SOAR-GCP-Project-Id}.iam.gserviceaccount.com
   If you don't know the SOAR_GCP_Project_Id, submit a ticket through Google Support.
   Note: In addition, some Organization Policies may restrict access to external service accounts due to Domain Restricted Sharing. In this case, an exception can be added to allowlist the principal above. For more information, see Restricting Domains: Configure Exceptions.
10. In the Assign Roles section, select Service Account Token Creator. For more information, see Service Account Token Creator.
11. Click Save.
12. Provide the name of the configured Service Account to the Google SOAR support team.
Google SecOps SOAR logs
Google SecOps SOAR logs are written in a separate namespace called
chronicle-soar and are categorized by the service that generated the log.
The logs are generated by a background job that needs to be configured first.
To configure a job to send the logs to Google Cloud, do the following:
To access Google SecOps SOAR logs, do the following:
1. In the Google Cloud console, go to Logging > Logs Explorer.
2. Select the Google SecOps Google Cloud project.
3. Enter the following filter in the box and click Run Query:
```
resource.labels.namespace_name="chronicle-soar"
```
4. To filter logs from a specific service, enter the following filters in the box
   and click Run Query:
```
resource.labels.namespace_name="chronicle-soar"
resource.labels.container_name="<container_name>"
```
   where <container_name> is one of "playbook", "python" or "etl".
Playbook labels
Playbook log labels provide a more efficient and convenient way to refine a query
scope. All labels are located in the labels section of each
log message.
To narrow the log scope, expand the log message, right-click on each label, and
hide or show specific logs.
The following labels are available:
- playbook_name
- playbook_definition
- block_name
- block_definition
- case_id
- correlation_id
- integration_name
- action_name
Note: The correlation_id label retrieves logs from both the playbook and the associated Python services. The logs therefore provide complete tracing and analysis of an entire playbook execution.
Python logs
The following filter returns the logs of the python service:
```
resource.labels.container_name="python"
```
Integration and Connector labels:
- integration_name
- integration_version
- connector_name
- connector_instance
Job labels:
- integration_name
- integration_version
- job_name
Action labels:
- integration_name
- integration_version
- integration_instance
- correlation_id
- action_name
ETL logs
The following filter returns the logs of the ETL service:
```
resource.labels.container_name="etl"
```
ETL labels:
- correlation_id
For example, to follow the ingestion flow of a single alert, filter by
correlation_id.
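As an added example (not part of this page or of Google SecOps), the following Python builds Logs Explorer filters from the namespace, container and label names documented above, and shows how one correlation_id ties the etl, playbook and python entries of an alert together. The sample entries are constructed, and it is an assumption that the documented labels are queryable as labels.<name>.

```python
from typing import Iterable, List, Optional, Tuple

NAMESPACE = "chronicle-soar"
SERVICES = ("playbook", "python", "etl")  # container_name values from the page


def quote(value: str) -> str:
    """Quote a value for the Logging query language, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def soar_filter(service: Optional[str] = None, **labels: str) -> str:
    """Build a Logs Explorer filter: namespace, optional container, then label terms.
    ASSUMPTION: the page's labels are queryable as labels.<name>."""
    if service is not None and service not in SERVICES:
        raise ValueError(f"unknown SOAR service {service!r}; expected one of {SERVICES}")
    terms = [f"resource.labels.namespace_name={quote(NAMESPACE)}"]
    if service:
        terms.append(f"resource.labels.container_name={quote(service)}")
    terms += [f"labels.{k}={quote(v)}" for k, v in sorted(labels.items())]
    return "\n".join(terms)


# Constructed sample entries (not real SOAR output) in a LogEntry-like shape.
SAMPLE_ENTRIES = [
    {"resource": {"labels": {"namespace_name": NAMESPACE, "container_name": "etl"}},
     "labels": {"correlation_id": "c-001"}, "textPayload": "alert ingested"},
    {"resource": {"labels": {"namespace_name": NAMESPACE, "container_name": "playbook"}},
     "labels": {"correlation_id": "c-001", "playbook_name": "Triage", "case_id": "42"},
     "textPayload": "playbook started"},
    {"resource": {"labels": {"namespace_name": NAMESPACE, "container_name": "python"}},
     "labels": {"correlation_id": "c-001", "integration_name": "ExampleIntegration",
                "action_name": "Enrich"}, "textPayload": "action finished"},
    {"resource": {"labels": {"namespace_name": NAMESPACE, "container_name": "playbook"}},
     "labels": {"correlation_id": "c-002", "playbook_name": "Other"}, "textPayload": "skip"},
    {"resource": {"labels": {"namespace_name": "other-ns", "container_name": "python"}},
     "labels": {"correlation_id": "c-001"}, "textPayload": "not a SOAR log"},
]


def trace(entries: Iterable[dict], correlation_id: str) -> List[Tuple[str, str]]:
    """Return (container_name, payload) for every chronicle-soar entry carrying the
    correlation_id, i.e. the etl -> playbook -> python path of one alert."""
    hits = []
    for entry in entries:
        res = entry["resource"]["labels"]
        if res.get("namespace_name") != NAMESPACE:
            continue  # same correlation_id in another namespace is not a SOAR log
        if entry.get("labels", {}).get("correlation_id") != correlation_id:
            continue
        hits.append((res["container_name"], entry["textPayload"]))
    return hits
```

Paste the string returned by soar_filter into the Logs Explorer query box; trace shows offline what that correlation_id query would return across the three services.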
Last updated 2025-08-29 UTC.