Google Cloud Logging v1.0.28
Google Cloud Logging is a managed logging solution provided by Google Cloud Platform (GCP) that allows users to collect, store, search, analyze, and monitor logs generated by GCP services, third-party applications, and custom applications running on GCP.
- Author:
- Cortex XSOAR
- Support:
- xsoar
Integrations (1)
Modeling rules (1)
Parsing rules (1)
README
What does this pack do
The Google Cloud Logging Cortex <~XSOAR>XSOAR</~XSOAR><~XSIAM>XSIAM</~XSIAM> pack helps users to centralize all their GCP logs in a single location, making it easier to troubleshoot issues and gain insights from their data.
Google Cloud Logging Integration
The Google Cloud Logging Integration enables you to retrieve selected log entries that originated from a project/folder/organization/billing account. See the Google Cloud Logging integration documentation for additional details.
<~XSIAM>
Google Cloud Logging SIEM Content
The SIEM content includes Cortex Data Modeling (XDM) Rules and Parsing Rules which are applied on Google Cloud Audit Logs, Google Cloud DNS Query Logs and Google Cloud VPC Flow Logs. Audit and VPC Flow logs are ingested into the google_cloud_logging_raw dataset, DNS logs are ingested into the google_dns_raw dataset. Log are ingested via the Google Cloud Platform Pub/Sub data source on Cortex XSIAM. See Ingest Logs and Data from a GCP Pub/Sub for additional details.
Remarks
- When configuring a sink to route Google Cloud logs to the Pub/Sub service as described here, you may wish to create an inclusion filter to include only a subset of the logs. See filter examples here and samples below:
- Sample filter for including only Google Cloud Audit Logs:
logName:"cloudaudit.googleapis.com"- Sample filter for including only Google Cloud DNS Query Logs:
log_id("dns.googleapis.com/dns_queries")- Sample filter for including only Google Cloud VPC Flow Logs:
log_id("compute.googleapis.com/vpc_flows") - For auditing Data Access Audit Logs, you may need to explicitly enable the requested Google Cloud services. See Enable Data Access audit logs for additional details.
</~XSIAM>