Google Cloud Logging is a managed logging solution provided by Google Cloud Platform (GCP) that allows users to collect, store, search, analyze, and monitor logs generated by GCP services, third-party applications, and custom applications running on GCP.
What does this pack do
The Google Cloud Logging Cortex XSOAR pack helps users to centralize all their GCP logs in a single location, making it easier to troubleshoot issues and gain insights from their data.
Google Cloud Logging Integration
The Google Cloud Logging Integration enables you to retrieve selected log entries that originated from a project/folder/organization/billing account. See the Google Cloud Logging integration documentation for additional details.
What does this pack do
The Google Cloud Logging Cortex XSIAM pack helps users to centralize all their GCP logs in a single location, making it easier to troubleshoot issues and gain insights from their data.
Google Cloud Logging Integration
The Google Cloud Logging Integration enables you to retrieve selected log entries that originated from a project/folder/organization/billing account. See the Google Cloud Logging integration documentation for additional details.
Google Cloud Logging SIEM Content
The SIEM content includes Cortex Data Modeling (XDM) Rules and Parsing Rules that are applied to Google Cloud Audit Logs and Google Cloud DNS Query Logs ingested into the google_cloud_logging_raw and google_dns_raw datasets (respectively) via the Google Cloud Platform Pub/Sub data source on Cortex XSIAM. See Ingest Logs and Data from a GCP Pub/Sub for additional details.
- When configuring a sink to route Google Cloud logs to the Pub/Sub service as described here, you may wish to create an inclusion filter to include only a subset of the logs. See filter examples here and samples below:
logName:"cloudaudit.googleapis.com"
log_id("dns.googleapis.com/dns_queries")
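To see which log entries the two sample inclusion filters above would let through the sink, here is an added example (not part of this pack, and not Google's filter engine) that models only the two filter forms used above, `logName:"substring"` and `log_id("id")`, joined by `OR`, and applies them to constructed log entries named the way Cloud Logging names them (resource prefix plus URL-encoded log id). The project name and the sample entries are constructed.

```python
"""Simplified model of the sink inclusion filters shown above (assumption: only
logName:"..." substring terms, log_id("...") terms and OR are supported)."""
import re
from urllib.parse import unquote

# Sample filters from the text, plus the combined filter a sink would need
# to route both audit and DNS query logs to one Pub/Sub topic.
AUDIT_FILTER = 'logName:"cloudaudit.googleapis.com"'
DNS_FILTER = 'log_id("dns.googleapis.com/dns_queries")'
INCLUSION_FILTER = f"{AUDIT_FILTER} OR {DNS_FILTER}"

# Constructed entries; real logName values carry the log id URL-encoded
# after "/logs/", e.g. "cloudaudit.googleapis.com%2Factivity".
SAMPLE_ENTRIES = [
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access"},
    {"logName": "projects/example-project/logs/dns.googleapis.com%2Fdns_queries"},
    {"logName": "projects/example-project/logs/compute.googleapis.com%2Fshielded_vm_integrity"},
]

_HAS_RE = re.compile(r'^logName:"([^"]+)"$')      # ':' is the "has" (substring) operator
_LOG_ID_RE = re.compile(r'^log_id\("([^"]+)"\)$')  # shorthand for logName = <resource>/logs/<encoded id>


def _log_id(log_name: str) -> str:
    """Return the decoded log id, i.e. everything after '/logs/'."""
    return unquote(log_name.split("/logs/", 1)[1])


def matches(filter_expr: str, entry: dict) -> bool:
    """True if the entry satisfies any OR-joined term of filter_expr."""
    for term in (t.strip() for t in filter_expr.split(" OR ")):
        if m := _HAS_RE.match(term):
            if m.group(1) in entry["logName"]:
                return True
        elif m := _LOG_ID_RE.match(term):
            if _log_id(entry["logName"]) == m.group(1):
                return True
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
    return False


def select(filter_expr: str, entries: list) -> list:
    """Return the logName values the sink would forward under filter_expr."""
    return [e["logName"] for e in entries if matches(filter_expr, e)]


if __name__ == "__main__":
    for name in select(INCLUSION_FILTER, SAMPLE_ENTRIES):
        print("forwarded:", name)
```

Entries that match neither term (the Shielded VM integrity log in the sample) are not forwarded, which is the point of an inclusion filter: only the audit and DNS query logs the parsing rules expect reach Cortex XSIAM.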