Cloud Logging
This document provides guidance on how to integrate Cloud Logging with Google SecOps.
Integration version: 1.0
Before you begin
To use the integration, you need a Google Cloud service account. You can use an existing service account or create a new one.
Create a service account
For guidance on creating a service account, see Create service accounts.
If you use a service account to authenticate to Google Cloud, you can create a service account key in JSON format and provide the content of the downloaded JSON file when configuring the integration parameters.
For security reasons, we recommend using workload identity email addresses instead of a service account key. A key file is a long-lived credential that is stored in the integration configuration and only stops working when you rotate or delete it, whereas impersonation with a workload identity issues short-lived tokens. For more information about workload identities, see Identities for workloads.
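The two authentication parameters are mutually exclusive, and the project ID the integration falls back to comes from the service account. The following added example (not the integration's own code) models that resolution step offline: it accepts either a workload identity email or the content of a key JSON file, rejects configurations that set both or neither, validates the fields a Google Cloud key file always carries, and derives the default project ID. The function names and the sample key are constructed for this example; the key's private_key is a placeholder, not real key material.

```python
"""Resolve the integration's authentication inputs before any API call.

Added example, not the integration's own code. It models the Workload
Identity Email and User's Service Account parameters; field names of the key
file are the ones Google Cloud emits, the function names are hypothetical.
"""
import json
from typing import Optional

# Fields every Google Cloud service account key JSON file carries.
REQUIRED_KEY_FIELDS = ("type", "project_id", "client_email", "private_key")
SA_EMAIL_SUFFIX = ".iam.gserviceaccount.com"

# Constructed sample key for this example; the private_key is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "secops-logging@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def project_from_sa_email(email: str) -> Optional[str]:
    """Service account emails look like NAME@PROJECT_ID.iam.gserviceaccount.com.

    Returns the project ID embedded in the domain, or None for other forms.
    """
    local, _, domain = email.partition("@")
    if local and domain.endswith(SA_EMAIL_SUFFIX):
        return domain[: -len(SA_EMAIL_SUFFIX)]
    return None


def resolve_auth(workload_identity_email: Optional[str],
                 service_account_json: Optional[str]) -> dict:
    """Return which credential to use and the project ID it implies.

    Exactly one of the two parameters must be set. Silently preferring one
    over the other would hide a misconfiguration, for example a stale key
    left in the instance after moving to workload identity.
    """
    email = (workload_identity_email or "").strip()
    key_text = (service_account_json or "").strip()
    if bool(email) == bool(key_text):
        raise ValueError("set exactly one of Workload Identity Email or User's Service Account")

    if email:
        return {"mode": "impersonation", "principal": email,
                "project_id": project_from_sa_email(email)}

    key = json.loads(key_text)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected credential type {key['type']!r}")
    # Key files carry the private key as a PEM PKCS#8 block; anything else is
    # not a service account key (for example a pasted OAuth client file).
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM private key block")
    return {"mode": "key", "principal": key["client_email"],
            "project_id": key["project_id"]}


if __name__ == "__main__":
    print(resolve_auth(None, SAMPLE_KEY_JSON))
    print(resolve_auth("runner@my-proj.iam.gserviceaccount.com", None))
```

Rejecting a configuration with both parameters set is deliberate: an operator who has migrated to a workload identity should not be left with a forgotten key still wired into the instance.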
Integrate Cloud Logging with Google SecOps SOAR
The Cloud Logging integration requires the following parameters:
| Parameter | Description |
|---|---|
| Workload Identity Email | Optional. The client email address of your workload identity. You can configure either this parameter or the User's Service Account parameter. To impersonate service accounts with the workload identity email address, grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the target service account to the identity that performs the impersonation. |
| User's Service Account | Optional. The content of the service account key JSON file. You can configure either this parameter or the Workload Identity Email parameter. To configure this parameter, provide the full content of the service account key JSON file that you downloaded when creating a service account. For more information about using service accounts as an authentication method, see Service accounts overview. |
| Quota Project ID | Optional. The Google Cloud project ID that you use for Google Cloud APIs and billing. Using a quota project requires the serviceusage.services.use permission on that project, which the Service Usage Consumer role (roles/serviceusage.serviceUsageConsumer) grants. The integration attaches this parameter value to all API requests. If you don't set a value for this parameter, the integration retrieves the quota project ID from your Google Cloud service account. |
| Organization ID | Optional. The organization ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
| Project ID | Optional. The project ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
| Verify SSL | Required. If selected, the integration verifies that the SSL certificate for connecting to Cloud Logging is valid. Selected by default. Leave it selected: clearing it disables certificate validation, so an on-path attacker could impersonate the API endpoint and read the credentials and log data the integration sends. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
The Cloud Logging integration includes the following actions:
Execute Query
Use the Execute Query action to execute custom queries in Cloud Logging.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute Query action requires the following parameters:
| Parameter | Description |
|---|---|
| Project ID | Optional. The project ID to use in the action. If you don't set a value for this parameter, the action uses the value from the integration configuration; if that is also not set, the integration retrieves the project ID from your Google Cloud service account. |
| Organization ID | Optional. The organization ID to use in the action. If you don't set a value for this parameter, the action uses the value from the integration configuration. |
| Query | Required. A query to find the logs, written in the Cloud Logging query language (the same filter syntax as the Logs Explorer). |
| Time Frame | Optional. The period to retrieve results from. The values include Last Hour; select Custom to define the period yourself with the Start Time and End Time parameters. |
| Start Time | Optional. The start time to retrieve results from. This parameter is required if you selected the Custom time frame. To configure this parameter, use the ISO 8601 format. |
| End Time | Optional. The end time to retrieve results to. Use it together with Start Time when you select the Custom time frame. To configure this parameter, use the ISO 8601 format. |
| Max Results To Return | Optional. The maximum number of results to return. The default value is 50. |
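The inputs above map onto one Cloud Logging entries.list request: Project ID or Organization ID becomes the resource name, Query plus the time frame becomes the filter, and Max Results To Return becomes the page size. The following added example (not the integration's own code) shows that mapping, including the edge cases of the Custom time frame: Start Time is mandatory, End Time defaults to now, naive timestamps without a UTC offset are rejected, and the user query is parenthesised so an OR inside it cannot escape the time window. The preset names other than Last Hour and Custom, and all function names, are assumptions for this example.

```python
"""Turn the Execute Query inputs into a Cloud Logging entries.list request.

Added example, not the integration's own code. It assumes the action submits
Query, Time Frame, Start Time, End Time and Max Results To Return as a single
entries.list call; presets other than Last Hour and Custom are assumed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

PRESET_WINDOWS = {
    "Last Hour": timedelta(hours=1),       # named in the parameter table
    "Last 24 Hours": timedelta(hours=24),  # assumed preset for this example
}
MAX_PAGE_SIZE = 1000  # entries.list rejects larger pageSize values
SAMPLE_NOW = datetime(2024, 9, 18, 10, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware UTC datetime.

    Naive timestamps are rejected rather than assumed to be UTC: a missing
    offset silently shifts the search window by the analyst's local offset.
    """
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {value!r} has no UTC offset")
    return dt.astimezone(timezone.utc)


def rfc3339(dt: datetime) -> str:
    """Format as the RFC 3339 string the Logging filter language compares."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def time_window(time_frame: str, start_time: Optional[str], end_time: Optional[str],
                now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Resolve Time Frame / Start Time / End Time into an absolute window."""
    now = now or datetime.now(timezone.utc)
    if time_frame == "Custom":
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = parse_iso8601(start_time)
        end = parse_iso8601(end_time) if end_time else now
    elif time_frame in PRESET_WINDOWS:
        start, end = now - PRESET_WINDOWS[time_frame], now
    else:
        raise ValueError(f"unknown Time Frame {time_frame!r}")
    if start >= end:
        raise ValueError("Start Time must be earlier than End Time")
    return start, end


def build_request(query: str, project_id: Optional[str] = None,
                  organization_id: Optional[str] = None, time_frame: str = "Last Hour",
                  start_time: Optional[str] = None, end_time: Optional[str] = None,
                  max_results: int = 50, now: Optional[datetime] = None) -> dict:
    """Build the entries.list request body for the given action inputs."""
    if not 1 <= max_results <= MAX_PAGE_SIZE:
        raise ValueError(f"Max Results To Return must be between 1 and {MAX_PAGE_SIZE}")
    resources = []
    if project_id:
        resources.append(f"projects/{project_id}")
    if organization_id:
        resources.append(f"organizations/{organization_id}")
    if not resources:
        raise ValueError("a Project ID or Organization ID is required")

    start, end = time_window(time_frame, start_time, end_time, now)
    clauses = [f'timestamp >= "{rfc3339(start)}"', f'timestamp <= "{rfc3339(end)}"']
    if query.strip():
        # Parenthesised so an OR inside the user query cannot swallow the window.
        clauses.insert(0, f"({query.strip()})")
    return {
        "resourceNames": resources,
        "filter": " AND ".join(clauses),
        "orderBy": "timestamp desc",  # newest first, so Max Results keeps the latest entries
        "pageSize": max_results,
    }


if __name__ == "__main__":
    print(build_request('resource.type="k8s_cluster"', project_id="PROJECT_ID", now=SAMPLE_NOW))
```

Ordering by timestamp descending matters when Max Results To Return is small: without it the API returns the oldest entries in the window first, and a playbook asking for the last 50 events would get the wrong end of the range.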
Action outputs
The Execute Query action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Execute Query action:

```json
[
  {
    "protoPayload": {
      "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
      "authenticationInfo": {
        "principalEmail": "system:clouddns"
      },
      "authorizationInfo": [
        {
          "granted": true,
          "permission": "io.k8s.coordination.v1.leases.update",
          "resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/clouddns-lock"
        }
      ],
      "methodName": "io.k8s.coordination.v1.leases.update",
      "requestMetadata": {
        "callerIp": "192.0.2.6",
        "callerSuppliedUserAgent": "clouddns-leader-election"
      },
      "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/clouddns-lock",
      "serviceName": "k8s.io",
      "status": {
        "code": 0
      }
    },
    "insertId": "ID",
    "resource": {
      "type": "k8s_cluster",
      "labels": {
        "cluster_name": "CLUSTER_NAME",
        "project_id": "PROJECT_ID",
        "location": "us-central1"
      }
    },
    "timestamp": "2024-09-18T09:46:38.647428Z",
    "labels": {
      "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:clouddns\" of ClusterRole \"system:clouddns-role\" to User \"system:clouddns\"",
      "authorization.k8s.io/decision": "allow"
    },
    "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
      "id": "ID",
      "producer": "k8s.io",
      "first": true,
      "last": true
    },
    "receiveTimestamp": "2024-09-18T09:46:39.063264993Z"
  }
]
```

Output messages
The Execute Query action provides the following output messages:
| Output message | Message description |
|---|---|
|  | The action succeeded. |
| Error executing action "Execute Query". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Execute Query action:
| Script result name | Value |
|---|---|
| is_success | True or False |
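The JSON result above is a Cloud Audit Log entry, and a playbook step that consumes it usually wants a handful of fields rather than the whole record: who acted, what they did, from where, whether authorization was granted, and why. The following added example (not part of the integration) triages a list of such entries offline. SAMPLE_RESULT holds the Kubernetes audit-log entry shown above plus a second entry constructed for this example, a denied read of a secret, so the failure path is exercised too. The function names are hypothetical.

```python
"""Triage the JSON result of the Execute Query action.

Added example, not part of the integration. SAMPLE_RESULT contains the audit
log entry from the page plus one constructed denied entry; the functions are
hypothetical helpers a playbook could call on the action's JSON result.
"""
import json
from typing import List, Optional

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# First entry: the example from the page. Second entry: constructed for this
# example to show a denied request from a non-system principal.
SAMPLE_RESULT = json.loads(r'''[
  {"protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {"principalEmail": "system:clouddns"},
    "authorizationInfo": [{"granted": true, "permission": "io.k8s.coordination.v1.leases.update",
      "resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/clouddns-lock"}],
    "methodName": "io.k8s.coordination.v1.leases.update",
    "requestMetadata": {"callerIp": "192.0.2.6", "callerSuppliedUserAgent": "clouddns-leader-election"},
    "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/clouddns-lock",
    "serviceName": "k8s.io", "status": {"code": 0}},
   "insertId": "ID",
   "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "CLUSTER_NAME", "project_id": "PROJECT_ID", "location": "us-central1"}},
   "timestamp": "2024-09-18T09:46:38.647428Z",
   "labels": {"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:clouddns\" of ClusterRole \"system:clouddns-role\" to User \"system:clouddns\"",
              "authorization.k8s.io/decision": "allow"},
   "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity",
   "operation": {"id": "ID", "producer": "k8s.io", "first": true, "last": true},
   "receiveTimestamp": "2024-09-18T09:46:39.063264993Z"},
  {"protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {"principalEmail": "alice@example.com"},
    "authorizationInfo": [{"granted": false, "permission": "io.k8s.core.v1.secrets.get",
      "resource": "core/v1/namespaces/kube-system/secrets/db-credentials"}],
    "methodName": "io.k8s.core.v1.secrets.get",
    "requestMetadata": {"callerIp": "203.0.113.9", "callerSuppliedUserAgent": "kubectl/v1.30.0"},
    "resourceName": "core/v1/namespaces/kube-system/secrets/db-credentials",
    "serviceName": "k8s.io", "status": {"code": 7, "message": "PERMISSION_DENIED"}},
   "insertId": "ID2",
   "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "CLUSTER_NAME", "project_id": "PROJECT_ID", "location": "us-central1"}},
   "timestamp": "2024-09-18T09:47:02.000000Z",
   "labels": {"authorization.k8s.io/reason": "", "authorization.k8s.io/decision": "forbid"},
   "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity",
   "receiveTimestamp": "2024-09-18T09:47:02.500000Z"}
]''')


def summarize_entry(entry: dict) -> Optional[dict]:
    """Flatten one audit log entry; return None for non-audit entries."""
    payload = entry.get("protoPayload") or {}
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None  # textPayload / jsonPayload entries need their own handling
    auth = payload.get("authorizationInfo") or []
    meta = payload.get("requestMetadata") or {}
    labels = entry.get("labels") or {}
    # logName ends in activity, data_access, system_event or policy; the
    # slash before it may arrive percent-encoded as shown on the page.
    log_name = (entry.get("logName") or "").replace("%2F", "/")
    return {
        "timestamp": entry.get("timestamp"),
        "log": log_name.rsplit("/", 1)[-1],
        "principal": (payload.get("authenticationInfo") or {}).get("principalEmail"),
        "method": payload.get("methodName"),
        "resource": payload.get("resourceName"),
        "caller_ip": meta.get("callerIp"),
        "user_agent": meta.get("callerSuppliedUserAgent"),
        # granted only if every permission check in the entry passed
        "granted": all(a.get("granted", False) for a in auth) if auth else None,
        "status_code": (payload.get("status") or {}).get("code", 0),
        "decision": labels.get("authorization.k8s.io/decision"),
        "reason": labels.get("authorization.k8s.io/reason"),
        "cluster": ((entry.get("resource") or {}).get("labels") or {}).get("cluster_name"),
    }


def triage(entries: List[dict]) -> List[dict]:
    """Summaries for every audit log entry in an Execute Query result."""
    return [s for s in (summarize_entry(e) for e in entries) if s]


def needs_attention(entries: List[dict]) -> List[dict]:
    """Entries a responder should look at first.

    Flags denied authorization, a non-zero status code, and any principal
    with a domain part: Kubernetes system components such as system:clouddns
    have none, while users and service accounts do.
    """
    flagged = []
    for s in triage(entries):
        external = bool(s["principal"]) and "@" in s["principal"]
        if s["granted"] is False or s["status_code"] != 0 or external:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for row in needs_attention(SAMPLE_RESULT):
        print(json.dumps(row, indent=2))
```

The granted flag is computed over all authorizationInfo elements rather than the first one, because a single request can carry several permission checks and a partially denied request is still worth a look.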
Ping
Use the Ping action to test the connectivity to Cloud Logging.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Ping action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully connected to the Cloud Logging server with the provided connection parameters! | The action succeeded. |
| Failed to connect to the Cloud Logging server! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Last updated 2026-02-19 UTC.