We have a requirement to ingest Google SecOps SOAR Audit Logs into the SIEM platform for monitoring. How can this be achieved?

We can view the audit logs in SecOps > SOAR Settings > Advanced > Audit. However, the requirement is to ingest them into the SIEM for correlation and for writing detections on the data.

Has anyone done this before?

Hi Reuban --

I’m almost positive Audit logs can be ingested the same way you’re ingesting your other logs. Sounds like the Audit logs are enabled, which is good. What is your ingestion method for the rest of your logs (BindPlane, API, forwarder, etc.)?

Hi [removed by moderator],

We are using the native direct ingestion approach for GCP Cloud Audit logs. Are SOAR logs also part of the Cloud Audit logs?


Hi,

I think the following guide will answer your question:
https://cloud.google.com/chronicle/docs/soar/investigate/collecting-soar-logs


Hi,

I had a similar requirement and we asked our account manager to enable SOAR logs for us. Now I can see SOAR logs in the GCP Logs Explorer. But when I try to add the filter to the export filter, it fails. My filter is the following:

(logName="projects/<project_name>/logs/soar-logs") AND (resource.labels.namespace_name="chronicle-soar")


It seems like ingesting SOAR Audit logs via GCP Cloud Audit will work once the migration to BYOP is completed.

The link shared by Eoved is for Standalone SOAR instance.
