Collect Oracle NetSuite logs

Supported in:

This document explains how to ingest Oracle NetSuite logs to Google Security Operations using Google Cloud Storage V2.

Oracle NetSuite is a cloud-based enterprise resource planning (ERP) platform that provides comprehensive business management capabilities including financial management, CRM, ecommerce, and inventory management. NetSuite generates audit logs for user logins, system changes, and API activity that can be queried through the SuiteQL REST API and ingested into Google SecOps for security monitoring and compliance.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • A GCP project with Cloud Storage, Cloud Run, Pub/Sub, and Cloud Scheduler APIs enabled
  • Permissions to create and manage GCS buckets
  • Permissions to manage IAM policies on GCS buckets
  • Permissions to create Cloud Run services, Pub/Sub topics, and Cloud Scheduler jobs
  • Administrator access to your Oracle NetSuite account
  • REST Web Services and OAuth 2.0 features enabled in your NetSuite account
  • Your NetSuite account ID (found at Setup > Company > Company Information)

Enable required NetSuite features

  1. Sign in to your NetSuite accountas an Administrator.
  2. Go to Setup > Company > Enable Features.
  3. Click the SuiteCloudsubtab.
  4. In the SuiteTalk (Web Services)section, select the REST Web Servicesbox.
  5. In the Manage Authenticationsection, select the OAuth 2.0box.
  6. Click Save.

Configure Oracle NetSuite OAuth 2.0 credentials

To enable the Cloud Run function to retrieve audit logs from NetSuite, you need to create an integration record with OAuth 2.0 client credentials authentication.

Create integration record

  1. Sign in to your NetSuite accountas an Administrator.
  2. Go to Setup > Integration > Manage Integrations > New.
  3. In the Namefield, enter Google SecOps Integration .
  4. In the Descriptionfield, enter Integration with Google SecOps for audit log ingestion .
  5. In the Statefield, select Enabled.
  6. Click the Authenticationsubtab.
  7. In the OAuth 2.0section, configure the following:
    • Select Client Credentials (Machine to Machine) Grant.
    • Select REST Web Services.
  8. Clear all boxes in the Token-based Authenticationsection.
  9. Click Save.

Record OAuth 2.0 credentials

After saving the integration record, NetSuite displays your OAuth 2.0 credentials:

  • Client ID: your unique client identifier
  • Client Secret: your API secret key

Generate certificate for OAuth 2.0 client credentials

The OAuth 2.0 client credentials flow requires a certificate for JWT signing. Generate an ECDSA certificate using OpenSSL:

  1. On a machine with OpenSSL installed, run the following command to generate a private key and certificate:

     openssl  
    req  
    -new  
    -x509  
    -newkey  
    ec  
     \ 
      
    -pkeyopt  
    ec_paramgen_curve:prime256v1  
     \ 
      
    -pkeyopt  
    ec_param_enc:named_curve  
     \ 
      
    -nodes  
    -days  
     730 
      
     \ 
      
    -out  
    public.pem  
    -keyout  
    private.pem 
    
  2. When prompted, enter the certificate subject fields (Country, State, Organization, and so on). For Common Name, enter Google SecOps Integration .

  3. The command generates two files:

    • private.pem : private key (keep this secure; used for JWT signing in the Cloud Run function)
    • public.pem : public certificate (upload to NetSuite)

Create OAuth 2.0 client credentials mapping

  1. In NetSuite, go to Setup > Integration > Manage Authentication > OAuth 2.0 Client Credentials (M2M) Setup.
  2. Click Create New.
  3. In the dialog, configure the following:
    • Entity: select the employee or user that will be associated with API requests.
    • Role: select a role that has the Log in using OAuth 2.0 Access Tokenspermission (see Required permissions ). Without this permission, the role does not appear in this list.
    • Application: select Google SecOps Integration .
  4. Click Choose Fileand upload the public.pem certificate file.
  5. Click Save.
  6. After saving, note the Certificate IDvalue displayed in the mapping list. This value is used as the kid (Key ID) in the JWT header.

Required permissions

The role assigned to the OAuth 2.0 mapping must have the following permissions:

Permission Access level Purpose
Log in using OAuth 2.0 Access Tokens
Full Allow the role to use OAuth 2.0 token login
REST Web Services
Full Execute REST API requests
Login Audit Trail
Full Access login audit trail data
SuiteAnalytics Workbook
View Access analytics data using SuiteQL

Create a custom role for the integration

  1. Go to Setup > Users/Roles > Manage Roles > New.
  2. In the Namefield, enter Google SecOps Integration Role .
  3. Click the Permissionssubtab.
  4. Click the Setupsub-subtab.
  5. Add the following permissions:
    • Log in using OAuth 2.0 Access Tokens: set to Full.
    • REST Web Services: set to Full.
    • Login Audit Trail: set to Full.
  6. Click the Reportssub-subtab.
  7. Add the following permission:
    • SuiteAnalytics Workbook: set to View.
  8. Click Save.

Verify permissions

To verify that the role has the required permissions, do the following:

  1. Sign in to NetSuite.
  2. Go to Setup > Users/Roles > Manage Roles.
  3. Find the Google SecOps Integration Role and click Edit.
  4. Verify that the permissions listed in Required permissions are present on the Permissionssubtab.

Test API access

  • Test your credentials before proceeding with the integration:

      # Replace with your actual values 
     ACCOUNT_ID 
     = 
     "your-account-id" 
     CLIENT_ID 
     = 
     "your-client-id" 
     CERTIFICATE_ID 
     = 
     "your-certificate-id" 
     PRIVATE_KEY_FILE 
     = 
     "private.pem" 
     # Generate JWT (requires Python 3 with PyJWT and cryptography) 
    pip  
    install  
    PyJWT  
    cryptography TOKEN 
     = 
     $( 
    python3  
    -c  
     " 
     import jwt, time, json 
     with open(' 
     ${ 
     PRIVATE_KEY_FILE 
     } 
     ', 'r') as f: 
     key = f.read() 
     now = int(time.time()) 
     payload = { 
     'iss': ' 
     ${ 
     CLIENT_ID 
     } 
     ', 
     'scope': ['restlets', 'rest_webservices'], 
     'aud': 'https:// 
     ${ 
     ACCOUNT_ID 
     } 
     .suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token', 
     'iat': now, 
     'exp': now + 3600 
     } 
     print(jwt.encode(payload, key, algorithm='ES256', headers={'kid': ' 
     ${ 
     CERTIFICATE_ID 
     } 
     ', 'typ': 'JWT'})) 
     " 
     ) 
     # Obtain access token 
     ACCESS_TOKEN 
     = 
     $( 
    curl  
    -s  
    -X  
    POST  
     \ 
      
     "https:// 
     ${ 
     ACCOUNT_ID 
     } 
     .suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token" 
      
     \ 
      
    -H  
     "Content-Type: application/x-www-form-urlencoded" 
      
     \ 
      
    -d  
     "grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion= 
     ${ 
     TOKEN 
     } 
     " 
      
     \ 
      
     | 
      
    python3  
    -c  
     "import sys,json; print(json.load(sys.stdin)['access_token'])" 
     ) 
     # Test SuiteQL query 
    curl  
    -s  
    -X  
    POST  
     \ 
      
     "https:// 
     ${ 
     ACCOUNT_ID 
     } 
     .suitetalk.api.netsuite.com/services/rest/query/v1/suiteql?limit=5" 
      
     \ 
      
    -H  
     "Authorization: Bearer 
     ${ 
     ACCESS_TOKEN 
     } 
     " 
      
     \ 
      
    -H  
     "Content-Type: application/json" 
      
     \ 
      
    -H  
     "Prefer: transient" 
      
     \ 
      
    -d  
     '{"q": "SELECT Date, Status, User, IPAddress FROM LoginAudit ORDER BY Date DESC"}' 
      
     \ 
      
     | 
      
    python3  
    -m  
    json.tool 
    

A successful response returns a JSON object with an items array containing login audit records.

Create Google Cloud Storage bucket

  1. Go to the Google Cloud Console .
  2. Select your project or create a new one.
  3. In the navigation menu, go to Cloud Storage > Buckets.
  4. Click Create bucket.
  5. Provide the following configuration details:

    Setting Value
    Name your bucket Enter a globally unique name (for example, netsuite-audit-logs )
    Location type Choose based on your needs (Region, Dual-region, Multi-region)
    Location Select the location (for example, us-central1 )
    Storage class Standard (recommended for frequently accessed logs)
    Access control Uniform (recommended)
    Protection tools Optional: Enable object versioning or retention policy
  6. Click Create.

The Cloud Run function needs a service account with permissions to write to a GCS bucket and be invoked by Pub/Sub.

  1. In the GCP Console, go to IAM & Admin > Service Accounts.
  2. Click Create Service Account.
  3. Provide the following configuration details:
    • Service account name: enter netsuite-audit-collector-sa .
    • Service account description: enter Service account for Cloud Run function to collect Oracle NetSuite audit logs .
  4. Click Create and Continue.
  5. In the Grant this service account access to projectsection, add the following roles:
    1. Click Select a role.
    2. Search for and select Storage Object Admin.
    3. Click + Add another role.
    4. Search for and select Cloud Run Invoker.
    5. Click + Add another role.
    6. Search for and select Cloud Functions Invoker.
  6. Click Continue.
  7. Click Done.

These roles are required for:

  • Storage Object Admin: write logs to GCS bucket and manage state files.
  • Cloud Run Invoker: allow Pub/Sub to invoke the function.
  • Cloud Functions Invoker: allow function invocation.

Grant IAM permissions on GCS bucket

  1. Go to Cloud Storage > Buckets.
  2. Click your bucket name ( netsuite-audit-logs ).
  3. Go to the Permissionstab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: enter the service account email ( netsuite-audit-collector-sa@PROJECT_ID.iam.gserviceaccount.com ).
    • Assign roles: select Storage Object Admin.
  6. Click Save.

Create Pub/Sub topic

Create a Pub/Sub topic that Cloud Scheduler will publish to and the Cloud Run function will subscribe to.

  1. In the GCP Console, go to Pub/Sub > Topics.
  2. Click Create topic.
  3. Provide the following configuration details:
    • Topic ID: enter netsuite-audit-trigger .
    • Leave other settings as default.
  4. Click Create.

Create Cloud Run function to collect logs

The Cloud Run function will be triggered by Pub/Sub messages from Cloud Scheduler to fetch audit logs from the Oracle NetSuite SuiteQL REST API and write them to GCS.

  1. In the GCP Console, go to Cloud Run.
  2. Click Create service.
  3. Select Function(use an inline editor to create a function).
  4. In the Configuresection, provide the following configuration details:

    Setting Value
    Service name netsuite-audit-collector
    Region Select region matching your GCS bucket (for example, us-central1 )
    Runtime Select Python 3.12or later
  5. In the Trigger (optional)section:

    1. Click + Add trigger.
    2. Select Cloud Pub/Sub.
    3. In Select a Cloud Pub/Sub topic, choose netsuite-audit-trigger .
    4. Click Save.
  6. In the Authenticationsection:

    1. Select Require authentication.
    2. Select Identity and Access Management (IAM).
  7. Scroll down and expand Containers, Networking, Security.

  8. Go to the Securitytab:

    • Service account: select netsuite-audit-collector-sa .
  9. Go to the Containerstab:

    1. Click Variables & Secrets.
    2. Click + Add variablefor each environment variable:
    Variable name Example value Description
    GCS_BUCKET
    netsuite-audit-logs GCS bucket name
    GCS_PREFIX
    netsuite-audit Prefix for log files
    STATE_KEY
    netsuite-audit/state.json State file path
    NS_ACCOUNT_ID
    123456 NetSuite account ID
    NS_CLIENT_ID
    your-client-id OAuth 2.0 Client ID
    NS_CERTIFICATE_ID
    your-certificate-id Certificate ID (kid) from M2M mapping
    NS_PRIVATE_KEY
    -----BEGIN EC PRIVATE KEY-----... ECDSA private key contents
    LOOKBACK_HOURS
    24 Initial lookback period
    PAGE_SIZE
    1000 Records per SuiteQL page (max 1000)
    MAX_RECORDS
    50000 Max records per run
  10. In the Variables & Secretssection, scroll down to Requests:

    • Request timeout: Enter 600 seconds (10 minutes)
  11. Go to the Settingstab:

    • In the Resourcessection:
      • Memory: select 512 MiBor higher.
      • CPU: select 1.
  12. In the Revision scalingsection:

    • Minimum number of instances: enter 0 .
    • Maximum number of instances: enter 100 .
  13. Click Create.

  14. Wait for the service to be created (1-2 minutes).

  15. After the service is created, the inline code editorwill open automatically.

Add function code

  1. Enter mainin the Entry pointfield.
  2. In the inline code editor, create two files:

    • main.py:

        import 
        
       functions_framework 
       from 
        
       google.cloud 
        
       import 
        storage 
       
       import 
        
       json 
       import 
        
       os 
       import 
        
       urllib3 
       import 
        
       urllib.parse 
       import 
        
       jwt 
       import 
        
       time 
       from 
        
       datetime 
        
       import 
       datetime 
       , 
       timezone 
       , 
       timedelta 
       http 
       = 
       urllib3 
       . 
       PoolManager 
       ( 
       timeout 
       = 
       urllib3 
       . 
       Timeout 
       ( 
       connect 
       = 
       10.0 
       , 
       read 
       = 
       60.0 
       ), 
       retries 
       = 
       False 
       , 
       ) 
       storage_client 
       = 
        storage 
       
       . 
        Client 
       
       () 
       GCS_BUCKET 
       = 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'GCS_BUCKET' 
       ) 
       GCS_PREFIX 
       = 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'GCS_PREFIX' 
       , 
       'netsuite-audit' 
       ) 
       STATE_KEY 
       = 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'STATE_KEY' 
       , 
       'netsuite-audit/state.json' 
       ) 
       NS_ACCOUNT_ID 
       = 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'NS_ACCOUNT_ID' 
       ) 
       NS_CLIENT_ID 
       = 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'NS_CLIENT_ID' 
       ) 
       NS_CERTIFICATE_ID 
       = 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'NS_CERTIFICATE_ID' 
       ) 
       NS_PRIVATE_KEY 
       = 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'NS_PRIVATE_KEY' 
       , 
       '' 
       ) 
       . 
       replace 
       ( 
       ' 
       \\ 
       n' 
       , 
       ' 
       \n 
       ' 
       ) 
       LOOKBACK_HOURS 
       = 
       int 
       ( 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'LOOKBACK_HOURS' 
       , 
       '24' 
       )) 
       PAGE_SIZE 
       = 
       int 
       ( 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'PAGE_SIZE' 
       , 
       '1000' 
       )) 
       MAX_RECORDS 
       = 
       int 
       ( 
       os 
       . 
       environ 
       . 
       get 
       ( 
       'MAX_RECORDS' 
       , 
       '50000' 
       )) 
       @functions_framework 
       . 
       cloud_event 
       def 
        
       main 
       ( 
       cloud_event 
       ): 
       if 
       not 
       all 
       ([ 
       GCS_BUCKET 
       , 
       NS_ACCOUNT_ID 
       , 
       NS_CLIENT_ID 
       , 
       NS_CERTIFICATE_ID 
       , 
       NS_PRIVATE_KEY 
       ]): 
       print 
       ( 
       'Error: Missing required environment variables' 
       ) 
       return 
       try 
       : 
       bucket 
       = 
       storage_client 
       . 
        bucket 
       
       ( 
       GCS_BUCKET 
       ) 
       state 
       = 
       load_state 
       ( 
       bucket 
       ) 
       now 
       = 
       datetime 
       . 
       now 
       ( 
       timezone 
       . 
       utc 
       ) 
       if 
       isinstance 
       ( 
       state 
       , 
       dict 
       ) 
       and 
        state 
       
       . 
       get 
       ( 
       'last_event_time' 
       ): 
       try 
       : 
       last_val 
       = 
       state 
       [ 
       'last_event_time' 
       ] 
       if 
       last_val 
       . 
       endswith 
       ( 
       'Z' 
       ): 
       last_val 
       = 
       last_val 
       [: 
       - 
       1 
       ] 
       + 
       '+00:00' 
       last_time 
       = 
       datetime 
       . 
       fromisoformat 
       ( 
       last_val 
       ) 
       last_time 
       = 
       last_time 
       - 
       timedelta 
       ( 
       minutes 
       = 
       2 
       ) 
       except 
       Exception 
       as 
       e 
       : 
       print 
       ( 
       f 
       "Warning: Could not parse last_event_time: 
       { 
       e 
       } 
       " 
       ) 
       last_time 
       = 
       now 
       - 
       timedelta 
       ( 
       hours 
       = 
       LOOKBACK_HOURS 
       ) 
       else 
       : 
       last_time 
       = 
       now 
       - 
       timedelta 
       ( 
       hours 
       = 
       LOOKBACK_HOURS 
       ) 
       print 
       ( 
       f 
       "Fetching logs from 
       { 
       last_time 
       . 
       isoformat 
       () 
       } 
       to 
       { 
       now 
       . 
       isoformat 
       () 
       } 
       " 
       ) 
       access_token 
       = 
       get_access_token 
       () 
       login_audits 
       = 
       fetch_login_audit 
       ( 
       access_token 
       , 
       last_time 
       , 
       now 
       ) 
       system_notes 
       = 
       fetch_system_notes 
       ( 
       access_token 
       , 
       last_time 
       , 
       now 
       ) 
       all_records 
       = 
       [] 
       for 
       record 
       in 
       login_audits 
       : 
       record 
       [ 
       '_netsuite_record_type' 
       ] 
       = 
       'login_audit' 
       all_records 
       . 
       append 
       ( 
       record 
       ) 
       for 
       record 
       in 
       system_notes 
       : 
       record 
       [ 
       '_netsuite_record_type' 
       ] 
       = 
       'system_note' 
       all_records 
       . 
       append 
       ( 
       record 
       ) 
       if 
       not 
       all_records 
       : 
       print 
       ( 
       "No new records found." 
       ) 
       save_state 
       ( 
       bucket 
       , 
       now 
       . 
       isoformat 
       ()) 
       return 
       timestamp 
       = 
       now 
       . 
       strftime 
       ( 
       '%Y%m 
       %d 
       _%H%M%S' 
       ) 
       object_key 
       = 
       f 
       " 
       { 
       GCS_PREFIX 
       } 
       /netsuite_audit_ 
       { 
       timestamp 
       } 
       .ndjson" 
       blob 
       = 
       bucket 
       . 
       blob 
       ( 
       object_key 
       ) 
       ndjson 
       = 
       ' 
       \n 
       ' 
       . 
       join 
       ( 
       [ 
       json 
       . 
       dumps 
       ( 
       r 
       , 
       ensure_ascii 
       = 
       False 
       , 
       default 
       = 
       str 
       ) 
       for 
       r 
       in 
       all_records 
       ] 
       ) 
       + 
       ' 
       \n 
       ' 
       blob 
       . 
        upload_from_string 
       
       ( 
       ndjson 
       , 
       content_type 
       = 
       'application/x-ndjson' 
       ) 
       print 
       ( 
       f 
       "Wrote 
       { 
       len 
       ( 
       all_records 
       ) 
       } 
       records to gs:// 
       { 
       GCS_BUCKET 
       } 
       / 
       { 
       object_key 
       } 
       " 
       ) 
       newest 
       = 
       find_newest_time 
       ( 
       login_audits 
       , 
       system_notes 
       ) 
       save_state 
       ( 
       bucket 
       , 
       newest 
       if 
       newest 
       else 
       now 
       . 
       isoformat 
       ()) 
       print 
       ( 
       f 
       "Successfully processed 
       { 
       len 
       ( 
       all_records 
       ) 
       } 
       records " 
       f 
       "(login_audit: 
       { 
       len 
       ( 
       login_audits 
       ) 
       } 
       , system_note: 
       { 
       len 
       ( 
       system_notes 
       ) 
       } 
       )" 
       ) 
       except 
       Exception 
       as 
       e 
       : 
       print 
       ( 
       f 
       'Error processing logs: 
       { 
       str 
       ( 
       e 
       ) 
       } 
       ' 
       ) 
       raise 
       def 
        
       get_access_token 
       (): 
       token_url 
       = 
       ( 
       f 
       "https:// 
       { 
       NS_ACCOUNT_ID 
       } 
       .suitetalk.api.netsuite.com" 
       f 
       "/services/rest/auth/oauth2/v1/token" 
       ) 
       now 
       = 
       int 
       ( 
       time 
       . 
       time 
       ()) 
       payload 
       = 
       { 
       'iss' 
       : 
       NS_CLIENT_ID 
       , 
       'scope' 
       : 
       [ 
       'restlets' 
       , 
       'rest_webservices' 
       ], 
       'aud' 
       : 
       token_url 
       , 
       'iat' 
       : 
       now 
       , 
       'exp' 
       : 
       now 
       + 
       3600 
       , 
       } 
       client_assertion 
       = 
       jwt 
       . 
       encode 
       ( 
       payload 
       , 
       NS_PRIVATE_KEY 
       , 
       algorithm 
       = 
       'ES256' 
       , 
       headers 
       = 
       { 
       'kid' 
       : 
       NS_CERTIFICATE_ID 
       , 
       'typ' 
       : 
       'JWT' 
       }, 
       ) 
       body 
       = 
       urllib 
       . 
       parse 
       . 
       urlencode 
       ({ 
       'grant_type' 
       : 
       'client_credentials' 
       , 
       'client_assertion_type' 
       : 
       'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' 
       , 
       'client_assertion' 
       : 
       client_assertion 
       , 
       }) 
       . 
       encode 
       ( 
       'utf-8' 
       ) 
       response 
       = 
       http 
       . 
       request 
       ( 
       'POST' 
       , 
       token_url 
       , 
       body 
       = 
       body 
       , 
       headers 
       = 
       { 
       'Content-Type' 
       : 
       'application/x-www-form-urlencoded' 
       }, 
       ) 
       if 
       response 
       . 
       status 
       != 
       200 
       : 
       raise 
       Exception 
       ( 
       f 
       "Token request failed: 
       { 
       response 
       . 
       status 
       } 
       - " 
       f 
       " 
       { 
       response 
       . 
       data 
       . 
       decode 
       ( 
       'utf-8' 
       ) 
       } 
       " 
       ) 
       data 
       = 
       json 
       . 
       loads 
       ( 
       response 
       . 
       data 
       . 
       decode 
       ( 
       'utf-8' 
       )) 
       access_token 
       = 
       data 
       . 
       get 
       ( 
       'access_token' 
       ) 
       if 
       not 
       access_token 
       : 
       raise 
       Exception 
       ( 
       "No access_token in token response" 
       ) 
       print 
       ( 
       "Successfully obtained NetSuite OAuth 2.0 access token" 
       ) 
       return 
       access_token 
       def 
        
       run_suiteql 
       ( 
       access_token 
       , 
       query 
       , 
       page_size 
       = 
       1000 
       , 
       max_records 
       = 
       50000 
       ): 
       base_url 
       = 
       ( 
       f 
       "https:// 
       { 
       NS_ACCOUNT_ID 
       } 
       .suitetalk.api.netsuite.com" 
       f 
       "/services/rest/query/v1/suiteql" 
       ) 
       headers 
       = 
       { 
       'Authorization' 
       : 
       f 
       'Bearer 
       { 
       access_token 
       } 
       ' 
       , 
       'Content-Type' 
       : 
       'application/json' 
       , 
       'Prefer' 
       : 
       'transient' 
       , 
       } 
       all_items 
       = 
       [] 
       offset 
       = 
       0 
       backoff 
       = 
       1.0 
       while 
       True 
       : 
       if 
       len 
       ( 
       all_items 
       ) 
      > = 
       max_records 
       : 
       print 
       ( 
       f 
       "Reached max_records limit ( 
       { 
       max_records 
       } 
       )" 
       ) 
       break 
       url 
       = 
       f 
       " 
       { 
       base_url 
       } 
       ?limit= 
       { 
       page_size 
       } 
      & offset= 
       { 
       offset 
       } 
       " 
       body 
       = 
       json 
       . 
       dumps 
       ({ 
       'q' 
       : 
       query 
       }) 
       . 
       encode 
       ( 
       'utf-8' 
       ) 
       try 
       : 
       response 
       = 
       http 
       . 
       request 
       ( 
       'POST' 
       , 
       url 
       , 
       body 
       = 
       body 
       , 
       headers 
       = 
       headers 
       ) 
       if 
       response 
       . 
       status 
       == 
       429 
       : 
       retry_after 
       = 
       int 
       ( 
       response 
       . 
       headers 
       . 
       get 
       ( 
       'Retry-After' 
       , 
       str 
       ( 
       int 
       ( 
       backoff 
       )))) 
       print 
       ( 
       f 
       "Rate limited (429). Retrying after 
       { 
       retry_after 
       } 
       s..." 
       ) 
       time 
       . 
       sleep 
       ( 
       retry_after 
       ) 
       backoff 
       = 
       min 
       ( 
       backoff 
       * 
       2 
       , 
       60.0 
       ) 
       continue 
       backoff 
       = 
       1.0 
       if 
       response 
       . 
       status 
       != 
       200 
       : 
       print 
       ( 
       f 
       "SuiteQL error: 
       { 
       response 
       . 
       status 
       } 
       - " 
       f 
       " 
       { 
       response 
       . 
       data 
       . 
       decode 
       ( 
       'utf-8' 
       ) 
       } 
       " 
       ) 
       break 
       data 
       = 
       json 
       . 
       loads 
       ( 
       response 
       . 
       data 
       . 
       decode 
       ( 
       'utf-8' 
       )) 
       items 
       = 
       data 
       . 
       get 
       ( 
       'items' 
       , 
       []) 
       if 
       not 
       items 
       : 
       break 
       all_items 
       . 
       extend 
       ( 
       items 
       ) 
       page_num 
       = 
       ( 
       offset 
       // 
       page_size 
       ) 
       + 
       1 
       print 
       ( 
       f 
       "Page 
       { 
       page_num 
       } 
       : Retrieved 
       { 
       len 
       ( 
       items 
       ) 
       } 
       records " 
       f 
       "(total: 
       { 
       len 
       ( 
       all_items 
       ) 
       } 
       )" 
       ) 
       has_more 
       = 
       data 
       . 
       get 
       ( 
       'hasMore' 
       , 
       False 
       ) 
       if 
       not 
       has_more 
       : 
       break 
       offset 
       += 
       len 
       ( 
       items 
       ) 
       except 
       Exception 
       as 
       e 
       : 
       print 
       ( 
       f 
       "Error executing SuiteQL query: 
       { 
       e 
       } 
       " 
       ) 
       break 
       return 
       all_items 
       def 
        
       fetch_login_audit 
       ( 
       access_token 
       , 
       start_time 
       , 
       end_time 
       ): 
       start_str 
       = 
       start_time 
       . 
       strftime 
       ( 
       '%m/ 
       %d 
       /%Y %H:%M:%S' 
       ) 
       end_str 
       = 
       end_time 
       . 
       strftime 
       ( 
       '%m/ 
       %d 
       /%Y %H:%M:%S' 
       ) 
       query 
       = 
       ( 
       "SELECT " 
       "LoginAudit.Date, " 
       "LoginAudit.Status, " 
       "LoginAudit.User, " 
       "BUILTIN.DF(LoginAudit.User) AS Username, " 
       "LoginAudit.EmailAddress, " 
       "LoginAudit.Role, " 
       "BUILTIN.DF(LoginAudit.Role) AS Rolename, " 
       "LoginAudit.IPAddress, " 
       "LoginAudit.UserAgent, " 
       "LoginAudit.Detail, " 
       "LoginAudit.oAuthAppName, " 
       "LoginAudit.oAuthAccessTokenName, " 
       "LoginAudit.requestUri " 
       "FROM LoginAudit " 
       f 
       "WHERE LoginAudit.Date >= TO_DATE(' 
       { 
       start_str 
       } 
       ', 'MM/DD/YYYY HH24:MI:SS') " 
       f 
       "AND LoginAudit.Date <= TO_DATE(' 
       { 
       end_str 
       } 
       ', 'MM/DD/YYYY HH24:MI:SS') " 
       "ORDER BY LoginAudit.Date ASC" 
       ) 
       print 
       ( 
       "Fetching LoginAudit records..." 
       ) 
       return 
       run_suiteql 
       ( 
       access_token 
       , 
       query 
       , 
       PAGE_SIZE 
       , 
       MAX_RECORDS 
       ) 
       def 
        
       fetch_system_notes 
       ( 
       access_token 
       , 
       start_time 
       , 
       end_time 
       ): 
       start_str 
       = 
       start_time 
       . 
       strftime 
       ( 
       '%m/ 
       %d 
       /%Y %H:%M:%S' 
       ) 
       end_str 
       = 
       end_time 
       . 
       strftime 
       ( 
       '%m/ 
       %d 
       /%Y %H:%M:%S' 
       ) 
       query 
       = 
       ( 
       "SELECT " 
       "SystemNote.Date, " 
       "SystemNote.RecordTypeID, " 
       "BUILTIN.DF(SystemNote.RecordTypeID) AS RecordType, " 
       "SystemNote.RecordID, " 
       "SystemNote.Field, " 
       "SystemNote.OldValue, " 
       "SystemNote.NewValue, " 
       "SystemNote.Name AS EmployeeID, " 
       "BUILTIN.DF(SystemNote.Name) AS EmployeeName, " 
       "SystemNote.Role, " 
       "BUILTIN.DF(SystemNote.Role) AS RoleName, " 
       "SystemNote.Context, " 
       "BUILTIN.DF(SystemNote.Context) AS ContextName " 
       "FROM SystemNote " 
       f 
       "WHERE SystemNote.Date >= TO_DATE(' 
       { 
       start_str 
       } 
       ', 'MM/DD/YYYY HH24:MI:SS') " 
       f 
       "AND SystemNote.Date <= TO_DATE(' 
       { 
       end_str 
       } 
       ', 'MM/DD/YYYY HH24:MI:SS') " 
       "ORDER BY SystemNote.Date ASC" 
       ) 
       print 
       ( 
       "Fetching SystemNote records..." 
       ) 
       return 
       run_suiteql 
       ( 
       access_token 
       , 
       query 
       , 
       PAGE_SIZE 
       , 
       MAX_RECORDS 
       ) 
       def 
        
       find_newest_time 
       ( 
       login_audits 
       , 
       system_notes 
       ): 
       newest 
       = 
       None 
       for 
       r 
       in 
       login_audits 
       : 
       t 
       = 
       r 
       . 
       get 
       ( 
       'date' 
       ) 
       if 
       t 
       and 
       ( 
       newest 
       is 
       None 
       or 
       t 
      > newest 
       ): 
       newest 
       = 
       t 
       for 
       r 
       in 
       system_notes 
       : 
       t 
       = 
       r 
       . 
       get 
       ( 
       'date' 
       ) 
       if 
       t 
       and 
       ( 
       newest 
       is 
       None 
       or 
       t 
      > newest 
       ): 
       newest 
       = 
       t 
       return 
       newest 
       def 
        
       load_state 
       ( 
       bucket 
       ): 
       try 
       : 
       blob 
       = 
       bucket 
       . 
       blob 
       ( 
       STATE_KEY 
       ) 
       if 
       blob 
       . 
       exists 
       (): 
       return 
       json 
       . 
       loads 
       ( 
       blob 
       . 
        download_as_text 
       
       ()) 
       except 
       Exception 
       as 
       e 
       : 
       print 
       ( 
       f 
       "Warning: Could not load state: 
       { 
       e 
       } 
       " 
       ) 
       return 
       {} 
       def 
        
       save_state 
       ( 
       bucket 
       , 
       last_event_time_iso 
       ): 
       try 
       : 
       state 
       = 
       { 
       'last_event_time' 
       : 
       last_event_time_iso 
       , 
       'last_run' 
       : 
       datetime 
       . 
       now 
       ( 
       timezone 
       . 
       utc 
       ) 
       . 
       isoformat 
       () 
       } 
       blob 
       = 
       bucket 
       . 
       blob 
       ( 
       STATE_KEY 
       ) 
       blob 
       . 
        upload_from_string 
       
       ( 
       json 
       . 
       dumps 
       ( 
       state 
       , 
       indent 
       = 
       2 
       ), 
       content_type 
       = 
       'application/json' 
       ) 
       print 
       ( 
       f 
       "Saved state: last_event_time= 
       { 
       last_event_time_iso 
       } 
       " 
       ) 
       except 
       Exception 
       as 
       e 
       : 
       print 
       ( 
       f 
       "Warning: Could not save state: 
       { 
       e 
       } 
       " 
       ) 
       
      
    • requirements.txt:

       functions-framework==3.*
      google-cloud-storage==2.*
      urllib3>=2.0.0
      PyJWT[crypto]>=2.8.0 
      
  3. Click Deployto save and deploy the function.

  4. Wait for deployment to complete (2-3 minutes).

Create Cloud Scheduler job

Cloud Scheduler will publish messages to the Pub/Sub topic at regular intervals, triggering the Cloud Run function.

  1. In the GCP Console, go to Cloud Scheduler.
  2. Click Create Job.
  3. Provide the following configuration details:

    Setting Value
    Name netsuite-audit-collector-hourly
    Region Select same region as Cloud Run function
    Frequency 0 * * * * (every hour, on the hour)
    Timezone Select timezone (UTC recommended)
    Target type Pub/Sub
    Topic Select netsuite-audit-trigger
    Message body {} (empty JSON object)
  4. Click Create.

Schedule frequency options

Choose the frequency based on log volume and latency requirements:

Frequency Cron expression Use case
Every 15 minutes
*/15 * * * * High-volume, low-latency
Every hour
0 * * * * Standard (recommended)
Every 6 hours
0 */6 * * * Low volume, batch processing
Daily
0 0 * * * Historical data collection

Test the integration

  1. In the Cloud Schedulerconsole, find your job ( netsuite-audit-collector-hourly ).
  2. Click Force runto trigger the job manually.
  3. Wait a few seconds.
  4. Go to Cloud Run > Services.
  5. Click netsuite-audit-collector .
  6. Click the Logstab.
  7. Verify that the function executed successfully. Look for:

     Fetching logs from YYYY-MM-DDTHH:MM:SS+00:00 to YYYY-MM-DDTHH:MM:SS+00:00
    Successfully obtained NetSuite OAuth 2.0 access token
    Fetching LoginAudit records...
    Page 1: Retrieved X records (total: X)
    Fetching SystemNote records...
    Page 1: Retrieved X records (total: X)
    Wrote X records to gs://netsuite-audit-logs/netsuite-audit/netsuite_audit_YYYYMMDD_HHMMSS.ndjson
    Successfully processed X records (login_audit: X, system_note: X) 
    
  8. Go to Cloud Storage > Buckets.

  9. Click netsuite-audit-logs .

  10. Navigate to the netsuite-audit/ folder.

  11. Verify that a new .ndjson file was created with the current timestamp.

If you see errors in the logs:

  • HTTP 401: verify that the NS_CLIENT_ID , NS_CERTIFICATE_ID , and NS_PRIVATE_KEY environment variables are correct.
  • HTTP 403: verify that the NetSuite role has Log in using OAuth 2.0 Access Tokens (Full) , REST Web Services (Full) , and Login Audit Trail (Full) permissions.
  • HTTP 429: rate limiting — the function will automatically retry with exponential backoff.
  • Missing environment variables: verify all required variables are set in the Cloud Run function configuration.
  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Click Configure a single feed.
  4. In the Feed namefield, enter a name for the feed (for example, NetSuite Audit Logs ).
  5. Select Google Cloud Storage V2as the Source type.
  6. Select Oracle NetSuiteas the Log type.
  7. Click Get Service Account. A unique service account email will be displayed, for example:

     chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com 
    
  8. Copy this email address for use in the next step.

  9. Click Next.

  10. Specify values for the following input parameters:

    • Storage bucket URL: enter the GCS bucket URI with the prefix path:

       gs://netsuite-audit-logs/netsuite-audit/ 
      
    • Source deletion option: select the deletion option according to your preference:

      • Never: never deletes any files after transfers (recommended for testing).
      • Delete transferred files: deletes files after successful transfer.
      • Delete transferred files and empty directories: deletes files and empty directories after successful transfer.

    • Maximum File Age: include files modified in the last number of days (default is 180 days).

    • Asset namespace: the asset namespace .

    • Ingestion labels: the label to be applied to the events from this feed.

  11. Click Next.

  12. Review your new feed configuration in the Finalizescreen, and then click Submit.

The Google SecOps service account needs the Storage Object Viewerrole on your GCS bucket.

  1. Go to Cloud Storage > Buckets.
  2. Click netsuite-audit-logs .
  3. Go to the Permissionstab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: paste the Google SecOps service account email.
    • Assign roles: select Storage Object Viewer.
  6. Click Save.

NetSuite API rate limits

NetSuite REST API has the following governance limits:

Limit type Value
Concurrency limit 10 concurrent requests per integration
SuiteQL query results per page 1,000 rows maximum
SuiteQL total results 100,000 rows per query

The Cloud Run function automatically handles rate limiting with exponential backoff.

UDM mapping table

Log field UDM mapping Logic
Login_Audit_Trail_Access_Token_Name_label
additional.fields Merged
Login_Audit_Trail_Detail_label
additional.fields Merged
additional_preview
additional.fields Merged
detail_label
additional.fields Merged
role_change_label
additional.fields Merged
sec_challenge_label
additional.fields Merged
oauthaccesstokenname
extensions.auth.auth_details Directly mapped
has_principal
extensions.auth.type Mapped: true AUTHTYPE_UNSPECIFIED
column7
metadata.description Directly mapped
msg
metadata.description Directly mapped
Role_Change_Date
metadata.event_timestamp Parsed as M/d/yyyy h:mm a
date
metadata.event_timestamp Parsed as M/d/yyyy h:mm:ss a
result.Login_Audit_Trail_Date
metadata.event_timestamp Parsed as LDAP
ts
metadata.event_timestamp Parsed as MMM d HH:mm:ss
has_principal
metadata.event_type Mapped: true USER_LOGIN , true STATUS_UPDATE
has_principal_user
metadata.event_type Mapped: true USER_UNCATEGORIZED
column1
metadata.product_event_type Directly mapped
log_type
metadata.product_event_type Directly mapped
useragent
network.http.parsed_user_agent Directly mapped
Login_Audit_Trail_User_Agent
network.http.user_agent Directly mapped
result.Login_Audit_Trail_User_Agent
network.http.user_agent Directly mapped
useragent
network.http.user_agent Directly mapped
Login_Audit_Trail_Application
principal.application Directly mapped
column10
principal.application Directly mapped
oauthappname
principal.application Directly mapped
result.host
principal.asset.hostname Directly mapped
column3
principal.asset.ip Merged
ipaddress
principal.asset.ip Merged
result.Login_Audit_Trail_IP_Address
principal.asset.ip Directly mapped
src_ip
principal.asset.ip Merged
result.host
principal.hostname Directly mapped
column3
principal.ip Merged
ipaddress
principal.ip Merged
result.Login_Audit_Trail_IP_Address
principal.ip Directly mapped
src_ip
principal.ip Merged
Login_Audit_Trail_Role_label
principal.user.attribute.labels Merged
login_audits_role_label
principal.user.attribute.labels Merged
supervisor_label
principal.user.attribute.labels Merged
role
principal.user.attribute.roles Merged
Email
principal.user.email_addresses Mapped: ^.+@.+$ Email
column2
principal.user.email_addresses Merged
emailaddress
principal.user.email_addresses Mapped: ^.+@.+$ emailaddress
result.Login_Audit_Trail_Email_Address
principal.user.email_addresses Merged
Job_Title
principal.user.title Directly mapped
Name
principal.user.user_display_name Directly mapped
Login_Audit_Trail_User
principal.user.userid Directly mapped
result.Login_Audit_Trail_User
principal.user.userid Directly mapped
user
principal.user.userid Directly mapped
Login_Audit_Trail_Security_Challenge_label
security_result.about.resource.attribute.labels Merged
security_result_action
security_result.action Merged
Login_Audit_Trail_Status
security_result.summary Directly mapped
result.Login_Audit_Trail_Status
security_result.summary Directly mapped
api_type_label
target.resource.attribute.labels Merged
Login_Audit_Trail_Request_URI
target.url Directly mapped
result.Login_Audit_Trail_Request_URI
target.url Directly mapped
N/A
extensions.auth.type Constant: AUTHTYPE_UNSPECIFIED
N/A
metadata.event_type Constant: USER_LOGIN
N/A
network.http.parsed_user_agent Constant: parseduseragent

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.

Create a Mobile Website
View Site in Mobile | Classic
Share by: