Collect Google SecOps SOAR logs
Supported in:
Google secops
You can manage and monitor Google Security Operations SOAR logs in the Google Cloud Logs Explorer. You can
also use Google Cloud tools to set up special metrics and alerts
that are triggered by specific events in your SOAR operation logs.
The logs capture essential data from SOAR's ETL, playbook, and Python functions.
The types of captured data include the running of Python scripts, alert
ingestion, and playbook performance.
Access Google SecOps SOAR logs
Google SecOps SOAR logs are written in a separate namespace called chronicle-soar and are categorized by the service that generated the log.
To access Google SecOps SOAR logs, do the following:
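1. In the Google Cloud console, go to Logging > Logs Explorer.
2. Select the Google SecOps Google Cloud project.
3. Enter the following filter in the field and click Run Query:
   resource.labels.namespace_name="chronicle-soar"
4. To filter logs from a specific service, enter the following filters in the box and click Run Query:
   resource.labels.namespace_name="chronicle-soar"
   resource.labels.container_name="<container_name>"
   where the values include playbook, python or etl.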
Playbook labels
Playbook log labels provide a more efficient and convenient way to refine a query
scope. All labels are located in the labels section of each
log message.
To narrow the log scope, expand the log message, right-click each label, and
hide or show specific logs.
The following labels are available:
playbook_definition
playbook_name
block_name
block_definition
case_id
correlation_id
integration_name
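action_name
Note: The correlation_id label retrieves logs from both the playbook and associated Python services. The logs therefore provide complete tracing and analysis of an entire playbook execution.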
Python logs
The following logs are available for the Python service:
resource.labels.container_name="python"
Integration and Connector labels:
integration_name
integration_version
connector_name
connector_instance
Job labels:
integration_name
integration_version
job_name
Action labels:
integration_name
integration_version
integration_instance
correlation_id
action_name
ETL logs
The following logs are available for the ETL service:
resource.labels.container_name="etl"
ETL labels:
correlation_id
For example, to provide the ingestion flow for an alert, filter by correlation_id.
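The filters and labels above can be composed programmatically. This is an added example, not Google's code: it builds a Logs Explorer filter from the labels this page lists, escapes values so a case or correlation ID cannot alter the query, and follows one correlation_id across services in constructed sample entries. Assumptions: the labels are matched as `labels.<name>` (the LogEntry top-level labels map), and the names `build_filter`, `quote`, `entry` and `trace` are hypothetical.

```python
NAMESPACE = "chronicle-soar"
# Labels per container_name value, as listed on this page.
LABELS = {
    "playbook": {"playbook_definition", "playbook_name", "block_name", "block_definition",
                 "case_id", "correlation_id", "integration_name", "action_name"},
    "python": {"integration_name", "integration_version", "integration_instance", "job_name",
               "connector_name", "connector_instance", "correlation_id", "action_name"},
    "etl": {"correlation_id"},
}

def quote(value):
    """Double-quote a value, escaping backslashes and quotes so it cannot alter the filter."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_filter(container=None, **labels):
    """Build a Logs Explorer filter; one comparison per line is an implicit AND."""
    if container is not None and container not in LABELS:
        raise ValueError(f"unknown container_name: {container!r}")
    allowed = LABELS[container] if container else set().union(*LABELS.values())
    clauses = [f"resource.labels.namespace_name={quote(NAMESPACE)}"]
    if container:
        clauses.append(f"resource.labels.container_name={quote(container)}")
    for key in sorted(labels):
        if key not in allowed:
            raise ValueError(f"label {key!r} is not listed for {container or 'any service'}")
        # Assumption: the labels are in the LogEntry top-level "labels" map.
        clauses.append(f"labels.{key}={quote(labels[key])}")
    return "\n".join(clauses)

def entry(ts, container, **labels):
    """Constructed sample log entry holding only the fields used here."""
    return {"timestamp": ts, "labels": labels,
            "resource": {"labels": {"namespace_name": NAMESPACE, "container_name": container}}}

# Constructed sample data, not real SOAR output.
SAMPLE = [
    entry("2025-01-01T10:00:03Z", "python", correlation_id="c-1", action_name="Ping"),
    entry("2025-01-01T10:00:01Z", "etl", correlation_id="c-9"),
    entry("2025-01-01T10:00:02Z", "playbook", correlation_id="c-1", case_id="42"),
    entry("2025-01-01T10:00:02Z", "playbook", correlation_id="c-2", case_id="43"),
]

def trace(entries, correlation_id):
    """Follow one correlation_id across services, oldest entry first."""
    hits = [e for e in entries if e["labels"].get("correlation_id") == correlation_id]
    return [(e["timestamp"], e["resource"]["labels"]["container_name"])
            for e in sorted(hits, key=lambda e: e["timestamp"])]

print(build_filter("python", correlation_id="c-1"), trace(SAMPLE, "c-1"), sep="\n")
```

Omitting the container argument produces a filter that spans the playbook and Python services for the same correlation_id.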
Last updated 2025-09-04 UTC.