This guide will explain how to export Cloud Identity Devices logs into Google Security Operations using Cloud Storage. The parser extracts fields from JSON logs, transforms specific fields likedeviceTypeand dates, and maps them to the UDM, creating anasset_entityrepresenting the device and enriching it with hardware and metadata information.
Before You Begin
Ensure that you have the following prerequisites:
Google Cloud Identity is enabled in your Google Cloud project.
Google SecOps instance.
Privileged access to Google Cloud Identity and Cloud Logging.
On theCreate a bucketpage, enter your bucket information. After each of the following steps, clickContinueto proceed to the next step:
In theGet startedsection, do the following:
Enter a unique name that meets the bucket name requirements; for example,gcp-cloudidentity-devices-logs.
To enable hierarchical namespace, click the expander arrow to expand theOptimize for file oriented and data-intensive workloadssection, and then selectEnable Hierarchical namespace on this bucket.
To add a bucket label, click the expander arrow to expand theLabelssection.
ClickAdd label, and specify a key and a value for your label.
In theChoose where to store your datasection, do the following:
Select aLocation type.
Use the location type menu to select aLocationwhere object data within your bucket will be permanently stored.
To set up cross-bucket replication, expand theSet up cross-bucket replicationsection.
In theChoose a storage class for your datasection, either select a default storage class for the bucket, or selectAutoclassfor automatic storage class management of your bucket's data.
In theChoose how to control access to objectssection, clearEnforce public access prevention, and select anAccess controlmodel for your bucket's objects.
In theChoose how to protect object datasection, do the following:
Select any of the options underData protectionthat you want to set for your bucket.
To choose how your object data will be encrypted, click the expander arrow labeledData encryption, and select a data encryption method.
Value is set tosecurityPatchTime. Used as part of a label.
securityPatchTime
entity.entity.asset.attribute.labels.value
Directly mapped. Used as part of a label.
serialNumber
entity.entity.asset.hardware.serial_number
Directly mapped. Copied from the top-levelcreate_timefield in the raw log. Value is set toASSET. Value is set toGCP Cloud Identity Devices. Value is set toGoogle Cloud Platform. Copied from the top-levelcreate_timefield in the raw log.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide outlines how to export Cloud Identity Devices logs to Google Security Operations (SecOps) using Cloud Storage.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves creating a Cloud Storage bucket, configuring Cloud Identity Devices logs export via Logging's Log Router, and setting up a feed in Google SecOps to ingest the logs.\u003c/p\u003e\n"],["\u003cp\u003eThe parser in Google Security Operations extracts and transforms fields from JSON logs, including mapping device type and dates, and creates an \u003ccode\u003easset_entity\u003c/code\u003e representing the device, enriching it with metadata.\u003c/p\u003e\n"],["\u003cp\u003eSpecific permissions must be granted to the Google SecOps service account for both the Cloud Storage bucket and Log Router to ensure successful log ingestion.\u003c/p\u003e\n"],["\u003cp\u003eThe document includes a detailed UDM (Unified Data Model) mapping table showing how specific log fields are transformed and mapped to the UDM format for analysis within SecOps.\u003c/p\u003e\n"]]],[],null,["# Collect Cloud Identity Devices logs\n===================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis guide will explain how to export Cloud Identity Devices logs into Google Security Operations using Cloud Storage. The parser extracts fields from JSON logs, transforms specific fields like `deviceType` and dates, and maps them to the UDM, creating an `asset_entity` representing the device and enriching it with hardware and metadata information.\n\nBefore You Begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google Cloud Identity is enabled in your Google Cloud project.\n- Google SecOps instance.\n- Privileged access to Google Cloud Identity and Cloud Logging.\n\nCreate a Cloud Storage bucket\n-----------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to the **Cloud Storage Buckets** page.\n\n [Go to Buckets](https://console.cloud.google.com/storage/browser)\n3. Click **Create**.\n\n4. On the **Create a bucket** page, enter your bucket information. After each of the following steps, click **Continue** to proceed to the next step:\n\n 1. In the **Get started** section, do the following:\n\n 1. Enter a unique name that meets the bucket name requirements; for example, **gcp-cloudidentity-devices-logs**.\n 2. To enable hierarchical namespace, click the expander arrow to expand the **Optimize for file oriented and data-intensive workloads** section, and then select **Enable Hierarchical namespace on this bucket**.\n\n | **Note:** You cannot enable hierarchical namespace on an existing bucket.\n 3. To add a bucket label, click the expander arrow to expand the **Labels** section.\n\n 4. Click **Add label**, and specify a key and a value for your label.\n\n 2. In the **Choose where to store your data** section, do the following:\n\n 1. Select a **Location type**.\n 2. Use the location type menu to select a **Location** where object data within your bucket will be permanently stored.\n\n | **Note:** If you select the **dual-region** location type, you can also choose to enable **turbo replication** by using the relevant checkbox.\n 3. To set up cross-bucket replication, expand the **Set up cross-bucket replication** section.\n\n 3. In the **Choose a storage class for your data** section, either select a default storage class for the bucket, or select **Autoclass** for automatic storage class management of your bucket's data.\n\n 4. In the **Choose how to control access to objects** section, clear **Enforce public access prevention** , and select an **Access control** model for your bucket's objects.\n\n | **Note:** If public access prevention is already enforced by your project's organization policy, the **Enforce public access prevention on this bucket** checkbox is locked.\n 5. In the **Choose how to protect object data** section, do the following:\n\n 1. Select any of the options under **Data protection** that you want to set for your bucket.\n 2. To choose how your object data will be encrypted, click the expander arrow labeled **Data encryption**, and select a data encryption method.\n5. Click **Create**.\n\n| **Note:** Be sure to provide your Google SecOps service account with permissions to Read or Read \\& Write to the newly created bucket.\n\nConfigure Cloud Identity Devices Logs Export\n--------------------------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to **Logging \\\u003e Log Router**.\n3. Click **Create Sink**.\n4. Provide the following configuration parameters:\n\n - **Sink Name** : enter a meaningful name; for example, `cloud-identity-devices-logs-sink`.\n - **Sink Destination** : select **Cloud Storage Storage** and enter the URI for your bucket; for example, `gs://gcp-cloudidentity-devices-logs`.\n - **Log Filter**:\n\n logName=\"projects/\u003cyour-project-id\u003e/logs/cloudaudit.googleapis.com%2Factivity\"\n resource.type=\"cloud_identity_device\"\n\n - **Set Export Options**: include all log entries.\n\n5. Click **Create**.\n\nConfigure permissions for Cloud Storage\n---------------------------------------\n\n1. Go to **IAM \\& Admin \\\u003e IAM**.\n2. Locate the **Cloud Logging** service account.\n3. Grant the **roles/storage.admin** on the bucket.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Google Cloud Identity Devices feed\n----------------------------------------------------\n\n1. Click the **Google Cloud Compute platform** pack.\n2. Locate the **Google Cloud Identity Devices** log type and click **Add new feed**.\n3. Specify values for the following fields:\n - **Source Type**: Third party API\n - **OAuth JWT endpoint**: endpoint to retrieve the OAuth JSON web token (JWT).\n - **JWT claims issuer**: usually the client ID.\n - **JWT claims subject**: usually an email address.\n - **JWT claims audience**: JWT claims audience.\n - **RSA private key**: enter in PEM format.\n\n**Advanced options**\n\n- **Feed Name**: A prepopulated value that identifies the feed.\n- **Asset Namespace**: Namespace associated with the feed.\n- **Ingestion Labels**: Labels applied to all events from this feed.\n\n1. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
