How to check Detailed Audit Logs for SOAR Playbooks

I'm trying to access detailed audit logs specifically for SOAR Playbooks. Currently, I can view the audit logs for SIEM rules using metadata.product_name = "Google Cloud Platform", but I'm unable to locate similar logs for SOAR Playbooks.

Has anyone managed to find or configure audit logging specifically for SOAR Playbooks? 

SOAR has the audit logs under SOAR Settings, Advanced, Audit.  

You can see from an inspection that it is calling /api/external/v1/settings/ExportAuditLastWeekAsCsvV2 

There's no direct way to do it right now. You could probably piece together a clunky way to do it with a CSV export and then use the ingest API to get the data.

I'm questioning the value to do something like this - what would you do with that data if it was in SIEM?

@dnehoda  Yes it has under Audit and can be exported as CSV, but if it is searchable like SIEM Audit logs, we can track the playbook run/error efficiently.

Hello,

I believe the ability to search SOAR logs (including playbooks) in Google Cloud logging is coming. Unfortunately we don't have a firm date as of yet. 

 

It is coming but I don't believe until next year toward end of Q1.