Collect Oracle NetSuite logs

Supported in:

This document explains how to ingest Oracle NetSuite logs to Google Security Operations using Google Cloud Storage V2.

Oracle NetSuite is a cloud-based enterprise resource planning (ERP) platform that provides comprehensive business management capabilities including financial management, CRM, e-commerce, and inventory management. NetSuite generates audit logs for user logins, system changes, and API activity that can be queried through the SuiteQL REST API and ingested into Google SecOps for security monitoring and compliance.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • A GCP project with Cloud Storage, Cloud Run, Pub/Sub, and Cloud Scheduler APIs enabled
  • Permissions to create and manage GCS buckets
  • Permissions to manage IAM policies on GCS buckets
  • Permissions to create Cloud Run services, Pub/Sub topics, and Cloud Scheduler jobs
  • Administrator access to your Oracle NetSuite account
  • REST Web Services and OAuth 2.0 features enabled in your NetSuite account
  • Your NetSuite account ID (found at Setup > Company > Company Information)

Enable required NetSuite features

  1. Sign in to your NetSuite account as an Administrator.
  2. Go to Setup > Company > Enable Features.
  3. Click the SuiteCloud subtab.
  4. In the SuiteTalk (Web Services) section, check the following boxes:
    • REST Web Services
    • OAuth 2.0
  5. Click Save.

Configure Oracle NetSuite OAuth 2.0 credentials

To enable the Cloud Run function to retrieve audit logs from NetSuite, you need to create an integration record with OAuth 2.0 client credentials authentication.

Create integration record

  1. Sign in to your NetSuite account as an Administrator.
  2. Go to Setup > Integration > Manage Integrations > New.
  3. In the Name field, enter Google SecOps Integration.
  4. In the Description field, enter Integration with Google SecOps for audit log ingestion.
  5. In the State field, select Enabled.
  6. Click the Authentication subtab.
  7. In the OAuth 2.0 section, configure the following:
    • Check Client Credentials (Machine to Machine) Grant
    • Check REST Web Services
  8. Clear all boxes in the Token-based Authentication section.
  9. Click Save.

Record OAuth 2.0 credentials

After saving the integration record, NetSuite displays your OAuth 2.0 credentials:

  • Client ID: Your unique client identifier

  • Client Secret: Your API secret key

Generate certificate for OAuth 2.0 client credentials

The OAuth 2.0 client credentials flow requires a certificate for JWT signing. Generate an ECDSA certificate using OpenSSL:

  1. On a machine with OpenSSL installed, run the following command to generate a private key and certificate:

    openssl req -new -x509 -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 \
    -pkeyopt ec_param_enc:named_curve \
    -nodes -days 730 \
    -out public.pem -keyout private.pem

  2. When prompted, enter the certificate subject fields (Country, State, Organization, and so on). For Common Name, enter Google SecOps Integration.

  3. The command generates two files:

    • private.pem: Private key (keep this secure; used for JWT signing in the Cloud Run function)
    • public.pem: Public certificate (upload to NetSuite)

Create OAuth 2.0 client credentials mapping

  1. In NetSuite, go to Setup > Integration > Manage Authentication > OAuth 2.0 Client Credentials (M2M) Setup.
  2. Click Create New.
  3. In the popup window, configure the following:
    • Entity: Select the employee or user that will be associated with API requests
    • Role: Select a role with permissions to access audit logs (see the Required Permissions section below)
    • Application: Select Google SecOps Integration
  4. Click Choose File and upload the public.pem certificate file.
  5. Click Save.
  6. After saving, note the Certificate ID value displayed in the mapping list. This value is used as the kid (Key ID) in the JWT header.

Required permissions

The role assigned to the OAuth 2.0 mapping must have the following permissions:

Permission Access Level Purpose
Login Audit Trail View Access login audit trail data
REST Web Services Full Execute REST API requests
SuiteAnalytics Workbook View Access analytics data via SuiteQL

Create a custom role for the integration

  1. Go to Setup > Users/Roles > Manage Roles > New.
  2. In the Name field, enter Google SecOps Integration Role.
  3. Click the Permissions subtab.
  4. Click the Setup sub-subtab.
  5. Add the following permissions:
    • Login Audit Trail: Set to View
    • REST Web Services: Set to Full
  6. Click the Reports sub-subtab.
  7. Add the following permission:
    • SuiteAnalytics Workbook: Set to View
  8. Click Save.

Verify permissions

To verify the role has the required permissions:

  1. Sign in to NetSuite.
  2. Go to Setup > Users/Roles > Manage Roles.
  3. Find the Google SecOps Integration Role and click Edit.
  4. Verify the permissions listed above are present on the Permissions subtab.

Test API access

  • Test your credentials before proceeding with the integration:

    # Replace with your actual values
ACCOUNT_ID="your-account-id"
CLIENT_ID="your-client-id"
CERTIFICATE_ID="your-certificate-id"
PRIVATE_KEY_FILE="private.pem"

# Generate JWT (requires Python 3 with PyJWT and cryptography)
pip install PyJWT cryptography

TOKEN=$(python3 -c "
import jwt, time, json
with open('${PRIVATE_KEY_FILE}', 'r') as f:
    key = f.read()
now = int(time.time())
payload = {
    'iss': '${CLIENT_ID}',
    'scope': ['restlets', 'rest_webservices'],
    'aud': 'https://${ACCOUNT_ID}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token',
    'iat': now,
    'exp': now + 3600
}
print(jwt.encode(payload, key, algorithm='ES256', headers={'kid': '${CERTIFICATE_ID}', 'typ': 'JWT'}))
")

# Obtain access token
ACCESS_TOKEN=$(curl -s -X POST \
  "https://${ACCOUNT_ID}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=${TOKEN}" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

# Test SuiteQL query
curl -s -X POST \
  "https://${ACCOUNT_ID}.suitetalk.api.netsuite.com/services/rest/query/v1/suiteql?limit=5" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Prefer: transient" \
  -d '{"q": "SELECT Date, Status, User, IPAddress FROM LoginAudit ORDER BY Date DESC"}' \
  | python3 -m json.tool

A successful response returns a JSON object with an items array containing login audit records.

Create Google Cloud Storage bucket

  1. Go to the Google Cloud Console.
  2. Select your project or create a new one.
  3. In the navigation menu, go to Cloud Storage > Buckets.
  4. Click Create bucket.

  5. Provide the following configuration details:

    Setting Value
    Name your bucket Enter a globally unique name (for example, netsuite-audit-logs)
    Location type Choose based on your needs (Region, Dual-region, Multi-region)
    Location Select the location (for example, us-central1)
    Storage class Standard (recommended for frequently accessed logs)
    Access control Uniform (recommended)
    Protection tools Optional: Enable object versioning or retention policy

  6. Click Create.

Create service account for Cloud Run function

The Cloud Run function needs a service account with permissions to write to GCS bucket and be invoked by Pub/Sub.

Create service account

  1. In the GCP Console, go to IAM & Admin > Service Accounts.
  2. Click Create Service Account.
  3. Provide the following configuration details:
    • Service account name: Enter netsuite-audit-collector-sa
    • Service account description: Enter Service account for Cloud Run function to collect Oracle NetSuite audit logs
  4. Click Create and Continue.
  5. In the Grant this service account access to project section, add the following roles:
    1. Click Select a role.
    2. Search for and select Storage Object Admin.
    3. Click + Add another role.
    4. Search for and select Cloud Run Invoker.
    5. Click + Add another role.
    6. Search for and select Cloud Functions Invoker.
  6. Click Continue.
  7. Click Done.

These roles are required for:

  • Storage Object Admin: Write logs to GCS bucket and manage state files
  • Cloud Run Invoker: Allow Pub/Sub to invoke the function
  • Cloud Functions Invoker: Allow function invocation

Grant IAM permissions on GCS bucket

  1. Go to Cloud Storage > Buckets.
  2. Click on your bucket name (netsuite-audit-logs).
  3. Go to the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: Enter the service account email (netsuite-audit-collector-sa@PROJECT_ID.iam.gserviceaccount.com)
    • Assign roles: Select Storage Object Admin
  6. Click Save.

Create Pub/Sub topic

Create a Pub/Sub topic that Cloud Scheduler will publish to and the Cloud Run function will subscribe to.

  1. In the GCP Console, go to Pub/Sub > Topics.
  2. Click Create topic.
  3. Provide the following configuration details:
    • Topic ID: Enter netsuite-audit-trigger
    • Leave other settings as default
  4. Click Create.

Create Cloud Run function to collect logs

The Cloud Run function will be triggered by Pub/Sub messages from Cloud Scheduler to fetch audit logs from the Oracle NetSuite SuiteQL REST API and write them to GCS.

  1. In the GCP Console, go to Cloud Run.
  2. Click Create service.
  3. Select Function (use an inline editor to create a function).

  4. In the Configure section, provide the following configuration details:

    Setting Value
    Service name netsuite-audit-collector
    Region Select region matching your GCS bucket (for example, us-central1)
    Runtime Select Python 3.12 or later

  5. In the Trigger (optional) section:

    1. Click + Add trigger.
    2. Select Cloud Pub/Sub.
    3. In Select a Cloud Pub/Sub topic, choose netsuite-audit-trigger.
    4. Click Save.

  6. In the Authentication section:

    1. Select Require authentication.
    2. Check Identity and Access Management (IAM).

  7. Scroll down and expand Containers, Networking, Security.

  8. Go to the Security tab:

    • Service account: Select netsuite-audit-collector-sa

  9. Go to the Containers tab:

    1. Click Variables & Secrets.
    2. Click + Add variable for each environment variable:
    Variable Name Example Value Description
    GCS_BUCKET netsuite-audit-logs GCS bucket name
    GCS_PREFIX netsuite-audit Prefix for log files
    STATE_KEY netsuite-audit/state.json State file path
    NS_ACCOUNT_ID 123456 NetSuite account ID
    NS_CLIENT_ID your-client-id OAuth 2.0 Client ID
    NS_CERTIFICATE_ID your-certificate-id Certificate ID (kid) from M2M mapping
    NS_PRIVATE_KEY -----BEGIN EC PRIVATE KEY-----... ECDSA private key contents
    LOOKBACK_HOURS 24 Initial lookback period
    PAGE_SIZE 1000 Records per SuiteQL page (max 1000)
    MAX_RECORDS 50000 Max records per run

  10. In the Variables & Secrets section, scroll down to Requests:

    • Request timeout: Enter 600 seconds (10 minutes)

  11. Go to the Settings tab:

    • In the Resources section:
      • Memory: Select 512 MiB or higher
      • CPU: Select 1

  12. In the Revision scaling section:

    • Minimum number of instances: Enter 0
    • Maximum number of instances: Enter 100

  13. Click Create.

  14. Wait for the service to be created (1-2 minutes).

  15. After the service is created, the inline code editor will open automatically.

Add function code

  1. Enter main in the Entry point field.

  2. In the inline code editor, create two files:

    • main.py:
    import functions_framework
from google.cloud import storage
import json
import os
import urllib3
import urllib.parse
import jwt
import time
from datetime import datetime, timezone, timedelta

http = urllib3.PoolManager(
  timeout=urllib3.Timeout(connect=10.0, read=60.0),
  retries=False,
)

storage_client = storage.Client()

GCS_BUCKET = os.environ.get('GCS_BUCKET')
GCS_PREFIX = os.environ.get('GCS_PREFIX', 'netsuite-audit')
STATE_KEY = os.environ.get('STATE_KEY', 'netsuite-audit/state.json')
NS_ACCOUNT_ID = os.environ.get('NS_ACCOUNT_ID')
NS_CLIENT_ID = os.environ.get('NS_CLIENT_ID')
NS_CERTIFICATE_ID = os.environ.get('NS_CERTIFICATE_ID')
NS_PRIVATE_KEY = os.environ.get('NS_PRIVATE_KEY', '').replace('\\n', '\n')
LOOKBACK_HOURS = int(os.environ.get('LOOKBACK_HOURS', '24'))
PAGE_SIZE = int(os.environ.get('PAGE_SIZE', '1000'))
MAX_RECORDS = int(os.environ.get('MAX_RECORDS', '50000'))

@functions_framework.cloud_event
def main(cloud_event):
  if not all([GCS_BUCKET, NS_ACCOUNT_ID, NS_CLIENT_ID, NS_CERTIFICATE_ID, NS_PRIVATE_KEY]):
    print('Error: Missing required environment variables')
    return

  try:
    bucket = storage_client.bucket(GCS_BUCKET)
    state = load_state(bucket)
    now = datetime.now(timezone.utc)

    if isinstance(state, dict) and state.get('last_event_time'):
      try:
        last_val = state['last_event_time']
        if last_val.endswith('Z'):
          last_val = last_val[:-1] + '+00:00'
        last_time = datetime.fromisoformat(last_val)
        last_time = last_time - timedelta(minutes=2)
      except Exception as e:
        print(f"Warning: Could not parse last_event_time: {e}")
        last_time = now - timedelta(hours=LOOKBACK_HOURS)
    else:
      last_time = now - timedelta(hours=LOOKBACK_HOURS)

    print(f"Fetching logs from {last_time.isoformat()} to {now.isoformat()}")

    access_token = get_access_token()

    login_audits = fetch_login_audit(access_token, last_time, now)
    system_notes = fetch_system_notes(access_token, last_time, now)

    all_records = []
    for record in login_audits:
      record['_netsuite_record_type'] = 'login_audit'
      all_records.append(record)
    for record in system_notes:
      record['_netsuite_record_type'] = 'system_note'
      all_records.append(record)

    if not all_records:
      print("No new records found.")
      save_state(bucket, now.isoformat())
      return

    timestamp = now.strftime('%Y%m%d_%H%M%S')
    object_key = f"{GCS_PREFIX}/netsuite_audit_{timestamp}.ndjson"
    blob = bucket.blob(object_key)

    ndjson = '\n'.join(
      [json.dumps(r, ensure_ascii=False, default=str) for r in all_records]
    ) + '\n'
    blob.upload_from_string(ndjson, content_type='application/x-ndjson')

    print(f"Wrote {len(all_records)} records to gs://{GCS_BUCKET}/{object_key}")

    newest = find_newest_time(login_audits, system_notes)
    save_state(bucket, newest if newest else now.isoformat())

    print(f"Successfully processed {len(all_records)} records "
        f"(login_audit: {len(login_audits)}, system_note: {len(system_notes)})")

  except Exception as e:
    print(f'Error processing logs: {str(e)}')
    raise

def get_access_token():
  token_url = (
    f"https://{NS_ACCOUNT_ID}.suitetalk.api.netsuite.com"
    f"/services/rest/auth/oauth2/v1/token"
  )

  now = int(time.time())
  payload = {
    'iss': NS_CLIENT_ID,
    'scope': ['restlets', 'rest_webservices'],
    'aud': token_url,
    'iat': now,
    'exp': now + 3600,
  }

  client_assertion = jwt.encode(
    payload,
    NS_PRIVATE_KEY,
    algorithm='ES256',
    headers={'kid': NS_CERTIFICATE_ID, 'typ': 'JWT'},
  )

  body = urllib.parse.urlencode({
    'grant_type': 'client_credentials',
    'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion': client_assertion,
  }).encode('utf-8')

  response = http.request(
    'POST', token_url,
    body=body,
    headers={'Content-Type': 'application/x-www-form-urlencoded'},
  )

  if response.status != 200:
    raise Exception(
      f"Token request failed: {response.status} - "
      f"{response.data.decode('utf-8')}"
    )

  data = json.loads(response.data.decode('utf-8'))
  access_token = data.get('access_token')
  if not access_token:
    raise Exception("No access_token in token response")

  print("Successfully obtained NetSuite OAuth 2.0 access token")
  return access_token

def run_suiteql(access_token, query, page_size=1000, max_records=50000):
  base_url = (
    f"https://{NS_ACCOUNT_ID}.suitetalk.api.netsuite.com"
    f"/services/rest/query/v1/suiteql"
  )

  headers = {
    'Authorization': f'Bearer {access_token}',
    'Content-Type': 'application/json',
    'Prefer': 'transient',
  }

  all_items = []
  offset = 0
  backoff = 1.0

  while True:
    if len(all_items) >= max_records:
      print(f"Reached max_records limit ({max_records})")
      break

    url = f"{base_url}?limit={page_size}&offset={offset}"
    body = json.dumps({'q': query}).encode('utf-8')

    try:
      response = http.request('POST', url, body=body, headers=headers)

      if response.status == 429:
        retry_after = int(response.headers.get('Retry-After', str(int(backoff))))
        print(f"Rate limited (429). Retrying after {retry_after}s...")
        time.sleep(retry_after)
        backoff = min(backoff * 2, 60.0)
        continue

      backoff = 1.0

      if response.status != 200:
        print(f"SuiteQL error: {response.status} - "
            f"{response.data.decode('utf-8')}")
        break

      data = json.loads(response.data.decode('utf-8'))
      items = data.get('items', [])

      if not items:
        break

      all_items.extend(items)
      page_num = (offset // page_size) + 1
      print(f"Page {page_num}: Retrieved {len(items)} records "
          f"(total: {len(all_items)})")

      has_more = data.get('hasMore', False)
      if not has_more:
        break

      offset += len(items)

    except Exception as e:
      print(f"Error executing SuiteQL query: {e}")
      break

  return all_items

def fetch_login_audit(access_token, start_time, end_time):
  start_str = start_time.strftime('%m/%d/%Y %H:%M:%S')
  end_str = end_time.strftime('%m/%d/%Y %H:%M:%S')

  query = (
    "SELECT "
    "LoginAudit.Date, "
    "LoginAudit.Status, "
    "LoginAudit.User, "
    "BUILTIN.DF(LoginAudit.User) AS Username, "
    "LoginAudit.EmailAddress, "
    "LoginAudit.Role, "
    "BUILTIN.DF(LoginAudit.Role) AS Rolename, "
    "LoginAudit.IPAddress, "
    "LoginAudit.UserAgent, "
    "LoginAudit.Detail, "
    "LoginAudit.oAuthAppName, "
    "LoginAudit.oAuthAccessTokenName, "
    "LoginAudit.requestUri "
    "FROM LoginAudit "
    f"WHERE LoginAudit.Date >= TO_DATE('{start_str}', 'MM/DD/YYYY HH24:MI:SS') "
    f"AND LoginAudit.Date <= TO_DATE('{end_str}', 'MM/DD/YYYY HH24:MI:SS') "
    "ORDER BY LoginAudit.Date ASC"
  )

  print("Fetching LoginAudit records...")
  return run_suiteql(access_token, query, PAGE_SIZE, MAX_RECORDS)

def fetch_system_notes(access_token, start_time, end_time):
  start_str = start_time.strftime('%m/%d/%Y %H:%M:%S')
  end_str = end_time.strftime('%m/%d/%Y %H:%M:%S')

  query = (
    "SELECT "
    "SystemNote.Date, "
    "SystemNote.RecordTypeID, "
    "BUILTIN.DF(SystemNote.RecordTypeID) AS RecordType, "
    "SystemNote.RecordID, "
    "SystemNote.Field, "
    "SystemNote.OldValue, "
    "SystemNote.NewValue, "
    "SystemNote.Name AS EmployeeID, "
    "BUILTIN.DF(SystemNote.Name) AS EmployeeName, "
    "SystemNote.Role, "
    "BUILTIN.DF(SystemNote.Role) AS RoleName, "
    "SystemNote.Context, "
    "BUILTIN.DF(SystemNote.Context) AS ContextName "
    "FROM SystemNote "
    f"WHERE SystemNote.Date >= TO_DATE('{start_str}', 'MM/DD/YYYY HH24:MI:SS') "
    f"AND SystemNote.Date <= TO_DATE('{end_str}', 'MM/DD/YYYY HH24:MI:SS') "
    "ORDER BY SystemNote.Date ASC"
  )

  print("Fetching SystemNote records...")
  return run_suiteql(access_token, query, PAGE_SIZE, MAX_RECORDS)

def find_newest_time(login_audits, system_notes):
  newest = None
  for r in login_audits:
    t = r.get('date')
    if t and (newest is None or t > newest):
      newest = t
  for r in system_notes:
    t = r.get('date')
    if t and (newest is None or t > newest):
      newest = t
  return newest

def load_state(bucket):
  try:
    blob = bucket.blob(STATE_KEY)
    if blob.exists():
      return json.loads(blob.download_as_text())
  except Exception as e:
    print(f"Warning: Could not load state: {e}")
  return {}

def save_state(bucket, last_event_time_iso):
  try:
    state = {
      'last_event_time': last_event_time_iso,
      'last_run': datetime.now(timezone.utc).isoformat()
    }
    blob = bucket.blob(STATE_KEY)
    blob.upload_from_string(
      json.dumps(state, indent=2),
      content_type='application/json'
    )
    print(f"Saved state: last_event_time={last_event_time_iso}")
  except Exception as e:
    print(f"Warning: Could not save state: {e}")
    • requirements.txt:
    functions-framework==3.*
google-cloud-storage==2.*
urllib3>=2.0.0
PyJWT[crypto]>=2.8.0

  3. Click Deploy to save and deploy the function.

  4. Wait for deployment to complete (2-3 minutes).

Create Cloud Scheduler job

Cloud Scheduler will publish messages to the Pub/Sub topic at regular intervals, triggering the Cloud Run function.

  1. In the GCP Console, go to Cloud Scheduler.
  2. Click Create Job.

  3. Provide the following configuration details:

    Setting Value
    Name netsuite-audit-collector-hourly
    Region Select same region as Cloud Run function
    Frequency 0 * * * * (every hour, on the hour)
    Timezone Select timezone (UTC recommended)
    Target type Pub/Sub
    Topic Select netsuite-audit-trigger
    Message body {} (empty JSON object)

  4. Click Create.

Schedule frequency options

Choose frequency based on log volume and latency requirements:

Frequency Cron Expression Use Case
Every 15 minutes */15 * * * * High-volume, low-latency
Every hour 0 * * * * Standard (recommended)
Every 6 hours 0 */6 * * * Low volume, batch processing
Daily 0 0 * * * Historical data collection

Test the integration

  1. In the Cloud Scheduler console, find your job (netsuite-audit-collector-hourly).
  2. Click Force run to trigger the job manually.
  3. Wait a few seconds.
  4. Go to Cloud Run > Services.
  5. Click on netsuite-audit-collector.
  6. Click the Logs tab.

  7. Verify the function executed successfully. Look for:

    Fetching logs from YYYY-MM-DDTHH:MM:SS+00:00 to YYYY-MM-DDTHH:MM:SS+00:00
Successfully obtained NetSuite OAuth 2.0 access token
Fetching LoginAudit records...
Page 1: Retrieved X records (total: X)
Fetching SystemNote records...
Page 1: Retrieved X records (total: X)
Wrote X records to gs://netsuite-audit-logs/netsuite-audit/netsuite_audit_YYYYMMDD_HHMMSS.ndjson
Successfully processed X records (login_audit: X, system_note: X)

  8. Go to Cloud Storage > Buckets.

  9. Click on netsuite-audit-logs.

  10. Navigate to the netsuite-audit/ folder.

  11. Verify that a new .ndjson file was created with the current timestamp.

If you see errors in the logs:

  • HTTP 401: Verify the NS_CLIENT_ID, NS_CERTIFICATE_ID, and NS_PRIVATE_KEY environment variables are correct
  • HTTP 403: Verify the NetSuite role has Login Audit Trail (View) and REST Web Services (Full) permissions
  • HTTP 429: Rate limiting — the function will automatically retry with exponential backoff
  • Missing environment variables: Verify all required variables are set in the Cloud Run function configuration

Retrieve the Google SecOps service account

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, NetSuite Audit Logs).
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select Oracle NetSuite as the Log type.

  7. Click Get Service Account. A unique service account email will be displayed. For example:

    chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com

  8. Copy this email address for use in the next step.

  9. Click Next.

  10. Specify values for the following input parameters:

    • Storage bucket URL: Enter the GCS bucket URI with the prefix path:

      gs://netsuite-audit-logs/netsuite-audit/
    • Source deletion option: Select the deletion option according to your preference:
      • Never: Never deletes any files after transfers (recommended for testing).
      • Delete transferred files: Deletes files after successful transfer.
      • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
    • Maximum File Age: Include files modified in the last number of days (default is 180 days)
    • Asset namespace: The asset namespace
    • Ingestion labels: The label to be applied to the events from this feed

  11. Click Next.

  12. Review your new feed configuration in the Finalize screen, and then click Submit.

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account needs Storage Object Viewer role on your GCS bucket.

  1. Go to Cloud Storage > Buckets.
  2. Click on netsuite-audit-logs.
  3. Go to the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: Paste the Google SecOps service account email
    • Assign roles: Select Storage Object Viewer

  6. Click Save.

NetSuite API rate limits

NetSuite REST API has the following governance limits:

Limit Type Value
Concurrency limit 10 concurrent requests per integration
SuiteQL query results per page 1,000 rows maximum
SuiteQL total results 100,000 rows per query

The Cloud Run function automatically handles rate limiting with exponential backoff.

UDM mapping table

Log Field UDM Mapping Logic
preview additional.fields Additional key-value pairs for the event
Login_Audit_Trail_Access_Token_Name additional.fields
Login_Audit_Trail_Detail additional.fields
msg metadata.description Description of the event
column7 metadata.description
result.Login_Audit_Trail_Date metadata.event_timestamp Timestamp when the event occurred
ts metadata.event_timestamp
metadata.event_type metadata.event_type Type of event (e.g., USER_LOGIN, NETWORK_CONNECTION)
column1 metadata.product_event_type Product-specific event type
result.Login_Audit_Trail_User_Agent network.http.user_agent User agent string for HTTP requests
Login_Audit_Trail_User_Agent network.http.user_agent
Login_Audit_Trail_Application principal.application Application associated with the principal
column10 principal.application
result.host principal.asset.hostname Hostname of the asset
result.Login_Audit_Trail_IP_Address principal.asset.ip IP address of the asset
column3 principal.asset.ip
src_ip principal.asset.ip
result.host principal.hostname Hostname of the principal
result.Login_Audit_Trail_IP_Address principal.ip IP address of the principal
column3 principal.ip
src_ip principal.ip
Login_Audit_Trail_Role principal.user.attribute.labels Labels for user attributes
role principal.user.attribute.roles Roles associated with the user
result.Login_Audit_Trail_Email_Address principal.user.email_addresses Email addresses associated with the user
column2 principal.user.email_addresses
result.Login_Audit_Trail_User principal.user.userid User ID of the principal
Login_Audit_Trail_User principal.user.userid
role.type role.type Type of role (e.g., ADMINISTRATOR)
Login_Audit_Trail_Security_Challenge security_result.about.resource.attribute.labels Labels for resource attributes
security_result_action security_result.action Action taken by the security system
result.Login_Audit_Trail_Status security_result.summary Summary of the security result
Login_Audit_Trail_Status security_result.summary
result.Login_Audit_Trail_Request_URI target.url URL of the target
Login_Audit_Trail_Request_URI target.url

Need more help? Get answers from Community members and Google SecOps professionals.