GCP Audit Logs (In Beta)

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
GCP Audit Logs       |                     |                   |            |        | gcp_audit  | NDJSON     | GCP/S3


Overview

Table name: gcp_audit

Google Cloud Platform (GCP) Audit Logs provide detailed insights into activities within your GCP resources, helping ensure security, compliance, and operational transparency. They record events such as API calls, resource changes, and administrative actions, categorizing them into three main types: Admin Activity, Data Access, and System Event logs. GCP Audit Logs enable organizations to monitor and analyze user actions, detect potential security threats, and maintain accountability, all while integrating seamlessly with tools like Cloud Logging and BigQuery for deeper analysis and reporting.

Send data to Hunters

1. Enable Audit logs

📘 Interesting Audit Logs

By default, some GCP Audit logs are not enabled. To comprehensively detect and investigate threats, all audit logs should be enabled. The definition of which logs should be saved is configured under IAM & Admin > Audit Logs. The definition describes which types of logs will be saved for each service and API.

  1. In your GCP instance, navigate to IAM & Admin, and then to Audit Logs.

  2. Perform the following changes:

    • Under Default Audit Config, change the selected value to include both Admin Read and Admin Write logs.

    • Enable logging of Data Read and Data Write for the following services:

      • Identity and Access Management (IAM) API

      • Identity Toolkit API

      • Security Token Service API (optional)

      • Security Command Center API (optional)

⚠️ Cost alert

These changes may affect your GCP costs. You can read more about this here.
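The console steps above can also be applied as code. The following is an added example, not part of the Hunters page or the Hunters platform: it takes a project IAM policy (the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns) and merges in the audit configuration described in step 1 without dropping anything already configured, so it is safe to re-run. The GCP service identifiers for the four APIs (iam.googleapis.com, identitytoolkit.googleapis.com, sts.googleapis.com, securitycenter.googleapis.com) are assumptions, as is the sample policy; Admin Activity (ADMIN_WRITE) logging is always on in GCP and is not a configurable auditLogConfigs entry, so only ADMIN_READ is added to the default config.

```python
import json
from copy import deepcopy

# Default Audit Config: Admin Write is always recorded by GCP, so only
# Admin Read needs to be switched on for allServices.
DEFAULT_LOG_TYPES = ["ADMIN_READ"]
# Data Read / Data Write for the services listed on the page.
DATA_LOG_TYPES = ["DATA_READ", "DATA_WRITE"]

# Assumed GCP service identifiers for the four APIs named in step 1.
REQUIRED_DATA_SERVICES = [
    "iam.googleapis.com",             # Identity and Access Management (IAM) API
    "identitytoolkit.googleapis.com", # Identity Toolkit API
    "sts.googleapis.com",             # Security Token Service API (optional)
    "securitycenter.googleapis.com",  # Security Command Center API (optional)
]


def _merge_log_types(audit_configs, service, log_types):
    """Ensure `service` has an entry containing every logType in `log_types`.
    Existing entries (including exemptedMembers) are kept, never replaced."""
    for entry in audit_configs:
        if entry.get("service") == service:
            configs = entry.setdefault("auditLogConfigs", [])
            existing = {c.get("logType") for c in configs}
            for log_type in log_types:
                if log_type not in existing:
                    configs.append({"logType": log_type})
            return
    audit_configs.append({
        "service": service,
        "auditLogConfigs": [{"logType": lt} for lt in log_types],
    })


def harden_audit_config(policy):
    """Return a copy of the IAM policy with the required audit config merged in.
    The input is not modified; the result is idempotent under repeated application."""
    new_policy = deepcopy(policy)
    audit_configs = new_policy.setdefault("auditConfigs", [])
    _merge_log_types(audit_configs, "allServices", DEFAULT_LOG_TYPES)
    for service in REQUIRED_DATA_SERVICES:
        _merge_log_types(audit_configs, service, DATA_LOG_TYPES)
    return new_policy


def enabled_log_types(policy, service):
    """Effective configurable log types for `service`: its own entry plus allServices."""
    types = set()
    for entry in policy.get("auditConfigs", []):
        if entry.get("service") in ("allServices", service):
            types.update(c.get("logType") for c in entry.get("auditLogConfigs", []))
    return types


# Constructed sample policy (not a real project): only DATA_WRITE for IAM is
# currently enabled, with an exemption that must survive the merge.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXExampleEtag=",
    "bindings": [{"role": "roles/viewer", "members": ["group:sec-ops@example.com"]}],
    "auditConfigs": [
        {
            "service": "iam.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_WRITE",
                 "exemptedMembers": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
            ],
        }
    ],
}

if __name__ == "__main__":
    # Save this output as policy.json and apply it with:
    #   gcloud projects set-iam-policy PROJECT policy.json
    print(json.dumps(harden_audit_config(SAMPLE_POLICY), indent=2))
```

Because set-iam-policy replaces the whole policy, the merge keeps bindings, etag and existing exemptions intact and only adds the missing log types; the etag in the fetched policy protects against overwriting a concurrent change.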

2. Route logs to the selected storage

Depending on whether you've chosen to store your Audit logs in an AWS S3 bucket or a GCP bucket, you'll need to make the appropriate arrangements to have your logs directed from GCP into the storage.

3. Connect logs based on the selected storage

Once you have your logs directed into the storage bucket, complete the process based on your storage type:

  • If you're connecting your logs via a GCP bucket, continue according to this process.

  • If you're connecting your logs via an AWS S3 bucket, continue according to this process.

Expected format

GCP Event: Creation of a new Virtual Machine

This is an example of an event log when a new VM is created in GCP.

{
  "insertId": "0887ae285-3458-23a4-983b-398ba257e98h",
  "labels": {
    "authentication.k8s.io/legacy-token": "system:serviceaccount:String-system:default",
    "authorization.k8s.io/decision": "allow"
  },
  "logName": "projects/f56ug/logs/cloudaudit.googleapis.com%2Factivity",
  "operation": {
    "first": true,
    "id": "0887ae285-3458-23a4-983b-398ba257e98h",
    "last": true,
    "producer": "k8s.io"
  },
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "system:serviceaccount:String-system:default"
    },
    "authorizationInfo": [
      {
        "granted": true,
        "permission": "io.k8s.authorization.rbac.v1.clusterrolebindings.update",
        "resource": "rbac.authorization.k8s.io/v1/clusterrolebindings/jg-gdl-td4f-mb57j-kh48ha"
      }
    ],
    "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update",
    "request": {
      "@type": "rbac.authorization.k8s.io/v1.ClusterRoleBinding",
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {
        "creationTimestamp": null,
        "name": "jg-gdl-td4f-mb57j-kh48ha",
        "resourceVersion": "75434367790"
      },
      "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "jg-gdl-td4f-mb57j-kh48ha"
      },
      "subjects": [
        {
          "kind": "ServiceAccount",
          "name": "jg-gdl-td4f-mb57j-kh48ha",
          "namespace": "String"
        }
      ]
    },
    "requestMetadata": {
      "callerIp": "1.1.1.1",
      "callerSuppliedUserAgent": "manager/v0.0.0 (linux/amd64) hlsrimml/$Format"
    },
    "resourceName": "rbac.authorization.k8s.io/v1/clusterrolebindings/jg-gdl-td4f-mb57j-kh48ha",
    "response": {
      "@type": "rbac.authorization.k8s.io/v1.ClusterRoleBinding",
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {
        "creationTimestamp": "2021-08-09T11:12:55Z",
        "managedFields": [
          {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "fieldsType": "FieldsV1",
            "fieldsV1": {
              "f:roleRef": {
                "f:apiGroup": {},
                "f:kind": {},
                "f:name": {}
              },
              "f:subjects": {}
            },
            "manager": "manager",
            "operation": "Update",
            "time": "2021-08-09T11:12:55Z"
          }
        ],
        "name": "jg-gdl-td4f-mb57j-kh48ha",
        "resourceVersion": "254589021",
        "selfLink": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/jg-gdl-td4f-mb57j-kh48ha",
        "uid": "a543bf656-d65d8-121de76-b21-279c-f807909a"
      },
      "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "jg-gdl-td4f-mb57j-kh48ha"
      },
      "subjects": [
        {
          "kind": "ServiceAccount",
          "name": "jg-gdl-td4f-mb57j-kh48ha",
          "namespace": "String"
        }
      ]
    },
    "serviceName": "String",
    "status": {}
  },
  "receiveTimestamp": "2021-12-08T12:00:11.435646342Z",
  "resource": {
    "labels": {
      "cluster_name": "ouf-khfl-sb-lfdh-lkf",
      "location": "String",
      "project_id": "ljfd57-jgfjdjkl-m754fm"
    },
    "type": "String"
  },
  "timestamp": "2021-12-08T12:00:10.333675Z"
}
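Records in the gcp_audit table arrive as NDJSON, one object per line shaped like the event above. The following is an added example, not code from the Hunters page or platform: it parses an NDJSON batch without letting one malformed line discard the rest, flattens each record to the fields an analyst pivots on (principalEmail, methodName, resourceName, callerIp, whether every requested permission was granted), and runs two simple checks over the result: ClusterRoleBinding create/update calls whose roleRef is cluster-admin, and requests with a denied permission. The sample lines, principals, IPs and project id are constructed and modelled on the page's example, not real data.

```python
import json


def parse_ndjson(text):
    """Parse NDJSON (one JSON object per line). Blank lines are skipped and a
    malformed line is reported as (line_number, error) instead of aborting."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            errors.append((lineno, str(exc)))
    return records, errors


def summarize(record):
    """Flatten one audit record to the who / what / where fields used in triage."""
    pp = record.get("protoPayload", {})
    auth = pp.get("authorizationInfo") or []
    return {
        "timestamp": record.get("timestamp"),
        # logName ends in %2Factivity, %2Fdata_access or %2Fsystem_event
        "log_type": record.get("logName", "").rsplit("%2F", 1)[-1],
        "principal": pp.get("authenticationInfo", {}).get("principalEmail"),
        "method": pp.get("methodName"),
        "resource": pp.get("resourceName"),
        "caller_ip": pp.get("requestMetadata", {}).get("callerIp"),
        "project": record.get("resource", {}).get("labels", {}).get("project_id"),
        "all_granted": all(a.get("granted", False) for a in auth) if auth else None,
        "denied_permissions": [a.get("permission") for a in auth if not a.get("granted", False)],
    }


def is_cluster_admin_binding(record):
    """True when a ClusterRoleBinding create/update points its roleRef at cluster-admin."""
    pp = record.get("protoPayload", {})
    method = pp.get("methodName", "")
    if not (".clusterrolebindings.create" in method or ".clusterrolebindings.update" in method):
        return False
    return pp.get("request", {}).get("roleRef", {}).get("name") == "cluster-admin"


def triage(text):
    """Parse a batch and return counts plus the records the two checks flag."""
    records, errors = parse_ndjson(text)
    summaries = [summarize(r) for r in records]
    return {
        "parsed": len(records),
        "errors": errors,
        "cluster_admin_grants": [s for r, s in zip(records, summaries) if is_cluster_admin_binding(r)],
        "denied": [s for s in summaries if s["denied_permissions"]],
    }


def _audit_record(principal, method, resource, granted, role_ref=None, log="activity"):
    """Build a constructed record shaped like the page's sample event (not real data)."""
    pp = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {"principalEmail": principal},
        "authorizationInfo": [{"granted": granted, "permission": method, "resource": resource}],
        "methodName": method,
        "resourceName": resource,
        "requestMetadata": {"callerIp": "203.0.113.10"},
        "serviceName": "k8s.io",
    }
    if role_ref:
        pp["request"] = {"kind": "ClusterRoleBinding",
                         "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                     "kind": "ClusterRole", "name": role_ref}}
    return {"logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{log}",
            "protoPayload": pp,
            "resource": {"labels": {"project_id": "example-project"}, "type": "k8s_cluster"},
            "timestamp": "2021-12-08T12:00:10.333675Z"}


# Constructed NDJSON batch: a routine binding update, a binding to cluster-admin,
# a denied secrets listing, and a corrupt fourth line.
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    _audit_record("system:serviceaccount:kube-system:default",
                  "io.k8s.authorization.rbac.v1.clusterrolebindings.update",
                  "rbac.authorization.k8s.io/v1/clusterrolebindings/app-reader", True, role_ref="app-reader"),
    _audit_record("alice@example.com",
                  "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
                  "rbac.authorization.k8s.io/v1/clusterrolebindings/ops-admin", True, role_ref="cluster-admin"),
    _audit_record("bob@example.com", "io.k8s.core.v1.secrets.list",
                  "core/v1/namespaces/prod/secrets", False, log="data_access"),
]) + "\nnot json\n"

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NDJSON), indent=2))
```

The denied-permission check only produces results when Data Read / Data Write logging is enabled for the relevant service, which is why step 1 above matters for detection coverage and not just for compliance.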