GCP logs provide unique and crucial visibility into the activities and resources in an organization’s GCP environment.
Because cloud environments differ greatly from on-prem environments, many classic security products and auditing and logging mechanisms are not available in the cloud in their familiar form, which makes GCP's multiple logging mechanisms all the more important for defending an organization's GCP environment.
Supported APIs and data types
GCP Audit logs
Logs regarding actions in GCP. These include logs for read and write operations on cloud resources, for example the creation of a new virtual machine.
GCP Security Command Center Assets
Provides a list of all GCP assets currently available in the environment.
GCP Security Command Center Findings
Provides alerts from the GCP environment such as misconfigurations.
Sending Audit Logs to Hunters
Audit logs - General Information
First, we will configure the Audit Logs which are needed for the Hunters detection and investigation.
After all the relevant Audit Logs are created, we need them to flow properly into Hunters.
Making the logs accessible to external applications involves the following steps:
A Pub/Sub Topic should be configured to consume the Audit Logs
A subscription should be configured to allow reading from the Topic we configured
The Audit Logs should be configured to be read by a Sink. The Sink should be configured to write to the Pub/Sub Topic
A service account should be created and defined to allow Hunters to query the data - This is defined at the end of the document
After these steps are complete, the logs will automatically flow into a Pub/Sub Topic. The service account will be used by Hunters to query the data from Pub/Sub and ingest it.
Definition of interesting Audit Logs
By default, some GCP Audit logs are not enabled. In order to allow proper detection and investigation in Hunters, we will enable such logs.
Definition of which logs should be saved is configured under "IAM & Admin" -> "Audit Logs". The definition describes which types of logs will be saved for each service and API.
The following changes should be made:
Change the default (under "DEFAULT AUDIT CONFIG") to include both "Admin Read" and "Admin Write" logs
Enable logging of "Data Read" and "Data Write" for the following services:
"Identity and Access Management (IAM) API"
"Identity Toolkit API"
"Security Token Service API"
"Security Command Center API"
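To make the audit configuration concrete, here is an added Python example (not Hunters' or Google's code) that merges the log types requested above into a project IAM policy of the shape `gcloud projects get-iam-policy PROJECT --format=json` returns, so the result can be written back with `gcloud projects set-iam-policy`. The API identifiers for the four services (iam.googleapis.com, identitytoolkit.googleapis.com, sts.googleapis.com, securitycenter.googleapis.com) and the sample policy are my assumptions. The point the example adds is that set-iam-policy replaces the whole policy, so existing bindings, exemptions and the etag have to be carried over rather than overwritten.

```python
"""Enable the Audit Log types requested above in a project IAM policy.

Added example (not Hunters' or Google's code). `policy` has the shape that
`gcloud projects get-iam-policy PROJECT --format=json` returns; the result
can be written back with `gcloud projects set-iam-policy PROJECT policy.json`,
which replaces the whole policy, hence the merge instead of an overwrite.
"""
import copy
import json

# Assumed API identifiers of the four services named on the page.
DATA_ACCESS_SERVICES = {
    "iam.googleapis.com": "Identity and Access Management (IAM) API",
    "identitytoolkit.googleapis.com": "Identity Toolkit API",
    "sts.googleapis.com": "Security Token Service API",
    "securitycenter.googleapis.com": "Security Command Center API",
}

# Admin Activity (ADMIN_WRITE) logs are always written and cannot be switched
# off, so the default config only needs ADMIN_READ added to it.
DEFAULT_LOG_TYPES = ["ADMIN_READ"]
DATA_LOG_TYPES = ["DATA_READ", "DATA_WRITE"]


def _merge_log_types(existing, wanted):
    """Union of auditLogConfigs entries, keeping exemptedMembers already set."""
    by_type = {cfg["logType"]: cfg for cfg in existing}
    for log_type in wanted:
        by_type.setdefault(log_type, {"logType": log_type})
    return [by_type[key] for key in sorted(by_type)]


def with_required_audit_configs(policy):
    """Return a copy of `policy` whose auditConfigs enable the required log
    types. Bindings, etag and unrelated audit configs are kept, and running
    it twice gives the same result, so it is safe to re-apply."""
    new_policy = copy.deepcopy(policy)
    configs = {cfg["service"]: cfg for cfg in new_policy.get("auditConfigs", [])}
    wanted = {"allServices": DEFAULT_LOG_TYPES}
    wanted.update({service: DATA_LOG_TYPES for service in DATA_ACCESS_SERVICES})
    for service, log_types in wanted.items():
        entry = configs.setdefault(service, {"service": service, "auditLogConfigs": []})
        entry["auditLogConfigs"] = _merge_log_types(entry.get("auditLogConfigs", []), log_types)
    new_policy["auditConfigs"] = [configs[service] for service in sorted(configs)]
    return new_policy


def enabled_log_types(policy, service):
    """Log types in effect for `service`: its own entry plus allServices."""
    types = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg["service"] in (service, "allServices"):
            types.update(c["logType"] for c in cfg.get("auditLogConfigs", []))
    return types


# Constructed sample: a project with one binding and an existing Cloud Storage
# DATA_READ config that exempts a backup service account.
SAMPLE_POLICY = {
    "etag": "BwXyZ-constructed",
    "version": 1,
    "bindings": [{"role": "roles/viewer", "members": ["user:analyst@example.com"]}],
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ",
                 "exemptedMembers": ["serviceAccount:backup@example.iam.gserviceaccount.com"]}
            ],
        }
    ],
}

if __name__ == "__main__":
    # Write this JSON to a file and feed it to `gcloud projects set-iam-policy`.
    print(json.dumps(with_required_audit_configs(SAMPLE_POLICY), indent=2))
```

The same structure can be applied at the folder or organization level, where the audit configuration is inherited by the projects below it; the merge logic does not change.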
Creating a Pub/Sub Topic
To create a Topic, follow this manual.
Things to note while configuring the Topic:
Give the Topic an indicative name such as "Hunters-Audit-Logs-Topic"
Do not create a default subscription for the Topic
Other than the mentioned configurations - we suggest using the default GCP configuration for the Topic
Note that these changes may have an effect on costs. You can read more about this here.
Creating a Subscription
To create a Subscription, follow this manual.
Things to note while configuring the Subscription:
The Subscription should be created for the Topic we created in the last section
Give the Subscription an indicative name such as "Hunters-Audit-Logs-Subscription"
The name of this subscription should be shared with Hunters
Set pull delivery
Configure a retention duration of 7 days
Set subscription to never expire
Do not set a subscription filter
Message ordering: deliver messages in the order they arrive
We suggest leaving the rest of the configuration as it is by default
Definition of the sink
To create a sink, follow this manual.
Things to note while configuring the sink:
"Sink details" step
Give the sink an indicative name such as "Hunters-Audit-Logs-Sink"
"Sink destination" step
The Sink service should be "Cloud Pub/Sub Topic"
Select the Topic which was created in the previous sections
"Choose logs to include in sink" and "Choose logs to filter out of sink" steps
When defining the sink, it is possible to filter which logs are written to it. We recommend sending all GCP Audit Logs; sending only a subset of them leaves detection and investigation partial as well.
Allow Hunters to access the Security Command Center
Enabling the Security Command Center
In this part, we assume you have enabled the Security Command Center in your GCP environment. If you have not, it can be enabled using this manual.
Enabling the Security Command Center API
To allow Hunters to query the Security Command Center, you will need to enable the "Security Command Center API". This can be done here.
A service account will need to be configured in order to allow Hunters to query the API. This will be described in the next part.
Definition of the Service Account
To define a service account, follow this manual.
Things to note while configuring the Service Account:
Give the Service Account an indicative name such as "Hunters-Service-Account"
Give the Service Account the following roles:
"Security Center Assets Viewer" - To allow Hunters to query the Security Command Center
"Security Center Findings Viewer" - To allow Hunters to query the Security Command Center
"Security Center Sources Viewer" - To allow Hunters to query the Security Command Center
To allow the Service Account to query the Pub/Sub subscription, give it the required permissions:
Go to the "Subscriptions" page under "Pub/Sub"
Click on the Subscription which was created for Hunters
In the "Permissions" tab - click "ADD MEMBER"
Add the Service Account Name as a new member with the role "Pub/Sub Subscriber"
You should now see the service account listed under "Pub/Sub Subscriber" in the "Permissions" tab
Important to note: Security Center roles should be assigned at the organization level, and not at the project level.
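The subscription, sink and permission steps above are easy to get subtly wrong (a push subscription, a 1-day retention, a filter left in place), so here is an added Python checker (not Hunters' or Google's code) that validates the three resources against the settings this page asks for. The dicts mirror the JSON printed by `gcloud logging sinks describe`, `gcloud pubsub subscriptions describe` and `gcloud pubsub subscriptions get-iam-policy` with `--format=json`; the sample resources, project name and service account e-mail are constructed, and the reading that "never expire" appears as an `expirationPolicy` without a `ttl` is my assumption about the API.

```python
"""Check a sink, its pull subscription and the service account's access
against the settings described on this page.

Added example (not Hunters' or Google's code). The dicts mirror the JSON
that `gcloud logging sinks describe`, `gcloud pubsub subscriptions describe`
and `gcloud pubsub subscriptions get-iam-policy` print with --format=json;
the sample resources below are constructed.
"""

SEVEN_DAYS = "604800s"  # 7 * 24 * 3600 seconds, the retention the page asks for

# Sink filters that still deliver every Audit Log entry.
ACCEPTED_SINK_FILTERS = {
    "",  # no filter: every log entry, Audit Logs included
    'logName:"cloudaudit.googleapis.com"',  # activity, data_access, system_event and policy streams
    'protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"',
}


def check_sink(sink, topic):
    """Findings for the sink: it must publish to `topic` without narrowing the Audit Logs."""
    findings = []
    expected = f"pubsub.googleapis.com/{topic}"
    if sink.get("destination") != expected:
        findings.append(f"sink destination is {sink.get('destination')!r}, expected {expected!r}")
    if sink.get("filter", "") not in ACCEPTED_SINK_FILTERS:
        findings.append("sink filter narrows the logs; the page recommends sending all Audit Logs")
    return findings


def check_subscription(sub, topic):
    """Findings for the subscription: pull, 7-day retention, no expiry, no filter, ordered."""
    findings = []
    if sub.get("topic") != topic:
        findings.append(f"subscription reads {sub.get('topic')!r}, expected {topic!r}")
    if sub.get("pushConfig", {}).get("pushEndpoint"):
        findings.append("subscription uses push delivery; pull delivery is required")
    if sub.get("messageRetentionDuration") != SEVEN_DAYS:
        findings.append(f"retention is {sub.get('messageRetentionDuration')!r}, expected {SEVEN_DAYS!r}")
    # Assumption about the Pub/Sub API: "never expire" is an expirationPolicy
    # without a ttl; a missing policy means the default 31-day expiry applies.
    expiry = sub.get("expirationPolicy")
    if expiry is None or "ttl" in expiry:
        findings.append("subscription expires; set it to never expire")
    if sub.get("filter"):
        findings.append("subscription has a filter; none should be set")
    if not sub.get("enableMessageOrdering", False):
        findings.append("message ordering is disabled")
    return findings


def check_subscriber_binding(iam_policy, service_account_email):
    """The service account must hold roles/pubsub.subscriber on the subscription."""
    member = f"serviceAccount:{service_account_email}"
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") == "roles/pubsub.subscriber" and member in binding.get("members", []):
            return []
    return [f"{member} lacks roles/pubsub.subscriber on the subscription"]


def check_all(sink, sub, iam_policy, topic, service_account_email):
    """All findings; an empty list means the setup matches the page."""
    return (check_sink(sink, topic)
            + check_subscription(sub, topic)
            + check_subscriber_binding(iam_policy, service_account_email))


# Constructed sample resources in a project called "example-project".
TOPIC = "projects/example-project/topics/Hunters-Audit-Logs-Topic"
SA_EMAIL = "hunters-service-account@example-project.iam.gserviceaccount.com"
GOOD_SINK = {
    "name": "Hunters-Audit-Logs-Sink",
    "destination": f"pubsub.googleapis.com/{TOPIC}",
    "filter": 'logName:"cloudaudit.googleapis.com"',
    "writerIdentity": "serviceAccount:service-123456789@gcp-sa-logging.iam.gserviceaccount.com",  # constructed
}
GOOD_SUB = {
    "name": "projects/example-project/subscriptions/Hunters-Audit-Logs-Subscription",
    "topic": TOPIC,
    "pushConfig": {},  # empty pushConfig means pull delivery
    "ackDeadlineSeconds": 10,
    "messageRetentionDuration": SEVEN_DAYS,
    "expirationPolicy": {},
    "enableMessageOrdering": True,
}
GOOD_IAM = {"bindings": [{"role": "roles/pubsub.subscriber",
                          "members": [f"serviceAccount:{SA_EMAIL}"]}]}

if __name__ == "__main__":
    for finding in check_all(GOOD_SINK, GOOD_SUB, GOOD_IAM, TOPIC, SA_EMAIL) or ["OK"]:
        print(finding)
```

One more thing worth checking that the script does not cover: the sink's `writerIdentity` service account must hold `roles/pubsub.publisher` on the topic, otherwise the sink is created but no messages arrive. The Console normally grants this when the topic is in the same project as the sink; if the topic lives in another project, grant it by hand and check the sink for export errors.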
Once the service account is created, generate a key for it.
This is done from the service account's definition page -> Keys -> ADD KEY (Create new key) -> JSON.
Parameters to share with Hunters
The generated Service Account JSON key
The name of the topic subscription
For example, the string "Hunters-Audit-Logs-Subscription"
Your project id (name of the project in which the subscription was created)
Your organization code (can be found here)