Skip to content

GCP CloudAudit

Chronicle supports the ingestion of GCP CloudAudit logs via a GCS Bucket.

Chronicle Data Types

  • GCP


  1. Create a new GCS bucket for the CloudAudit logs to be stored in. If you already have a GCS bucket setup you can use the existing bucket.
  2. In GCP CloudAudit logs are not enabled by default. Follow this GCP Guide to enable them.
  3. Once the VPC Flow Logs have been enabled follow this GCP Guide on how to export them into a GCS bucket. The resource needed to be exported for this step is resource.type="audited_resource"".
  4. Once the CloudAudit logs is running and confirmed to be flowing in your GCS bucket follow the GCP GCS Bucket guide on how to configure the GCS bucket so that CYDERES that can access the logs.