
Cloud Audit

Chronicle supports ingestion of GCP Cloud Audit logs via two methods. The recommended method is a one-time Chronicle access code; the optional/secondary method is a GCS bucket.

Chronicle Data Types

Data types or log sources within Chronicle will have a GCP or Google prefix.

  • Example: GCP_CLOUDAUDIT

Configuration - Access Code

  1. Setup IAM Role. Follow this Google guide Ingest GCP Logs to Chronicle.
  2. Enable GCP Telemetry Ingestion. Follow this Google guide Ingest GCP Logs to Chronicle.
  3. Review the GCP services with Cloud Audit logging capability and configure the security-related services. Review this Google services list Google Cloud services with audit logs.

Configuration - GCS Bucket

  1. Create a new GCS bucket for the Cloud Audit logs to be stored in, or use a pre-existing GCS bucket. GCP Guide.
  2. In GCP, Cloud Audit logs are not enabled by default. Follow this GCP Guide to enable them.
  3. Once the Cloud Audit logs have been enabled, follow this GCP Guide to export them into a GCS bucket. The resource to export for this step is resource.type="audited_resource".
  4. Once Cloud Audit logging is working and confirmed to be flowing into the GCS bucket, follow the GCP GCS Bucket guide to configure the GCS bucket so that Cyderes can access the logs.
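The four GCS bucket steps above as one reviewable script. This is an added example, not code from the original page or tooling from Chronicle or Cyderes. The project ID, bucket name, sink name, location and the reader identity are constructed placeholders; the reader identity in particular is whatever principal the GCS Bucket guide referenced in step 4 tells you to grant, and is not known from this page.

```shell
#!/usr/bin/env sh
# Added example, not from the original page: the gcloud/gsutil commands behind
# steps 1-4 of the GCS bucket method. Every name below is a constructed
# placeholder; override it with an environment variable for your project.
PROJECT_ID="${PROJECT_ID:-example-project}"        # assumption: your GCP project ID
BUCKET="${BUCKET:-example-cloudaudit-logs}"        # assumption: export bucket name
SINK_NAME="${SINK_NAME:-cloudaudit-to-gcs}"        # assumption: log sink name
LOCATION="${LOCATION:-us}"                         # assumption: bucket location
READER="${READER:-serviceAccount:<reader-identity-from-gcs-bucket-guide>}"  # placeholder
LOG_FILTER='resource.type="audited_resource"'      # the filter given in step 3

# DRY_RUN=1 (the default) prints each command (without shell quoting) instead
# of executing it, so the plan can be reviewed before anything is changed.
# Set DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the export bucket (skip this if reusing an existing one).
# Uniform bucket-level access keeps IAM as the only access control on it.
create_bucket() {
  run gcloud storage buckets create "gs://$BUCKET" \
    --project="$PROJECT_ID" --location="$LOCATION" --uniform-bucket-level-access
}

# Step 3: create a Cloud Logging sink that routes matching entries to the bucket.
create_sink() {
  run gcloud logging sinks create "$SINK_NAME" "storage.googleapis.com/$BUCKET" \
    --project="$PROJECT_ID" --log-filter="$LOG_FILTER"
}

# Step 3, continued: the sink writes with its own service account (the
# writerIdentity), which needs permission to create objects in the bucket.
grant_sink_writer() {
  if [ "$DRY_RUN" = "1" ]; then
    writer='serviceAccount:<writerIdentity from gcloud logging sinks describe>'
  else
    writer=$(gcloud logging sinks describe "$SINK_NAME" \
      --project="$PROJECT_ID" --format='value(writerIdentity)')
  fi
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="$writer" --role=roles/storage.objectCreator
}

# Step 4, check: exported entries land in the bucket in hourly batches, so
# expect a short delay before the listing shows any objects.
verify_export() {
  run gsutil ls -r "gs://$BUCKET/"
}

# Step 4: allow the collector identity named in the GCS bucket guide to read
# the exported objects (read-only; it must not be able to modify or delete them).
grant_reader() {
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="$READER" --role=roles/storage.objectViewer
}

# Run the whole sequence with `sh cloudaudit_sink.sh all`.
if [ "${1:-}" = "all" ]; then
  create_bucket; create_sink; grant_sink_writer; verify_export; grant_reader
fi
```

`sh cloudaudit_sink.sh all` prints the plan; `DRY_RUN=0 sh cloudaudit_sink.sh all` applies it. Two things to confirm before relying on the export: Admin Activity audit logs are always written, but Data Access audit logs have to be turned on per service (that is step 2, done in the console per the linked guide), and the step 3 filter only matches entries whose monitored resource type is `audited_resource`. Many Cloud Audit entries carry service-specific resource types instead, so check in Logs Explorer that the services reviewed earlier actually appear under that filter before treating the bucket as complete coverage.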