Skip to content

GCP Cloud Audit

GCP Cloud Audit

About

Cloud Audit Logs helps security teams maintain audit trails in Google Cloud Platform (GCP). With this tool, enterprises can attain the same level of transparency over administrative activities and accesses to data in Google Cloud Platform as in on-premises environments. Every administrative activity is recorded on a hardened, always-on audit trail, which cannot be disabled by any rogue actor. Data access logs can be customized to best suit your organization’s need around monitoring and compliance.

Product Details

Vendor URL: Cloud Audit Logs Overview

Product Type: Audit

Product Tier: Tier III

Integration Method: Viewing audit logs

Parser Details

Log Format: JSON

Expected Normalization Rate: 95%-100%

Data Label: GCP_CLOUDAUDIT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
insertId metadata.product_log_id
logName metadata.url_back_to_product
logName security_result.category_details
protoPayload.@type about.resource.attribute.labels
protoPayload.metadata.@type about.resource.attribute.labels
protoPayload.metadata.ingressViolations.servicePerimeter security_result.detection_fields
protoPayload.metadata.ingressViolations.targetResource security_result.detection_fields
protoPayload.metadata.resourceNames target.resource.name
protoPayload.metadata.securityPolicyInfo.organizationId security_result.detection_fields
protoPayload.metadata.violationReason security_result.rule_name
protoPayload.metadata.vpcServiceControlsUniqueId security_result.rule_id
protoPayload.methodName metadata.product_event_type
protoPayload.methodName target.resource.attribute.labels
protoPayload.principalEmail principal.user.userid
protoPayload.principalEmail target.user.userid
protoPayload.resourceName security_result.detection_fields
protoPayload.serviceName target.resource.attribute.labels
protoPayload.serviceName target.application
protoPayload.status.code security_result.detection_fields
protoPayload.status.message security_result.description
requestMetadata.callerIp principal.hostname
requestMetadata.callerIp principal.ip
resource.labels.project_id target.cloud.project.name
resource.labels.project_id target.resource_ancestors.name
resource.subtype target.resource_subtype
severity security_result.severity
timestamp metadata.event_timestamp

Product Event Types

Event Type
GENERIC_EVENT
RESOURCE_CREATION
RESOURCE_DELETION
RESOURCE_READ
RESOURCE_WRITTEN
STATUS_UNCATEGORIZED
STATUS_UPDATE
USER_CHANGE_PASSWORD
USER_LOGIN
USER_LOGOUT
USER_RESOURCE_ACCESS
USER_RESOURCE_CREATION
USER_RESOURCE_UPDATE_CONTENT
USER_RESOURCE_UPDATE_PERMISSIONS

Log Sample

{"protoPayload":{"@type":"website.domain.com","status":{"code":7,"message":"Request is prohibited by organization\u0027s policy. vpcServiceControlsUniqueIdentifier: L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"VPC_SERVICE_CONTROLS","description":"L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw"}]}]},"authenticationInfo":{"principalEmail":"johndoe@domain.com"},"requestMetadata":{"callerIp":"10.64.27.40","requestAttributes":{},"destinationAttributes":{}},"serviceName":"website4.domain.com","methodName":"google.storage.objects.list","resourceName":"projects/532452139372","metadata":{"ingressViolations":[{"targetResource":"projects/532452139372","servicePerimeter":"accessPolicies/285566393133/servicePerimeters/gw_rb_sp_7845"}],"deviceState":"Unknown","vpcServiceControlsUniqueId":"L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw","accessLevels":["accessPolicies/285566393133/accessLevels/adm_pltops_prod_policy_adm_pltops","accessPolicies/285566393133/accessLevels/adm_conhub_preprod_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_cas_gptdev_policy_adm_cas","accessPolicies/285566393133/accessLevels/adm_cas_prod_policy_adm_cas","accessPolicies/285566393133/accessLevels/adm_conhub_dev_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_conhub_qa_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_conhub_mgmt_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_conhub_prod_policy_adm_conhub","accessPolicies/285566393133/accessLevels/cct_dsp_dev_vpc_sc_1309_al","accessPolicies/285566393133/accessLevels/adm_pltops_nonprd_policy_adm_pltops"],"securityPolicyInfo":{"organizationId":"701374442558","servicePerimeterName":"accessPolicies/285566393133/servicePerimeters/gw_rb_sp_7845"},"@type":"website2.domain.com","violationReason":"NO_MATCHING_ACCESS_LEVEL","resourceNames":["projects/_/buckets/gw-mgmt-prod-stbs-eu-bms-rollbk"]},"redactions":[{"type":"PARTIAL","field":"authenticationInfo.principalEmail","reason":"VPC-SC partial redaction"},{"type":"CLEARED","field":"authenticationInfo.principalSubject","reason":"VPC-SC partial redaction"}]},"insertId":"utaa1nd1kq8","resource":{"type":"audited_resource","labels":{"service":"website4.domain.com","project_id":"gw-core-prod-priv-rollbk-2055","method":"google.storage.objects.list"}},"timestamp":"2023-06-13T15:17:33.666015312Z","severity":"ERROR","logName":"website3.domain.com","receiveTimestamp":"2023-06-13T15:17:34.423164686Z"}

Sample Parsing

about.labels.key = type
about.labels.value = "website.domain.com"
about.labels.key = metadata_type
about.labels.value = "website2.domain.com"
metadata.event_timestamp = "2023-06-13T15:17:33.666015312Z"
metadata.event_type = "RESOURCE_READ"
metadata.product_event_type = "google.storage.objects.list"
metadata.product_log_id = "utaa1nd1kq8"
metadata.url_back_to_product = "website3.domain.com"
principal.hostname = "10.64.27.40"
principal.ip = "10.64.27.40"
principal.user.userid = "johndoe@domain.com"
security_result.category_details = "website.domain.com"
security_result.description = "Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw"
security_result.detection_fields.key = "organization_id"
security_result.detection_fields.value = "701374442558"
security_result.detection_fields.key = "protoPayload_metadata_ingressViolations_servicePerimeter"
security_result.detection_fields.value = "accessPolicies/285566393133/servicePerimeters/gw_rb_sp_7845"
security_result.detection_fields.key = "protoPayload_metadata_ingressViolations_targetResource"
security_result.detection_fields.value = "projects/532452139372"
security_result.detection_fields.key = "resource_name"
security_result.detection_fields.value = "projects/532452139372"
security_result.detection_fields.key = "status_code"
security_result.detection_fields.value = "7"
security_result.rule_id = "L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw"
security_result.rule_name = "NO_MATCHING_ACCESS_LEVEL"
security_result.severity = ERROR
target.application = "website4.domain.com"
target.cloud.project.name = "gw-core-prod-priv-rollbk-2055"
target.resource_ancestors.name = "gw-core-prod-priv-rollbk-2055"
target.resource_subtype = "audited_resource"
target.resource.attribute.labels.key = "rc_method"
target.resource.attribute.labels.value = "google.storage.objects.list"
target.resource.attribute.labels.key = "rc_service"
target.resource.attribute.labels.value = "website4.domain.com"
target.user.userid = "johndoe@domain.com"