GCP Cloud Audit¶
About¶
Cloud Audit Logs helps security teams maintain audit trails in Google Cloud Platform (GCP). With this tool, enterprises can attain the same level of transparency over administrative activities and accesses to data in Google Cloud Platform as in on-premises environments. Every administrative activity is recorded on a hardened, always-on audit trail, which cannot be disabled by any rogue actor. Data access logs can be customized to best suit your organization’s need around monitoring and compliance.
Product Details¶
Vendor URL: Cloud Audit Logs Overview
Product Type: Audit
Product Tier: Tier III
Integration Method: Viewing audit logs
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95%-100%
Data Label: GCP_CLOUDAUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| insertId | metadata.product_log_id |
| logName | metadata.url_back_to_product |
| logName | security_result.category_details |
| protoPayload.@type | about.labels |
| protoPayload.metadata.@type | about.labels |
| protoPayload.metadata.ingressViolations.servicePerimeter | security_result.detection_fields |
| protoPayload.metadata.ingressViolations.targetResource | security_result.detection_fields |
| protoPayload.metadata.resourceNames | target.resource.name |
| protoPayload.metadata.securityPolicyInfo.organizationId | security_result.detection_fields |
| protoPayload.metadata.violationReason | security_result.rule_name |
| protoPayload.metadata.vpcServiceControlsUniqueId | security_result.rule_id |
| protoPayload.methodName | metadata.product_event_type |
| protoPayload.methodName | target.resource.attribute.labels |
| protoPayload.principalEmail | principal.user.userid |
| protoPayload.principalEmail | target.user.userid |
| protoPayload.resourceName | security_result.detection_fields |
| protoPayload.serviceName | target.resource.attribute.labels |
| protoPayload.serviceName | target.application |
| protoPayload.status.code | security_result.detection_fields |
| protoPayload.status.message | security_result.description |
| requestMetadata.callerIp | principal.hostname |
| requestMetadata.callerIp | principal.ip |
| resource.labels.project_id | target.cloud.project.name |
| resource.labels.project_id | target.resource_ancestors.name |
| resource.subtype | target.resource_subtype |
| severity | security_result.severity |
| timestamp | metadata.event_timestamp |
Product Event Types¶
| Event Type |
|---|
| GENERIC_EVENT |
| RESOURCE_CREATION |
| RESOURCE_DELETION |
| RESOURCE_READ |
| RESOURCE_WRITTEN |
| STATUS_UNCATEGORIZED |
| STATUS_UPDATE |
| USER_CHANGE_PASSWORD |
| USER_LOGIN |
| USER_LOGOUT |
| USER_RESOURCE_ACCESS |
| USER_RESOURCE_CREATION |
| USER_RESOURCE_UPDATE_CONTENT |
| USER_RESOURCE_UPDATE_PERMISSIONS |
Log Sample¶
{"protoPayload":{"@type":"website.domain.com","status":{"code":7,"message":"Request is prohibited by organization\u0027s policy. vpcServiceControlsUniqueIdentifier: L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"VPC_SERVICE_CONTROLS","description":"L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw"}]}]},"authenticationInfo":{"principalEmail":"johndoe@domain.com"},"requestMetadata":{"callerIp":"10.64.27.40","requestAttributes":{},"destinationAttributes":{}},"serviceName":"website4.domain.com","methodName":"google.storage.objects.list","resourceName":"projects/532452139372","metadata":{"ingressViolations":[{"targetResource":"projects/532452139372","servicePerimeter":"accessPolicies/285566393133/servicePerimeters/gw_rb_sp_7845"}],"deviceState":"Unknown","vpcServiceControlsUniqueId":"L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw","accessLevels":["accessPolicies/285566393133/accessLevels/adm_pltops_prod_policy_adm_pltops","accessPolicies/285566393133/accessLevels/adm_conhub_preprod_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_cas_gptdev_policy_adm_cas","accessPolicies/285566393133/accessLevels/adm_cas_prod_policy_adm_cas","accessPolicies/285566393133/accessLevels/adm_conhub_dev_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_conhub_qa_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_conhub_mgmt_policy_adm_conhub","accessPolicies/285566393133/accessLevels/adm_conhub_prod_policy_adm_conhub","accessPolicies/285566393133/accessLevels/cct_dsp_dev_vpc_sc_1309_al","accessPolicies/285566393133/accessLevels/adm_pltops_nonprd_policy_adm_pltops"],"securityPolicyInfo":{"organizationId":"701374442558","servicePerimeterName":"accessPolicies/285566393133/servicePerimeters/gw_rb_sp_7845"},"@type":"website2.domain.com","violationReason":"NO_MATCHING_ACCESS_LEVEL","resourceNames":["projects/_/buckets/gw-mgmt-prod-stbs-eu-bms-rollbk"]},"redactions":[{"type":"PARTIAL","field":"authenticationInfo.principalEmail","reason":"VPC-SC partial redaction"},{"type":"CLEARED","field":"authenticationInfo.principalSubject","reason":"VPC-SC partial redaction"}]},"insertId":"utaa1nd1kq8","resource":{"type":"audited_resource","labels":{"service":"website4.domain.com","project_id":"gw-core-prod-priv-rollbk-2055","method":"google.storage.objects.list"}},"timestamp":"2023-06-13T15:17:33.666015312Z","severity":"ERROR","logName":"website3.domain.com","receiveTimestamp":"2023-06-13T15:17:34.423164686Z"}
Sample Parsing¶
about.labels.key = type
about.labels.value = "website.domain.com"
about.labels.key = metadata_type
about.labels.value = "website2.domain.com"
metadata.event_timestamp = "2023-06-13T15:17:33.666015312Z"
metadata.event_type = "RESOURCE_READ"
metadata.product_event_type = "google.storage.objects.list"
metadata.product_log_id = "utaa1nd1kq8"
metadata.url_back_to_product = "website3.domain.com"
principal.hostname = "10.64.27.40"
principal.ip = "10.64.27.40"
principal.user.userid = "johndoe@domain.com"
security_result.category_details = "website.domain.com"
security_result.description = "Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw"
security_result.detection_fields.key = "organization_id"
security_result.detection_fields.value = "701374442558"
security_result.detection_fields.key = "protoPayload_metadata_ingressViolations_servicePerimeter"
security_result.detection_fields.value = "accessPolicies/285566393133/servicePerimeters/gw_rb_sp_7845"
security_result.detection_fields.key = "protoPayload_metadata_ingressViolations_targetResource"
security_result.detection_fields.value = "projects/532452139372"
security_result.detection_fields.key = "resource_name"
security_result.detection_fields.value = "projects/532452139372"
security_result.detection_fields.key = "status_code"
security_result.detection_fields.value = "7"
security_result.rule_id = "L_JmCU23dWVDsxrjTuSJpzpRf0timWI4nTwXpHMDkmpSZVoJVayeqw"
security_result.rule_name = "NO_MATCHING_ACCESS_LEVEL"
security_result.severity = ERROR
target.application = "website4.domain.com"
target.cloud.project.name = "gw-core-prod-priv-rollbk-2055"
target.resource_ancestors.name = "gw-core-prod-priv-rollbk-2055"
target.resource_subtype = "audited_resource"
target.resource.attribute.labels.key = "rc_method"
target.resource.attribute.labels.value = "google.storage.objects.list"
target.resource.attribute.labels.key = "rc_service"
target.resource.attribute.labels.value = "website4.domain.com"
target.user.userid = "johndoe@domain.com"
Rules¶
Coming Soon