Audited resources

Google audit logs

Google Cloud provides four types of audit logs for each Google Cloud project, folder, and organization:

  • Admin Activity audit logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.

  • Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify or read user-provided resource data.

  • System Event audit logs contain log entries for Google Cloud administrative actions that modify the configuration of resources. These entries are generated by Google systems themselves rather than by direct user action.

  • Policy Denied audit logs are recorded when a Google Cloud service denies access to a user or service account because of a security policy violation.

ThreatLockDown can collect and analyze these log types using the GCP Pub/Sub integration.

Configure Google audit logs collection

To enable Google audit logs collection, first route the audit logs into a Pub/Sub topic by defining a custom log router sink.

  1. Visit the Google Cloud Logging section and click on CREATE SINK.

  2. Provide a descriptive name for the sink and click on NEXT.

  3. Once the name for the sink is chosen, it is necessary to select the sink destination. As sink service, choose Cloud Pub/Sub topic, and then create or choose a topic to be used as destination. Then click on NEXT.

  4. Use the following query to collect all the audit logs from every project. It is possible to edit it to only collect audit logs from a particular project.

    logName=~("projects/.*/logs/cloudaudit.googleapis.com%2F(activity|data_access|system_event|policy)")
    
  5. If it is not necessary to filter any logs out of the sink, click on CREATE SINK.

Once this process is finished, you can configure the ThreatLockDown GCP Pub/Sub integration to process the audit logs of the selected resources as usual.
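The following script is an added example, not part of the original page or of the ThreatLockDown project, to show which log entries the sink query from step 4 will export. It applies the page's logName pattern (and a variant restricted to one project) to constructed logName values with Python's re module, which is assumed here to be a close enough stand-in for the Cloud Logging =~ regular expression match; the project ids demo-prod and demo-dev are constructed placeholders.

```python
import re

# Pattern taken verbatim from the sink query in step 4 of the procedure above.
# In a GCP logName the "/" between the service and the log id is URL-encoded
# as "%2F", which is why the pattern matches that sequence literally.
ALL_PROJECTS_FILTER = (
    "projects/.*/logs/cloudaudit.googleapis.com%2F"
    "(activity|data_access|system_event|policy)"
)


def project_filter(project_id):
    """Same pattern restricted to a single project (the page says the query
    may be edited for this); project_id is an assumed placeholder value."""
    return (
        f"projects/{re.escape(project_id)}/logs/cloudaudit.googleapis.com%2F"
        "(activity|data_access|system_event|policy)"
    )


def audit_type(log_name, pattern=ALL_PROJECTS_FILTER):
    """Return the audit log type ('activity', 'data_access', 'system_event'
    or 'policy') the sink would export this logName as, or None if the
    entry would not be routed to the Pub/Sub topic at all."""
    match = re.search(pattern, log_name)
    return match.group(1) if match else None


def route(log_names, pattern=ALL_PROJECTS_FILTER):
    """Group logName values by audit type, dropping entries the sink skips."""
    routed = {}
    for name in log_names:
        kind = audit_type(name, pattern)
        if kind is not None:
            routed.setdefault(kind, []).append(name)
    return routed


# Constructed sample logName values (not real project data).
SAMPLE_LOG_NAMES = [
    "projects/demo-prod/logs/cloudaudit.googleapis.com%2Factivity",
    "projects/demo-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
    "projects/demo-dev/logs/cloudaudit.googleapis.com%2Fsystem_event",
    "projects/demo-dev/logs/cloudaudit.googleapis.com%2Fpolicy",
    # Not an audit log: the sink query leaves it out.
    "projects/demo-prod/logs/syslog",
    # Folder-level audit log: the "projects/" prefix in the query does not
    # match it, so folder and organization audit logs need their own filter.
    "folders/123456/logs/cloudaudit.googleapis.com%2Factivity",
]

if __name__ == "__main__":
    print("All projects:")
    for kind, names in route(SAMPLE_LOG_NAMES).items():
        print(f"  {kind}: {len(names)} entries")
    print("Only demo-prod:")
    for kind, names in route(SAMPLE_LOG_NAMES, project_filter("demo-prod")).items():
        print(f"  {kind}: {names}")
```

Running it shows that the query exports all four audit log types from every project, that non-audit logs such as syslog are not routed, and that the `projects/` prefix excludes folder- and organization-level audit logs, which is worth checking before relying on the sink for complete coverage.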

ThreatLockDown dashboard visualization

After configuring the GCP Pub/Sub module to fetch the audit logs from Google Cloud, it is possible to visualize the alerts generated in the ThreatLockDown dashboard.

Google Cloud logs can be filtered by the data.gcp.logName field. After selecting the Exists in button, only Google Cloud-related events will appear in the ThreatLockDown dashboard.

Visit the Google Cloud documentation to learn more about the different Google services capable of writing audit logs.