GCP Audit Logs: A Security Monitoring Overview 

Mark Stone

If your organization has resources in the Google Cloud Platform (GCP), understanding the role the platform’s audit logs play in helping you gain visibility into your cloud security is crucial.

With Google Cloud audit logs, your security team gains extensive insight into what’s happening within your cloud projects. Plus, Cloud audit logs help teams maintain audit trails in Google Cloud Platform (GCP). 

An overview of Google Cloud Platform from a security perspective  

Audit logs in Google Cloud Platform keep a record of everything that is occurring within your GCP resources. The GCP audit logs tell you who did it, when they did it, and where.

Together with Identity and Access Management (IAM), audit logs are perhaps the two most important security controls in GCP: IAM establishes what people in your organization can do, and Cloud Audit Logging records what they actually did.

GCP audit logs fall into three categories: Admin Activity logs, Data Access logs and Access Transparency logs. 

The most common log type is the Admin Activity log, which records administrative changes to your cloud resources. An event is logged whenever a cloud resource is created or modified. These logs are free for all users and cannot be disabled.

Data Access logs tell you the “who” about your data: who accessed, read, or changed it. It’s important to note that Data Access logs are not turned on by default, because they can generate a very large volume of data.

Data Access audit logs are further divided into three sub-types: 

  • Admin read: records operations that read metadata or configuration information
  • Data read: records operations that read data within a service
  • Data write: records operations that write data to a service

Each sub-type must be explicitly enabled for any service you wish to monitor (as they are also not turned on by default).

The third type of log is the Access Transparency log, which allows companies to see what Google is doing to their cloud environment. These logs will tell you why Google accessed a cloud resource.
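The enabling step above is done by editing the project's IAM policy, whose `auditConfigs` list names a service and the log types turned on for it. The script below is an added example (not code from this article or from Google) that models the documented workflow of exporting the policy with `gcloud projects get-iam-policy PROJECT_ID --format=json`, adding the three Data Access sub-types to `auditConfigs`, and writing the result back with `gcloud projects set-iam-policy PROJECT_ID policy.json`. The policy document in it is constructed sample data; the project, group and service-account names are placeholders.

```python
"""Enable GCP Data Access audit logs by editing a project's IAM policy.

Added example, not code from the article or from Google. It edits the policy
JSON that `gcloud projects get-iam-policy` exports and `set-iam-policy` reads.
"""
import json
from typing import Any, Dict, Iterable, List, Set

# The three Data Access sub-types, in the names the IAM policy uses.
DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_data_access_logs(
    policy: Dict[str, Any],
    service: str = "allServices",
    log_types: Iterable[str] = DATA_ACCESS_LOG_TYPES,
) -> Dict[str, Any]:
    """Return a copy of `policy` with `log_types` enabled for `service`.

    Bindings, the etag and any existing `exemptedMembers` lists are left
    untouched, and re-running the function never duplicates an entry, so the
    result is safe to feed to `set-iam-policy` repeatedly.
    """
    updated = json.loads(json.dumps(policy))  # deep copy of plain JSON data
    configs: List[Dict[str, Any]] = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    log_configs: List[Dict[str, Any]] = entry.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_configs}
    for log_type in log_types:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return updated


def enabled_log_types(policy: Dict[str, Any], service: str) -> Set[str]:
    """Which Data Access sub-types are on for `service` in this policy."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            return {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return set()


# Constructed sample: a project that already logs writes to Cloud Storage
# (exempting a CI service account) but has no other Data Access logging.
SAMPLE_POLICY: Dict[str, Any] = {
    "version": 1,
    "etag": "BwXplaceholder=",  # placeholder; real policies carry an opaque etag
    "bindings": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {
                    "logType": "DATA_WRITE",
                    "exemptedMembers": [
                        "serviceAccount:ci@example-project.iam.gserviceaccount.com"
                    ],
                }
            ],
        }
    ],
}


if __name__ == "__main__":
    # Turn on all three sub-types for every service and print the policy,
    # ready to be saved as policy.json for `gcloud projects set-iam-policy`.
    print(json.dumps(enable_data_access_logs(SAMPLE_POLICY), indent=2))
```

Keep the `etag` from the exported policy in the file you write back: IAM uses it for optimistic concurrency, and `set-iam-policy` rejects a policy whose etag no longer matches the current one.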

Why GCP audit logs support your visibility

GCP audit logs give you the same level of transparency into cloud resource activity that you would expect from a typical on-premises environment. With audit logs enabled, your security, audit, and compliance teams capture the activity on all relevant Google Cloud resources and can review it for potential vulnerabilities or misuse of data.

When combined with a modern SIEM, audit logs enable you to identify potential security threats in real-time with preset detection rules. 

With more people working from home than ever before, along with the shift to a hybrid workplace, identifying compromised accounts is crucial. GCP audit logs allow you to map the locations of those logins and identify where the accounts are used. 

GCP audit logs also enable you to spot malicious insiders by tracking IAM policy changes. If an employee changes a policy by accident — or worse, grants themselves administrative privileges to a database and downloads its contents — having an audit trail that records those changes is critical to security.

The ability to correlate those IAM changes with Data Access logs makes this even more powerful.

How to pull Google Cloud Platform logs into Panther

In a recent software update, Panther shipped Google Cloud Storage as a data transport. For security teams, this means that you can send GCP Audit Logs to Panther without having to set up an AWS S3 bucket.

However, it’s important to note that Panther is not hosted on GCP. Panther’s solution and the data sent to it are still hosted on AWS.

For detailed instructions on how to configure the GCP integration, set up the GCS source, and view collected logs, view Panther’s documentation – https://docs.panther.com/data-onboarding/data-transports/gcs

Using Panther for GCP Log Monitoring

GCP Audit Logs contain detailed records of the activity inside your cloud projects, but to obtain true visibility you need a robust monitoring tool. With Panther, you can collect, normalize, and monitor GCP log data to identify suspicious activity in real time.

Once your normalized data is retained, Panther empowers you to conduct future security investigations in a serverless data lake — whether it’s powered by AWS or the cloud-native data platform, Snowflake.

With Panther’s built-in rules, monitoring activity is simple. We even make it easy for you to write your own detections in Python to fit your internal business use cases.

With GCP audit log data, Panther enables several key real-time monitoring use cases:

  • Detect compromised IAM access keys
  • Ensure adversaries don’t access data objects from improperly secured cloud storage
  • Check if a Gmail account is being used instead of a corporate email
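Two of the use cases above, the IAM policy-change tracking from the earlier section and the Gmail-instead-of-corporate-account check, written as the kind of Python detection the text mentions. This is an added example, not Panther's own code or a rule from its rule packs, and Panther keeps one `rule(event)` per file where this script bundles two for demonstration. The field paths follow the Cloud Audit Log JSON that GCP emits (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.serviceData.policyDelta.bindingDeltas`); the events, project, bucket and user names are constructed samples.

```python
"""Two GCP audit log detections in the shape of Panther Python rules.

Added example; not Panther's code. Each rule is a `rule(event) -> bool` plus a
`title(event) -> str`, evaluated over constructed Cloud Audit Log entries.
"""
from typing import Any, Callable, Dict, List, Tuple

# Project-wide roles whose grant should always be reviewed; any role ending in
# "admin" (roles/storage.admin, roles/iam.serviceAccountAdmin, ...) is treated
# the same way.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; audit entries omit fields that do not apply to them."""
    cur = obj
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_privileged_role(role: str) -> bool:
    return role in PRIVILEGED_ROLES or role.lower().endswith("admin")


def principal_email(event: Dict[str, Any]) -> str:
    return deep_get(event, "protoPayload", "authenticationInfo", "principalEmail", default="")


def privileged_grants(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Binding deltas that ADD a privileged role, if this is a SetIamPolicy call."""
    method = deep_get(event, "protoPayload", "methodName", default="")
    if not method.endswith("SetIamPolicy"):
        return []
    deltas = deep_get(event, "protoPayload", "serviceData", "policyDelta", "bindingDeltas", default=[])
    return [d for d in deltas if d.get("action") == "ADD" and is_privileged_role(d.get("role", ""))]


# Rule 1: an Admin Activity entry in which someone grants owner/editor/*admin.
def rule_privileged_grant(event: Dict[str, Any]) -> bool:
    return bool(privileged_grants(event))


def title_privileged_grant(event: Dict[str, Any]) -> str:
    resource = deep_get(event, "protoPayload", "resourceName", default="<unknown resource>")
    grants = ", ".join(f"{d.get('role')} -> {d.get('member')}" for d in privileged_grants(event))
    return f"{principal_email(event) or '<unknown>'} granted privileged IAM role(s) on {resource}: {grants}"


# Rule 2: any entry whose caller is a consumer Gmail identity rather than a
# corporate account. Service accounts are skipped; they are never Gmail users.
def rule_gmail_principal(event: Dict[str, Any]) -> bool:
    domain = principal_email(event).rpartition("@")[2].lower()
    if not domain or domain.endswith("gserviceaccount.com"):
        return False
    return domain in CONSUMER_DOMAINS


def title_gmail_principal(event: Dict[str, Any]) -> str:
    method = deep_get(event, "protoPayload", "methodName", default="<unknown method>")
    resource = deep_get(event, "protoPayload", "resourceName", default="<unknown resource>")
    return f"Gmail account {principal_email(event)} called {method} on {resource}"


Rule = Callable[[Dict[str, Any]], bool]
Title = Callable[[Dict[str, Any]], str]
RULES: List[Tuple[str, Rule, Title]] = [
    ("GCP.IAM.PrivilegedGrant", rule_privileged_grant, title_privileged_grant),
    ("GCP.Identity.GmailPrincipal", rule_gmail_principal, title_gmail_principal),
]


def evaluate(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Run every rule over every event and return (rule id, alert title) pairs."""
    return [(rule_id, title(e)) for e in events for rule_id, rule, title in RULES if rule(e)]


SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # constructed: bob makes alice a project owner
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"},
            ]}},
        },
    },
    {   # constructed: an object read by a personal Gmail account (Data Access log)
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "someone@gmail.com"},
            "resourceName": "projects/_/buckets/example-bucket/objects/payroll.csv",
        },
    },
    {   # constructed: benign viewer grant to a group, should not alert
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"},
            ]}},
        },
    },
]

if __name__ == "__main__":
    for rule_id, alert_title in evaluate(SAMPLE_EVENTS):
        print(f"[{rule_id}] {alert_title}")
```

The second rule only catches the consumer domains it lists; replacing that check with a test against an allow-list of your corporate domains turns it into the stricter "anything that is not one of our identities" detection, at the cost of alerting on every partner or contractor account.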

Request a demo today and learn why Panther is trusted by customers like GitLab, Snowflake, Dropbox, and more.