GCP Log Monitoring

Integration Overview

Google Cloud Platform, or GCP, is a widely used suite of computing, networking, data, machine learning, storage, and management services provided by Google. Panther can collect, normalize, and monitor GCP logs to help you identify suspicious activity across your Google Cloud services in real time. Your normalized data is then retained to power future security investigations in a data lake powered by Snowflake.

Use Cases for GCP Logs

Panther supports the ingestion of both GCP Audit and HTTP Load Balancer logs, which contain detailed events of activity inside of your cloud accounts. Common SIEM use cases for GCP logs include:

  • Monitoring for any IAM role or permission changes
  • Ensuring adversaries don’t access data objects from improperly secured cloud storage
  • Detecting updates or deletions of Google cloud storage buckets
  • Checking if a Gmail account is being used instead of a corporate email

Onboarding Google Cloud Logs in Panther

Panther’s integration makes it fast and easy to ingest Google Cloud logs. Simply select Google Cloud from the list of pre-defined log sources, select your preferred data transport method (AWS S3, AWS SQS, or Google Cloud Storage), and configure GCP to push logs to your data transport source.

For more details on onboarding GCP logs or for supported log schema, you can view our GCP documentation here.

Parsing, Normalizing, & Analyzing GCP Logs

As Panther ingests GCP logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to build detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.

Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate data across all of your log sources. Panther’s intuitive search tools - such as Query Builder, Data Explorer, and Indicator Search - allow you to conduct investigations for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.

Built-in and Easily Customizable Detections

Pre-built detections for GCP Audit and HTTP Load Balancer logs are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for GCP logs here.

With Panther, you aren’t confined to restrictive detections or proprietary languages like most legacy SIEM solutions. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, scalable, and reusable scripting of detections for your security team.

Configuring Alerts

Panther generates alerts when your detection rules or policies for GCP logs are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.

Alerts are categorized by five severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.

Customer Support

If you have any questions about configuring or monitoring GCP logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring GCP logs here, or customers can sign up for the Panther Community to share best practices or custom detections.

The Ideal SIEM for GCP Logs

With Panther, your team doesn’t have to pay excessive costs to keep up with the growth of cloud app data, waste time and resources on operational overhead, or struggle with limited detection logic. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for an ideal SIEM solution for GCP, request a demo today.

Escape Cloud Noise. Detect Security Signal.
Request a Demo