GCP Audit Log Page

Overview

Lacework provides visibility into your account security through the continued monitoring and analysis of Audit Log. The Audit Log page provides graphs and panels that summarize the Audit Log data collected during this monitoring and analysis. Lacework ingests only admin activity audit logs and system event audit logs. See Log Types for more information.

Select Cloud logs > GCP Audit Log in the Lacework Console to display the GCP Audit Log page.

To populate the Google Cloud data viewed in this page, you must configure an integration with at least one Google Cloud account. For more information, see Integrate Lacework with Google Cloud.

Filters

Use the organization filter to limit the results displayed to a single specific Google Cloud account or all Google Cloud accounts integrated with Lacework. Use the project filter to narrow the results to a specific project within the organization, or select All Projects (default).

Use the following methods to further refine the data displayed on the GCP Audit Log page.

  • Use the search bar or filters at the top of the page to filter by specific fields, operators, and values. You can specify the * wildcard to match one or more characters. Additionally, some table column values let you add a filter by selecting the adjacent funnel icon.
  • To remove an active filter, click its filter and then click Reset or x. To remove all filters, click Reset, which is next to the filters.

Time Range

To change the time range, use the horizontal arrows to move to another period, select a different period, or select Custom.

Only information found during the specified date range is reported. For example, if a specific behavior occurred 9 days ago and the specified range is the latest week, that behavior is not listed.

Visual Graphs

The following visual graphs are displayed on the left:

  • Unique Users
  • Unique Methods
  • Unique Projects
  • Unique Regions
  • Unique Resource Types
  • Unique Errors

All data, including these graphs, correlates with the date range and parameters set in the global filter.

The page also shows all Audit Log alerts broken out by severity.

Polygraph

In the Polygraph panel, you can visualize your data in a streamlined way that can help identify any misconfigurations or events that both should and should not be occurring. For Audit Log, the Polygraph displays API behavior in the following order from left to right:

Google Cloud Account > Region > CallType > User/Role > Region > Google Cloud Service > Action > Resource

Audit Logs

In the Lacework Console you can search and utilize filters to identify and analyze actions within your Google Cloud accounts.

For some values in this panel, you can click the funnel icon to add a filter. For example, click the funnel next to a service to create a filter that shows only data from that service. The new filter appears at the top of the panel. You can use multiple filters, including includes and excludes, to isolate what you really want to view and inspect.

User Details

The User Details panel displays a list of Audit Log user information: User Name, Region, Account Number, Account Alias, Caller Account, City, State, and Country. This panel is useful when you need to audit or assess user activity. In this panel, you can view details such as the account and region in which a user engaged in an activity, as well as information such as whether or not MFA is enabled on a particular account.

API Error Events

The API Error Events panel displays Service, Error Code, User, API, and Error Count information. This panel can be helpful when attempting to isolate which API calls are being made to your Google Cloud account(s), the associated errors that are occurring, and how many. For example, sort on the Error Count column in descending order to view a list of the API errors occurring within your Google Cloud account. This can potentially raise visibility into service account roles and the errors they are generating that may need to be investigated and assessed.

Google Cloud Anomaly Alerting

Google Cloud anomaly-based alerting generates alerts when there are behavioral changes. For the list of Google Cloud alerts, see Alert Types.