Lacework provides visibility into your account security through continued monitoring and analysis of the Audit Log. The Audit Log page provides graphs and panels that summarize the Audit Log data collected during this monitoring and analysis. Lacework ingests only admin activity audit logs and system event audit logs; see Log Types for more information.
Select Cloud logs > GCP Audit Log in the Lacework Console to display the GCP Audit Log page.
To populate the Google Cloud data viewed in this page, you must configure an integration with at least one Google Cloud account. For more information, see Integrate Lacework with Google Cloud.
Use the organization filter to limit the results displayed to a single specific Google Cloud account or all Google Cloud accounts integrated with Lacework. Use the project filter to narrow the results to a specific project within the organization, or select All Projects (default).
Use the following methods to further refine the data displayed on this page.
- Use the search bar or filters at the top of the page to filter by specific fields, operators, and values. You can specify the * wildcard to match one or more characters. Additionally, the values in some table columns let you add a filter by selecting the adjacent funnel icon.
- To remove an active filter, click its filter and then click Reset or x. To remove all filters, click Reset, which is next to the filters.
To change the time range, use the horizontal arrows to move to another period, select a different period, or select Custom.
Only information found during the specified date range is reported. For example, if specific behavior occurred 9 days ago and the specified range is the latest week, that behavior is not listed.
The following visual graphs are displayed on the left:
- Unique Users
- Unique Methods
- Unique Projects
- Unique Regions
- Unique Resource Types
- Unique Errors
All data, including these graphs, correlates with the date range and parameters set in the global filter.
All Audit Log alerts are displayed broken out by severity.
In the Polygraph panel, you can visualize your data in a streamlined way that helps identify misconfigurations and events, both those that should and those that should not be occurring. For Audit Log, the Polygraph displays API behavior in the following order from left to right:
Google Cloud Account > Region > CallType > User/Role > Region > Google Cloud Service > Action > Resource
In the Lacework Console you can search and utilize filters to identify and analyze actions within your Google Cloud accounts.
For some values in this panel, you can click the funnel icon to add a filter; for example, click the funnel next to a service to create a filter that only shows data from that service. The new filter appears at the top of the panel. You can use multiple filters, including include and exclude filters, to isolate what you really want to view and inspect.
The User Details panel displays a list of Audit Log user information in reference to User Name, Region, Account Number, Account Alias, Caller Account, City, State, and Country. This panel is useful when you need to audit or assess user activity. In this panel, you can view details such as the account and region in which a user engaged in an activity, as well as whether or not MFA is enabled on a particular account.
API Error Events
The API Error Events panel displays Service, Error Code, User, API, and Error Count information. This panel can be helpful when attempting to isolate what API calls are being made to your Google Cloud account(s), the associated errors that are occurring, and how many. For example, sort on the Error Count column in descending order to view a list of the API errors occurring within your Google Cloud account. This can raise visibility into service account roles and the errors they are generating that may need to be investigated and assessed.
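The time-range rule, the unique-value graphs and the API Error Events table above can all be reproduced offline from raw Admin Activity entries. The following is an added example, not Lacework's code: it builds a few constructed Cloud Logging entries (the AuditLog protoPayload shape, with the region assumed to sit in the resource's `location` label), applies a "last N days" window, and computes the unique counts and the error table sorted by count.

```python
"""Offline version of the GCP Audit Log page's unique-value panels and API Error Events table."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

def entry(ts, service, method, user, project, rtype, location=None, code=None):
    """Build one constructed Cloud Logging entry with an AuditLog protoPayload."""
    e = {"timestamp": ts, "resource": {"type": rtype, "labels": {"project_id": project}},
         "protoPayload": {"serviceName": service, "methodName": method,
                          "authenticationInfo": {"principalEmail": user}}}
    if location:  # assumption: the region is carried in the resource 'location' label
        e["resource"]["labels"]["location"] = location
    if code is not None:  # google.rpc.Code; a missing status (or 0) means the call succeeded
        e["protoPayload"]["status"] = {"code": code}
    return e

# Constructed sample log (newline-delimited JSON), not data from a real project.
SVC = "svc-build@example-proj.iam.gserviceaccount.com"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    entry("2024-05-09T10:00:00Z", "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", SVC, "example-proj", "service_account", code=7),
    entry("2024-05-09T10:05:00Z", "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", SVC, "example-proj", "service_account", code=7),
    entry("2024-05-08T09:00:00Z", "compute.googleapis.com", "v1.compute.instances.insert", "alice@example.com", "example-proj", "gce_instance", "us-central1-a"),
    entry("2024-05-07T08:00:00Z", "storage.googleapis.com", "storage.buckets.delete", "alice@example.com", "example-proj-2", "gcs_bucket", "us-east1", code=5),
    entry("2024-05-01T08:00:00Z", "compute.googleapis.com", "v1.compute.instances.delete", "bob@example.com", "example-proj-3", "gce_instance", "europe-west1", code=7),  # 9 days old
])

def fields(e):
    """Flatten one entry into the columns the page's panels are keyed on."""
    p, labels = e["protoPayload"], e["resource"].get("labels", {})
    return {"user": p["authenticationInfo"].get("principalEmail", "unknown"), "method": p["methodName"],
            "service": p["serviceName"], "project": labels.get("project_id"),
            "region": labels.get("location", "global"), "resource_type": e["resource"]["type"],
            "error": p.get("status", {}).get("code", 0)}

def summarize(log_text, start, end):
    """Return (unique-value counts, error rows sorted by count, descending) for start <= ts < end."""
    def ts(e): return datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
    rows = [fields(e) for e in map(json.loads, log_text.splitlines()) if start <= ts(e) < end]
    unique = {k: len({r[k] for r in rows}) for k in ("user", "method", "project", "region", "resource_type")}
    unique["error"] = len({r["error"] for r in rows if r["error"]})
    errors = Counter((r["service"], r["error"], r["user"], r["method"]) for r in rows if r["error"])
    table = [{"service": s, "error_code": c, "user": u, "api": m, "count": n}
             for (s, c, u, m), n in errors.most_common()]
    return unique, table

NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "now" for the sample
def last_days(days, now=NOW):
    """Apply the page's time-range filter: only the most recent `days` days are reported."""
    return summarize(SAMPLE_LOG, now - timedelta(days=days), now)
```

With `last_days(7)` the 9-day-old entry is excluded, exactly as the time-range note above describes, while `last_days(30)` brings it (and its third user and fourth region) back into the counts.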
Google Cloud Anomaly Alerting
Google Cloud anomaly-based alerting generates alerts when there are behavioral changes. For the list of Google Cloud alerts, see Alert Types.