
Google Cloud Integration Types

Lacework onboarding offers the following types of Google Cloud integration with your Lacework account, depending on your specific cloud environment and whether you are interested in configuration compliance or audit log monitoring:

| Integration Type | Description |
| --- | --- |
| Configuration | Integrates with your Google Cloud environment to analyze configuration compliance and report alerts for anomalous behavior. You can set up the configuration integration using Terraform or the Google Cloud Console. For more information, see: |
| Audit Log | Integrates with your Google Cloud environment to analyze cloud audit logs and report alerts for anomalous behavior. Two methods are available for routing Google Cloud audit logs to Lacework; Lacework recommends the Pub/Sub-based audit log integration method. For more information, see Google Cloud Audit Log Integration Methods. You can set up the audit log integration using Terraform or the Google Cloud Console. For more information, see: |
| GKE Audit Log | Integrates with your Google Cloud account to monitor and baseline Kubernetes audit logs and report alerts for anomalous behavior. For more information, see GKE Audit Log Integrations. |
| Agentless Workload Scanning | Integrates with your Google Cloud environment to scan your hosts and containers for vulnerabilities. For more information, see Google Cloud Agentless Workload Scanning Integrations. |
note

Ensure that you are deploying the integration to a supported Google Cloud region.

Google Cloud Audit Log Integration Methods

You can use the following methods to integrate Google Cloud audit logs with Lacework.

Pub/Sub-Based Audit Log Integration

In this method, you create a log sink to route specific audit logs to a Pub/Sub topic in Google Cloud. The Lacework platform ingests the logs by subscribing to the Pub/Sub topic. Lacework recommends this method for the following reasons:

  • The logs routed to the Pub/Sub topic are available for ingestion in a few minutes. This enables the Lacework platform to provide alerts for anomalous behavior faster than the Storage-based audit log integration method.
  • You can use the LW_ACT_GCP_ACTIVITY Lacework Query Language (LQL) datasource to create custom LQL policies to trigger alerts when policy-based violations are found in the audit logs.
    note

    The Pub/Sub-based audit log integration does not support the default Google Cloud audit log policies. You must use the LW_ACT_GCP_ACTIVITY LQL datasource to create custom LQL policies.

For instructions on setting up a Pub/Sub-based audit log integration, see the following topics:

For instructions on migrating an existing Storage-based audit log integration to a Pub/Sub-based audit log integration, see the following topics:
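The steps described above (log sink, Pub/Sub topic, subscription, and the permissions that tie them together) as an added gcloud example. This is not Lacework's Terraform module or console flow; the project, topic, sink, subscription and service-account names are assumptions, the audit log filter shown is an assumed one (it keeps Cloud Audit Log entries and drops Kubernetes ones, which the separate GKE Audit Log integration handles), and the script prints the commands by default rather than running them.

```shell
#!/bin/sh
# Added example (not Lacework's own Terraform module or console flow): the gcloud
# steps behind a Pub/Sub-based audit log sink. Project, topic, sink, subscription
# and service-account names are assumptions; override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
TOPIC="${TOPIC:-lacework-audit-log-topic}"
SINK="${SINK:-lacework-audit-log-sink}"
SUBSCRIPTION="${SUBSCRIPTION:-lacework-audit-log-sub}"
# Service account whose credentials are handed to Lacework; it gets Subscriber on
# this one subscription only (assumed name).
LW_SA="${LW_SA:-lacework-audit-log@${PROJECT_ID}.iam.gserviceaccount.com}"
# DRY_RUN=1 (the default) prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

# Route Cloud Audit Log entries only. Kubernetes (k8s.io) audit entries are excluded
# because they belong to the separate GKE Audit Log integration (assumed filter;
# adjust it to whatever filter your chosen setup method documents).
audit_log_filter() {
  printf '%s' 'protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND NOT protoPayload.serviceName="k8s.io"'
}

# Sink destination in the form Cloud Logging expects for a Pub/Sub topic.
sink_destination() {
  printf 'pubsub.googleapis.com/projects/%s/topics/%s' "$1" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_pubsub_sink() {
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"

  # A project-level sink. For an organization-wide sink use
  # --organization=ORG_ID --include-children in place of --project.
  run gcloud logging sinks create "$SINK" "$(sink_destination "$PROJECT_ID" "$TOPIC")" \
    --project="$PROJECT_ID" --log-filter="$(audit_log_filter)"

  # Cloud Logging publishes through a sink-specific writer identity. It must hold
  # Publisher on the topic, otherwise the sink drops entries without ingesting anything.
  if [ "$DRY_RUN" = "1" ]; then
    WRITER='serviceAccount:<writerIdentity reported by the describe command>'
  else
    WRITER="$(gcloud logging sinks describe "$SINK" --project="$PROJECT_ID" --format='value(writerIdentity)')"
  fi
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT_ID" \
    --member="$WRITER" --role=roles/pubsub.publisher

  # Lacework pulls from a subscription. Grant Subscriber on that subscription only,
  # not Pub/Sub roles on the whole project.
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" --topic="$TOPIC" --project="$PROJECT_ID"
  run gcloud pubsub subscriptions add-iam-policy-binding "$SUBSCRIPTION" --project="$PROJECT_ID" \
    --member="serviceAccount:$LW_SA" --role=roles/pubsub.subscriber
}

setup_pubsub_sink
```

Run with `DRY_RUN=0` once the printed commands look right for your project. The order matters: the Publisher binding for the writer identity has to exist before the sink is expected to deliver, and the subscription should exist before the Lacework integration is created so that no messages are published to a topic with nothing attached.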

Storage-Based Audit Log Integration

Important

Starting from September 25, 2023, you cannot create a new Storage-based audit log integration. Lacework recommends that you do the following:

In this method, you create a log sink to route specific audit logs to a Cloud Storage bucket in Google Cloud. The Lacework platform ingests the logs from the storage bucket. Lacework does not recommend this method for the following reasons:

  • When you route logs to a Cloud Storage bucket, they become available for ingestion only once an hour, so the Lacework platform takes longer to alert on anomalous behavior than with the Pub/Sub-based audit log integration method.
  • Lacework provides default Google Cloud audit log policies to trigger alerts when policy-based violations are found. However, you cannot create custom policies. For more information on the default policies, see Google Cloud Audit Log Policies.
    note

    The Storage-based audit log integration does not support the LW_ACT_GCP_ACTIVITY LQL datasource, so you cannot use that datasource to create custom LQL policies for Storage-based integrations.

For instructions on setting up a Storage-based audit log integration, see the following topics:
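Because new Storage-based integrations can no longer be created, the practical task is finding the existing ones to migrate. The following is an added example, not Lacework's own tooling: it lists the Cloud Logging sinks whose destination is a Cloud Storage bucket. The project ID is an assumption, and the sample sink list is constructed so the filter can be exercised offline.

```shell
#!/bin/sh
# Added example (not Lacework's own tooling): find Cloud Logging sinks that still
# deliver to a Cloud Storage bucket, i.e. Storage-based audit log integrations that
# are candidates for migration to Pub/Sub. PROJECT_ID is an assumption.
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"

# Reads name<TAB>destination lines on stdin (the shape produced by
# gcloud logging sinks list --format='value(name,destination)') and prints the
# names whose destination is a Cloud Storage bucket.
storage_sinks() {
  awk -F'\t' '$2 ~ /^storage\.googleapis\.com\// { print $1 }'
}

# Constructed sample of that list output, so the filter can run without gcloud.
sample_sinks() {
  printf 'lacework-audit-log-sink\tpubsub.googleapis.com/projects/my-gcp-project/topics/lacework-audit-log-topic\n'
  printf 'lacework-storage-sink\tstorage.googleapis.com/lacework-audit-logs-bucket\n'
  printf '_Default\tlogging.googleapis.com/projects/my-gcp-project/locations/global/buckets/_Default\n'
}

# Against a real project. Sinks can also exist at folder and organization level
# (gcloud logging sinks list --folder=... / --organization=...), so check those too.
live_storage_sinks() {
  gcloud logging sinks list --project="$PROJECT_ID" --format='value(name,destination)' | storage_sinks
}

sample_sinks | storage_sinks   # prints: lacework-storage-sink
```

Each sink reported here is one whose logs arrive hourly and cannot feed LW_ACT_GCP_ACTIVITY; once its Pub/Sub replacement is ingesting, the storage sink and its bucket grants can be removed.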