GCPAuditLogs



Reference for GCPAuditLogs table in Azure Monitor Logs.

Attribute Value
Category GCP
Basic Logs Eligible ✓ Yes
Supports Transformations ✓ Yes
Ingestion API Supported ✓ Yes
Lake-Only Ingestion ✓ Yes
Azure Monitor Tables Reference: see the Azure Monitor documentation
Azure Monitor Logs Ingestion API: see the Azure Monitor documentation

Schema (29 columns)

Source: Azure Monitor documentation

Column Name Type Description
_BilledSize real The record size in bytes
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
AuthenticationInfo dynamic Authentication information.
AuthorizationInfo dynamic Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.
GCPResourceName string The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name.
GCPResourceType string The identifier of the type associated with this resource, such as 'pubsub_subscription'.
InsertId string Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result.
LogName string Information including a suffix identifying the log sub-type (e.g., admin activity, system access, data access) and where in the hierarchy the request was made.
Metadata dynamic Other service-specific data about the request, response, and other information associated with the current audited event.
MethodName string The name of the service method or operation. For API calls, this should be the name of the API method.
NumResponseItems string The number of items returned from a list or query API method, if applicable.
PrincipalEmail string The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the principalSubject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted.
ProjectId string The identifier of the Google Cloud Platform (GCP) project associated with this resource, such as "my-project".
Request dynamic The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.
RequestMetadata dynamic Metadata about the operation.
ResourceLocation dynamic The resource location information.
ResourceOriginalState dynamic The original state of the resource before mutation. Present only for operations that successfully modified the targeted resource(s). In general, this field should contain all changed fields, except those that have already been included in the request, response, metadata or serviceData fields. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.
Response dynamic The operation response. This may not include all response elements, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.
ServiceData dynamic An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.
ServiceName string The name of the API service performing the operation. For example, 'compute.googleapis.com'.
Severity string Optional. The severity of the log entry. For example, the following filter expression will match log entries with severities INFO, NOTICE, and WARNING.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
Status dynamic The status of the overall operation.
StatusMessage string The message status of the overall operation.
Subscription string A named resource representing the stream of messages from a single, specific topic, to be delivered to the subscribing application.
TenantId string The Log Analytics workspace ID
TimeGenerated datetime The time the log entry was received by logging.
Timestamp datetime The time the event described by the log entry occurred.
Type string The name of the table

Solutions (2)

This table is used by the following solutions:

Google Cloud Platform Audit Logs
Multi Cloud Attack Coverage Essentials - Resource Abuse

Connectors (2)

This table is ingested by the following connectors:

Connector (no selection criteria recorded for either connector)
GCP Pub/Sub Audit Logs
GCP Pub/Sub Audit Logs

Content Items Using This Table (14)

Analytic Rules (9)

In solution Google Cloud Platform Audit Logs:

Analytic Rule / Selection Criteria

GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone
    GCPResourceType == "dns_managed_zone"
    MethodName in "dns.managedZones.patch,dns.managedZones.update"
    ServiceName == "dns.googleapis.com"
    Severity == "NOTICE"

GCP Audit Logs - Data Access Logging Exemption Added for Principal
    GCPResourceType == "project"
    MethodName == "SetIamPolicy"
    ServiceName == "cloudresourcemanager.googleapis.com"

GCP Audit Logs - Detect Bulk VM Snapshot Deletion
    GCPResourceType == "gce_snapshot"
    MethodName has "compute.snapshots.delete"
    ServiceName == "compute.googleapis.com"
    Severity == "NOTICE"

GCP Audit Logs - Detect Organization Policy Deletion or Updation
    MethodName has_any "OrgPolicy.DeletePolicy"
    ServiceName == "orgpolicy.googleapis.com"

GCP Audit Logs - Open Firewall Rule Created or Modified
    GCPResourceType == "gce_firewall_rule"
    MethodName has "insert"
    MethodName has "patch"
    MethodName has_any "firewalls.insert"
    ServiceName == "compute.googleapis.com"
    Severity == "NOTICE"

GCP Audit Logs - Storage Bucket Made Public
    GCPResourceType == "gcs_bucket"
    MethodName == "storage.setIamPermissions"
    ServiceName == "storage.googleapis.com"

GCP Audit Logs - VPC Flow Logs Disabled
    MethodName has "DeleteVpcFlowLogsConfig"
    MethodName has_any "VpcFlowLogsService.UpdateVpcFlowLogsConfig"
    ServiceName == "networkmanagement.googleapis.com"

In solution Multi Cloud Attack Coverage Essentials - Resource Abuse:

Analytic Rule / Selection Criteria

Cross-Cloud Suspicious Compute resource creation in GCP
    (no selection criteria recorded)

Cross-Cloud Suspicious user activity observed in GCP Environment
    AuthenticationInfo !has "system:"
    PrincipalEmail !endswith "gserviceaccount.com"

Hunting Queries (5)

In solution Google Cloud Platform Audit Logs:

Hunting Query / Selection Criteria

GCP Audit Logs - List Activities Disabling Data Access Logging for GCP Services
    GCPResourceType == "project"
    MethodName == "SetIamPolicy"
    ServiceName == "cloudresourcemanager.googleapis.com"

GCP Audit Logs - List All GCP Firewall Operations by Principal
    GCPResourceType == "gce_firewall_rule"
    MethodName has "delete"
    MethodName has "insert"
    MethodName has "patch"
    MethodName has "update"
    MethodName has_any "compute.firewalls.insert"
    ServiceName == "compute.googleapis.com"

GCP Audit Logs - List All GCP VPN Tunnels Created
    GCPResourceType == "vpn_tunnel"
    MethodName has "compute.vpnTunnels.insert"
    ServiceName == "compute.googleapis.com"
    Severity == "NOTICE"

GCP Audit Logs - List All GCP VPN Tunnels Deleted
    GCPResourceType == "vpn_tunnel"
    MethodName has "compute.vpnTunnels.delete"
    ServiceName == "compute.googleapis.com"
    Severity == "NOTICE"

GCP Audit Logs - List GCP Organization Policy Modifications by Principal
    MethodName has "DeletePolicy"
    MethodName has "UpdatePolicy"
    MethodName has_any "OrgPolicy.DeletePolicy"
    ServiceName == "orgpolicy.googleapis.com"

Selection Criteria Summary (12 criteria, 13 total references)

References by type: 0 connectors, 13 content items, 0 ASIM parsers, 0 other parsers.

Selection Criteria Connectors Content Items ASIM Parsers Other Parsers Total
GCPResourceType == "project"
MethodName == "SetIamPolicy"
ServiceName == "cloudresourcemanager.googleapis.com"
- 2 - - 2
GCPResourceType == "gce_snapshot"
MethodName has "compute.snapshots.delete"
ServiceName == "compute.googleapis.com"
Severity == "NOTICE"
- 1 - - 1
GCPResourceType == "dns_managed_zone"
MethodName in "dns.managedZones.patch,dns.managedZones.update"
ServiceName == "dns.googleapis.com"
Severity == "NOTICE"
- 1 - - 1
GCPResourceType == "gce_firewall_rule"
MethodName has "insert"
MethodName has "patch"
MethodName has_any "firewalls.insert"
ServiceName == "compute.googleapis.com"
Severity == "NOTICE"
- 1 - - 1
MethodName has_any "OrgPolicy.DeletePolicy"
ServiceName == "orgpolicy.googleapis.com"
- 1 - - 1
GCPResourceType == "gcs_bucket"
MethodName == "storage.setIamPermissions"
ServiceName == "storage.googleapis.com"
- 1 - - 1
MethodName has "DeleteVpcFlowLogsConfig"
MethodName has_any "VpcFlowLogsService.UpdateVpcFlowLogsConfig"
ServiceName == "networkmanagement.googleapis.com"
- 1 - - 1
AuthenticationInfo !has "system:"
PrincipalEmail !endswith "gserviceaccount.com"
- 1 - - 1
GCPResourceType == "gce_firewall_rule"
MethodName has "delete"
MethodName has "insert"
MethodName has "patch"
MethodName has "update"
MethodName has_any "compute.firewalls.insert"
ServiceName == "compute.googleapis.com"
- 1 - - 1
MethodName has "DeletePolicy"
MethodName has "UpdatePolicy"
MethodName has_any "OrgPolicy.DeletePolicy"
ServiceName == "orgpolicy.googleapis.com"
- 1 - - 1
GCPResourceType == "vpn_tunnel"
MethodName has "compute.vpnTunnels.insert"
ServiceName == "compute.googleapis.com"
Severity == "NOTICE"
- 1 - - 1
GCPResourceType == "vpn_tunnel"
MethodName has "compute.vpnTunnels.delete"
ServiceName == "compute.googleapis.com"
Severity == "NOTICE"
- 1 - - 1
Total 0 13 0 0 13

AuthenticationInfo

Value Connectors Content Items ASIM Parsers Other Parsers Total
!has system: - 1 - - 1

GCPResourceType

Value Connectors Content Items ASIM Parsers Other Parsers Total
project - 2 - - 2
gce_firewall_rule - 2 - - 2
vpn_tunnel - 2 - - 2
gce_snapshot - 1 - - 1
dns_managed_zone - 1 - - 1
gcs_bucket - 1 - - 1

MethodName

Value Connectors Content Items ASIM Parsers Other Parsers Total
SetIamPolicy - 2 - - 2
has insert - 2 - - 2
has patch - 2 - - 2
has_any OrgPolicy.DeletePolicy - 2 - - 2
has compute.snapshots.delete - 1 - - 1
dns.managedZones.patch - 1 - - 1
dns.managedZones.update - 1 - - 1
has_any firewalls.insert - 1 - - 1
storage.setIamPermissions - 1 - - 1
has DeleteVpcFlowLogsConfig - 1 - - 1
has_any VpcFlowLogsService.UpdateVpcFlowLogsConfig - 1 - - 1
has delete - 1 - - 1
has update - 1 - - 1
has_any compute.firewalls.insert - 1 - - 1
has DeletePolicy - 1 - - 1
has UpdatePolicy - 1 - - 1
has compute.vpnTunnels.insert - 1 - - 1
has compute.vpnTunnels.delete - 1 - - 1

PrincipalEmail

Value Connectors Content Items ASIM Parsers Other Parsers Total
!endswith gserviceaccount.com - 1 - - 1

ServiceName

Value Connectors Content Items ASIM Parsers Other Parsers Total
compute.googleapis.com - 5 - - 5
cloudresourcemanager.googleapis.com - 2 - - 2
orgpolicy.googleapis.com - 2 - - 2
dns.googleapis.com - 1 - - 1
storage.googleapis.com - 1 - - 1
networkmanagement.googleapis.com - 1 - - 1

Severity

Value Connectors Content Items ASIM Parsers Other Parsers Total
NOTICE - 5 - - 5
