
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2023-03-29 |
| Last Updated | 2026-01-29 |
| Solution Folder | Google Cloud Platform Audit Logs |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (72%) |
Google Cloud Platform (GCP) audit logs, ingested through the Microsoft Sentinel connector, let you capture and track activity in your GCP environment. They record who did what, where and when across GCP resources, which you can use to monitor user and service-account access, troubleshoot issues, demonstrate compliance with security regulations, and identify potential threats. Note that Admin Activity audit logs are always on, but Data Access audit logs are disabled by default for most services and must be enabled per service before reads and writes of user data appear in this table.
Additional Information
📖 Setup Guide: Google Cloud Platform connectors - Connect GCP logs to Microsoft Sentinel
This solution provides 1 data connector, GCP Pub/Sub Audit Logs (plus 1 discovered ⚠️).
🔍 Discovered: this item was found by scanning the solution folder but is not listed in the Solution JSON file.
This solution uses 1 table:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| GCPAuditLogs | GCP Pub/Sub Audit Logs, GCP Pub/Sub Audit Logs (discovered) | Analytics, Hunting |
This solution includes 12 content items:
| Content Type | Count |
|---|---|
| Analytic Rules | 7 |
| Hunting Queries | 5 |
Analytic Rules
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone | High | DefenseEvasion, CommandAndControl, ResourceDevelopment | GCPAuditLogs |
| GCP Audit Logs - Data Access Logging Exemption Added for Principal | High | DefenseEvasion, PrivilegeEscalation | GCPAuditLogs |
| GCP Audit Logs - Detect Bulk VM Snapshot Deletion | High | Impact, DefenseEvasion | GCPAuditLogs |
| GCP Audit Logs - Detect Organization Policy Deletion or Updation | High | DefenseEvasion | GCPAuditLogs |
| GCP Audit Logs - Open Firewall Rule Created or Modified | High | DefenseEvasion, Persistence, InitialAccess | GCPAuditLogs |
| GCP Audit Logs - Storage Bucket Made Public | High | Collection, InitialAccess, Exfiltration | GCPAuditLogs |
| GCP Audit Logs - VPC Flow Logs Disabled | High | DefenseEvasion | GCPAuditLogs |
Hunting Queries
| Name | Tactics | Tables Used |
|---|---|---|
| GCP Audit Logs - List Activities Disabling Data Access Logging for GCP Services | DefenseEvasion | GCPAuditLogs |
| GCP Audit Logs - List All GCP Firewall Operations by Principal | DefenseEvasion, InitialAccess | GCPAuditLogs |
| GCP Audit Logs - List All GCP VPN Tunnels Created | Persistence, CommandAndControl, DefenseEvasion | GCPAuditLogs |
| GCP Audit Logs - List All GCP VPN Tunnels Deleted | Impact, DefenseEvasion | GCPAuditLogs |
| GCP Audit Logs - List GCP Organization Policy Modifications by Principal | DefenseEvasion | GCPAuditLogs |
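To show what three of the analytic rules above actually key on in the raw data, here is an added Python example (not the solution's own KQL rules, and not Microsoft code) that re-implements "Storage Bucket Made Public", "Open Firewall Rule Created or Modified" and "Data Access Logging Exemption Added for Principal" over Cloud Audit Log entries in the JSON LogEntry shape that Cloud Logging publishes to the Pub/Sub topic. Field paths follow the public Cloud Audit Logs schema (`protoPayload.methodName`, `protoPayload.request`, `protoPayload.serviceData.policyDelta`); the sample records, project and bucket names, and principals are constructed for the example.

```python
"""Added example: three GCPAuditLogs detections over constructed Cloud Audit Log
entries. Not the solution's KQL; field paths follow the public audit log schema."""
import json
from typing import Any, Optional

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
OPEN_RANGES = {"0.0.0.0/0", "::/0"}
FIREWALL_WRITE_SUFFIXES = (".compute.firewalls.insert", ".compute.firewalls.patch",
                           ".compute.firewalls.update")  # covers v1 and beta API paths


def _payload(entry: dict[str, Any]) -> dict[str, Any]:
    return entry.get("protoPayload", {})


def _finding(rule: str, entry: dict[str, Any], **details: Any) -> dict[str, Any]:
    payload = _payload(entry)
    return {"rule": rule,
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "resource": payload.get("resourceName"),
            "timestamp": entry.get("timestamp"), **details}


def detect_public_bucket(entry: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Storage Bucket Made Public: setIamPermissions ADDs a binding for allUsers or
    allAuthenticatedUsers. GCS reports the change as serviceData.policyDelta.bindingDeltas."""
    p = _payload(entry)
    if (p.get("serviceName") != "storage.googleapis.com"
            or p.get("methodName") != "storage.setIamPermissions"):
        return None
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    public = [d for d in deltas if d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS]
    if not public:
        return None
    return _finding("Storage Bucket Made Public", entry,
                    grants=[(d["member"], d.get("role")) for d in public])


def detect_open_firewall(entry: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Open Firewall Rule Created or Modified: an ingress allow rule whose sourceRanges
    include 0.0.0.0/0 or ::/0. The request body is logged under protoPayload.request;
    a patch carries only changed fields, so 'alloweds' is not required to be present."""
    p = _payload(entry)
    if (p.get("serviceName") != "compute.googleapis.com"
            or not p.get("methodName", "").endswith(FIREWALL_WRITE_SUFFIXES)):
        return None
    req = p.get("request", {})
    if req.get("direction", "INGRESS") != "INGRESS":
        return None
    if req.get("denieds") and not req.get("alloweds"):  # a deny rule is not "open"
        return None
    open_ranges = OPEN_RANGES.intersection(req.get("sourceRanges", []))
    if not open_ranges:
        return None
    allowed = [f"{a.get('IPProtocol')}:{','.join(a.get('ports', ['all']))}"
               for a in req.get("alloweds", [])]
    return _finding("Open Firewall Rule Created or Modified", entry,
                    firewall=req.get("name"), source_ranges=sorted(open_ranges), allowed=allowed)


def detect_audit_exemption(entry: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Data Access Logging Exemption Added for Principal: SetIamPolicy whose
    auditConfigDeltas ADD an exemptedMember, silencing Data Access logs for that principal."""
    p = _payload(entry)
    if not p.get("methodName", "").endswith("SetIamPolicy"):
        return None
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("auditConfigDeltas", [])
    added = [d for d in deltas if d.get("action") == "ADD" and d.get("exemptedMember")]
    if not added:
        return None
    return _finding("Data Access Logging Exemption Added for Principal", entry,
                    exemptions=[(d["exemptedMember"], d.get("service"), d.get("logType")) for d in added])


DETECTORS = (detect_public_bucket, detect_open_firewall, detect_audit_exemption)


def run_detections(log_lines: list[str]) -> list[dict[str, Any]]:
    """Apply every detector to each JSON line; unparseable lines are skipped, not fatal."""
    findings: list[dict[str, Any]] = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            findings.extend(f for f in (d(entry) for d in DETECTORS) if f)
    return findings


def _entry(service: str, method: str, principal: str, resource: str, **extra: Any) -> str:
    """Build one constructed LogEntry in the Cloud Audit Log shape (sample data only)."""
    return json.dumps({"timestamp": "2026-01-29T10:00:00Z", "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service, "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal}, **extra}})


SAMPLE_LOG_LINES = [  # constructed, not captured from a real project
    _entry("storage.googleapis.com", "storage.setIamPermissions", "alice@example.com",
           "projects/_/buckets/finance-exports", serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}),
    _entry("storage.googleapis.com", "storage.setIamPermissions", "bob@example.com",
           "projects/_/buckets/internal", serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/storage.objectViewer", "member": "user:carol@example.com"}]}}),
    _entry("compute.googleapis.com", "v1.compute.firewalls.insert", "alice@example.com",
           "projects/demo/global/firewalls/allow-ssh-any", request={
               "name": "allow-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
               "alloweds": [{"IPProtocol": "tcp", "ports": ["22"]}]}),
    _entry("compute.googleapis.com", "v1.compute.firewalls.insert", "bob@example.com",
           "projects/demo/global/firewalls/allow-ssh-corp", request={
               "name": "allow-ssh-corp", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
               "alloweds": [{"IPProtocol": "tcp", "ports": ["22"]}]}),
    _entry("cloudresourcemanager.googleapis.com", "SetIamPolicy", "alice@example.com",
           "projects/demo", serviceData={"policyDelta": {"auditConfigDeltas": [
               {"action": "ADD", "service": "storage.googleapis.com", "logType": "DATA_READ",
                "exemptedMember": "user:alice@example.com"}]}}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG_LINES):
        print(json.dumps(finding))
```

Two caveats when porting this logic to the real table: Compute Engine writes two audit entries per long-running operation (the first records the request, the last records completion), so a production query should deduplicate on the operation rather than alert twice; and the exemption detector is exactly why the first detector can go blind, since an `exemptedMember` for `DATA_READ`/`DATA_WRITE` removes that principal's data-plane activity from the Data Access logs while leaving Admin Activity entries such as `SetIamPolicy` itself in place.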
The following are the steps for GCP audit log configuration.
There are two things you need to set up in your GCP environment:
1. Microsoft Sentinel authentication in GCP, by creating the following resources in the GCP IAM service:
   * Workload identity pool
   * Workload identity provider
   * Service account
   * Role
2. Log collection in GCP and ingestion into Microsoft Sentinel, by creating the following resources in the GCP Pub/Sub service:
   * Topic
   * Subscription for the topic
You can set up the environment in one of two ways:
* Create the GCP resources with Terraform: Microsoft Sentinel provides Terraform scripts that create the required IAM and Pub/Sub resources through the GCP APIs (see Prerequisites).
* Set up the GCP environment manually, creating the resources yourself in the GCP console.
To create fresh projects and the Pub/Sub topic and subscription, follow the Terraform script steps at the link below; creating the resources by hand makes it easy to miss a step in GCP:
* https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#tabpanel_1_terraform
If you do not want to use Terraform, follow the manual setup instructions instead.
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.2 | 19-01-2026 | Added new GCP security Analytic Rules and Hunting Queries |
| 3.0.1 | 28-04-2025 | Updated Data Connector definition file and fixed overlapping collector issue. |
| 3.0.0 | 15-01-2024 | Created CCP Package |