GCP Audit Log Page
Overview
Lacework provides visibility into your account security through the continued monitoring and analysis of Audit Log data. The Audit Log page provides graphs and panels that summarize the Audit Log data collected during this monitoring and analysis. Lacework ingests only admin activity audit logs and system event audit logs. See Log Types for more information.
Select Resources > Cloud > GCP Audit Log in the Lacework Console to display the GCP Audit Log page.
To populate the GCP data viewed in this page, you must configure an integration with at least one GCP account. For more information, see Integrate Lacework with GCP.
Filters
Use the organization filter to limit the results displayed to a single specific GCP account or all GCP accounts integrated with Lacework. Use the project filter to narrow the results to a specific project within the organization, or select All Projects (default).
Use the following methods to further refine the data displayed on the GCP Audit Log page.
- Use the search bar or filters at the top of the page to filter by specific fields, operators, and values. You can specify the * wildcard to match one or more characters. Additionally, some table column values let you add a filter by selecting the adjacent funnel icon.
- To remove an active filter, click its filter and then click Reset or x. To remove all filters, click Reset, which is next to the filters.
Time Range
To change the time range, use the horizontal arrows to move to another period, select a different period, or select Custom.
Only information found during the specified date range is reported. For example, if a specific behavior occurred 9 days ago and the specified range is the latest week, this behavior is not listed.
Visual Graphs
The following visual graphs are displayed on the left:
- Unique Users
- Unique Methods
- Unique Projects
- Unique Regions
- Unique Resource Types
- Unique Errors
All data, including these graphs, correlates with the date range and parameters set in the global filter.
Related Alerts
Displays all Audit Log alerts, broken out by severity.
Polygraph
In the Polygraph panel, you can visualize your data in a streamlined way that can help identify any misconfigurations or events that both should and should not be occurring. For Audit Log, the Polygraph displays API behavior in the following order from left to right:
GCP Account > Region > CallType > User/Role > Region > GCP Service > Action > Resource
Audit Logs
In the Lacework Console you can search and utilize filters to identify and analyze actions within your GCP accounts.
For some values in this panel, you can click the funnel icon to add a filter. For example, click the funnel next to a service to create a filter that shows only data from that service. The new filter appears at the top of the panel. You can use multiple filters, including includes and excludes, to isolate what you really want to view and inspect.
User Details
The User Details panel displays a list of Audit Log user information: User Name, Region, Account Number, Account Alias, Caller Account, City, State, and Country. This panel is useful when you need to audit or assess user activity. In this panel, you can view details such as the account and region in which a user engaged in an activity, as well as information such as whether or not MFA is enabled on a particular account.
API Error Events
The API Error Events panel displays Service, Error Code, User, API, and Error Count information. This panel can be helpful when attempting to isolate what API calls are being made to your GCP account(s), the associated errors that are occurring, and how many. For example, sort on the Error Count column in descending order to view a list of the API errors occurring within your GCP account. This can potentially raise visibility into service account roles and the errors they are generating that may need to be investigated and assessed.
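A comparable Service / Error Code / User / API error count can be computed directly from raw audit log entries when triaging outside the console. This is an added example, not Lacework code: it assumes entries exported from Cloud Logging as JSON lines, keeps only the admin activity and system event log types named in the Overview, and uses constructed project, user, and service account names.

```python
import json
from collections import Counter

# Subset of google.rpc.Code values seen in protoPayload.status.code
RPC_CODES = {3: "INVALID_ARGUMENT", 5: "NOT_FOUND", 6: "ALREADY_EXISTS",
             7: "PERMISSION_DENIED", 9: "FAILED_PRECONDITION"}
# Only the two audit log types the page says are ingested
INGESTED = ("cloudaudit.googleapis.com%2Factivity",
            "cloudaudit.googleapis.com%2Fsystem_event")

def _entry(log, service, method, user, code=None):
    """Build one constructed audit log entry as a JSON line."""
    payload = {"serviceName": service, "methodName": method,
               "authenticationInfo": {"principalEmail": user}}
    if code is not None:
        payload["status"] = {"code": code}
    name = f"projects/example-project/logs/cloudaudit.googleapis.com%2F{log}"
    return json.dumps({"logName": name, "protoPayload": payload})

SA = "ci-deployer@example-project.iam.gserviceaccount.com"  # constructed
SAMPLE = [  # constructed sample data
    _entry("activity", "compute.googleapis.com", "v1.compute.instances.insert", SA, 7),
    _entry("activity", "compute.googleapis.com", "v1.compute.instances.insert", SA, 7),
    _entry("activity", "compute.googleapis.com", "v1.compute.instances.insert", SA, 7),
    _entry("activity", "iam.googleapis.com",
           "google.iam.admin.v1.CreateServiceAccount", "alice@example.com", 6),
    _entry("activity", "storage.googleapis.com", "storage.buckets.create",
           "alice@example.com"),                      # success: no status code
    _entry("data_access", "storage.googleapis.com", "storage.objects.get",
           "bob@example.com", 7),                     # log type not ingested
    "not json",                                       # malformed line
]

def api_error_events(lines):
    """Return [((service, error, user, api), count), ...], highest count first."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                                  # skip malformed input
        if not entry.get("logName", "").endswith(INGESTED):
            continue                                  # skip other log types
        p = entry.get("protoPayload", {})
        code = p.get("status", {}).get("code", 0)
        if not code:                                  # absent or 0 means OK
            continue
        user = p.get("authenticationInfo", {}).get("principalEmail", "(unknown)")
        error = RPC_CODES.get(code, str(code))
        counts[(p.get("serviceName"), error, user, p.get("methodName"))] += 1
    return counts.most_common()
```

A single service account producing repeated PERMISSION_DENIED errors on one method, as in the first row here, is the kind of pattern the descending Error Count sort brings to the top.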
GCP Anomaly Alerting
GCP anomaly-based alerting generates alerts when there are behavioral changes. For the list of GCP alerts, see Alert Types.