Collect Google Cloud Audit Logs

This document describes how you can export Cloud Audit Logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how Cloud Audit Logs fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview .

A typical deployment consists of Cloud Audit Logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

The deployment contains the following components:

• Google Cloud: The Google Cloud services and products from which you collect logs

• Cloud Audit Logs: The Cloud Audit Logs that are enabled for ingestion to Google Security Operations

• Google Workspace audit logs: The Google Workspace audit logs that are enabled for ingestion to Google Security Operations

• Google Security Operations: Retains and analyzes Cloud Audit Logs and Google Workspace audit logs

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with GCP_CLOUDAUDIT ingestion label.

Before you begin

• Ensure that you have set up a Google Cloud .

• Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM .

• Configure data access audit logs for your Google Cloud resources and services.

• Ensure that all systems in the deployment architecture are configured in the UTC time zone.

• Verify the log types that the Cloud Audit Logs parser supports. The following table lists the log sources and types supported by the Cloud Audit Logs parser:

Configure ingestion of Cloud Audit Logs

To ingest Cloud Audit Logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.

If you encounter issues when you ingest Cloud Audit Logs, contact Google Security Operations support .

Supported Cloud Audit Logs log formats

The Cloud Audit Logs parser supports logs in JSON format.

Supported Cloud Audit Logs sample logs

• JSON:

   {
    "protoPayload": {
      "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
      "authenticationInfo": {
        "principalEmail": "dummyuser@mail.com"
      },
      "requestMetadata": {
        "callerIp": "198.51.10.0",
        "callerSuppliedUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)",
        "requestAttributes": {
          "time": "2025-02-26T16:35:37.410328Z",
          "auth": {}
        },
        "destinationAttributes": {}
      },
      "serviceName": "compute.googleapis.com",
      "methodName": "beta.compute.securityPolicies.patchRule",
      "authorizationInfo": [
        {
          "resource": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
          "permission": "compute.securityPolicies.update",
          "granted": true,
          "resourceAttributes": {
            "service": "compute",
            "name": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
            "type": "compute.securityPolicies"
          },
          "permissionType": "ADMIN_WRITE"
        }
      ],
      "resourceName": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
      "request": {
        "description": "SQL injection",
        "priority": "10100",
        "match": {
          "expr": {
            "expression": "evaluatePreconfiguredExpr(\\u0027sqli-v33-stable\\u0027)"
          }
        },
        "action": "deny(403)",
        "preview": false,
        "validateOnly": true,
        "@type": "type.googleapis.com/compute.securityPolicies.patchRule"
      },
      "response": {
        "id": "4332115325946625078",
        "name": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f",
        "operationType": "PatchRule",
        "targetLink": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
        "targetId": "6935975992577010740",
        "status": "DONE",
        "user": "dummyuser@domain.com",
        "progress": "100",
        "insertTime": "2025-02-26T08:35:37.278-08:00",
        "startTime": "2025-02-26T08:35:37.279-08:00",
        "endTime": "2025-02-26T08:35:37.279-08:00",
        "selfLink": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/operation-1740587736928-62f0e29c291e2-b0056719-3023c13f",
        "selfLinkWithId": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/4332115325946625078",
        "@type": "type.googleapis.com/operation"
      },
      "resourceLocation": {
        "currentLocations": [
          "global"
        ]
      }
    },
    "insertId": "-5srtt8e1oe7o",
    "resource": {
      "type": "network_security_policy",
      "labels": {
        "policy_name": "hashtag-ext",
        "project_id": "icd-gcp-prod-net-landing-0",
        "location": "global"
      }
    },
    "timestamp": "2025-02-26T16:35:36.961863Z",
    "severity": "NOTICE",
    "labels": {
      "compute.googleapis.com/root_trigger_id": "f0fe0460-63df-4978-8256-e70ce093effa"
    },
    "logName": "projects/icd-gcp-prod-net-landing-0/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
      "id": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f",
      "producer": "compute.googleapis.com",
      "first": true,
      "last": true
    },
    "receiveTimestamp": "2025-02-26T16:35:38.342438110Z"
  } 
  

Field mapping reference

This section explains how the Google Security Operations parser maps Cloud Audit Logs fields to Google Security Operations Unified Data Model (UDM) fields.

GCP_CLOUDAUDIT log types to UDM event type

Field mapping reference: GCP_CLOUDAUDIT