Skip to content

Latest commit

 

History

History
99 lines (84 loc) · 3.09 KB

1.30.md

File metadata and controls

99 lines (84 loc) · 3.09 KB
Raw

1.30 - Cloud Console accesses

List Cloud Console accesses and approximate user sessions over time grouped by user, user agent and IP address. This query helps you audit who's accessing Cloud Console and from where. This query relies primarily on audited 'GetProject' actions as a proxy for a login event. Therefore: Data Access logs (ADMIN_READ) for Cloud Resource Manager API must be enabled on all your projects.

A 'GetProject' action is executed as part of every successful login event, whether it's from Cloud Console, gcloud CLI or cloud SDKs including third-party tools like Terraform. The specific channel is not recorded in the audit log, but is rather inferred by this query based on the user agent.

Note the following limitations:

  • This audit query only returns successful Console accesses. No audit logs are generated when a user doesn't have the right permissions to load the page.
  • This audit query does not return discrete login events, but approximate session times as user navigates through Cloud Console pages.
  • This audit query does not return specific page or resources accessed since these details are not captured in the audit logs.

Category: Login & Access Patterns
Use Cases: Audit
Data Sources: Audit Logs - Data Access

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

google.cloud.audit.AuditLog.GetProject

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
    },
    "authenticationInfo": {
      "principalEmail": "[email protected]"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "callerSuppliedUserAgent": "<REDACTED>",
      "requestAttributes": {
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "cloudresourcemanager.googleapis.com",
    "methodName": "GetProject",
    "authorizationInfo": [
      {
        "resource": "projects/1234",
        "permission": "resourcemanager.projects.get",
        "granted": true,
        "resourceAttributes": {
          "service": "cloudresourcemanager.googleapis.com",
          "name": "projects/1234",
          "type": "cloudresourcemanager.googleapis.com/Project"
        }
      }
    ],
    "resourceName": "projects/1234",
    "request": {
      "projectId": "1234",
      "@type": "type.googleapis.com/google.cloudresourcemanager.v1.GetProjectRequest"
    }
  },
  "insertId": "-efcvyje10pfm",
  "resource": {
    "type": "project",
    "labels": {
      "project_id": "1234"
    }
  },
  "timestamp": "2023-04-03T20:17:41.985083Z",
  "severity": "INFO",
  "logName": "projects/1234/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2023-04-03T20:17:42.269032579Z"
}

References