【Introduction to Automated Monitoring】Anomaly detection in GCP with Audit Logs - PrismScaler

1. Introduction

Hello! We are the writer team from Definer Inc. This issue is for anyone wondering how to use Audit Logs for anomaly detection in GCP. Let's walk through the actual screens and resources and explain them in detail.

2. Purpose/Use Cases

This article summarizes information and practices that are helpful when you want to use Audit Logs to detect anomalies in GCP.

Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources. Audit logs help you answer "who did what, where, and when?" within your Google Cloud resources with the same level of transparency as in on-premises environments. Enabling audit logs helps your security, auditing, and compliance teams monitor Google Cloud data and systems for possible vulnerabilities or external data misuse.

3. About Audit Logs in Google Cloud

Google Cloud's Audit Logs include four types of logs.

・Admin Activity audit logs
These logs record API calls that modify resource settings or metadata, for example a user creating a VM instance or changing Identity and Access Management (IAM) permissions. Admin Activity audit logs are always written; you can't configure, exclude, or disable them. Even if you disable the Cloud Logging API, Admin Activity audit logs are still generated.

・Data Access audit logs
These logs record API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. This log is turned off by default because of the data volume and cost it can generate.

・System Event audit logs
These logs contain entries for Google Cloud actions that modify the configuration of resources. System Event audit logs are generated by Google systems; they aren't driven by direct user action. They are always written; you can't configure, exclude, or disable them.

・Policy Denied audit logs
These logs record cases where a user or service account is denied access by Google Cloud because of a security policy violation. Policy Denied audit logs are generated by default, and your Google Cloud project is charged for their storage. You can't disable Policy Denied audit logs, but you can use exclusion filters to prevent them from being ingested and stored in Cloud Logging.

For a list of services that write audit logs and detailed information about which activities generate those logs, see Google Cloud services with audit logs.

4. Query and view audit logs

(1) In the Google Cloud console, go to the Logging > Logs Explorer page.

(2) Select your organization.

(3) In the Query pane, do the following:
- In Resource type, select the Google Cloud resource whose audit logs you want to see.
- In Log name, select the audit log type that you want to see:
  - For Admin Activity audit logs, select activity.
  - For Data Access audit logs, select data_access.
  - For System Event audit logs, select system_event.
  - For Policy Denied audit logs, select policy.
If you don't see these options, then there aren't any audit logs of that type available in the organization.

(4) Click Run query.

As an example, the picture below shows step by step how to view the Admin Activity audit logs of VM instances:

5. Audit Logs monitoring alert settings

When you want to know when an audit log records a particular message, you can create a log-based alert that matches the message and notifies you when it appears. Next, we will set up monitoring for specific API calls.

(1) Create an alert
Log in to Google Cloud and open "Logs Explorer". Filter for the specific API calls and go to "Create Alert". Under Notification Channels, select the channels you wish to be notified on and click "Save".

There are many options for notification channels, including Slack, Email, SMS and Pub/Sub. In this case, we chose Email.

(2) Confirm the notification
We have confirmed that an Email is received when the corresponding API is called!
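As an added example (not code from the original article or from PrismScaler), the following Python classifies constructed audit log entries by the logName suffix that separates the four log types from section 3, applies a rule for specific Admin Activity API calls on VM instances like the one described in sections 4 and 5, and renders that same rule as a Logs Explorer filter. The project id, principals and resource names are constructed placeholders.

```python
from collections import Counter
from urllib.parse import unquote

def entry(log_type, resource_type, service, method, principal, resource):
    """Build a constructed record in the shape of a Cloud Logging audit LogEntry."""
    return {"logName": f"projects/example-proj/logs/cloudaudit.googleapis.com%2F{log_type}",
            "resource": {"type": resource_type},
            "protoPayload": {"serviceName": service, "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource}}

# Constructed sample data (not real logs): one entry per audit log type, plus one extra.
VM = "projects/example-proj/zones/us-central1-a/instances/web-1"
SAMPLE_ENTRIES = [
    entry("activity", "project", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
          "alice@example.com", "projects/example-proj"),
    entry("activity", "gce_instance", "compute.googleapis.com", "v1.compute.instances.insert",
          "bob@example.com", VM),
    entry("data_access", "gcs_bucket", "storage.googleapis.com", "storage.objects.get",
          "bob@example.com", "projects/_/buckets/example-bucket/objects/report.csv"),
    entry("system_event", "gce_instance", "compute.googleapis.com",
          "compute.instances.migrateOnHostMaintenance", "system@google.com", VM),
    entry("policy", "audited_resource", "storage.googleapis.com", "storage.objects.get",
          "carol@example.com", "projects/_/buckets/example-bucket/objects/secret.txt"),
]

def audit_log_type(e):
    """'activity', 'data_access', 'system_event' or 'policy', taken from the logName suffix."""
    return unquote(e["logName"]).rsplit("cloudaudit.googleapis.com/", 1)[1]

def count_by_type(entries):
    return dict(Counter(audit_log_type(e) for e in entries))

# Section 5 style rule: alert on specific Admin Activity API calls against VM instances.
VM_CHANGE_RULE = {"log_type": "activity", "resource_type": "gce_instance",
                  "method_names": ("v1.compute.instances.insert", "v1.compute.instances.delete")}

def build_logs_explorer_query(project, rule):
    """Render the rule as a filter that can be pasted into the Logs Explorer Query pane."""
    log_name = f"projects/{project}/logs/cloudaudit.googleapis.com%2F{rule['log_type']}"
    methods = " OR ".join(f'protoPayload.methodName="{m}"' for m in rule["method_names"])
    return f'logName="{log_name}" AND resource.type="{rule["resource_type"]}" AND ({methods})'

def find_alerts(entries, rule):
    """Return (principal, method, resource) for every entry the rule would alert on."""
    hits = []
    for e in entries:
        p = e["protoPayload"]
        if (audit_log_type(e) == rule["log_type"] and e["resource"]["type"] == rule["resource_type"]
                and p["methodName"] in rule["method_names"]):
            hits.append((p["authenticationInfo"]["principalEmail"], p["methodName"], p["resourceName"]))
    return hits
```

Note that the system_event entry on the same instance is not matched: maintenance migrations are written to a different log than user-driven changes, so a rule on the activity log stays quiet for them.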

6. Cited/Referenced Articles

7. About the proprietary solution "PrismScaler"

・PrismScaler is a web service that enables the construction of multi-cloud infrastructures such as AWS, Azure, and GCP in just three steps, without requiring development and operation.
・The solution is designed for a wide range of usage scenarios such as cloud infrastructure construction/cloud migration, cloud maintenance and operation, and cost optimization, and can easily realize several hundred or more high-quality general-purpose cloud infrastructures by appropriately combining IaaS and PaaS.

8. Contact us

This article provides useful introductory information free of charge. For consultation and inquiries, please contact "Definer Inc".

9. Regarding Definer

・Definer Inc. provides one-stop solutions from upstream to downstream of IT.
・We are committed to providing integrated support for advanced IT technologies such as AI and cloud IT infrastructure, from consulting to requirement definition, design, development, implementation, maintenance, and operation.
・PrismScaler provides high-quality, rapid "auto-configuration," "auto-monitoring," "problem detection," and "configuration visualization" for multi-cloud/IT infrastructure such as AWS, Azure, and GCP.