Chronicle audit logging information

This page describes the audit logs created by Chronicle as part of Cloud Audit Logs.

Overview

Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" within your Google Cloud resources.

Your Google Cloud projects contain only the audit logs for resources that are directly within the Cloud project. Other Google Cloud resources, such as folders, organizations, and billing accounts, contain the audit logs for the entity itself.

For a general overview of Cloud Audit Logs, see Cloud Audit Logs overview. For a deeper understanding of the audit log format, see Understanding audit logs.

Enabling audit logging

To enable audit logs for your organization, contact Chronicle Support. You will need to provide a Google group containing the users who are authorized to access Cloud Audit Logs. You then control who can read the logs by managing the membership of that group.

Once Cloud Audit Logs has been enabled, Chronicle Support will provide you with a Google Cloud project ID which you can use to view your logs.

Available audit logs

The following types of audit logs are available for Chronicle:

Admin Activity audit logs: Includes "admin write" operations that write metadata or configuration information.

Data Access audit logs: Includes "admin read" operations that read metadata or configuration information. Also includes "data read" and "data write" operations that read or write user-provided data.

If you have enabled Cloud Audit Logs, Admin Activity and Data Access audit logs are always enabled. You cannot disable Chronicle Data Access audit logs.

For complete descriptions of the audit log types, see Types of audit logs.

Audited operations

Chronicle Frontend API operations move data to and from the Chronicle UI. Most Chronicle Frontend API operations are recorded as data access operations; the exceptions are UpdateRole and UpdateSubject, which are recorded in the Admin Activity audit logs. ListRoles and ListSubjects are recorded in the Data Access audit logs.

Audit log format

Audit log entries include the following objects:

  • Log entry itself, which is an object of type LogEntry. Useful fields include the following:

    • logName contains the resource ID and audit log type.
    • resource contains the target of the audited operation.
    • timestamp contains the time of the audited operation.
    • protoPayload contains the audited information.

  • Audit logging data, which is an AuditLog object held in the protoPayload field of the log entry. Useful fields include the following:

    • protoPayload.authenticationInfo.principalSubject contains the user principal, that is, who performed the action.
    • protoPayload.methodName contains the API method name invoked by the UI on behalf of the user.
    • protoPayload.status contains the status of the API call. An empty status value indicates success. A non-empty status value indicates failure and contains a description of the error. Status code 7 indicates permission denied. Because an entry records the attempt rather than the outcome, check this field before treating an entry as evidence that a change was actually made.

  • Optional service-specific audit information, which is a service-specific object. For older integrations, this object is held in the serviceData field of the AuditLog object; newer integrations use the metadata field.

For other fields in these objects, and how to interpret them, review Understanding audit logs.

Log name

The following example shows log names for project-level Admin Activity audit logs and Data Access audit logs. PROJECT_ID denotes the Cloud project ID that Chronicle Support provided to you.

projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access

Service name

Chronicle audit logs use the service name malachitefrontend-pa.googleapis.com.

Resource type

Chronicle audit logs use the resource type audited_resource for all audit logs.

View logs

To find and view audit logs, use the Google Cloud project ID provided to you by Chronicle Support. You can further specify other indexed LogEntry fields, like resource.type. For more information, see Find log entries quickly.

You can view audit logs in Cloud Logging by using the console.

In the console, you can use the Logs Explorer to retrieve your audit log entries for your Cloud project, folder, or organization:

  1. In the console, go to the Logging > Logs Explorer page.

  2. On the Logs Explorer page, select an existing Cloud project, folder, or organization.

  3. In the Query builder pane, do the following:

    • In Resource type, select the Google Cloud resource whose audit logs you want to see.

    • In Log name, select the audit log type that you want to see:

      • For Admin Activity audit logs, select activity.
      • For Data Access audit logs, select data_access.

    If you do not see these options, no audit logs of that type are available in the Cloud project, folder, or organization.

    For more information about querying by using the Logs Explorer, see Build log queries.

For an example of an audit log entry and how to find the most important information in it, see Sample audit log entry.

Use cases

The following sections describe common use cases for Cloud Audit Logs.

Listing actions taken by a specific user

To find the actions taken by a given user, run the following query in the Logs Explorer, where USER is the value of the protoPayload.authenticationInfo.principalSubject field for that user. Quote the value: principal identifiers contain characters such as a colon that the query language does not accept unquoted.

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.authenticationInfo.principalSubject="USER"

Identifying users who took a specific action

To find the users who updated an access control subject, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.methodName="malachite.frontend.v1.MalachiteFrontendService.UpdateSubject"

To find the users who updated an access control role, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.methodName="malachite.frontend.v1.MalachiteFrontendService.UpdateRole"

To find the users who updated a detection rule, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.methodName="malachite.frontend.v1.MalachiteFrontendService.UpdateRule"
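The following script is an added example, not code from the Chronicle documentation or from Chronicle itself. It works through the two preceding sections together: it reads entries in the shape that Cloud Logging exports (a LogEntry with an AuditLog protoPayload, as described under Audit log format) and answers the three use-case questions above over them, with the extra step of checking protoPayload.status so that a denied call is not mistaken for a completed change. All entries, principals, timestamps and the project ID example-project are constructed sample data, and the helper that builds them is this example's own.

```python
"""Triage Chronicle Cloud Audit Log entries exported as JSON (added example)."""

SERVICE = "malachitefrontend-pa.googleapis.com"
METHOD_PREFIX = "malachite.frontend.v1.MalachiteFrontendService."
PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED
ADMIN_ACTIVITY_METHODS = {"UpdateRole", "UpdateSubject"}  # recorded in the activity log


def _entry(ts, method, principal, status=None, service=SERVICE):
    """Build a constructed LogEntry dict mirroring what Cloud Logging exports.

    This builder is part of the example, not a Google API; the project ID
    and every principal passed to it are hypothetical.
    """
    short = method.split(".")[-1]
    log_type = "activity" if short in ADMIN_ACTIVITY_METHODS else "data_access"
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "authenticationInfo": {"principalSubject": principal},
    }
    if status is not None:  # status is absent on success, present on failure
        payload["status"] = status
    return {
        "logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{log_type}",
        "resource": {"type": "audited_resource",
                     "labels": {"project_id": "example-project", "service": service}},
        "timestamp": ts,
        "protoPayload": payload,
    }


# Constructed sample: an admin write, a data read, a denied admin write,
# a rule update, and an entry from an unrelated service that must be ignored.
SAMPLE_ENTRIES = [
    _entry("2024-01-15T10:00:00Z", METHOD_PREFIX + "UpdateRole", "user:alice@example.com"),
    _entry("2024-01-15T10:05:00Z", METHOD_PREFIX + "ListRoles", "user:bob@example.com"),
    _entry("2024-01-15T10:07:00Z", METHOD_PREFIX + "UpdateSubject", "user:mallory@example.com",
           status={"code": 7, "message": "PERMISSION_DENIED"}),
    _entry("2024-01-15T10:09:00Z", METHOD_PREFIX + "UpdateRule", "user:alice@example.com"),
    _entry("2024-01-15T10:10:00Z", "google.logging.v2.LoggingServiceV2.ListLogEntries",
           "user:alice@example.com", service="logging.googleapis.com"),
]


def parse_entry(entry):
    """Extract the fields the page calls out from one LogEntry."""
    payload = entry.get("protoPayload", {})
    status = payload.get("status") or {}  # empty or missing status means success
    code = int(status.get("code", 0))
    log_name = entry["logName"].replace("%2F", "/")  # tolerate either encoding
    return {
        "timestamp": entry.get("timestamp"),
        "log_type": log_name.rsplit("/", 1)[-1],  # "activity" or "data_access"
        "service": entry.get("resource", {}).get("labels", {}).get("service"),
        "principal": payload.get("authenticationInfo", {}).get("principalSubject"),
        "method": payload.get("methodName", "").split(".")[-1],
        "status_code": code,
        "succeeded": code == 0,
        "denied": code == PERMISSION_DENIED,
        "error": status.get("message"),
    }


def chronicle_events(entries):
    """Parsed events for the Chronicle frontend service only, oldest first."""
    parsed = (parse_entry(e) for e in entries)
    return sorted((p for p in parsed if p["service"] == SERVICE), key=lambda p: p["timestamp"])


def actions_by_user(entries, principal):
    """Methods a principal invoked, attempted or not, in time order."""
    return [p["method"] for p in chronicle_events(entries) if p["principal"] == principal]


def users_who_called(entries, method, include_failed=False):
    """Principals that invoked a method; denied attempts excluded unless asked for."""
    return {p["principal"] for p in chronicle_events(entries)
            if p["method"] == method and (include_failed or p["succeeded"])}


def permission_denied(entries):
    """(principal, method) pairs whose call was rejected with status code 7."""
    return [(p["principal"], p["method"]) for p in chronicle_events(entries) if p["denied"]]


def logs_explorer_filter(principal=None, method=None):
    """The page's Logs Explorer query for a principal and/or method, values quoted."""
    lines = ['resource.type="audited_resource"', f'resource.labels.service="{SERVICE}"']
    if principal:
        lines.append(f'protoPayload.authenticationInfo.principalSubject="{principal}"')
    if method:
        lines.append(f'protoPayload.methodName="{METHOD_PREFIX}{method}"')
    return "\n".join(lines)


if __name__ == "__main__":
    for who, what in permission_denied(SAMPLE_ENTRIES):
        print(f"denied: {who} -> {what}")
    print(logs_explorer_filter(method="UpdateRole"))
```

The string returned by logs_explorer_filter is the same filter you would paste into the Logs Explorer or pass to gcloud logging read with --project set to the project ID from Chronicle Support and --format=json, which yields entries in the shape this script consumes. The distinction between users_who_called with and without include_failed is the point of the status check: the page's UpdateSubject query returns every attempt, so a principal that was refused with status code 7 appears in the results even though no subject was changed.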