Chronicle audit logging information

Google Cloud services write audit logs to help tell you who did what, where, and when within your Google Cloud resources. This page describes the audit logs created by Chronicle and written as Cloud Audit Logs.

For a general overview of Cloud Audit Logs, see Cloud Audit Logs overview. For a deeper understanding of the audit log format, see Understanding audit logs.

Available audit logs

The audit log service name and audited operations are different depending on which preview program you are enrolled in. Chronicle audit logs use one of the following service names:

  • chronicle.googleapis.com
  • chronicleservicemanager.googleapis.com
  • malachitefrontend-pa.googleapis.com

All Chronicle audit logs are written with the resource type audited_resource, regardless of which preview program you are enrolled in.

Logs with service name chronicle.googleapis.com

The following log types are available for Chronicle audit logs with the chronicle.googleapis.com service name.

For more information, see Chronicle permissions in IAM.

Admin Activity audit logs
  Includes admin write operations that write metadata or configuration information. Actions in Chronicle that generate this type of log include updating feeds and creating rules. Example operations:
  • chronicle.googleapis.com/feeds.update
  • chronicle.googleapis.com/rules.create
  • chronicle.googleapis.com/parsers.activate

Data Access audit logs
  Includes admin read operations that read metadata or configuration information. Also includes data read and data write operations that read or write user-provided data. Actions in Chronicle that generate this type of log include getting feeds and listing rules. Example operations:
  • chronicle.googleapis.com/feeds.get
  • chronicle.googleapis.com/rules.list
  • chronicle.googleapis.com/curatedRuleSets.countCuratedRuleSetDetections

Logs with service name chronicleservicemanager.googleapis.com

Chronicle audit logs written using the chronicleservicemanager.googleapis.com service name are only available at the organization level, not at the project level.

The following log types are available for Chronicle audit logs written using the chronicleservicemanager.googleapis.com service name.

Admin Activity audit logs
  Includes admin write operations that write metadata or configuration information. Actions in Chronicle that generate this type of log include creating a Google Cloud Association and updating Google Cloud log filters. Example operations:
  • chronicleservicemanager.googleapis.com/gcpAssociations.create
  • chronicleservicemanager.googleapis.com/gcpAssociations.delete
  • chronicleservicemanager.googleapis.com/gcpSettings.delete

Data Access audit logs
  Includes admin read operations that read metadata or configuration information. Also includes data read and data write operations that read or write user-provided data. Actions in Chronicle that generate this type of log include listing instances and customer metadata. Example operations:
  • chronicleservicemanager.googleapis.com/gcpAssociations.get
  • chronicleservicemanager.googleapis.com/gcpSettings.get

Logs with service name malachitefrontend-pa.googleapis.com

The following log types are available for Chronicle audit logs with the malachitefrontend-pa.googleapis.com service name.

Chronicle Frontend API operations provide data to and from the Chronicle UI. The Chronicle Frontend API broadly consists of data access operations.

Admin Activity audit logs
  Chronicle operations: update-related activity, such as UpdateRole and UpdateSubject.

Data Access audit logs
  Chronicle operations: view-related activity, such as ListRoles and ListSubjects.

Audit log format

Audit log entries include the following objects:

  • Log entry itself, which is an object of type LogEntry. Useful fields include the following:

    • logName contains the resource ID and audit log type.
    • resource contains the target of the audited operation.
    • timestamp contains the time of the audited operation.
    • protoPayload contains the audited information.
  • Audit logging data, which is an AuditLog object held in the protoPayload field of the log entry.

  • Optional service-specific audit information, which is a service-specific object. For older integrations, this object is held in the serviceData field of the AuditLog object; newer integrations use the metadata field.

  • The protoPayload.authenticationInfo.principalSubject field contains the user principal, which indicates who performed the action.

  • The protoPayload.methodName field contains the API method name invoked by the UI on behalf of the user.

  • The protoPayload.status field contains the status of the API call. An empty status value indicates success. A non-empty status value indicates failure and contains a description of the error. Status code 7 indicates permission denied.

  • The chronicle.googleapis.com service includes the protoPayload.authorizationInfo field. This contains the name of the resource requested, the permission name that was checked, and whether the access was granted or denied.

For other fields in these objects, and how to interpret them, review Understand audit logs.

The following example shows log names for project-level Admin Activity audit logs and Data Access audit logs. The variables denote Google Cloud project identifiers.

projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access

Enable audit logging

To enable audit logging for the chronicle.googleapis.com service, see Enable Data Access audit logs.

Chronicle audit logs are written to a Google Cloud project after enabling the Chronicle API surface in a project you own. Legacy audit logs, including those written with the malachitefrontend-pa.googleapis.com service name, are written to a project that Google Cloud owns.

To view your Admin Activity audit logs, you must first migrate your Chronicle instance to IAM for access control.

Admin Activity audit logs are always enabled. You cannot disable them. Data Access audit logs are enabled by default. If you want to disable Data Access audit logs in your customer-owned project, contact your Chronicle representative who can disable this for you. For information about Cloud Logging pricing, see Google Cloud Observability pricing: Cloud Logging.

To enable audit logging for the other services, contact Chronicle Support.

For a description of the type of logs written, see Available audit logs.

View logs

To find and view audit logs, use the Google Cloud project ID. For legacy audit logging of malachitefrontend-pa.googleapis.com configured using a Google Cloud-owned project, Chronicle Support provided you with that project ID. You can further specify other indexed LogEntry fields, like resource.type. For more information, see Find log entries quickly.

In the Google Cloud console, use the Logs Explorer to retrieve your audit log entries for the Google Cloud project:

  1. In the Google Cloud console, go to the Logging > Logs Explorer page.

  2. On the Logs Explorer page, select an existing Google Cloud project, folder, or organization.

  3. In the Query builder pane, do the following:

    • In Resource type, select the Google Cloud resource whose audit logs you want to see.

    • In Log name, select the audit log type that you want to see:

      • For Admin Activity audit logs, select activity.

      • For Data Access audit logs, select data_access.

    If you don't see these options, no audit logs of that type are available in the Google Cloud project, folder, or organization.

    For more information about querying by using the Logs Explorer, see Build log queries.

For an example of an audit log entry and how to find the most important information in it, see Sample audit log entry.

Examples: chronicle.googleapis.com service name logs

The following sections describe common use cases for Cloud Audit Logs that use the chronicle.googleapis.com service name.

Listing actions taken by a specific user

To find the actions taken by a given user, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="chronicle.googleapis.com"
protoPayload.authenticationInfo.principalSubject=USER

Identifying users who took a specific action

To find the users who updated a detection rule, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="chronicle.googleapis.com"
protoPayload.methodName="google.cloud.chronicle.v1main.RuleService.UpdateRule"
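As an added example (not code from the original page), the following Python walks constructed Cloud Audit Log entries shaped as described in the Audit log format section and applies the two queries above offline: actions taken by a principal, principals who invoked a method, and calls that failed with status code 7. Only the UpdateRule method name comes from this page; the GetFeed method name and the permission strings are assumed placeholders.

```python
# Constructed sample entries, not real Chronicle output, shaped like the LogEntry/AuditLog
# objects on this page; only UpdateRule is from the page, GetFeed and the permissions are placeholders.
def make_entry(log_type, principal, method, permission, granted, status=None):
    payload = {"authenticationInfo": {"principalSubject": principal},
               "methodName": method,
               "authorizationInfo": [{"permission": permission, "granted": granted}]}
    if status is not None:  # an empty status value means the call succeeded
        payload["status"] = status
    return {"logName": f"projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2F{log_type}",
            "resource": {"type": "audited_resource", "labels": {"service": "chronicle.googleapis.com"}},
            "timestamp": "2024-05-01T12:00:00Z",
            "protoPayload": payload}

UPDATE_RULE = "google.cloud.chronicle.v1main.RuleService.UpdateRule"
SAMPLE_ENTRIES = [
    make_entry("activity", "user:alice@example.com", UPDATE_RULE,
               "chronicle.rules.update", True),
    make_entry("data_access", "user:bob@example.com",
               "google.cloud.chronicle.v1main.FeedService.GetFeed",
               "chronicle.feeds.get", True),
    make_entry("activity", "user:bob@example.com", UPDATE_RULE,
               "chronicle.rules.update", False,
               status={"code": 7, "message": "PERMISSION_DENIED"}),
]

def summarize(entry):
    """Pull the who / what / outcome fields this page calls out from one entry."""
    p = entry["protoPayload"]
    status = p.get("status") or {}
    return {"log_type": entry["logName"].rsplit("%2F", 1)[-1],  # activity | data_access
            "service": entry["resource"]["labels"]["service"],
            "principal": p["authenticationInfo"]["principalSubject"],
            "method": p["methodName"],
            "code": status.get("code", 0),  # 0 success, 7 permission denied
            "denied": [a["permission"] for a in p.get("authorizationInfo", [])
                       if not a.get("granted", False)]}

def actions_by_principal(entries, principal):
    """Offline counterpart of the 'actions taken by a specific user' query."""
    return [s["method"] for s in map(summarize, entries) if s["principal"] == principal]

def principals_for_method(entries, method):
    """Offline counterpart of the 'users who took a specific action' query."""
    return sorted({s["principal"] for s in map(summarize, entries) if s["method"] == method})

def permission_denied(entries):
    """Status code 7 entries: failed calls worth reviewing, with the permission refused."""
    return [s for s in map(summarize, entries) if s["code"] == 7]
```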

Example: cloudresourcemanager.googleapis.com service name log

To find the users who updated an access control role or subject, run the following query in the Logs Explorer:

resource.type="project"
resource.labels.service="cloudresourcemanager.googleapis.com"
protoPayload.methodName="SetIamPolicy"

Examples: malachitefrontend-pa.googleapis.com service name logs

The following sections describe common use cases for Cloud Audit Logs that use the malachitefrontend-pa.googleapis.com service name.

Listing actions taken by a specific user

To find the actions taken by a given user, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.authenticationInfo.principalSubject=USER

Identifying users who took a specific action

To find the users who updated an access control subject, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.methodName="malachite.frontend.v1.MalachiteFrontendService.UpdateSubject"

To find the users who updated an access control role, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.methodName="malachite.frontend.v1.MalachiteFrontendService.UpdateRole"

To find the users who updated a detection rule, run the following query in the Logs Explorer:

resource.type="audited_resource"
resource.labels.service="malachitefrontend-pa.googleapis.com"
protoPayload.methodName="malachite.frontend.v1.MalachiteFrontendService.UpdateRule"