Log type | Enabled by default | Exportable directly to Chronicle | Event Threat Detection rules | CIS GCP Benchmark 1.1 | MITRE ATT&CK tactics and techniques
---|---|---|---|---|---
Cloud Audit Logs - Admin Activity | Yes | | Impair Defenses, Persistence, Exfiltration, Anomalous IAM Grant, Anomalous Behavior | 1, 2, 3, 4, 5, 6, 7 | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Exfiltration, Impact
Cloud Audit Logs - Data Access | Enable | | Initial Access, Discovery, Privilege Escalation, Exfiltration | 1.1, 1.2, 1.3, 1.4 | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Impact
Cloud Audit Logs - System Events | Yes | | | | Defense Evasion, Discovery, Impact
Cloud Audit Logs - Policy Denied | Yes | | | | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Discovery, Exfiltration
Access Transparency Logs | Enable | | | | Initial Access
Cloud DNS Logs | Enable | | Active Scan, Malware, Cryptomining | | Exfiltration, Impact
Cloud NAT Logs | Enable | | Malware, Cryptomining | | Discovery, Exfiltration, Impact
Firewall Rules Logs | Enable | | Malware, Cryptomining | 3.6, 3.7, 4.9 | Reconnaissance, Initial Access, Exfiltration, Impact
VPC Flow Logs | Enable | | Malware, Cryptomining, Outgoing DoS | 3.1, 3.2, 3.6, 3.7, 3.8, 4.9, 4.10 | Reconnaissance, Initial Access, Credential Access, Discovery, Collection, Exfiltration, Impact
Cloud IDS Logs | Enable | | | 3.1, 3.2, 3.6, 3.7, 3.8, 4.9, 4.10 | Reconnaissance, Initial Access, Credential Access, Discovery, Collection, Command And Control, Exfiltration, Impact
HTTP(S) LB Logs | Enable | | Initial Access | | Initial Access, Impact
VM Syslog | Enable | | Brute Force SSH | 3.6 | Credential Access, Discovery
VM Windows Event Logs | Enable | | | 3.7 | Credential Access, Discovery
Logs Router sink filter that selects the log types listed in the table above (one clause per log type; the `resource.type` conjuncts keep the filter from matching logs of the same ID written by other resources):

```
log_id("cloudaudit.googleapis.com/activity") OR
log_id("cloudaudit.googleapis.com/data_access") OR
log_id("cloudaudit.googleapis.com/system_event") OR
log_id("cloudaudit.googleapis.com/policy") OR
log_id("cloudaudit.googleapis.com/access_transparency") OR
log_id("dns.googleapis.com/dns_queries") OR
(log_id("compute.googleapis.com/nat_flows") AND resource.type="nat_gateway") OR
(log_id("compute.googleapis.com/firewall") AND resource.type="gce_subnetwork") OR
(log_id("compute.googleapis.com/vpc_flows") AND resource.type="gce_subnetwork") OR
((log_id("ids.googleapis.com/threat") OR log_id("ids.googleapis.com/traffic")) AND resource.type="ids.googleapis.com/Endpoint") OR
(log_id("requests") AND resource.type="http_load_balancer") OR
(log_id("syslog") AND resource.type="gce_instance") OR
((log_id("winevt.raw") OR log_id("windows_event_log")) AND resource.type="gce_instance")
```
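To check which rows of the table a set of exported entries actually covers (and which the sink filter would drop because of the `resource.type` conjunct), here is an added example that mirrors the filter in plain Python; it is not code from the Google documentation, the sample entries are constructed, and `log_id()` matching is modelled as the URL-decoded `logName` segment after `/logs/`.

```python
"""Map Cloud Logging entries to the log types in the table above (added example)."""
from urllib.parse import unquote

# (log type from the table, log_id, required resource.type or None), as in the sink filter
LOG_TYPES = [
    ("Cloud Audit Logs - Admin Activity", "cloudaudit.googleapis.com/activity", None),
    ("Cloud Audit Logs - Data Access", "cloudaudit.googleapis.com/data_access", None),
    ("Cloud Audit Logs - System Events", "cloudaudit.googleapis.com/system_event", None),
    ("Cloud Audit Logs - Policy Denied", "cloudaudit.googleapis.com/policy", None),
    ("Access Transparency Logs", "cloudaudit.googleapis.com/access_transparency", None),
    ("Cloud DNS Logs", "dns.googleapis.com/dns_queries", None),
    ("Cloud NAT Logs", "compute.googleapis.com/nat_flows", "nat_gateway"),
    ("Firewall Rules Logs", "compute.googleapis.com/firewall", "gce_subnetwork"),
    ("VPC Flow Logs", "compute.googleapis.com/vpc_flows", "gce_subnetwork"),
    ("Cloud IDS Logs", "ids.googleapis.com/threat", "ids.googleapis.com/Endpoint"),
    ("Cloud IDS Logs", "ids.googleapis.com/traffic", "ids.googleapis.com/Endpoint"),
    ("HTTP(S) LB Logs", "requests", "http_load_balancer"),
    ("VM Syslog", "syslog", "gce_instance"),
    ("VM Windows Event Logs", "winevt.raw", "gce_instance"),
    ("VM Windows Event Logs", "windows_event_log", "gce_instance"),
]

def log_id_of(log_name):
    """log_id(X) in a Logging filter matches the URL-decoded part of logName after '/logs/'."""
    return unquote(log_name.split("/logs/", 1)[1]) if "/logs/" in log_name else ""

def classify(entry):
    """Return the table row the entry falls under, or None if the sink filter drops it."""
    lid = log_id_of(entry.get("logName", ""))
    rtype = entry.get("resource", {}).get("type")
    for name, wanted_id, wanted_type in LOG_TYPES:
        if lid == wanted_id and (wanted_type is None or rtype == wanted_type):
            return name
    return None

def missing_log_types(entries):
    """Table rows with no matching entry in a sample, i.e. sources not yet reaching the sink."""
    seen = {classify(e) for e in entries}
    return sorted({name for name, _, _ in LOG_TYPES} - seen)

# Constructed sample entries (not a real export); logName segments are URL-encoded as in exports.
SAMPLES = [
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Factivity", "resource": {"type": "project"}},
    {"logName": "projects/p1/logs/compute.googleapis.com%2Fvpc_flows", "resource": {"type": "gce_subnetwork"}},
    {"logName": "projects/p1/logs/compute.googleapis.com%2Ffirewall", "resource": {"type": "gce_instance"}},
    {"logName": "projects/p1/logs/syslog", "resource": {"type": "gce_instance"}},
]
```

Running `missing_log_types(SAMPLES)` against a real export lists the table rows still to enable; the third sample shows an entry with the right log ID but the wrong `resource.type`, which the filter does not match.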