log-scoping-tool
Each row maps a Google Cloud log type to whether it is written by default, the Event Threat Detection rule categories that consume it, the CIS GCP Benchmark 1.1 sections it supports, and the MITRE ATT&CK tactics it gives visibility into. "No" in the "Enabled by default" column corresponds to an "Enable" link on the original page; those logs must be turned on (Data Access audit config, VPC Flow Logs and firewall logging on subnets, a DNS logging policy, a NAT gateway logging setting, the Ops Agent on VMs) before the filter below will find anything for them. The "Exportable directly to Chronicle" column is rendered as icons on the original page and did not survive extraction, so those cells are left blank.

| Log type | Enabled by default | Exportable directly to Chronicle | Event Threat Detection rules | CIS GCP Benchmark 1.1 | MITRE ATT&CK tactics and techniques |
|---|---|---|---|---|---|
| Cloud Audit Logs - Admin Activity | Yes | | Impair Defenses, Persistence, Exfiltration, Anomalous IAM Grant, Anomalous Behavior | 1, 2, 3, 4, 5, 6, 7 | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Exfiltration, Impact |
| Cloud Audit Logs - Data Access | No | | Initial Access, Discovery, Privilege Escalation, Exfiltration | 1.1, 1.2, 1.3, 1.4 | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Impact |
| Cloud Audit Logs - System Events | Yes | | | | Defense Evasion, Discovery, Impact |
| Cloud Audit Logs - Policy Denied | Yes | | | | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Discovery, Exfiltration |
| Access Transparency Logs | No | | | | Initial Access |
| Cloud DNS Logs | No | | Active Scan, Malware, Cryptomining | | Exfiltration, Impact |
| Cloud NAT Logs | No | | Malware, Cryptomining | | Discovery, Exfiltration, Impact |
| Firewall Rules Logs | No | | Malware, Cryptomining | 3.6, 3.7, 4.9 | Reconnaissance, Initial Access, Exfiltration, Impact |
| VPC Flow Logs | No | | Malware, Cryptomining, Outgoing DoS | 3.1, 3.2, 3.6, 3.7, 3.8, 4.9, 4.10 | Reconnaissance, Initial Access, Credential Access, Discovery, Collection, Exfiltration, Impact |
| Cloud IDS Logs | No | | | 3.1, 3.2, 3.6, 3.7, 3.8, 4.9, 4.10 | Reconnaissance, Initial Access, Credential Access, Discovery, Collection, Command And Control, Exfiltration, Impact |
| HTTP(S) LB Logs | No | | Initial Access | | Initial Access, Impact |
| VM Syslog | No | | Brute Force SSH | 3.6 | Credential Access, Discovery |
| VM Windows Event Logs | No | | | 3.7 | Credential Access, Discovery |

Auto-generated log filter

The filter is written in the Cloud Logging query language. Each selected log type contributes one OR clause; where a log ID is not unique to one source (syslog, requests, the Windows event logs) the clause is guarded with a resource.type condition so that, for example, syslog from a GCE instance is captured but a log of the same name from another resource is not. The filter can be used as-is for a log sink or a Log Analytics view.

```text
log_id("cloudaudit.googleapis.com/activity")
OR log_id("cloudaudit.googleapis.com/data_access")
OR log_id("cloudaudit.googleapis.com/system_event")
OR log_id("cloudaudit.googleapis.com/policy")
OR log_id("cloudaudit.googleapis.com/access_transparency")
OR log_id("dns.googleapis.com/dns_queries")
OR (log_id("compute.googleapis.com/nat_flows") AND resource.type="nat_gateway")
OR (log_id("compute.googleapis.com/firewall") AND resource.type="gce_subnetwork")
OR (log_id("compute.googleapis.com/vpc_flows") AND resource.type="gce_subnetwork")
OR ((log_id("ids.googleapis.com/threat") OR log_id("ids.googleapis.com/traffic")) AND resource.type="ids.googleapis.com/Endpoint")
OR (log_id("requests") AND resource.type="http_load_balancer")
OR (log_id("syslog") AND resource.type="gce_instance")
OR ((log_id("winevt.raw") OR log_id("windows_event_log")) AND resource.type="gce_instance")
```
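The following Python is an added example, not code from the log-scoping tool or from Google. It reproduces the filter generation shown above from the log-type table (so a subset of log types yields the matching subset of clauses) and then applies the same log_id/resource.type semantics to a few constructed log entries to show which of them a sink with this filter would actually admit. The LOG_TYPES table is transcribed by hand from the page; the sample entries, project name and function names are assumptions for illustration. One detail worth knowing: `log_id("x")` matches on the decoded last segment of `logName`, which in the API is URL-encoded (`cloudaudit.googleapis.com%2Factivity`), and the code decodes it the same way.

```python
"""Rebuild the log-scoping filter from a selection of log types and check
which constructed log entries it would admit.  Added example, not part of
the log-scoping tool; LOG_TYPES is transcribed from the page's table and
the sample entries below are constructed."""
from urllib.parse import unquote

# log type -> (log IDs, required resource.type or None when the ID is unique)
LOG_TYPES = {
    "Cloud Audit Logs - Admin Activity": (["cloudaudit.googleapis.com/activity"], None),
    "Cloud Audit Logs - Data Access": (["cloudaudit.googleapis.com/data_access"], None),
    "Cloud Audit Logs - System Events": (["cloudaudit.googleapis.com/system_event"], None),
    "Cloud Audit Logs - Policy Denied": (["cloudaudit.googleapis.com/policy"], None),
    "Access Transparency Logs": (["cloudaudit.googleapis.com/access_transparency"], None),
    "Cloud DNS Logs": (["dns.googleapis.com/dns_queries"], None),
    "Cloud NAT Logs": (["compute.googleapis.com/nat_flows"], "nat_gateway"),
    "Firewall Rules Logs": (["compute.googleapis.com/firewall"], "gce_subnetwork"),
    "VPC Flow Logs": (["compute.googleapis.com/vpc_flows"], "gce_subnetwork"),
    "Cloud IDS Logs": (["ids.googleapis.com/threat", "ids.googleapis.com/traffic"],
                       "ids.googleapis.com/Endpoint"),
    "HTTP(S) LB Logs": (["requests"], "http_load_balancer"),
    "VM Syslog": (["syslog"], "gce_instance"),
    "VM Windows Event Logs": (["winevt.raw", "windows_event_log"], "gce_instance"),
}

# The filter text printed on the page, used to confirm the generator agrees with it.
PAGE_FILTER = """log_id("cloudaudit.googleapis.com/activity")
OR log_id("cloudaudit.googleapis.com/data_access")
OR log_id("cloudaudit.googleapis.com/system_event")
OR log_id("cloudaudit.googleapis.com/policy")
OR log_id("cloudaudit.googleapis.com/access_transparency")
OR log_id("dns.googleapis.com/dns_queries")
OR (log_id("compute.googleapis.com/nat_flows") AND resource.type="nat_gateway")
OR (log_id("compute.googleapis.com/firewall") AND resource.type="gce_subnetwork")
OR (log_id("compute.googleapis.com/vpc_flows") AND resource.type="gce_subnetwork")
OR ((log_id("ids.googleapis.com/threat") OR log_id("ids.googleapis.com/traffic")) AND resource.type="ids.googleapis.com/Endpoint")
OR (log_id("requests") AND resource.type="http_load_balancer")
OR (log_id("syslog") AND resource.type="gce_instance")
OR ((log_id("winevt.raw") OR log_id("windows_event_log")) AND resource.type="gce_instance")"""


def clause(log_ids, resource_type):
    """One OR-clause: log_id() terms, wrapped with a resource.type guard when needed."""
    ids = " OR ".join(f'log_id("{i}")' for i in log_ids)
    if resource_type is None:
        return ids
    if len(log_ids) > 1:
        ids = f"({ids})"          # keep OR inside the AND
    return f'({ids} AND resource.type="{resource_type}")'


def build_filter(selected):
    """Join the clauses for the selected log types, one per line, as the tool does."""
    return "\nOR ".join(clause(*LOG_TYPES[name]) for name in selected)


def regenerates_page_filter():
    """True when selecting every log type yields exactly the page's filter."""
    return build_filter(list(LOG_TYPES)) == PAGE_FILTER


def log_id_of(log_name):
    """log_id() compares against the URL-decoded segment after '/logs/' in logName."""
    return unquote(log_name.rsplit("/logs/", 1)[1])


def matching_log_types(entry, selected):
    """Names of the selected log types whose clause admits this entry (usually 0 or 1)."""
    lid = log_id_of(entry["logName"])
    rtype = entry.get("resource", {}).get("type")
    return [name for name in selected
            if lid in LOG_TYPES[name][0]
            and (LOG_TYPES[name][1] is None or rtype == LOG_TYPES[name][1])]


# Constructed sample entries (assumed project "demo"); only the fields the filter reads.
SAMPLE_ENTRIES = [
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "project"}},
    {"logName": "projects/demo/logs/compute.googleapis.com%2Fvpc_flows",
     "resource": {"type": "gce_subnetwork"}},
    # a log named "syslog" from a non-VM resource: excluded by the resource.type guard
    {"logName": "projects/demo/logs/syslog", "resource": {"type": "k8s_container"}},
]

if __name__ == "__main__":
    print(build_filter(["VPC Flow Logs", "VM Syslog"]))
    for e in SAMPLE_ENTRIES:
        print(e["logName"], "->", matching_log_types(e, list(LOG_TYPES)))
```

Selecting only the log types you have actually enabled keeps the sink from silently including clauses that never match; the resource.type guards are what prevent the generic `syslog` and `requests` IDs from pulling in unrelated logs, which is why the third sample entry is rejected.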