GCP Logs

Connecting GCP logs to your Panther Console


Last updated 1 year ago


Overview

Panther supports ingesting GCP logs via its common Data Transport options.

To connect GCP logs with Panther, it is recommended to use the Pub/Sub source with a log sink, as it results in the lowest latency (roughly five minutes).

Alternatively, using the Google Cloud Storage (GCS) source with a log sink will result in logs being delivered to Panther only on an hourly basis.

How to onboard GCP logs to Panther

Prerequisite

  • Set a default Data Access audit logging configuration for your Google Cloud services:

    1. In your GCP console, navigate to the IAM & Admin service. In the navigation bar, click Audit Logs.

    2. Click Set Default Configuration.

    3. In the Log Types tab, check the boxes for the following types: Admin Read, Data Read, and Data Write.

    4. Click Save.

These instructions for setting a default Data Access audit log configuration for your Google Cloud services are also found in the GCP documentation.

Step 1: Create a Google Cloud source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "GCP" then click the Google Cloud tile.

  4. In the slide-out panel, in the Transport Mechanism dropdown in the upper right corner, select Google Cloud Pub/Sub.

    • It is possible to use any of the Data Transport options, but it is recommended to use Pub/Sub in conjunction with a log sink, which you will configure in the next step.

  5. Follow the Panther documentation for configuring your selected Data Transport.

    • If you selected Pub/Sub, follow the Pub/Sub Source documentation.

Step 2: Configure GCP to push logs to the Data Transport source

  • See GCP's documentation for instructions on how to forward logs to your selected Data Transport source.

Video walkthrough: Setup using GCS

Panther-managed detections

Supported log types

GCP.AuditLog

The GCP.AuditLog schema supports ingesting all four types of Google Cloud audit logs:

schema: GCP.AuditLog
description: |
    Cloud Audit Logs maintains audit logs for each Google Cloud project, folder, and organization: Admin Activity, Data Access, System Event, and Policy Denied.
    Google Cloud services write audit log entries to these logs to help you answer the questions of "who did what, where, and when?" within your Google Cloud resources.
referenceURL: https://cloud.google.com/logging/docs/audit
fields:
    - name: logName
      required: true
      description: The resource name of the log to which this log entry belongs.
      type: string
    - name: severity
      description: The severity of the log entry. The default value is LogSeverity.DEFAULT.
      type: string
    - name: insertId
      description: A unique identifier for the log entry.
      type: string
    - name: resource
      description: The monitored resource that produced this log entry.
      type: object
      fields:
        - name: type
          required: true
          description: Type of resource that produced this log entry
          type: string
        - name: labels
          description: Labels describing the resource
          type: json
    - name: timestamp
      description: The time the event described by the log entry occurred.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: receiveTimestamp
      required: true
      description: The time the log entry was received by Logging.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: labels
      description: A set of user-defined (key, value) data that provides additional information about the log entry.
      type: json
    - name: operation
      description: Information about an operation associated with the log entry, if applicable.
      type: object
      fields:
        - name: id
          description: Log entries with the same identifier are assumed to be part of the same operation.
          type: string
        - name: producer
          description: An arbitrary producer identifier. The combination of id and producer must be globally unique.
          type: string
        - name: first
          description: This is the first entry in an operation
          type: boolean
        - name: last
          description: This is the last entry in an operation
          type: boolean
    - name: trace
      description: Resource name of the trace associated with the log entry, if any. The trace field provides the link between logs and traces.
      type: string
    - name: httpRequest
      description: Information about the HTTP request associated with this log entry, if applicable.
      type: object
      fields:
        - name: requestMethod
          description: The request HTTP method.
          type: string
        - name: requestURL
          description: The scheme (http, https), the host name, the path and the query portion of the URL that was requested.
          type: string
          indicators:
            - url
        - name: requestSize
          description: The size of the HTTP request message in bytes, including the request headers and the request body.
          type: bigint
        - name: status
          description: The response HTTP status code
          type: smallint
        - name: responseSize
          description: The size of the HTTP response message sent back to the client, in bytes, including the response headers and the response body.
          type: bigint
        - name: userAgent
          description: The user agent sent by the client.
          type: string
        - name: remoteIP
          description: The IP address (IPv4 or IPv6) of the client that issued the HTTP request.
          type: string
          indicators:
            - ip
        - name: serverIP
          description: The IP address (IPv4 or IPv6) of the origin server that the request was sent to.
          type: string
          indicators:
            - ip
        - name: referer
          description: The referer URL of the request
          type: string
          indicators:
            - url
        - name: latency
          description: The request processing latency in seconds on the server, from the time the request was received until the response was sent.
          type: string
        - name: cacheLookup
          description: Whether or not a cache lookup was attempted.
          type: boolean
        - name: cacheHit
          description: Whether or not an entity was served from cache (with or without validation).
          type: boolean
        - name: cacheValidatedWithOriginServer
          description: Whether or not the response was validated with the origin server before being served from cache.
          type: boolean
        - name: cacheFillBytes
          description: The number of HTTP response bytes inserted into cache.
          type: bigint
        - name: protocol
          description: Protocol used for the request.
          type: string
    - name: spanId
      description: The span ID within the trace associated with the log entry.
      type: string
    - name: traceSampled
      description: The sampling decision of the trace associated with the log entry.
      type: boolean
    - name: sourceLocation
      description: Source code location information associated with the log entry, if any.
      type: object
      fields:
        - name: file
          description: Source file name. Depending on the runtime environment, this might be a simple name or a fully-qualified name.
          type: string
        - name: line
          description: Line within the source file. 1-based; 0 indicates no line number available.
          type: bigint
        - name: function
          description: Human-readable name of the function or method being invoked, with optional context such as the class or package name. The format can vary by language.
          type: string
    - name: protoPayload
      required: true
      description: The AuditLog payload
      type: object
      fields:
        - name: '@type'
          required: true
          description: The type of payload
          type: string
        - name: serviceName
          description: The name of the API service performing the operation
          type: string
        - name: methodName
          description: The name of the service method or operation. For API calls, this should be the name of the API method.
          type: string
        - name: resourceName
          description: The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name.
          type: string
        - name: numResponseItems
          description: The number of items returned from a List or Query API method, if applicable.
          type: bigint
        - name: status
          description: The status of the overall operation.
          type: object
          fields:
            - name: code
              description: The status code, which should be an enum value of google.rpc.Code.
              type: int
            - name: message
              description: A developer-facing error message, which should be in English.
              type: string
            - name: details
              description: A list of messages that carry the error details. There is a common set of message types for APIs to use.
              type: json
        - name: authenticationInfo
          description: Authentication information.
          type: object
          fields:
            - name: principalSubject
              description: String representation of identity of requesting party. Populated for both first and third party identities.
              type: string
            - name: serviceAccountKeyName
              description: The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name.
              type: string
              indicators:
                - domain
            - name: principalEmail
              description: The email address of the authenticated user making the request.
              type: string
              indicators:
                - email
            - name: authoritySelector
              description: The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.
              type: string
            - name: thirdPartyPrincipal
              description: The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.
              type: json
            - name: serviceAccountDelegationInfo
              description: Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.
              type: array
              element:
                type: object
                fields:
                    - name: firstPartyPrincipal
                      description: First party (Google) identity as the real authority.
                      type: object
                      fields:
                        - name: principalEmail
                          description: The email address of a Google account.
                          type: string
                          indicators:
                            - email
                        - name: serviceMetadata
                          description: Metadata about the service that uses the service account.
                          type: json
                    - name: thirdPartyPrincipal
                      description: Third party identity as the real authority.
                      type: object
                      fields:
                        - name: thirdPartyClaims
                          description: Metadata about third party identity.
                          type: json
                    - name: principalSubject
                      description: String representation of identity of requesting party.
                      type: string
        - name: authorizationInfo
          description: Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.
          type: array
          element:
            type: object
            fields:
                - name: resource
                  description: The resource being accessed, as a REST-style string.
                  type: string
                - name: permission
                  description: The required IAM permission
                  type: string
                - name: granted
                  description: Whether or not authorization for resource and permission was granted.
                  type: boolean
                - name: resourceAttributes
                  description: Resource attributes used in IAM condition evaluation. This field contains resource attributes like resource type and resource name. To get the whole view of the attributes used in IAM condition evaluation, the user must also look into AuditLog.request_metadata.request_attributes.
                  type: object
                  fields:
                    - name: service
                      description: The name of the service that this resource belongs to, such as pubsub.googleapis.com. The service may be different from the DNS hostname that actually serves the request.
                      type: string
                    - name: name
                      description: The stable identifier (name) of a resource on the service.
                      type: string
                    - name: type
                      description: The type of the resource. The syntax is platform-specific because different platforms define their resources differently.
                      type: string
                    - name: labels
                      description: The labels or tags on the resource, such as AWS resource tags and Kubernetes resource labels.
                      type: string
                    - name: uid
                      description: The unique identifier of the resource. UID is unique in the time and space for this resource within the scope of the service. It is typically generated by the server on successful creation of a resource and must not be changed. UID is used to uniquely identify resources with resource name reuses. This should be a UUID4.
                      type: string
        - name: requestMetadata
          description: Metadata about the request
          type: object
          fields:
            - name: callerIP
              description: The IP address of the caller.
              type: string
              indicators:
                - ip
            - name: callerSuppliedUserAgent
              description: The user agent of the caller. This information is not authenticated and should be treated accordingly.
              type: string
            - name: callerNetwork
              description: The network of the caller. Set only if the network host project is part of the same GCP organization (or project) as the accessed resource.
              type: string
            - name: requestAttributes
              description: Request attributes used in IAM condition evaluation. This field contains request attributes like request time and access levels associated with the request.
              type: json
            - name: destinationAttributes
              description: The destination of a network activity, such as accepting a TCP connection.
              type: json
        - name: request
          description: The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.
          type: json
        - name: response
          description: The operation response. This may not include all response parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.
          type: json
        - name: metadata
          description: Other service-specific data about the request, response, and other information associated with the current audited event.
          type: json
        - name: serviceData
          description: Other service-specific data about the request, response, and other activities.
          type: json
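The `requestMetadata` fields above carry the caller's IP and a caller-supplied user agent that, as the schema notes, is not authenticated. The following is an added example (not Panther's code and not part of this page's schema) of a Panther-style `rule()`/`title()` pair that uses `callerIP` as the trust signal and the user agent only as alert context. The trusted network range, the set of sensitive method names, the sample event builder and the `protoPayload` wrapper are all assumptions constructed for the example.

```python
import ipaddress

# Constructed stand-in for an organisation's known egress range (assumption).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed set of IAM methods treated as sensitive in this example.
SENSITIVE_METHODS = {
    "SetIamPolicy",
    "google.iam.admin.v1.CreateServiceAccountKey",
}


def build_event(caller_ip, method, user_agent):
    """Build a constructed GCP.AuditLog-shaped event (not a real log line).

    The field names follow the schema above; placing them under a
    protoPayload wrapper is an assumption about the full event layout.
    """
    return {
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "methodName": method,
            "requestMetadata": {
                "callerIP": caller_ip,
                "callerSuppliedUserAgent": user_agent,
                "requestAttributes": {"time": "2024-05-01T12:00:00Z"},
            },
        }
    }


def caller_is_trusted(caller_ip):
    """True when callerIP parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False  # an unparseable caller IP is never treated as trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def rule(event):
    """Panther-style rule: fire on sensitive IAM calls from outside trusted networks."""
    proto = event.get("protoPayload") or {}
    meta = proto.get("requestMetadata") or {}
    caller_ip = meta.get("callerIP")
    if not caller_ip:
        return False  # requestMetadata is optional; nothing to evaluate
    if proto.get("methodName") not in SENSITIVE_METHODS:
        return False
    return not caller_is_trusted(caller_ip)


def title(event):
    """Alert title for the analyst.

    The user agent is included for context only: the schema says it is
    caller-supplied and unauthenticated, so it is never used to suppress
    the alert.
    """
    proto = event.get("protoPayload") or {}
    meta = proto.get("requestMetadata") or {}
    principal = (proto.get("authenticationInfo") or {}).get("principalEmail")
    return (
        f"{proto.get('methodName')} by {principal} from {meta.get('callerIP')} "
        f"(claimed user agent: {meta.get('callerSuppliedUserAgent', 'unknown')})"
    )


if __name__ == "__main__":
    sample = build_event("198.51.100.7", "SetIamPolicy", "google-cloud-sdk gcloud/450.0.0")
    if rule(sample):
        print(title(sample))
```

The design point is the asymmetry between the two fields: `callerIP` is recorded by the service and can drive the decision, while `callerSuppliedUserAgent` is attacker-controlled text and only ever decorates the alert.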

GCP.HTTPLoadBalancer

External HTTP(S) Load Balancing distributes HTTP and HTTPS traffic to backends hosted on a variety of Google Cloud platforms (such as Compute Engine, Google Kubernetes Engine (GKE), Cloud Storage, and so on), as well as external backends connected over the internet or via hybrid connectivity. HTTP(S) load balancing logs provide information for monitoring and debugging web traffic.

schema: GCP.HTTPLoadBalancer
parser:
  native:
    name: GCP.HTTPLoadBalancer
fields:
  - name: httpRequest
    required: true
    description: httpRequest
    type: object
    fields:
      - name: referer
        description: referer
        type: string
        indicators:
          - url
      - name: latency
        required: true
        description: latency
        type: string
      - name: remoteIp
        required: true
        description: remoteIp
        type: string
        indicators:
          - ip
      - name: requestMethod
        required: true
        description: requestMethod
        type: string
      - name: requestSize
        required: true
        description: requestSize
        type: bigint
      - name: requestUrl
        required: true
        description: requestUrl
        type: string
        indicators:
          - url
      - name: responseSize
        description: responseSize
        type: bigint
      - name: serverIp
        description: serverIp
        type: string
        indicators:
          - ip
      - name: status
        description: status
        type: bigint
      - name: userAgent
        description: userAgent
        type: string
  - name: insertId
    required: true
    description: insertId
    type: string
  - name: jsonPayload
    required: true
    description: jsonPayload
    type: json
  - name: logName
    required: true
    description: logName
    type: string
  - name: receiveTimestamp
    required: true
    description: receiveTimestamp
    type: timestamp
    timeFormat: rfc3339
  - name: resource
    required: true
    description: resource
    type: object
    fields:
      - name: labels
        required: true
        description: labels
        type: object
        fields:
          - name: backend_service_name
            required: true
            description: backend_service_name
            type: string
          - name: forwarding_rule_name
            required: true
            description: forwarding_rule_name
            type: string
          - name: project_id
            required: true
            description: project_id
            type: string
          - name: target_proxy_name
            required: true
            description: target_proxy_name
            type: string
          - name: url_map_name
            required: true
            description: url_map_name
            type: string
          - name: zone
            required: true
            description: zone
            type: string
      - name: type
        required: true
        description: type
        type: string
  - name: severity
    required: true
    description: severity
    type: string
  - name: spanId
    required: true
    description: spanId
    type: string
  - name: timestamp
    required: true
    description: timestamp
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: trace
    required: true
    description: trace
    type: string
    indicators:
      - trace_id
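The `httpRequest` object above gives a per-request `status` and `remoteIp`, which is enough to spot a client that keeps being denied. The following is an added example (not Panther's code and not part of this page's schema) showing a per-event Panther-style `rule()` for 401/403 responses together with a small batch aggregation that names clients crossing a failure threshold. The sample events, the threshold and the `make_event` helper are constructed for this example; the values are shaped like the required fields of the schema but are not real load balancer logs.

```python
from collections import Counter

AUTH_FAILURE_STATUSES = {401, 403}
FAILURE_THRESHOLD = 5  # constructed threshold for this example


def make_event(remote_ip, status, url, method="GET"):
    """Constructed GCP.HTTPLoadBalancer-shaped event carrying the schema's required fields."""
    return {
        "httpRequest": {
            "remoteIp": remote_ip,
            "requestMethod": method,
            "requestUrl": url,
            "requestSize": 512,
            "status": status,
            "latency": "0.012s",
            "userAgent": "Mozilla/5.0 (constructed)",
        },
        "insertId": f"constructed-{remote_ip}-{status}",
        "logName": "projects/example-project/logs/requests",
        "resource": {
            "type": "http_load_balancer",
            "labels": {
                "backend_service_name": "web-backend",
                "forwarding_rule_name": "web-fr",
                "project_id": "example-project",
                "target_proxy_name": "web-proxy",
                "url_map_name": "web-map",
                "zone": "global",
            },
        },
        "severity": "INFO",
        "spanId": "0000000000000000",
        "timestamp": "2024-05-01T12:00:00Z",
        "receiveTimestamp": "2024-05-01T12:00:01Z",
        "trace": "projects/example-project/traces/0123456789abcdef0123456789abcdef",
        "jsonPayload": {},
    }


# Constructed sample batch: one client repeatedly denied at /admin/, two
# failed logins from another client, and one ordinary request.
SAMPLE_EVENTS = (
    [make_event("198.51.100.9", 403, "https://www.example.com/admin/") for _ in range(6)]
    + [make_event("203.0.113.4", 401, "https://www.example.com/api/login", "POST") for _ in range(2)]
    + [make_event("203.0.113.8", 200, "https://www.example.com/")]
)


def rule(event):
    """Per-event Panther-style check: is this an authentication or authorisation failure?"""
    http = event.get("httpRequest") or {}
    return http.get("status") in AUTH_FAILURE_STATUSES


def failures_by_ip(events):
    """Count auth failures per remoteIp across a batch of events."""
    counts = Counter()
    for event in events:
        if rule(event):
            counts[event["httpRequest"]["remoteIp"]] += 1
    return counts


def noisy_clients(events, threshold=FAILURE_THRESHOLD):
    """Client IPs whose auth-failure count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, n in failures_by_ip(events).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failures_by_ip(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} auth failures")
    print("over threshold:", noisy_clients(SAMPLE_EVENTS))
```

In Panther itself `rule()` is evaluated one event at a time, so the counting loop here stands in for the rule's own threshold and deduplication settings (or a scheduled query); it is shown inline only so the example runs offline against the constructed batch.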

If you are using Pub/Sub or Google Cloud Storage as your Data Transport, configure a log sink.

While the video below demonstrates how to forward GCP logs using GCS, it is recommended to use Pub/Sub instead of GCS, as it results in lower latency.

See Panther-managed rules for Google Cloud Platform in the panther-analysis GitHub repository.

For more information, see the GCP Documentation on Cloud Audit Logs.

For more information, see the documentation.