Knowledge BasePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Data Transports
Supported Logs
1Password Logs
Apache Logs
Asana Logs
Atlassian Logs
AWS Logs
Box Logs
Cisco Umbrella Logs
Cloudflare Logs
CrowdStrike Logs
Dropbox Logs
Duo Security Logs
Fastly Logs
Fluentd Logs
GCP Logs
Github Logs
GitLab Logs
G Suite Logs
JAMF Pro Logs
Juniper Logs
Lacework Logs
Microsoft 365 Logs
Microsoft Graph Logs (Beta)
Nginx Logs
Okta Logs
OneLogin Logs
Osquery Logs
OSSEC Logs
Salesforce Logs
Sophos Logs
Slack Logs
Snyk Logs
Suricata Logs
Syslog Logs
Teleport Logs
Zeek Logs
Zoom Logs
Zendesk Logs
Custom Logs
Monitoring Log Sources
Writing Detections
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Panther API (Beta)
Guides
Help
Powered By GitBook
GCP Logs
Connecting GCP logs to your Panther Console

Overview

Panther supports ingesting Google Cloud Platform (GCP) logs via common Data Transport options: Amazon Web Services (AWS) S3, AWS SQS, and Google Cloud Storage (GCS).

How to onboard GCP logs to Panther

To connect these logs into Panther:
  1. 1.
    Set up your Data Transport in the Panther Console.
    • Please follow Panther’s documentation for configuring the Data Transport option you will use:
  2. 2.
    Configure GCP to push logs to the Data Transport source.
    • See GCP's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in the table are in bold.

GCP.AuditLog

Cloud Audit Logs maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity, Data Access, and System Event. Google Cloud services writes audit log entries to these logs to help answer the questions of "who did what, where, and when?" within your Google Cloud resources.
Column
Type
Description
logName
string
The resource name of the log to which this log entry belongs.
severity
string
The severity of the log entry. The default value is LogSeverity.DEFAULT.
insertId
string
A unique identifier for the log entry.
resource
{ "type":string, "labels":{ string:string } }
The monitored resource that produced this log entry.
timestamp
timestamp
The time the event described by the log entry occurred.
receiveTimestamp
timestamp
The time the log entry was received by Logging.
labels
{ string:string }
A set of user-defined (key, value) data that provides additional information about the log entry.
operation
{ "id":string, "producer":string, "first":boolean, "last":boolean }
Information about an operation associated with the log entry, if applicable.
trace
string
Resource name of the trace associated with the log entry, if any.
httpRequest
{ "requestMethod":string, "requestURL":string, "requestSize":bigint, "status":smallint, "responseSize":bigint, "userAgent":string, "remoteIP":string, "serverIP":string, "referer":string, "latency":string, "cacheLookup":boolean, "cacheHit":boolean, "cacheValidatedWithOriginServer":boolean, "cacheFillBytes":bigint, "protocol":string }
Information about the HTTP request associated with this log entry, if applicable.
spanId
string
The span ID within the trace associated with the log entry.
traceSampled
boolean
The sampling decision of the trace associated with the log entry.
sourceLocation
{ "file":string, "line":bigint, "function":string }
Source code location information associated with the log entry, if any.
protoPayload
{ "at_sign_type":string, "serviceName":string, "methodName":string, "resourceName":string, "numResponseItems":bigint, "status":{ "code":int, "message":string, "details":string }, "authenticationInfo":{ "principalSubject":string, "serviceAccountKeyName":string, "principalEmail":string, "authoritySelector":string, "thirdPartyPrincipal":string, "serviceAccountDelegationInfo":[{ "firstPartyPrincipal":{ "principalEmail":string, "serviceMetadata":string }, "thirdPartyPrincipal":{ "thirdPartyClaims":string } }] }, "authorizationInfo":[{ "resource":string, "permission":string, "granted":boolean, "resourceAttributes":{ "service":string, "name":string, "type":string, "labels":string, "uid":string } }], "requestMetadata":{ "callerIP":string, "callerSuppliedUserAgent":string, "callerNetwork":string, "requestAttributes":string, "destinationAttributes":string }, "request":string, "response":string, "serviceData":string, "metadata":string }
The AuditLog payload
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_event_time
timestamp
Panther added standardize event time (UTC)
p_parse_time
timestamp
Panther added standardize log parse time (UTC)
p_source_id
string
Panther added field with the source id
Previous
Fluentd Logs
Next
Github Logs
Last modified 1mo ago
Copy link
Outline
Overview
How to onboard GCP logs to Panther
Supported log types
GCP.AuditLog