# GCP Logs

## Overview

Panther supports ingesting Google Cloud Platform (GCP) logs via common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options: Amazon Web Services (AWS) S3, AWS SQS, and Google Cloud Storage (GCS).

## How to onboard GCP logs to Panther

To connect these logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure > Log Sources**.
2. Click **Create New**.
3. Search for "GCP" then click the Google Cloud Platform tile.
4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
   * [AWS S3 bucket](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports/aws/s3)
   * [AWS SQS](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports/aws/sqs)
   * [Google Cloud Storage](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports/google/cloud-storage)
     * The [walkthrough video](#gcp-logs-video-walkthrough) below demonstrates how to onboard GCP using GCS as the data transport. For GCS, Panther uses [Pub/Sub](https://cloud.google.com/storage/docs/pubsub-notifications) to get notified of new data to consume in your bucket.
5. Configure GCP to push logs to the Data Transport source.
   * See GCP's documentation for instructions on pushing logs to your selected Data Transport source.

### GCP Logs Video Walkthrough

The video below walks through a configuration using GCS as the data transport method.

{% embed url="https://panther.wistia.com/medias/pinp8100ml" %}
Walkthrough video showing how to onboard GCP logs to Panther
{% endembed %}

## Panther-Built Detections

See Panther's built-in rules for GCP in [panther-analysis on GitHub](https://github.com/panther-labs/panther-analysis/tree/master/rules).

## Supported log types

{% hint style="info" %}
Required fields in the table are in **bold.**
{% endhint %}

### GCP.AuditLog

Cloud Audit Logs maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity, Data Access, and System Event. Google Cloud services write audit log entries to these logs to help answer the question of "who did what, where, and when?" within your Google Cloud resources.

For more information, see the [GCP documentation on Cloud Audit Logs](https://cloud.google.com/logging/docs/audit).

| Column | Type | Description |
| --- | --- | --- |
| **`logName`** | `string` | The resource name of the log to which this log entry belongs. |
| `severity` | `string` | The severity of the log entry. The default value is `LogSeverity.DEFAULT`. |
| `insertId` | `string` | A unique identifier for the log entry. |
| `resource` | `{"type": string, "labels": {string: string}}` | The monitored resource that produced this log entry. |
| `timestamp` | `timestamp` | The time the event described by the log entry occurred. |
| **`receiveTimestamp`** | `timestamp` | The time the log entry was received by Logging. |
| `labels` | `{string: string}` | A set of user-defined (key, value) data that provides additional information about the log entry. |
| `operation` | `{"id": string, "producer": string, "first": boolean, "last": boolean}` | Information about an operation associated with the log entry, if applicable. |
| `trace` | `string` | Resource name of the trace associated with the log entry, if any. |
| `httpRequest` | `{"requestMethod": string, "requestURL": string, "requestSize": bigint, "status": smallint, "responseSize": bigint, "userAgent": string, "remoteIP": string, "serverIP": string, "referer": string, "latency": string, "cacheLookup": boolean, "cacheHit": boolean, "cacheValidatedWithOriginServer": boolean, "cacheFillBytes": bigint, "protocol": string}` | Information about the HTTP request associated with this log entry, if applicable. |
| `spanId` | `string` | The span ID within the trace associated with the log entry. |
| `traceSampled` | `boolean` | The sampling decision of the trace associated with the log entry. |
| `sourceLocation` | `{"file": string, "line": bigint, "function": string}` | Source code location information associated with the log entry, if any. |
| **`protoPayload`** | `{"at_sign_type": string, "serviceName": string, "methodName": string, "resourceName": string, "numResponseItems": bigint, "status": {"code": int, "message": string, "details": string}, "authenticationInfo": {"principalSubject": string, "serviceAccountKeyName": string, "principalEmail": string, "authoritySelector": string, "thirdPartyPrincipal": string, "serviceAccountDelegationInfo": [{"firstPartyPrincipal": {"principalEmail": string, "serviceMetadata": string}, "thirdPartyPrincipal": {"thirdPartyClaims": string}}]}, "authorizationInfo": [{"resource": string, "permission": string, "granted": boolean, "resourceAttributes": {"service": string, "name": string, "type": string, "labels": string, "uid": string}}], "requestMetadata": {"callerIP": string, "callerSuppliedUserAgent": string, "callerNetwork": string, "requestAttributes": string, "destinationAttributes": string}, "request": string, "response": string, "serviceData": json, "metadata": string}` | <p>The AuditLog payload.<br><br>Note: <code>protoPayload.serviceData</code> is of type <code>json</code> because Google emits context-dependent logs. By typing it as <code>json</code>, Panther can account for anything that may be present under this field.</p> |
| **`p_log_type`** | `string` | Panther added field with type of log |
| **`p_row_id`** | `string` | Panther added field with unique id (within table) |
| **`p_event_time`** | `timestamp` | Panther added standardized event time (UTC) |
| **`p_parse_time`** | `timestamp` | Panther added standardized log parse time (UTC) |
| `p_source_id` | `string` | Panther added field with the source id |
| `p_source_label` | `string` | Panther added field with the source label |
| `p_any_ip_addresses` | `[string]` | Panther added field with collection of IP addresses associated with the row |
| `p_any_domain_names` | `[string]` | Panther added field with collection of domain names associated with the row |
| `p_any_sha1_hashes`    | `[string]`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Panther added field with collection of SHA1 hashes associated with the row                                                                                                                                                                                           |
| `p_any_md5_hashes`     | `[string]`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Panther added field with collection of MD5 hashes associated with the row                                                                                                                                                                                            |
| `p_any_sha256_hashes`  | `[string]`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Panther added field with collection of SHA256 hashes of any algorithm associated with the row                                                                                                                                                                        |

### GCP.HTTPLoadBalancer

External HTTP(S) Load Balancing distributes HTTP and HTTPS traffic to backends hosted on a variety of Google Cloud platforms (such as Compute Engine, Google Kubernetes Engine (GKE), Cloud Storage, and so on), as well as external backends connected over the internet or via hybrid connectivity. HTTP(S) load balancing logs provide information for monitoring and debugging web traffic.

For more information, see the [HTTPLoadBalancer](https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring) documentation.

```yaml
schema: GCP.HTTPLoadBalancer
parser:
  native:
    name: GCP.HTTPLoadBalancer
fields:
  - name: httpRequest
    required: true
    description: httpRequest
    type: object
    fields:
      - name: referer
        description: referer
        type: string
        indicators:
          - url
      - name: latency
        required: true
        description: latency
        type: string
      - name: remoteIp
        required: true
        description: remoteIp
        type: string
        indicators:
          - ip
      - name: requestMethod
        required: true
        description: requestMethod
        type: string
      - name: requestSize
        required: true
        description: requestSize
        type: bigint
      - name: requestUrl
        required: true
        description: requestUrl
        type: string
        indicators:
          - url
      - name: responseSize
        description: responseSize
        type: bigint
      - name: serverIp
        description: serverIp
        type: string
        indicators:
          - ip
      - name: status
        description: status
        type: bigint
      - name: userAgent
        description: userAgent
        type: string
  - name: insertId
    required: true
    description: insertId
    type: string
  - name: jsonPayload
    required: true
    description: jsonPayload
    type: object
    fields:
      - name: '@type'
        required: true
        description: '@type'
        type: string
      - name: remoteIp
        required: true
        description: remoteIp
        type: string
        indicators:
          - ip
      - name: statusDetails
        required: true
        description: statusDetails
        type: string
  - name: logName
    required: true
    description: logName
    type: string
  - name: receiveTimestamp
    required: true
    description: receiveTimestamp
    type: timestamp
    timeFormat: rfc3339
  - name: resource
    required: true
    description: resource
    type: object
    fields:
      - name: labels
        required: true
        description: labels
        type: object
        fields:
          - name: backend_service_name
            required: true
            description: backend_service_name
            type: string
          - name: forwarding_rule_name
            required: true
            description: forwarding_rule_name
            type: string
          - name: project_id
            required: true
            description: project_id
            type: string
          - name: target_proxy_name
            required: true
            description: target_proxy_name
            type: string
          - name: url_map_name
            required: true
            description: url_map_name
            type: string
          - name: zone
            required: true
            description: zone
            type: string
      - name: type
        required: true
        description: type
        type: string
  - name: severity
    required: true
    description: severity
    type: string
  - name: spanId
    required: true
    description: spanId
    type: string
  - name: timestamp
    required: true
    description: timestamp
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: trace
    required: true
    description: trace
    type: string
    indicators:
      - trace_id
```
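As an added example (not Panther's own code), the rule below is a Panther-style Python detection over GCP.HTTPLoadBalancer events shaped like the schema above: it alerts when the load balancer itself, rather than the backend, produced the response (`jsonPayload.statusDetails`), i.e. a Cloud Armor security policy blocked the request or the backend could not be reached. The `statusDetails` values are assumed from GCP's load balancer logging reference; `event` is a plain dict standing in for Panther's event object, and `deep_get` is a local stand-in for its helper of the same name.

```python
# statusDetails values emitted when the load balancer itself, not the backend, decided the
# outcome (assumption: names per GCP's HTTP(S) LB logging reference; verify against your logs)
LB_GENERATED_STATUS = {
    "denied_by_security_policy": "HIGH",    # blocked by a Cloud Armor security policy
    "failed_to_connect_to_backend": "MEDIUM",
    "backend_timeout": "MEDIUM",
}

def deep_get(event, *keys, default=None):
    """Walk nested dict keys; stand-in for Panther's event.deep_get, returns default if absent."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or cur.get(key) is None:
            return default
        cur = cur[key]
    return cur

def rule(event):
    return deep_get(event, "jsonPayload", "statusDetails") in LB_GENERATED_STATUS
def severity(event):
    return LB_GENERATED_STATUS.get(deep_get(event, "jsonPayload", "statusDetails"), "LOW")

def title(event):
    svc = deep_get(event, "resource", "labels", "backend_service_name", default="<unknown>")
    return (f"GCP LB [{svc}] answered {deep_get(event, 'httpRequest', 'status')} "
            f"({deep_get(event, 'jsonPayload', 'statusDetails')}) to "
            f"{deep_get(event, 'httpRequest', 'remoteIp')}")

def dedup(event):
    # one alert per backend service / client IP / reason within the dedup window
    return ":".join(str(v) for v in (
        deep_get(event, "resource", "labels", "backend_service_name"),
        deep_get(event, "httpRequest", "remoteIp"),
        deep_get(event, "jsonPayload", "statusDetails")))

def alert_context(event):
    return {"project_id": deep_get(event, "resource", "labels", "project_id"),
            "forwarding_rule": deep_get(event, "resource", "labels", "forwarding_rule_name"),
            "request_url": deep_get(event, "httpRequest", "requestUrl"),
            "user_agent": deep_get(event, "httpRequest", "userAgent")}

# constructed sample events shaped like the GCP.HTTPLoadBalancer schema above
SAMPLE_BLOCKED = {
    "httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/admin",
                    "status": 403, "remoteIp": "198.51.100.7", "userAgent": "curl/8.0"},
    "jsonPayload": {"remoteIp": "198.51.100.7", "statusDetails": "denied_by_security_policy"},
    "resource": {"labels": {"backend_service_name": "web-backend", "project_id": "example-project",
                            "forwarding_rule_name": "web-fr"}}}
SAMPLE_SERVED = {"httpRequest": {"status": 200, "remoteIp": "203.0.113.5"}, "resource": {"labels": {"backend_service_name": "web-backend"}},
                 "jsonPayload": {"statusDetails": "response_sent_by_backend"}}
```

Because `deep_get` returns the default whenever a level is missing, events that lack `jsonPayload` (or any other optional field) fall through to a non-match rather than raising inside the rule.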
