GCP Audit Logs

Connect GCP Audit Logs to Radiant Security to forward Google Cloud activity logs for AI triage.

Google Cloud Audit Logs record administrative and data-access activity across your Google Cloud organization, capturing the user, service, and resource behind every API call. Connecting GCP Audit Logs forwards these logs to Radiant Security through a BigQuery sink that Radiant polls for new records. Radiant uses GCP audit activity during the Enrichment stage to attribute alerts to specific principals, projects, and resources, giving analysts a verifiable trail of who did what in your cloud environment.

GCP Audit Logs record every access made by users and services in your environment, which can drive unexpected costs for both Cloud Logging and BigQuery storage. Review the Cloud Logging pricing guide and the Bigtable audit log cost guide before enabling, and monitor Logging Storage usage under Monitoring > Logs Storage after rollout.

Prerequisites

Owner or Editor role on your Google Cloud organization
Logging Admin role at the organization level
BigQuery Admin role in the target project

Enable audit logs

As previously noted, some services may generate high volumes of logs, potentially increasing your billing costs. We recommend enabling logging for all services by following steps 4 and 5. If you later find that specific services are generating excessive logs, you can disable logging for them. To disable a specific log, follow step 6.

Open the Google Cloud console.
At the top of the page, set the scope to your Organization.
From the navigation menu, go to IAM & Admin > Audit Logs.
At the bottom of the page, set rows per page to 200 so every service is visible on one screen.

Select the checkbox in the column header to select all services. In the panel that appears, under Permission Types, select Admin Read, Data Read, and Data Write, then click Save.

(Optional) To disable logging for a specific service (e.g., Bigtable):
- Search for and select the service.
- In the panel that appears, under Permission Types, clear all log types and click Save.

Create a service account

The service account must live in the same project as the BigQuery dataset you will create in the next section. If you already have a service account for the GCP Security Command Center (SCC) connector in that project, you can reuse it and skip ahead to Create a BigQuery dataset.

Go to IAM & Admin > Service Accounts.
Click Create Service Account.

Enter the following:
- Service account name: radiant-audit-logs-connector
- Service account description: a description that identifies the account's purpose
Copy the Email address generated for the account. You will need it in a later step.

Click Create and Continue.
Under Grant this service account access to project, add both of the following roles:
- Log Viewer
- BigQuery Admin

Click Continue, then click Done.

Create service account keys

On the Service Accounts page, click the account you created in the previous section.
Open the Keys tab, then click Add Key > Create New Key.

Select JSON and click Create.
The JSON file downloads automatically. Save it in a secure location. You will upload it to Radiant in the final step.

Create a BigQuery dataset

From the navigation menu, open BigQuery.
In the Explorer panel, open the menu next to your project and click Create dataset.

Enter the following:
- Dataset ID: radiant_connector
- Default maximum table age: 30 Days

Click Create Dataset.

Double-check the spelling of the Dataset ID. You will reference this exact value when configuring the log sink in the next section.

Create a log sink

Confirm the scope at the top of the page is set to your Organization before continuing. The sink must capture logs from the entire organization, not a single project.

Go to Logging > Log Router.
Click Create sink.
Enter the following:
- Sink name: radiant_audit_logs
- Sink description: a description that identifies the sink's purpose
Click Next.

Under Select sink service, select BigQuery.
For Sink destination, select Use a BigQuery dataset in a project. GCP auto-populates the destination as bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]. Replace [PROJECT_ID] with the ID of the project that holds the dataset, and [DATASET_ID] with radiant_connector.

Leave Use partitioned tables unselected and click Next.
Select Include logs ingested by this organization and all child resources. Leave Build inclusion filter empty and click Next.

Leave Build exclusion filter empty and click Create Sink.

If GCP returns a Permission Denied error, confirm you hold the Logging Admin role at the organization level. The Organization Admin role alone is not sufficient.

Verify logs in BigQuery

Return to BigQuery.
Open the radiant_connector dataset.
Confirm that new tables appear and contain recent rows. The first tables typically appear within a few minutes of sink creation.

Add the data connector in Radiant Security

Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors, then click + Add Connector.
Search for and select GCP Audit Logs, then click Data Feeds.
Under Select your data feeds, select the GCP Cloud Audit Logs feed and click Credentials.
Under Credential Name, enter an identifiable name (e.g., GCP Audit Logs Credentials).
Under Required Credentials, in the GCP project ID field, enter the ID of the project that holds the radiant_connector dataset.
Under Upload JSON File, drag and drop the service account JSON key you downloaded earlier, or click browse file to select it.
Click Add Connector.

Verify ingestion

After GCP Audit Logs begins forwarding, confirm events are reaching Radiant.

In Radiant, navigate to Log Management.
Filter by rs_connectorType:"gcp_audit_logs".
Confirm recent events appear.

Allow several minutes for events to be parsed, indexed, and available for search.

PreviousGoogle Cloud NextGoogle Cloud Security Command Center (SCC)

Last updated 19 days ago

Was this helpful?