# GCP Audit Logs

Google Cloud Audit Logs record administrative and data-access activity across your Google Cloud organization, capturing the user, service, and resource behind every API call. Connecting GCP Audit Logs forwards these logs to Radiant Security through a BigQuery sink that Radiant polls for new records. Radiant uses GCP audit activity during the Enrichment stage to attribute alerts to specific principals, projects, and resources, giving analysts a verifiable trail of who did what in your cloud environment.

{% hint style="warning" %}
GCP Audit Logs record every access made by users and services in your environment, which can drive unexpected costs for both Cloud Logging and BigQuery storage. Review the [Cloud Logging pricing guide](https://cloud.google.com/stackdriver/pricing) and the [Bigtable audit log cost guide](https://cloud.google.com/bigtable/docs/audit-log-estimate-costs) before enabling, and monitor Logging Storage usage under **Monitoring > Logs Storage** after rollout.
{% endhint %}

### Prerequisites

* [ ] Owner or Editor role on your Google Cloud organization
* [ ] Logging Admin role at the organization level
* [ ] BigQuery Admin role in the target project

### Enable audit logs

As previously noted, some services may generate high volumes of logs, potentially increasing your billing costs. We recommend enabling logging for all services by following **steps 4** and **5**. If you later find that specific services are generating excessive logs, you can disable logging for them. To disable a specific log, follow **step 6**.

1. Open the [Google Cloud console](https://console.cloud.google.com/).
2. At the top of the page, set the scope to your **Organization**.
3. From the navigation menu, go to **IAM & Admin > Audit Logs**.
4. At the bottom of the page, set rows per page to **200** so every service is visible on one screen.

<figure><img src="/files/bXEjjvNJx6QQfXi6YqiY" alt=""><figcaption></figcaption></figure>

5. Select the checkbox in the column header to select all services. In the panel that appears, under **Permission Types**, select **Admin Read**, **Data Read**, and **Data Write**, then click **Save**.

<figure><img src="/files/EvavyDbghbq4k2KDXjWW" alt=""><figcaption></figcaption></figure>

6. (Optional) To disable logging for a specific service (e.g., Bigtable):
   * Search for and select the service.
   * In the panel that appears, under **Permission Types**, clear all log types and click **Save**.

<figure><img src="/files/dPrrJzAhbnqUqnzNZBjP" alt=""><figcaption></figcaption></figure>

### Create a service account

The service account must live in the same project as the BigQuery dataset you will create in a later section. If you already have a service account for the GCP Security Command Center (SCC) connector in that project, you can reuse it and skip ahead to **Create a BigQuery dataset**.

1. Go to **IAM & Admin > Service Accounts**.
2. Click **Create Service Account**.

<figure><img src="/files/7IWMsdhjNA4z2P84oItv" alt=""><figcaption></figcaption></figure>

3. Enter the following:
   * **Service account name**: `radiant-audit-logs-connector`
   * **Service account description**: a description that identifies the account's purpose
4. Copy the **Email address** generated for the account. You will need it in a later step.

<div align="left"><figure><img src="/files/YCGobHBQ5yIpbXJgcXp3" alt="" width="563"><figcaption></figcaption></figure></div>

5. Click **Create and Continue**.
6. Under **Grant this service account access to project**, add both of the following roles:
   * **Log Viewer**
   * **BigQuery Admin**

<div align="left"><figure><img src="/files/ZtDMXaZPV5RjwXXqM3gC" alt="" width="563"><figcaption></figcaption></figure></div>

7. Click **Continue**, then click **Done**.

### Create service account keys

1. On the **Service Accounts** page, click the account you created in the previous section.
2. Open the **Keys** tab, then click **Add Key > Create New Key**.

<div align="left"><figure><img src="/files/NmtK6LccrxvQrAEuYCRu" alt="" width="563"><figcaption></figcaption></figure></div>

3. Select **JSON** and click **Create**.
4. The JSON file downloads automatically. Save it in a secure location. You will upload it to Radiant in the final step.

### Create a BigQuery dataset

1. From the navigation menu, open **BigQuery**.
2. In the **Explorer** panel, open the menu next to your project and click **Create dataset**.

<div align="left"><figure><img src="/files/prTy7lT81MtyvWTP039q" alt="" width="563"><figcaption></figcaption></figure></div>

3. Enter the following:
   * **Dataset ID**: `radiant_connector`
   * **Default maximum table age**: `30 Days`

<div align="left"><figure><img src="/files/x5Xmayn9meK87wpqZrvC" alt="" width="563"><figcaption></figcaption></figure></div>

4. Click **Create Dataset**.

{% hint style="info" %}
Double-check the spelling of the **Dataset ID**. You will reference this exact value when configuring the log sink in the next section.
{% endhint %}

### Create a log sink

{% hint style="warning" %}
Confirm the scope at the top of the page is set to your **Organization** before continuing. The sink must capture logs from the entire organization, not a single project.
{% endhint %}

1. Go to **Logging > Log Router**.
2. Click **Create sink**.
3. Enter the following:
   * **Sink name**: `radiant_audit_logs`
   * **Sink description**: a description that identifies the sink's purpose
4. Click **Next**.

<div align="left"><figure><img src="/files/7KO9fqriKuX8rkoDRqRi" alt="" width="563"><figcaption></figcaption></figure></div>

5. Under **Select sink service**, select **BigQuery**.
6. For **Sink destination**, select **Use a BigQuery dataset in a project**. GCP auto-populates the destination as `bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]`. Replace `[PROJECT_ID]` with the ID of the project that holds the dataset, and `[DATASET_ID]` with `radiant_connector`.

<div align="left"><figure><img src="/files/XgTseFGwihysMW21AQRo" alt="" width="563"><figcaption></figcaption></figure></div>

7. Leave **Use partitioned tables** unselected and click **Next**.
8. Select **Include logs ingested by this organization and all child resources**. Leave **Build inclusion filter** empty and click **Next**.

<div align="left"><figure><img src="/files/ZBPglhAE58NeygRvtD8x" alt="" width="563"><figcaption></figcaption></figure></div>

9. Leave **Build exclusion filter** empty and click **Create Sink**.

{% hint style="info" %}
If GCP returns a **Permission Denied** error, confirm you hold the **Logging Admin** role at the organization level. The **Organization Admin** role alone is not sufficient.
{% endhint %}

### Verify logs in BigQuery

1. Return to **BigQuery**.
2. Open the `radiant_connector` dataset.
3. Confirm that new tables appear and contain recent rows. The first tables typically appear within a few minutes of sink creation.

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings > Data Connectors**, then click **+ Add Connector**.
3. Search for and select **GCP Audit Logs**, then click **Data Feeds**.
4. Under **Select your data feeds**, select the **GCP Cloud Audit Logs** feed and click **Credentials**.
5. Under **Credential Name**, enter an identifiable name (e.g., `GCP Audit Logs Credentials`).
6. Under **Required Credentials**, in the **GCP project ID** field, enter the ID of the project that holds the `radiant_connector` dataset.
7. Under **Upload JSON File**, drag and drop the service account JSON key you downloaded earlier, or click **browse file** to select it.
8. Click **Add Connector**.
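Before uploading the key in step 7, you can check offline that the three values this procedure ties together (the service account key, the sink destination, and the project ID entered in Radiant) all point at the same project and dataset. This is an added example, not part of Radiant's tooling; the function name `preflight` and the sample project ID `example-sec-logging` are assumptions, and the sample key is constructed.

```python
import json
import re

# Destination format from the "Create a log sink" section of this page.
DEST_RE = re.compile(
    r"^bigquery\.googleapis\.com/projects/(?P<project>[^/]+)/datasets/(?P<dataset>[^/]+)$"
)


def preflight(key_json, sink_destination, radiant_project_id,
              expected_dataset="radiant_connector"):
    """Return a list of problems; an empty list means the inputs agree."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]

    problems = []
    if key.get("type") != "service_account":
        problems.append(f"key type is {key.get('type')!r}, not 'service_account'")
    for field in ("project_id", "client_email", "private_key"):
        if not key.get(field):
            problems.append(f"key file has no {field!r}")

    dest = DEST_RE.match(sink_destination.strip())
    if dest is None:
        return problems + ["sink destination is not a BigQuery dataset path"]
    if dest["dataset"] != expected_dataset:
        problems.append(f"sink writes to dataset {dest['dataset']!r}, not {expected_dataset!r}")
    # The service account must live in the project that holds the dataset,
    # and the same project ID goes into Radiant's "GCP project ID" field.
    if key.get("project_id") and key["project_id"] != dest["project"]:
        problems.append("service account project differs from the dataset project")
    if radiant_project_id != dest["project"]:
        problems.append("GCP project ID entered in Radiant differs from the dataset project")
    return problems


# Constructed sample inputs (placeholder project ID and key material).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-sec-logging",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "radiant-audit-logs-connector@example-sec-logging.iam.gserviceaccount.com",
})
SAMPLE_DEST = "bigquery.googleapis.com/projects/example-sec-logging/datasets/radiant_connector"

if __name__ == "__main__":
    for issue in preflight(SAMPLE_KEY, SAMPLE_DEST, "example-sec-logging") or ["no problems found"]:
        print(issue)
```

Pass the contents of the downloaded JSON key as `key_json`; the check only reads the file and never prints the private key.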

### Verify ingestion

After GCP Audit Logs begins forwarding, confirm events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"gcp_audit_logs"`.
3. Confirm recent events appear.

{% hint style="info" %}
Allow several minutes for events to be parsed, indexed, and available for search.
{% endhint %}

