How to Retrieve User Activity from GCP Logs

Being able to gather user activity in GCP is useful, whether you are dealing with a security incident or just want to fully audit the actions a user has taken.

For example, if you identify that a developer’s device has been compromised, you may want to review their activity in GCP to ensure that their keys were not used to exfiltrate data or make malicious changes.

In this guide, we’ll show you how to get a log of user activity from GCP to enable you to quickly pinpoint any suspicious actions.

Understanding Google Cloud Audit Logs

In Google Cloud, many services automatically write back to audit logs designed to track activities in Google Cloud resources. The audit logs capture the following information:

• Event names
• Event descriptions
• Time event occurred
• User or service that caused the event to occur
• Any impacted systems, devices, applications, or objects
• The source of the actor’s location (hostname, IP address, country, etc.)
• Custom tags set up by users

Google Cloud audit logs differ from system logs used by programmers to troubleshoot errors. They instead document activities that companies track for compliance reasons or policy enforcement. The information captured in GCP logs varies depending on the organization, and the most significant benefit of GCP logs is that they make cloud environments as transparent as on-prem environments.

Types of Audit Logs

• Admin activity — Logs entries from API calls or actions that modify resource configuration or metadata.
• Data access — Capture API calls that read resource configuration or metadata. Data access GCP logs also track entries from API calls used to read, create, or modify user resource data.
• System event — Contain entries for GCP actions that modify system resources.
• Policy denied — Record every time GCP services restrict user or server account access because of a security policy violation.  

How to Locate GCP Logs for Specific Users

There are several ways you can go about getting someone's user activity in GCP.

Using the Google Cloud Console:

Here are the steps to get a specific user’s audit logs using the GCP Console:

1.  In the Console, go to Logging, and then Logs Explorer.

2.  Next, choose if you want to look at a specific project, folder, or at your whole organization.

3.  You can specify what logs you want to get using the Query builder. You can filter by parameters like resource type, resource labels, time range (e.g. last 1 hour, last 1 week, etc.).

You can also filter by these audit log types:

• activity for Admin Activity logs
• data_access for Data Access logs
• system_event  for System Event logs
• policy for Policy logs

4.  If you want to just query the activity for a specific user, you can type their email address into the search bar under the Query tab. This will show all logs related to the user since the field authenticationInfo.principalEmail is on each audit log record.

You can also run a query using this format if you prefer:

protoPayload.authenticationInfo.principalEmail="USER-EMAIL"

5.  Next, export the logs by clicking Download and then selecting the max log entries to export and which format, JSON or CSV.

Using the gCloud CLI:

You can also use the gcloud logging read CLI command to get logs on a specific user:

gcloud logging read "protoPayload.authenticationInfo.principalEmail = [USER-EMAIL]" 
--format json --freshness=[TIME-RANGE] --project [PROJECT-ID] 

Here’s an example command:

gcloud logging read "protoPayload.authenticationInfo.principalEmail = john.smith@blinkops.com" 
--format json --freshness=14d --project blink-demo 

You can see more information about using additional log filters here.

Query Audit Logs Faster with Blink

If your team is responding to a security incident, retrieving user logs manually and adding them to a ticket could waste valuable time.

With Blink, you trigger an automation to pull GCP activity logs and other information for a compromised user right away and enrich the incident ticket.

This automation in the Blink library is set up as a self-service app, where a team member can specify input parameters and get all the activity logs sent to an email address.

When it runs, it executes the following steps:

1. Fetches the logs for a specified email address.
2. Formats the logs for increased legibility.
3. Reports results to the relevant personnel email.

You can import this automation from the library into your account and customize it based on your organization’s needs. For example, you can drag-and-drop new actions into the canvas or set up conditional subflows.

You can build your own automation from scratch or use one of our 5K automations in the Blink library today.

Get started with Blink today to see how easy automation can be.