How to Get User Creation Events from GCP Logs

If you are investigating a security incident, tracking down user creation events in your cloud provider can help you assess your risk. In this guide, we'll show you how to get user creation events in GCP.


One part of securing your GCP account is monitoring user creation events, since bad actors may try to expand their access. The corresponding entries in your GCP logs record when new users are created, including when, by whom, and with what permissions.

In this guide, we’ll show you how to get user creation events from your GCP logs.

How to Get User Creation Events From the GCP Logs

You can retrieve User Creation Events from GCP Logs in two ways: Google Cloud Command Line Interface (gcloud CLI) or Google Cloud Console (GCP Console).

Using the GCP Console:

  1. Open GCP Console at https://console.cloud.google.com/.
  2. Choose the project for which you want to find the User Creation Events record.
  3. In the top-left corner, press the menu icon (≡) to navigate to the “Stackdriver Logging” page.
  4. Select “Logging” under “Observability.”
  5. On the “Logs Viewer” page, enter the following filter in the query bar at the top of the page:

resource.type=audited_resource AND protoPayload.methodName=google.cloud.iam.credentials.v1.CreateIAMUserKey AND jsonPayload.event_subtype=google.cloud.iam.credentials.v1.user_key.create

  6. This filter searches the “Logs Viewer” page for User Creation Events logs with the method name “google.cloud.resourcemanager.v1.Projects.Create”, which are created when a GCP user creates a new project. Press “Submit” to apply the filter.
  7. Once the logs are displayed, select any entry to view its details.
  8. You can also download the logs in formats such as CSV and JSON: press the download button (⤓) in the top-right corner of the “Logs Viewer” page and export the logs in the file format you need.
  9. The steps above retrieve User Creation Events from the default GCP logs. To search a different log, choose it from the drop-down menu in the top-right corner of the “Logs Viewer” page.

Using the gcloud CLI:

Sign in to your GCP account with

gcloud auth login

or, if you want application-default credentials as well,

gcloud auth application-default login

Use the following command to set your default project, with <PROJECT_1> indicating your project ID:

gcloud config set project <PROJECT_1>

To retrieve the User Creation Events from GCP Logs, type:

gcloud logging read "resource.type=audited_resource AND
protoPayload.methodName=google.cloud.iam.credentials.v1.CreateIAMUserKey AND
jsonPayload.event_subtype=google.cloud.iam.credentials.v1.user_key.create" \
  --limit=50

This command returns the 50 most recent matching entries from the log data. Change the --limit parameter to retrieve fewer or more entries.

You can also save the output to a file by adding the --format option and redirecting to a file path. Type:

gcloud logging read "resource.type=audited_resource AND
protoPayload.methodName=google.cloud.iam.credentials.v1.CreateIAMUserKey AND
jsonPayload.event_subtype=google.cloud.iam.credentials.v1.user_key.create" \
  --limit=50 --format=json > user_creation_events.json

This command saves the output to a file named user_creation_events.json.

The step above retrieves User Creation Events from the default GCP logs. If you are looking for user activity records in another log, you can specify the log name with the --log-name option.
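Once the entries are in a JSON file, the next question an investigator asks is who performed each creation, when, and from where. The following script is an added example, not code from the original post or from Blink: it wraps the gcloud command above (using the filter exactly as the guide gives it), then reduces each Cloud Audit Log entry's protoPayload to those fields and flags any principal outside an approved set. The sample entries are constructed to mirror the shape gcloud prints and are not real log data; `fetch_entries` needs gcloud installed and authenticated, while the rest runs offline.

```python
"""Fetch and triage user-creation entries returned by `gcloud logging read --format=json`."""
import json
import subprocess

# The filter exactly as the guide gives it.
USER_CREATION_FILTER = (
    "resource.type=audited_resource AND "
    "protoPayload.methodName=google.cloud.iam.credentials.v1.CreateIAMUserKey AND "
    "jsonPayload.event_subtype=google.cloud.iam.credentials.v1.user_key.create"
)


def fetch_entries(project, limit=50):
    """Run gcloud and return the parsed JSON list (needs gcloud and `gcloud auth login`)."""
    cmd = [
        "gcloud", "logging", "read", USER_CREATION_FILTER,
        f"--project={project}", f"--limit={limit}", "--format=json",
    ]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out or "[]")


def summarize(entries):
    """Reduce audit log entries to the fields an investigator asks first:
    who did it, when, from which IP, and which resource was created."""
    rows = []
    for entry in entries:
        proto = entry.get("protoPayload", {})
        rows.append({
            "time": entry.get("timestamp"),
            "actor": proto.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "caller_ip": proto.get("requestMetadata", {}).get("callerIp"),
            "method": proto.get("methodName"),
            "resource": proto.get("resourceName"),
        })
    # gcloud returns newest first; oldest first reads better as a timeline
    rows.sort(key=lambda r: r["time"] or "")
    return rows


def unexpected_actors(rows, approved_actors):
    """Flag creations performed by any principal outside the approved set."""
    return [r for r in rows if r["actor"] not in approved_actors]


# Constructed sample entries in the protoPayload shape gcloud prints; not real log data.
SAMPLE_ENTRIES = [
    {
        "timestamp": "2024-05-02T10:15:00Z",
        "resource": {"type": "audited_resource"},
        "protoPayload": {
            "methodName": "google.cloud.iam.credentials.v1.CreateIAMUserKey",
            "resourceName": "projects/example-project/users/new-user-1",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
        },
    },
    {
        "timestamp": "2024-05-01T23:40:00Z",
        "resource": {"type": "audited_resource"},
        "protoPayload": {
            "methodName": "google.cloud.iam.credentials.v1.CreateIAMUserKey",
            "resourceName": "projects/example-project/users/new-user-2",
            "authenticationInfo": {"principalEmail": "contractor@example.net"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
        },
    },
]

if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for fetch_entries("<PROJECT_1>") against a real project.
    timeline = summarize(SAMPLE_ENTRIES)
    for row in timeline:
        print(row)
    print("outside approved set:", unexpected_actors(timeline, {"admin@example.com"}))
```

The approved set would normally come from your IAM change process (tickets, a break-glass list); any creation outside it is the entry to pull the full log record for.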

Using the Google Cloud Reports API:

You can also get user creation events by calling the Google Cloud Reports API with the activities.list method and setting eventName=CREATE_USER.

You can run a GET request like this for all user creation events across your account:

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CREATE_USER&maxResults=10&access_token=[YOUR_ACCESS_TOKEN]

If you want to check whether a particular user has created new users, specify that user's primary email address in the GET request like this:

GET https://admin.googleapis.com/admin/reports/v1/activity/users/[USER-EMAIL]/applications/admin?eventName=CREATE_USER&maxResults=10&access_token=[YOUR_ACCESS_TOKEN]

If you are dealing with a security incident and a compromised account, these results will enable you to better understand the scope of a risk.
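The two GET requests above return one activity record per event, each carrying an actor, a timestamp, a source IP and a parameter list. The script below is an added example, not code from the original post or from Blink: it builds the same request URL for either the all-users or single-user form, flattens the response into (time, actor, IP, created user) rows, and counts creations per actor, since a burst of new accounts from one admin is a common signal of a compromised account. It sends the token in an Authorization header instead of the access_token query parameter so the token does not end up in proxy or web-server logs. The sample response is constructed to follow the documented admin#reports#activities shape and is not real data; `fetch_activities` needs network access and a valid token, while the rest runs offline.

```python
"""Pull CREATE_USER activities from the Reports API and summarize who created whom."""
import json
import urllib.parse
import urllib.request

REPORTS_BASE = "https://admin.googleapis.com/admin/reports/v1/activity/users"


def build_url(user_key="all", max_results=10):
    """Build the request URL from the guide, for all users or one primary email address."""
    query = urllib.parse.urlencode({"eventName": "CREATE_USER", "maxResults": max_results})
    return f"{REPORTS_BASE}/{urllib.parse.quote(user_key, safe='')}/applications/admin?{query}"


def fetch_activities(access_token, user_key="all", max_results=10):
    """Issue the GET request. The bearer token travels in a header rather than the
    access_token query parameter so it is not written to URL logs along the way."""
    request = urllib.request.Request(
        build_url(user_key, max_results),
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def extract_creations(activities):
    """Flatten the activities response to one row per CREATE_USER event."""
    rows = []
    for item in activities.get("items", []):
        actor = item.get("actor", {}).get("email", "<unknown>")
        when = item.get("id", {}).get("time")
        ip = item.get("ipAddress")
        for event in item.get("events", []):
            if event.get("name") != "CREATE_USER":
                continue  # other admin events (deletes, role changes) are out of scope here
            params = {p.get("name"): p.get("value") for p in event.get("parameters", [])}
            rows.append({"time": when, "actor": actor, "ip": ip, "new_user": params.get("USER_EMAIL")})
    return rows


def creations_per_actor(rows):
    """Count creations per actor; several new accounts from one admin in a short window is worth a look."""
    counts = {}
    for row in rows:
        counts[row["actor"]] = counts.get(row["actor"], 0) + 1
    return counts


# Constructed sample in the admin#reports#activities shape; not real data.
SAMPLE_RESPONSE = {
    "kind": "admin#reports#activities",
    "items": [
        {
            "id": {"time": "2024-05-02T08:01:12.000Z", "applicationName": "admin"},
            "actor": {"email": "admin@example.com", "callerType": "USER"},
            "ipAddress": "203.0.113.10",
            "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                        "parameters": [{"name": "USER_EMAIL", "value": "new.hire@example.com"}]}],
        },
        {
            "id": {"time": "2024-05-02T08:03:45.000Z", "applicationName": "admin"},
            "actor": {"email": "admin@example.com", "callerType": "USER"},
            "ipAddress": "203.0.113.10",
            "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                        "parameters": [{"name": "USER_EMAIL", "value": "svc-backup@example.com"}]}],
        },
        {
            "id": {"time": "2024-05-02T09:30:00.000Z", "applicationName": "admin"},
            "actor": {"email": "helpdesk@example.com", "callerType": "USER"},
            "ipAddress": "198.51.100.7",
            "events": [{"type": "USER_SETTINGS", "name": "DELETE_USER",
                        "parameters": [{"name": "USER_EMAIL", "value": "old.user@example.com"}]}],
        },
    ],
}

if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for fetch_activities("<YOUR_ACCESS_TOKEN>") to query a real tenant.
    created = extract_creations(SAMPLE_RESPONSE)
    for row in created:
        print(row)
    print("creations per actor:", creations_per_actor(created))
```

When a compromised account is suspected, run the single-user form for that account first; the new_user column is the list of accounts to review or suspend as part of scoping the incident.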

Querying User Creation Events in GCP Faster with Blink

With Blink, you can run this automation to quickly get this information.

Blink Automation: Find All User Creation Events from GCP Event Logs

This GCP automation in the Blink library makes getting this information easy. When you input the time range you want information for, the automation does the following:

  1. Gets all “Create User” events from the GCP API.
  2. Formats the data to make it easier to read.
  3. Sends it to an email address you choose.

It is a simple automation, but it can also be incorporated into more complex workflows. For example, what if you want to pull user creation events automatically as part of an incident response process? You can add this automation as a subflow that is kicked off whenever suspicious GCP activity is detected.

You could also set up a regular scan of user creation events and verify them against your other tools to ensure that no outsider has been granted unauthorized access.

It’s easy to import this automation from the library into your Blink account and customize it based on your organization’s needs. Just drag-and-drop new actions into the canvas or set up no-code conditional subflows.

Build your own automations from scratch or use one of the 5K pre-built automations in the library today.

Get started with Blink today to see how easy automation can be.
