GCP Cloud Functions Execution Logs

Cloud & SaaS, Cloud Infrastructure, Google Cloud, GCP Cloud Functions, Serverless, Cloud Control Plane, SIEM / Log Aggregator

Location

Cloud Logging with resource type `cloud_function`

Description

Per-invocation logs from GCP Cloud Functions (and Cloud Run functions) with execution ID, severity, and function stdout/stderr. Parallel to Lambda's CloudWatch Logs for the GCP serverless world.

Forensic Value

Execution logs reconstruct individual function invocations, identify abnormal invocation patterns, and capture any stdout-printed attacker output. Combined with Cloud Audit Logs for the function resource, they cover both deployment and runtime phases.

Tools Required

gcloud, Cloud Logging, SIEM with GCP connector

Collection Commands

gcloud

gcloud logging read 'resource.type="cloud_function" AND resource.labels.function_name="<name>"' --freshness=7d --format=json > gcf_exec.json

gcloud (describe)

gcloud functions describe <name> --region=<region> --format=json > gcf_config.json
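
One way to turn the exported gcf_exec.json into per-invocation records and spot invocation bursts. This is an added example, not part of the original page. It assumes each entry carries its execution ID in labels.execution_id and function output in textPayload; the sample entries are constructed, and the function names are hypothetical.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

SEVERITIES = ["DEFAULT", "DEBUG", "INFO", "NOTICE", "WARNING",
              "ERROR", "CRITICAL", "ALERT", "EMERGENCY"]

def parse_ts(ts):
    # RFC 3339 UTC timestamp with up to nanosecond precision; keep microseconds.
    head, _, frac = ts.rstrip("Z").partition(".")
    base = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)

def reconstruct(entries):
    """Group log entries into one record per execution ID, ordered by start time."""
    groups = defaultdict(list)
    for e in entries:
        # Assumption: the execution ID is carried in labels.execution_id.
        groups[e.get("labels", {}).get("execution_id", "(no execution_id)")].append(e)
    invocations = []
    for exec_id, items in groups.items():
        items.sort(key=lambda e: parse_ts(e["timestamp"]))  # export is newest-first
        sev = max((e.get("severity", "DEFAULT") for e in items), key=SEVERITIES.index)
        invocations.append({"execution_id": exec_id, "max_severity": sev,
            "start": parse_ts(items[0]["timestamp"]), "end": parse_ts(items[-1]["timestamp"]),
            "output": [e["textPayload"] for e in items if "textPayload" in e]})
    return sorted(invocations, key=lambda i: i["start"])

def bursts(invocations, per_minute_limit):
    """Return the minutes in which more invocations started than the given limit."""
    counts = Counter(i["start"].strftime("%Y-%m-%dT%H:%M") for i in invocations)
    return {minute: n for minute, n in counts.items() if n > per_minute_limit}

# Constructed sample entries in the shape of `gcloud logging read --format=json` output.
SAMPLE = json.loads("""[
 {"timestamp":"2024-05-01T10:00:05.5Z","severity":"DEBUG","textPayload":"Function execution took 480 ms, finished with status code: 200","labels":{"execution_id":"ex-a"}},
 {"timestamp":"2024-05-01T10:00:05.020Z","severity":"DEBUG","textPayload":"Function execution started","labels":{"execution_id":"ex-a"}},
 {"timestamp":"2024-05-01T10:00:20.9Z","severity":"ERROR","textPayload":"Error: connect ETIMEDOUT","labels":{"execution_id":"ex-b"}},
 {"timestamp":"2024-05-01T10:00:20Z","severity":"DEBUG","textPayload":"Function execution started","labels":{"execution_id":"ex-b"}},
 {"timestamp":"2024-05-01T10:00:41Z","severity":"DEBUG","textPayload":"Function execution started","labels":{"execution_id":"ex-c"}},
 {"timestamp":"2024-05-01T10:01:02Z","severity":"DEBUG","textPayload":"Function execution started","labels":{"execution_id":"ex-d"}}
]""")

if __name__ == "__main__":
    for inv in reconstruct(SAMPLE):
        print(inv["execution_id"], inv["start"].isoformat(), inv["max_severity"], inv["output"])
    print("bursts:", bursts(reconstruct(SAMPLE), per_minute_limit=2))
```

To run it against a real export, replace SAMPLE with json.load(open("gcf_exec.json")) and set the per-minute limit from the function's normal invocation rate.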

Collection Constraints

  • Retention configured via log buckets; default 30 days, can be much shorter
  • Cloud Run functions (2nd gen) have different log surfaces than 1st gen Cloud Functions

MITRE ATT&CK Techniques

T1648, T1496