Google Cloud Audit Logs
Location
Google Cloud Logging > Logs Explorer > cloudaudit.googleapis.com/*
Description
Control-plane audit logs for Google Cloud resources, including Admin Activity, Data Access, Policy Denied, and System Event logs routed through Cloud Logging.
Forensic Value
Cloud Audit Logs are the primary source for reconstructing attacker actions in Google Cloud. They identify the principal, service, method, resource name, and request metadata behind IAM changes, service configuration changes, and destructive actions across projects and folders.
Tools Required
Collection Commands
gcloud CLI
gcloud logging read 'logName:("cloudaudit.googleapis.com%2Factivity" OR "cloudaudit.googleapis.com%2Fdata_access") AND timestamp>="2026-03-01T00:00:00Z"' --format=json > gcp_audit_logs.json
Logs Explorer
Query cloudaudit.googleapis.com/activity and cloudaudit.googleapis.com/data_access for the incident window, then export the results to JSON or BigQuery
Collection Constraints
- Admin Activity and System Event logs are available by default, but many Data Access events must be explicitly enabled before the incident.
- Retention depends on Cloud Logging sinks, buckets, or downstream exports; the console alone may not preserve long-term history.
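Once the JSON export above is in hand, the first triage step is to flatten each AuditLog entry into the fields the Forensic Value section names (principal, service, method, resource, caller IP) and to check which audit log types the export actually contains, since an absent data_access log usually means the Collection Constraint above applied. The following script is an added example written for this page, not tooling from Google or from the source; the three sample entries, the project name, principals and IP address are constructed, and the high-impact method heuristic (IAM policy changes and delete calls) is an illustrative choice rather than an exhaustive list.

```python
import json
from collections import Counter

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
LOG_NAME_MARKER = "cloudaudit.googleapis.com%2F"
# Log types a complete export should contain; data_access is commonly absent
# because it was never enabled before the incident.
EXPECTED_LOG_TYPES = ("activity", "data_access", "system_event", "policy")

# Constructed sample in the shape `gcloud logging read --format=json` emits:
# a JSON array of LogEntry objects. Names, project and IP are made up.
SAMPLE_EXPORT = json.dumps([
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2026-03-02T10:17:30Z",
        "protoPayload": {
            "@type": AUDIT_LOG_TYPE,
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.delete",
            "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.5", "callerSuppliedUserAgent": "gcloud"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2026-03-02T10:15:00Z",
        "protoPayload": {
            "@type": AUDIT_LOG_TYPE,
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.5", "callerSuppliedUserAgent": "gcloud"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
        "timestamp": "2026-03-02T11:00:00Z",
        "protoPayload": {
            "@type": AUDIT_LOG_TYPE,
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.instances.migrateOnHostMaintenance",
            "resourceName": "projects/example-project/zones/us-central1-a/instances/web-2",
            "authenticationInfo": {"principalEmail": "system@google.com"},
        },
    },
])


def log_type(entry):
    """Return the audit log type (activity, data_access, ...) from logName."""
    name = entry.get("logName", "")
    return name.split(LOG_NAME_MARKER, 1)[1] if LOG_NAME_MARKER in name else None


def normalize(entry):
    """Flatten one LogEntry into the fields used to attribute an action."""
    p = entry.get("protoPayload", {})
    meta = p.get("requestMetadata", {})
    return {
        "timestamp": entry.get("timestamp"),
        "log_type": log_type(entry),
        "principal": p.get("authenticationInfo", {}).get("principalEmail"),
        "service": p.get("serviceName"),
        "method": p.get("methodName"),
        "resource": p.get("resourceName"),
        "caller_ip": meta.get("callerIp"),
        "user_agent": meta.get("callerSuppliedUserAgent"),
    }


def is_high_impact(event):
    """Illustrative heuristic: IAM policy changes and delete calls."""
    m = (event["method"] or "").lower()
    return "setiampolicy" in m or m.endswith(".delete") or m.endswith("delete")


def build_timeline(export_json):
    """Parse the export, keep only AuditLog entries, sort by timestamp."""
    entries = json.loads(export_json)
    events = [normalize(e) for e in entries
              if e.get("protoPayload", {}).get("@type") == AUDIT_LOG_TYPE]
    events.sort(key=lambda e: e["timestamp"] or "")
    return events


def coverage_report(events):
    """Count entries per audit log type and list expected types with none."""
    counts = Counter(e["log_type"] for e in events)
    return {"counts": dict(counts),
            "missing": [t for t in EXPECTED_LOG_TYPES if counts[t] == 0]}


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EXPORT)
    for ev in timeline:
        flag = "!" if is_high_impact(ev) else " "
        print(f"{flag} {ev['timestamp']} {ev['principal']} {ev['caller_ip']} "
              f"{ev['service']} {ev['method']} {ev['resource']}")
    print(coverage_report(timeline))
```

Run it against a real export by replacing SAMPLE_EXPORT with the contents of gcp_audit_logs.json; the "missing" list in the coverage report tells you up front whether the blind spots described under Collection Constraints apply before you start attributing actions.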
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.