Tags: google-cloud-platform, monitoring, audit-logging

How can I detect if Audit logs on GCP have been deactivated?


I'm trying to figure out how to detect if someone deactivates the audit logs on GCP. Right now I'm monitoring audit logs from different GCP services and these logs are sent to a SIEM, but if someone deactivates the audit logs option I cannot detect it on my SIEM because the logs stop arriving.

I tried to detect it from the SIEM side by alerting if the pipelines were empty, but it didn't work. Is there a way to alert on GCP if these logs have been disabled? I searched the internet but didn't find anything clear.


Solution

  • I'll put my answer here so it's helpful to other people.

    Data Audit Logs can be enabled for each service independently. You can do that from the console (IAM & Admin > Audit Logs > select a service and enable logs).

    One way to alert if logs are disabled is to use the API. You can query the project and see which logs are enabled. Example below using gcloud:

    ➜  ~ gcloud projects get-iam-policy $PROJECT
    auditConfigs:
    - auditLogConfigs:
      - logType: ADMIN_READ
      - logType: DATA_READ
      - logType: DATA_WRITE
      service: storage.googleapis.com
    

    So this can be done either with gcloud wrapped in a script or with the GCP API.
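The check the answer describes, worked through as an added example (this is not code from the original answer): it reads the project's IAM policy in the same shape `gcloud projects get-iam-policy PROJECT --format=json` prints, merges any `allServices` entry with the per-service entries (GCP applies the union of the two), and reports every required log type that is either missing or carries `exemptedMembers`, since an exemption silently drops Data Access logs for that principal. A second function inspects the `SetIamPolicy` Admin Activity entry that GCP writes when the audit config changes, so the change itself can be alerted on rather than only the resulting state. The policy, the log entry, the service list, the service account name and the project name are all constructed for this example; the `protoPayload.serviceData.policyDelta.auditConfigDeltas` path is assumed from the `google.iam.v1.logging.AuditData` schema and should be confirmed against a real entry in your own logs.

```python
"""Detect disabled or exempted GCP Data Access audit logs.

Added example, not from the original answer. Reads the IAM policy JSON that
`gcloud projects get-iam-policy PROJECT --format=json` emits and compares it
with a required baseline. All sample data below is constructed.
"""
import json
import subprocess
import sys

# Log types that auditConfigs can enable per service (Data Access logs).
# Admin Activity logs are always on and have no entry in auditConfigs.
ALL_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample policy: an allServices entry turning on ADMIN_READ
# everywhere, storage fully enabled, cloudsql missing DATA_READ, and
# compute DATA_WRITE enabled but with a service account exempted from it.
SAMPLE_POLICY = json.loads("""
{
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "ADMIN_READ"},
                         {"logType": "DATA_READ"},
                         {"logType": "DATA_WRITE"}]},
    {"service": "cloudsql.googleapis.com",
     "auditLogConfigs": [{"logType": "ADMIN_READ"},
                         {"logType": "DATA_WRITE"}]},
    {"service": "compute.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_WRITE",
                          "exemptedMembers":
                            ["serviceAccount:etl@example.iam.gserviceaccount.com"]}]}
  ],
  "etag": "BwXyz",
  "version": 1
}
""")

# Baseline (constructed): service -> log types that must be on, with no exemptions.
REQUIRED = {
    "storage.googleapis.com": set(ALL_LOG_TYPES),
    "cloudsql.googleapis.com": set(ALL_LOG_TYPES),
    "compute.googleapis.com": {"ADMIN_READ", "DATA_WRITE"},
    "spanner.googleapis.com": {"DATA_READ", "DATA_WRITE"},
}


def enabled_log_types(policy):
    """Split auditConfigs into (per_service, allServices) maps of
    logType -> set(exemptedMembers)."""
    per_service, common = {}, {}
    for cfg in policy.get("auditConfigs", []):
        entry = {lc["logType"]: set(lc.get("exemptedMembers", []))
                 for lc in cfg.get("auditLogConfigs", [])}
        if cfg["service"] == "allServices":
            common = entry
        else:
            per_service[cfg["service"]] = entry
    return per_service, common


def findings(policy, required):
    """Return (service, logType, problem) for each gap against `required`.
    The effective config of a service is the union of allServices and its
    own entry, both for enabled log types and for exempted members."""
    per_service, common = enabled_log_types(policy)
    out = []
    for svc, wanted in required.items():
        have = dict(common)
        for lt, exempt in per_service.get(svc, {}).items():
            have[lt] = have.get(lt, set()) | exempt
        for lt in sorted(wanted):
            if lt not in have:
                out.append((svc, lt, "disabled"))
            elif have[lt]:
                out.append((svc, lt, "exempted: " + ", ".join(sorted(have[lt]))))
    return out


# Constructed SetIamPolicy Admin Activity entry (field path is an assumption
# based on google.iam.v1.logging.AuditData; verify against a real entry).
SAMPLE_SETIAMPOLICY_ENTRY = {"protoPayload": {
    "methodName": "SetIamPolicy",
    "serviceData": {"policyDelta": {"auditConfigDeltas": [
        {"action": "REMOVE", "service": "cloudsql.googleapis.com", "logType": "DATA_READ"},
        {"action": "ADD", "service": "compute.googleapis.com", "logType": "DATA_WRITE",
         "exemptedMember": "serviceAccount:etl@example.iam.gserviceaccount.com"},
        {"action": "ADD", "service": "spanner.googleapis.com", "logType": "DATA_READ"},
    ]}}}}


def audit_config_loosenings(entry):
    """From a SetIamPolicy log entry, list deltas that reduce audit coverage:
    a REMOVE of a log type, or an ADD of an exemptedMember."""
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("auditConfigDeltas", []))
    return [(d["service"], d.get("logType"), d.get("exemptedMember"))
            for d in deltas
            if (d.get("action") == "REMOVE" and not d.get("exemptedMember"))
            or (d.get("action") == "ADD" and d.get("exemptedMember"))]


def fetch_policy(project):
    """Live policy via gcloud (caller needs resourcemanager.projects.getIamPolicy)."""
    proc = subprocess.run(["gcloud", "projects", "get-iam-policy", project,
                           "--format=json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    policy = fetch_policy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_POLICY
    for svc, lt, problem in findings(policy, REQUIRED):
        print(f"ALERT {svc} {lt}: {problem}")
    for svc, lt, member in audit_config_loosenings(SAMPLE_SETIAMPOLICY_ENTRY):
        print(f"CHANGE {svc} {lt}: exempted {member}" if member else f"CHANGE {svc} {lt}: removed")
```

Run it with a project ID to check the live policy, or without arguments to run against the constructed sample. Running `findings` on a schedule covers the "logs silently stopped" case the question describes; pairing it with an alert on `SetIamPolicy` entries that carry `auditConfigDeltas` catches the change at the moment it is made, and that Admin Activity entry cannot itself be disabled.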