turbot/tailpipe-mod-gcp-audit-log-detections

GCP Audit Log Detections Mod

Tailpipe is an open-source CLI tool that allows you to collect logs and query them with SQL.

GCP provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.

The GCP Audit Log Detections Mod contains pre-built dashboards and detections, which can be used to monitor and analyze activity across your GCP projects.

Documentation

Getting Started

Install Powerpipe from the downloads page:

# MacOS
brew install turbot/tap/powerpipe
# Linux or Windows (WSL)
sudo /bin/sh -c "$(curl -fsSL https://powerpipe.io/install/powerpipe.sh)"

This mod also requires GCP audit logs to be collected using Tailpipe with the GCP plugin.

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod install github.com/turbot/tailpipe-mod-gcp-audit-log-detections

Browsing Dashboards

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Benchmarks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run gcp_audit_log_detections.benchmark.mitre_attack_v161

Different output formats are also available; for more information, see Output Formats.
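The install steps under Getting Started and the terminal benchmark run above are the pieces a team usually wants to automate, so that detection results are produced on a schedule and kept as files rather than read once from a terminal. The script below is an added example and is not part of this mod or of the Powerpipe project; it assumes that powerpipe and tailpipe are on PATH, that audit logs have already been collected with the Tailpipe GCP plugin, and that `powerpipe benchmark run` accepts the `--output json` flag (assumed here; check `powerpipe benchmark run --help` for the formats your version supports). The helper names (`benchmark_ref`, `check_prereqs`, `install_mod`, `run_benchmark`) are this example's own.

```shell
#!/bin/sh
# Added example (not the mod's own code): wrap the install-and-run procedure
# from the README so it can be used from a scheduled job or CI step.
# Assumptions: powerpipe and tailpipe are installed; GCP audit logs are already
# collected by Tailpipe; `powerpipe benchmark run --output json` is accepted.
set -eu

MOD="github.com/turbot/tailpipe-mod-gcp-audit-log-detections"
MOD_PREFIX="gcp_audit_log_detections.benchmark"

# Build the fully qualified benchmark resource name from a short name,
# passing an already qualified name through unchanged.
benchmark_ref() {
  case "$1" in
    "$MOD_PREFIX".*) printf '%s\n' "$1" ;;
    *)               printf '%s.%s\n' "$MOD_PREFIX" "$1" ;;
  esac
}

# Verify that every named tool is on PATH (defaults to powerpipe and tailpipe).
# Returns 1 and lists the missing tools on stderr if any are absent.
check_prereqs() {
  [ $# -eq 0 ] && set -- powerpipe tailpipe
  missing=""
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
  done
  if [ -n "$missing" ]; then
    echo "missing required tools:$missing" >&2
    return 1
  fi
  return 0
}

# Install (or update) the mod inside the given working directory, mirroring
# the mkdir / cd / powerpipe mod install steps from the README.
install_mod() {
  dir="$1"
  mkdir -p "$dir"
  ( cd "$dir" && powerpipe mod install "$MOD" )
}

# Run one benchmark from the mod directory and write its JSON output to a
# timestamped file under $3, printing the file path for the caller.
run_benchmark() {
  dir="$1"; name="$2"; outdir="$3"
  mkdir -p "$outdir"
  ref=$(benchmark_ref "$name")
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$outdir/${ref##*.}-$stamp.json"
  ( cd "$dir" && powerpipe benchmark run "$ref" --output json ) > "$out"
  echo "$out"
}

# Stand-alone usage: RUN_BENCHMARK=1 sh this_script.sh
# (guarded so the functions can also be sourced without running anything)
if [ "${RUN_BENCHMARK:-0}" = "1" ]; then
  check_prereqs
  install_mod ./dashboards
  run_benchmark ./dashboards mitre_attack_v161 ./results
fi
```

The JSON file written by `run_benchmark` is what you would hand to a ticketing or alerting step; keeping one file per run also gives you a simple history of which detections fired and when.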