Ensure log metric filter and alerts exist for Audit Configuration Changes

Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, "who did what, where, and when?" within GCP projects.

Category

Controls

Low

Applies to

Google Cloud

Coverage

1 query

Asset types

1 covered

Overview

Cloud audit logging records the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.

Rationale

Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.

Configuring the metric filter and alerts for audit configuration changes ensures that any change to the recommended audit configuration is noticed promptly, so that all activities in the project remain auditable at any point in time. In particular, an attacker or careless administrator who removes a Data Access log type would otherwise blind later investigations without anyone being told.

Remediation guidance

Google Cloud Remediation

Service-wide fix (recommended): define a standard set of log-based metrics and alert policies for high-value audit events, then deploy the same pack to every production project. A project-level metric only sees SetIamPolicy calls logged in that project; audit configuration set at the folder or organization level is logged on that resource, so cover those with a metric in the aggregated location you use for organization-level logs.

Google Cloud console

Create the log-based metric:

  1. Open Logging -> Logs-based metrics.
  2. Create a new counter metric.
  3. Use this filter:
     protoPayload.methodName="SetIamPolicy" AND
     protoPayload.serviceData.policyDelta.auditConfigDeltas:*
  4. Save the metric.
  5. Create an alert from that metric and attach at least one notification channel.

Google Cloud CLI

Create the metric:

gcloud logging metrics create audit-config-changes --description="Audit config changes" --log-filter='protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*'

Example alert policy definition (save it as policy.yaml; <project-id> and <channel-id> are placeholders for your project and an existing notification channel):

displayName: Audit configuration changes
combiner: OR
conditions:
- displayName: Audit config change detected
  conditionThreshold:
    filter: 'metric.type="logging.googleapis.com/user/audit-config-changes" AND resource.type="global"'
    comparison: COMPARISON_GT
    thresholdValue: 0
    duration: 0s
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_DELTA
enabled: true
notificationChannels:
- projects/<project-id>/notificationChannels/<channel-id>

Apply the policy:

gcloud monitoring policies create --policy-from-file=policy.yaml
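To see exactly which log entries the filter above counts, and why the threshold in the alert policy fires on the first one, here is an added example that replays the filter locally over constructed Admin Activity entries. It is not Cyscale's or Google's code; the entries, project, and principal addresses are made up, and only the field names follow the Cloud Audit Logs layout used in the filter.

```python
"""Replay the audit-config-change metric filter over sample Admin Activity
entries and apply the alert policy's threshold (added example, not code
from the original page; the entries below are constructed)."""
from __future__ import annotations

from typing import Any

# Constructed sample entries, not captured from a real project.
SAMPLE_ENTRIES: list[dict[str, Any]] = [
    # 1. Turns on DATA_READ logging for all services: must match.
    {
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "serviceData": {"policyDelta": {"auditConfigDeltas": [
                {"action": "ADD", "service": "allServices", "logType": "DATA_READ"},
            ]}},
        },
    },
    # 2. Same method, but only a role binding changed: must not match,
    #    even though SetIamPolicy was called.
    {
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"},
            ]}},
        },
    },
    # 3. Removes DATA_WRITE logging for Cloud Storage: must match (a removal
    #    is the change this control most wants to surface).
    {
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "attacker@example.com"},
            "serviceData": {"policyDelta": {"auditConfigDeltas": [
                {"action": "REMOVE", "service": "storage.googleapis.com", "logType": "DATA_WRITE"},
            ]}},
        },
    },
    # 4. Unrelated admin call: must not match.
    {
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "deployer@example.com"},
        },
    },
]


def _lookup(entry: dict[str, Any], dotted: str) -> Any:
    """Walk a dotted field path the way the Logging query language does."""
    cur: Any = entry
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def field_present(value: Any) -> bool:
    """Semantics of the `field:*` operator: the field exists and is not empty."""
    if value is None:
        return False
    if isinstance(value, (str, list, dict)):
        return len(value) > 0
    return True


def matches_audit_config_change(entry: dict[str, Any]) -> bool:
    """Local equivalent of the metric filter:
    protoPayload.methodName="SetIamPolicy" AND
    protoPayload.serviceData.policyDelta.auditConfigDeltas:*
    """
    return (
        _lookup(entry, "protoPayload.methodName") == "SetIamPolicy"
        and field_present(_lookup(entry, "protoPayload.serviceData.policyDelta.auditConfigDeltas"))
    )


def summarize_deltas(entry: dict[str, Any]) -> list[str]:
    """One line per audit-config delta, suitable for the alert notification body."""
    who = _lookup(entry, "protoPayload.authenticationInfo.principalEmail") or "unknown"
    deltas = _lookup(entry, "protoPayload.serviceData.policyDelta.auditConfigDeltas") or []
    return [f"{d.get('action')} {d.get('logType')} on {d.get('service')} by {who}" for d in deltas]


def count_matches(entries: list[dict[str, Any]]) -> int:
    """What the counter metric reports for one 60s alignment window (ALIGN_DELTA)."""
    return sum(1 for e in entries if matches_audit_config_change(e))


def should_alert(count: int, threshold: int = 0) -> bool:
    """COMPARISON_GT with thresholdValue 0 and duration 0s: a single match fires."""
    return count > threshold


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        if matches_audit_config_change(e):
            print("\n".join(summarize_deltas(e)))
    print("alert:", should_alert(count_matches(SAMPLE_ENTRIES)))
```

Entry 2 is the case worth noting: plain role grants also go through SetIamPolicy, so without the `auditConfigDeltas:*` clause this metric would count every IAM change and the alert would be noisy; with it, only changes to which log types are collected are counted.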

References

  • https://cloud.google.com/logging/docs/logs-based-metrics
  • https://docs.cloud.google.com/sdk/gcloud/reference/monitoring/policies/create

Query logic

These are the stored checks tied to this control.

Log metric filter and alerts exist for Audit Configuration Changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging5{...AssetFragment}
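The stored check passes when it produces no findings. The added example below, which is not Cyscale's stored query, shows the same decision written out: a project is compliant when it has a log-based metric whose filter matches the one in the remediation and at least one enabled alert policy, with a notification channel, whose condition reads that metric. The inputs are dicts shaped like the JSON that `gcloud logging metrics list --format=json` and `gcloud monitoring policies list --format=json` return; they are constructed by hand here rather than fetched from a project, and the project ID and channel ID are placeholders.

```python
"""Evaluate whether a project has both the metric and the alert for audit
configuration changes (added example, not the page's stored query; the
inputs are constructed to resemble gcloud JSON output)."""
from __future__ import annotations

import re
from typing import Any

EXPECTED_FILTER = (
    'protoPayload.methodName="SetIamPolicy" AND '
    'protoPayload.serviceData.policyDelta.auditConfigDeltas:*'
)

# Constructed inputs (placeholders, not a real project).
COMPLIANT_METRICS: list[dict[str, Any]] = [
    {
        "name": "audit-config-changes",
        "description": "Audit config changes",
        # Line break as the console would store it; normalized before comparing.
        "filter": 'protoPayload.methodName="SetIamPolicy" AND\n'
                  'protoPayload.serviceData.policyDelta.auditConfigDeltas:*',
    },
]
COMPLIANT_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Audit configuration changes",
        "enabled": True,
        "conditions": [{"conditionThreshold": {
            "filter": 'metric.type="logging.googleapis.com/user/audit-config-changes" '
                      'AND resource.type="global"',
            "comparison": "COMPARISON_GT",
            "thresholdValue": 0,
        }}],
        "notificationChannels": ["projects/example-project/notificationChannels/1234567890"],
    },
]


def _normalize(filter_text: str) -> str:
    """Collapse whitespace so a filter split over lines still compares equal."""
    return re.sub(r"\s+", " ", filter_text).strip()


def find_matching_metrics(metrics: list[dict[str, Any]]) -> list[str]:
    """Names of log-based metrics whose filter is exactly the expected one."""
    want = _normalize(EXPECTED_FILTER)
    return [m["name"] for m in metrics if _normalize(m.get("filter", "")) == want]


def policies_for_metric(metric_name: str, policies: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Alert policies with a condition on logging.googleapis.com/user/<metric_name>."""
    needle = f'metric.type="logging.googleapis.com/user/{metric_name}"'
    found = []
    for p in policies:
        for cond in p.get("conditions", []):
            if needle in cond.get("conditionThreshold", {}).get("filter", ""):
                found.append(p)
                break
    return found


def metric_coverage_gap(metric_name: str, policies: list[dict[str, Any]]) -> str | None:
    """Why this metric does not yet satisfy the control, or None if it does."""
    linked = policies_for_metric(metric_name, policies)
    if not linked:
        return f"metric {metric_name!r} has no alert policy"
    enabled = [p for p in linked if p.get("enabled", False)]
    if not enabled:
        return f"all alert policies on metric {metric_name!r} are disabled"
    if not any(p.get("notificationChannels") for p in enabled):
        return f"no enabled alert policy on metric {metric_name!r} has a notification channel"
    return None


def evaluate(metrics: list[dict[str, Any]], policies: list[dict[str, Any]]) -> list[str]:
    """Return findings; an empty list means the control passes (the page's `eq []`)."""
    names = find_matching_metrics(metrics)
    if not names:
        return ["no log-based metric uses the audit-config-change filter"]
    findings = []
    for name in names:
        gap = metric_coverage_gap(name, policies)
        if gap is None:
            return []  # one fully wired metric is enough
        findings.append(gap)
    return findings


if __name__ == "__main__":
    print(evaluate(COMPLIANT_METRICS, COMPLIANT_POLICIES))
    print(evaluate(COMPLIANT_METRICS, []))
```

The comparison is deliberately exact after whitespace normalization: a metric whose filter drops the `auditConfigDeltas:*` clause, or adds an extra condition, is reported as missing rather than accepted as close enough, because such drift is how the alert ends up watching the wrong events.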
© 2026 Cyscale Limited

LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon