Professional Cloud Security Engineer Exam - Question 132


You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

✑ Export related logs for all projects in the Google Cloud organization.

✑ Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

Correct Answer: ABE

To meet the requirement of exporting and auditing security logs for login activity events and API calls that modify configurations to Google Cloud resources for all projects in the organization, you should create a Log Sink at the organization level with the includeChildren parameter. This will ensure that logs from all projects under the organization are included. Setting the destination to a Pub/Sub topic allows near real-time export of logs. Additionally, ensuring that the SIEM processes the AuthenticationInfo field in the audit log entry is crucial for gathering identity information, which is essential for auditing login activities.
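The SIEM-side step described above, as an added example that is not part of the original question or answer: it decodes a LogEntry delivered through the Pub/Sub topic and pulls identity data from `protoPayload.authenticationInfo`. The function names, output keys and sample entry are constructed for illustration, and it assumes push-style delivery where the message `data` is base64-encoded JSON.

```python
import base64
import json
from urllib.parse import unquote

# Cloud Audit Logs streams, keyed by the URL-decoded log ID in LogEntry.logName.
AUDIT_STREAMS = {
    "cloudaudit.googleapis.com/activity": "admin_activity",
    "cloudaudit.googleapis.com/data_access": "data_access",
    "cloudaudit.googleapis.com/system_event": "system_event",
    "cloudaudit.googleapis.com/policy": "policy_denied",
}

def normalize(message):
    """Flatten one Pub/Sub message holding a LogEntry; None if not an audit entry."""
    try:
        entry = json.loads(base64.b64decode(message["data"]))
        # logName looks like "<parent>/logs/cloudaudit.googleapis.com%2Factivity"
        parent, _, log_id = entry["logName"].partition("/logs/")
        payload = entry["protoPayload"]
    except (KeyError, TypeError, ValueError, AttributeError):
        return None  # missing data, bad base64/JSON, or not an audit-shaped entry
    stream = AUDIT_STREAMS.get(unquote(log_id))
    if stream is None or not isinstance(payload, dict):
        return None
    auth = payload.get("authenticationInfo") or {}
    return {
        "stream": stream,
        "source": parent,  # project, folder or organization that wrote the entry
        "principal": auth.get("principalEmail"),  # None when the entry names no caller
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "resource": payload.get("resourceName"),
        "caller_ip": (payload.get("requestMetadata") or {}).get("callerIp"),
    }

def wrap(entry):
    """Constructed helper: encode a LogEntry dict as push-style message data."""
    return {"data": base64.b64encode(json.dumps(entry).encode()).decode()}

# Constructed sample entry, not real log data.
SAMPLE = wrap({
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "resourceName": "projects/example-project",
        "requestMetadata": {"callerIp": "203.0.113.7"},
    },
})
```

Because an aggregated sink delivers entries from every child resource on one topic, the `source` value is what tells the SIEM which project or organization an event came from.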

Discussion

17 comments
cloudprincipal
Options: BD
May 31, 2022

B because for all projects. D: "Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action." https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#services

exambott
Jan 30, 2023

Google Cloud logs are different from Google Workspace logs. D is definitely incorrect.

mikez2023
Feb 16, 2023

There is no mention of anything like "Google Workspace", why is D correct?

ExamQnA
Options: BC
May 20, 2022

Ans: B, C

https://cloud.google.com/logging/docs/export/aggregated_sinks: To use aggregated sinks, you create a sink in a Google Cloud organization or folder, and set the sink's includeChildren parameter to True. That sink can then route log entries from the organization or folder, plus (recursively) from any contained folders, billing accounts, or Cloud projects.

https://cloud.google.com/logging/docs/audit#data-access Data Access audit logs -- except for BigQuery Data Access audit logs -- are disabled by default because audit logs can be quite large. If you want Data Access audit logs to be written for Google Cloud services other than BigQuery, you must explicitly enable them.

passex
Dec 28, 2022

There is no mention of 'data access logs' in the question

Nik2592s
May 25, 2023

API calls are tracked in Data access logs

luca_scalzotto
Jan 29, 2024

The question states: "API calls that modify configurations to Google Cloud resources". From the documentation: "Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions." Therefore, cannot be C.

Medofree
Options: BD
May 26, 2022

Correct answers are: B, D.
B: to respond to the "logs for all projects" requirement and the "near real-time" requirement.
D: to be able to log "login activities" we need to export audit logs from Google Workspace to Google Cloud.

Xoxoo
Options: BC
Sep 21, 2023

To export and audit security logs for login activity events in the Google Cloud Console and API calls that modify configurations to Google Cloud resources with the specified requirements, you should take the following steps:

B. Create a Log Sink at the organization level with the includeChildren parameter and set the destination to a Pub/Sub topic: This step will export related logs from all projects within the Google Cloud organization, including the logs you need. The use of Pub/Sub allows near real-time export of logs.

C. Enable Data Access audit logs at the organization level to apply to all projects: Enabling Data Access audit logs at the organization level ensures that logs related to API calls that modify configurations to Google Cloud resources are captured.

Xoxoo
Sep 21, 2023

The other options are not relevant or necessary for meeting the specified requirements:

D. "Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console" is not directly related to exporting logs for Google Cloud Console and API calls.

E. "Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information" is a consideration for how the SIEM system processes logs but is not a configuration step for exporting logs.

fad3r
Options: BC
Mar 23, 2023

B & C.

For C: https://cloud.google.com/logging/docs/audit#data-access "Publicly available resources that have the Identity and Access Management policies allAuthenticatedUsers or allUsers don't generate audit logs. Resources that can be accessed without logging into a Google Cloud, Google Workspace, Cloud Identity, or Drive Enterprise account don't generate audit logs. This helps protect end-user identities and information." It literally says it won't generate logs for non-login events. Which of course means it generates logs for all events that involve logging in.

D just handles cloud identity since their implementation on the workspace side. How they tied in workspace sucks. That wouldn't let you know who deleted or modified something like a VM or spun up a composer instance.

gcpengineer
Options: BC
May 18, 2023

BC looks like ans

aygitci
Options: BC
Oct 11, 2023

No mention of Google Workspace, definitely not D

mjcts
Options: BC
Jan 5, 2024

No mention of Google Workspace

gcpengineer
Options: BE
May 24, 2023

change to BE

desertlotus1211
Options: AB
Sep 5, 2023

Can someone explain how or why 'D' can be correct? The logs are Google Cloud not Workspace...

gurusen88
Options: BE
Feb 22, 2024

B & E

B. Organization Level Log Sink with includeChildren parameter: Creating a log sink at the organization level with the includeChildren parameter ensures that you capture logs from all projects within the organization. Setting the destination to a Pub/Sub topic is suitable for real-time log export, meeting the requirement to export logs in near real-time to an external SIEM.

E. Processing the AuthenticationInfo field: The AuthenticationInfo field in the audit log entries contains identity information, which is crucial for auditing security logs for login activity. Ensuring that the SIEM processes this field allows for a detailed analysis of who is accessing what, fulfilling the requirement to audit login activity events and API calls that modify configurations.

pico
Options: BC
May 16, 2024

Why the other options are not as suitable:

A: While creating a log sink at the organization level is correct, it won't include logs from child projects unless the includeChildren parameter is set to true.

D: Google Workspace audit logs are separate from Google Cloud audit logs and won't provide the required information about Google Cloud console logins or API calls.

E: While processing the AuthenticationInfo field is essential for identifying actors, it is not a step in the setup of the log export itself.

AzureDP900
Options: BD
Nov 5, 2022

B,D is right

[Removed]
Options: BD
Jul 26, 2023

"B", "D"

B because you need an aggregate sink to recursively pull from children entities, otherwise scope is limited to the specific level where it's created. So this also excludes A. https://cloud.google.com/logging/docs/export/aggregated_sinks#create_an_aggregated_sink

C - Data Access Audit Logs - Even though they include API events, they don't explicitly say they also include log-in events. https://cloud.google.com/logging/docs/audit#data-access

D - For Workspace Audit Logs, they explicitly say that API calls and log-in events are captured, which makes it a more complete option than "C". Also, cloud identity, which is used to manage users of GCP, is a workspace service. It would make sense that workspace logging provides cloud identity related sign-in logs. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging https://support.google.com/cloudidentity/answer/7319251

loonytunes
Options: BD
Oct 24, 2023

ANS: B, D

API calls that modify configuration of resources are in Admin Activity audit logs, which are on by default (along with System Events and Deny Policies). Thus not C. You can also enable Google Workspace logs to be forwarded to Google Cloud at the Org Level. Same link: https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#log-types

Bettoxicity
Options: AE
Mar 31, 2024

AE

A: Setting up a Log Sink at the organization level with Pub/Sub as the destination guarantees you capture logs from all projects within your organization.

E: The AuthenticationInfo field within audit log entries provides valuable details about the user or service that made the configuration change or login attempt. Your SIEM needs to be able to process this field to extract identity information for security audit purposes.

B. IncludeChildren Parameter (Not Required)

C. Data Access Audit Logs (Not Specific)

piipo
Options: BC
Jun 15, 2024

No Workspace