Audit Configuration Changed

This alert occurs when Lacework detects a change in the Audit Logs configuration. The Audit Logs configuration defines which Google Cloud services and resources are being logged and how the logs are stored and retained.

Related policy: LW_AT_RESOURCE_46: Audit Configuration Changed

Why this alert is important

When the Audit Logs configuration is changed, it can affect the logging and monitoring of important incidents in Google Cloud. For example, if a service or resource is added to the configuration, it can generate new logs for that service or resource. Conversely, if a service or resource is removed from the configuration, it can result in important incidents not being logged.

By monitoring the Audit Logs configuration, you can ensure that important incidents are properly logged and monitored. This can help with compliance requirements, troubleshooting, and security incident response.

Investigation

Follow these steps to investigate the alert:

  1. In the Google Cloud console, click the hamburger menu in the top left corner, then select Logging > Cloud Audit Logs > Cloud Audit Logs Viewer.
  2. Select the relevant project for which you want to investigate the Audit Logs configuration change.
  3. In the Filter by label or text search field, enter the following query:
    protoPayload.methodName="SetAuditConfig"
    This query filters the Audit Logs to show only the incidents where the configuration was changed.
  4. Once you have applied the filter, you should see a list of "Audit configuration changed" incidents. Click a specific incident to see its details, including the user who made the change, the time of the change, and the new audit configuration.
  5. Review the audit configuration change to ensure it follows your organization's policies and standards. If necessary, take corrective action, such as reverting the change or escalating the issue to a security team.
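To show what the review in step 4 looks like when done over exported log entries rather than by clicking through each one, here is an added Python example; it is not part of the Lacework page or product. It applies the page's methodName filter to newline-delimited Cloud Audit Log entries, extracts the actor, time, caller IP and resource, and flags deltas that reduce logging coverage (a log type removed, or an exemption added). The entries are constructed sample data, and the serviceData.policyDelta.auditConfigDeltas layout (action, service, logType, exemptedMember) is an assumption about the log shape; compare it with the real entries you see in the Logs Explorer before relying on the field names.

```python
"""Summarize audit-configuration changes from Cloud Audit Log entries.

Added example (hypothetical). The entries below are constructed and are not
real project data; the auditConfigDeltas field layout is an assumption.
"""
import json

# Filter from the investigation steps on the page.
FILTER_METHOD = "SetAuditConfig"

# Constructed newline-delimited JSON entries (one Cloud Audit Log entry per line).
SAMPLE_ENTRIES = [
    json.dumps({
        "timestamp": "2024-03-04T10:15:30Z",
        "protoPayload": {
            "methodName": "SetAuditConfig",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
            "serviceData": {"policyDelta": {"auditConfigDeltas": [
                {"action": "REMOVE", "service": "storage.googleapis.com", "logType": "DATA_READ"}
            ]}},
        },
    }),
    json.dumps({
        "timestamp": "2024-03-04T10:20:05Z",
        "protoPayload": {
            "methodName": "SetAuditConfig",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
            "serviceData": {"policyDelta": {"auditConfigDeltas": [
                {"action": "ADD", "service": "allServices", "logType": "DATA_WRITE"}
            ]}},
        },
    }),
    # Unrelated entry: does not match the filter and must be ignored.
    json.dumps({
        "timestamp": "2024-03-04T10:21:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
        },
    }),
    json.dumps({
        "timestamp": "2024-03-04T11:02:44Z",
        "protoPayload": {
            "methodName": "SetAuditConfig",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "serviceData": {"policyDelta": {"auditConfigDeltas": [
                {"action": "ADD", "service": "allServices", "logType": "ADMIN_READ",
                 "exemptedMember": "user:svc@example.com"}
            ]}},
        },
    }),
]


def matches_filter(entry: dict, method: str = FILTER_METHOD) -> bool:
    """Equivalent of the Logs Explorer query protoPayload.methodName="<method>"."""
    return entry.get("protoPayload", {}).get("methodName") == method


def reduces_coverage(delta: dict) -> bool:
    """True when a delta makes fewer events get logged.

    Removing a log type drops logging for that service; adding an exemptedMember
    stops logging that member's calls. Removing an exemption restores coverage.
    """
    exempts = bool(delta.get("exemptedMember"))
    if delta.get("action") == "REMOVE":
        return not exempts
    return exempts


def summarize(entry: dict) -> dict:
    """Pull out the fields step 4 of the investigation asks you to review."""
    payload = entry["protoPayload"]
    deltas = (payload.get("serviceData", {})
              .get("policyDelta", {})
              .get("auditConfigDeltas", []))
    return {
        "time": entry.get("timestamp"),
        "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "resource": payload.get("resourceName"),
        "deltas": deltas,
    }


def find_changes(lines) -> list:
    """Parse newline-delimited JSON entries and summarize the ones that match."""
    return [summarize(e) for e in (json.loads(line) for line in lines)
            if matches_filter(e)]


def risky_changes(summaries: list) -> list:
    """Changes worth escalating: any delta that reduces what gets logged."""
    return [s for s in summaries if any(reduces_coverage(d) for d in s["deltas"])]


if __name__ == "__main__":
    for change in find_changes(SAMPLE_ENTRIES):
        flag = "REDUCES COVERAGE" if change in risky_changes([change]) else "ok"
        print(change["time"], change["actor"], change["caller_ip"],
              change["resource"], flag, change["deltas"])
```

On real data, feed the function the lines of a log export or a sink destination instead of SAMPLE_ENTRIES. The coverage heuristic is deliberately simple: anything it flags still needs the policy check in step 5, and an ADD that widens logging is reported but not flagged.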

Resolution

If you discover an unauthorized Audit Logs configuration change, take immediate action to address the situation, including:

  • Determine which configuration settings were modified and how the change was made.
  • Gather any relevant logs, system data, and user activity information to help you identify how the unauthorized change was made.
  • Assess the impact. Determine the extent of the unauthorized change's impact on your organization, such as any potential security risks, regulatory compliance issues, or other impacts.
  • Revert the configuration settings to their original state. If you cannot do so, consider implementing alternative controls to mitigate the impact of the unauthorized change.
  • Determine how the unauthorized change occurred, including the user or entity responsible, the method used to make the change, and any vulnerabilities or weaknesses that allowed the unauthorized change to occur.
  • Address any vulnerabilities or weaknesses in your system or processes that may have allowed the unauthorized change. Consider implementing additional access controls or other security measures to prevent similar incidents.
  • Monitor your system to detect any future unauthorized changes to the audit configuration or other settings in your Google Cloud environment.