
GCP Integration Types

Lacework onboarding offers the following types of GCP integration with your Lacework account, depending on your specific cloud environment and whether you are interested in configuration compliance or audit log monitoring:

Integration Type | Description
Configuration | Integrates with your GCP environment to analyze configuration compliance and reports alerts for anomalous behavior. You can set up the configuration integration using Terraform or the GCP Console. For more information, see:
Audit Log | Integrates with your GCP environment to analyze cloud audit logs and reports alerts for anomalous behavior. You can use one of the following methods to integrate GCP audit logs with Lacework. Note: Lacework recommends using the Pub/Sub-based audit log integration method. For more information, see GCP Audit Log Integration Methods. You can set up the audit log integration using Terraform or the GCP Console. For more information, see:
GKE Audit Log | Integrates with your GCP account to monitor and baseline Kubernetes audit logs and reports alerts for anomalous behavior. For more information, see GKE Audit Log Integrations.
Agentless Workload Scanning | Integrates with your GCP environment to scan for vulnerabilities on your hosts and containers. For more information, see GCP Agentless Workload Scanning Integrations.

GCP Audit Log Integration Methods

You can use the following methods to integrate GCP audit logs with Lacework.

Pub/Sub-Based Audit Log Integration

In this method, you create a log sink to route specific audit logs to a Pub/Sub topic in GCP. The Lacework platform ingests the logs by subscribing to the Pub/Sub topic. Lacework recommends this method for the following reasons:

  • The logs routed to the Pub/Sub topic are available for ingestion in a few minutes. This enables the Lacework platform to provide alerts for anomalous behavior faster than the Storage-based audit log integration method.
  • You can use the LW_ACT_GCP_ACTIVITY Lacework Query Language (LQL) datasource to create custom LQL policies to trigger alerts when policy-based violations are found in the audit logs. For more information, see Create Custom Policies.
    Note: The Pub/Sub-based audit log integration does not support the default GCP audit log policies. You must use the LW_ACT_GCP_ACTIVITY LQL datasource to create custom LQL policies.
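The sink-to-topic-to-subscription chain described above, as an added Terraform example; this is not Lacework's own Terraform module or the GCP Console procedure the docs link to. The resource names, var.project_id and var.lacework_service_account (the identity Lacework pulls messages with) are assumptions you substitute for your environment.

```hcl
# Added example (not Lacework's module): minimal Pub/Sub-based audit log sink.
# Assumed/placeholder inputs: var.project_id and var.lacework_service_account.
variable "project_id" {}
variable "lacework_service_account" {
  description = "Placeholder: member (serviceAccount:<name>@<project>.iam.gserviceaccount.com) that Lacework subscribes with"
}

provider "google" {
  project = var.project_id
}

# Topic that receives the routed audit log entries.
resource "google_pubsub_topic" "lacework_audit" {
  name = "lacework-gcp-audit-log"
}

# Log sink: route only Cloud Audit Log entries (Admin Activity, Data Access, etc.) to the topic.
resource "google_logging_project_sink" "lacework_audit" {
  name        = "lacework-gcp-audit-log-sink"
  destination = "pubsub.googleapis.com/${google_pubsub_topic.lacework_audit.id}"
  filter      = "protoPayload.@type=\"type.googleapis.com/google.cloud.audit.AuditLog\""
  # Dedicated writer service account so only this sink can publish to the topic.
  unique_writer_identity = true
}

# The sink's writer identity must be allowed to publish; without this binding
# the sink reports export errors and nothing reaches the topic.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  topic  = google_pubsub_topic.lacework_audit.name
  role   = "roles/pubsub.publisher"
  member = google_logging_project_sink.lacework_audit.writer_identity
}

# Subscription that the Lacework platform consumes.
resource "google_pubsub_subscription" "lacework" {
  name                       = "lacework-gcp-audit-log-sub"
  topic                      = google_pubsub_topic.lacework_audit.name
  ack_deadline_seconds       = 300
  message_retention_duration = "604800s" # retain unacked entries for 7 days if ingestion pauses
}

# Least privilege: the Lacework identity only needs to pull from this one subscription.
resource "google_pubsub_subscription_iam_member" "lacework_subscriber" {
  subscription = google_pubsub_subscription.lacework.name
  role         = "roles/pubsub.subscriber"
  member       = var.lacework_service_account
}
```

After `terraform apply`, confirm entries are flowing by checking the sink's export error count in Cloud Monitoring and pulling a test message from the subscription before pointing Lacework at it.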

For instructions on setting up a Pub/Sub-based audit log integration, see the following topics:

For instructions on migrating an existing Storage-based audit log integration to a Pub/Sub-based audit log integration, see the following topics:

Storage-Based Audit Log Integration

Important: Starting from September 25, 2023, you cannot create a new Storage-based audit log integration. Lacework recommends that you do the following:

In this method, you create a log sink to route specific audit logs to a Cloud Storage bucket in GCP. The Lacework platform ingests the logs from the storage bucket. Lacework does not recommend this method for the following reasons:

  • When you route logs to a storage bucket, the logs are available for ingestion every hour. This results in the Lacework platform taking more time to provide alerts for anomalous behavior compared to the Pub/Sub-based audit log integration method.
  • Lacework provides default GCP audit log policies to trigger alerts when policy-based violations are found. However, you cannot create custom policies. For more information on the default policies, see GCP Audit Log Policies.

For instructions on setting up a Storage-based audit log integration, see the following topics: