Threat detection and monitoring capabilities are provided using a combination of built-in security controls from Security Command Center and custom solutions that let you detect and respond to security events.
Centralized logging for security and audit
The blueprint configures logging capabilities to track and analyze changes to your Google Cloud resources with logs that are aggregated to a single project.
The following diagram shows how the blueprint aggregates logs from multiple sources in multiple projects into a centralized log sink.
The diagram describes the following:
- Log sinks are configured at the organization node to aggregate logs from all projects in the resource hierarchy.
- Multiple log sinks are configured to send logs that match a filter to different destinations for storage and analytics.
- The prj-c-logging project contains all the resources for log storage and analytics.
- Optionally, you can configure additional tooling to export logs to a SIEM.
The blueprint uses different log sources and includes these logs in the log sink filter so that the logs can be exported to a centralized destination. The following table describes the log sources.
Log source | Description
---|---
Admin Activity audit logs | You cannot configure, disable, or exclude Admin Activity audit logs.
System Event audit logs | You cannot configure, disable, or exclude System Event audit logs.
Policy Denied audit logs | You cannot configure or disable Policy Denied audit logs, but you can optionally exclude them with exclusion filters.
Data Access audit logs | By default, the blueprint doesn't enable data access logs because the volume and cost of these logs can be high. To determine whether you should enable data access logs, evaluate where your workloads handle sensitive data and consider whether you have a requirement to enable data access logs for each service and environment working with sensitive data.
VPC Flow Logs | The blueprint enables VPC Flow Logs for every subnet. The blueprint configures log sampling to sample 50% of logs to reduce cost. If you create additional subnets, you must ensure that VPC Flow Logs are enabled for each subnet.
Firewall Rules Logging | The blueprint enables Firewall Rules Logging for every firewall policy rule. If you create additional firewall policy rules for workloads, you must ensure that Firewall Rules Logging is enabled for each new rule.
Cloud DNS logs | The blueprint enables Cloud DNS logs for managed zones. If you create additional managed zones, you must enable those DNS logs.
Google Workspace audit logs | Requires a one-time enablement step that is not automated by the blueprint. For more information, see Share data with Google Cloud services.
Access Transparency logs | Requires a one-time enablement step that is not automated by the blueprint. For more information, see Enable Access Transparency.
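The table's three "if you create additional resources, you must enable logging" rules are the kind of drift that is easy to miss in a growing environment. The following added example (not blueprint code) checks constructed subnetwork, firewall policy rule, and managed zone descriptions for that drift. The field names follow the Compute Engine REST shape for subnetworks (`logConfig.enable`, `logConfig.flowSampling`) and firewall policy rules (`enableLogging`) and the Cloud DNS managed zone shape (`cloudLoggingConfig.enableLogging`); the resource names and values are constructed samples, and the 50% sampling threshold is the value the blueprint configures.

```python
"""Flag subnets, firewall policy rules and DNS zones whose logging is not
enabled the way the blueprint configures it (added example, not blueprint
code). Field names follow the Compute Engine and Cloud DNS REST shapes;
the resources below are constructed samples."""

BLUEPRINT_FLOW_SAMPLING = 0.5  # the blueprint samples 50% of VPC flow logs


def check_subnet(subnet, min_sampling=BLUEPRINT_FLOW_SAMPLING):
    """Return findings for one subnetwork: flow logs off, or sampled below the blueprint rate."""
    findings = []
    log_config = subnet.get("logConfig", {})
    if not log_config.get("enable"):
        findings.append(f"subnet {subnet['name']}: VPC Flow Logs disabled")
    else:
        # The Compute API defaults flowSampling to 0.5 when it is not set.
        sampling = log_config.get("flowSampling", 0.5)
        if sampling < min_sampling:
            findings.append(
                f"subnet {subnet['name']}: flow sampling {sampling:.2f} "
                f"below blueprint setting {min_sampling:.2f}"
            )
    return findings


def check_firewall_rule(rule):
    """Return findings for one firewall policy rule without Firewall Rules Logging."""
    if rule.get("enableLogging"):
        return []
    desc = rule.get("description", "no description")
    return [f"firewall rule priority {rule['priority']} ({desc}): logging disabled"]


def check_dns_zone(zone):
    """Return findings for one managed zone without Cloud DNS logging."""
    if zone.get("cloudLoggingConfig", {}).get("enableLogging"):
        return []
    return [f"managed zone {zone['name']}: Cloud DNS logging disabled"]


def audit(subnets, rules, zones):
    """Run all checks and return the combined list of findings."""
    findings = []
    for subnet in subnets:
        findings += check_subnet(subnet)
    for rule in rules:
        findings += check_firewall_rule(rule)
    for zone in zones:
        findings += check_dns_zone(zone)
    return findings


# Constructed resources: one compliant item per type plus the drift cases.
SUBNETS = [
    {"name": "sb-p-shared-base-us-central1",
     "logConfig": {"enable": True, "flowSampling": 0.5,
                   "aggregationInterval": "INTERVAL_5_SEC"}},
    {"name": "sb-p-workload-new"},  # created later with no logConfig at all
    {"name": "sb-p-workload-low-sample",
     "logConfig": {"enable": True, "flowSampling": 0.1}},
]
FIREWALL_RULES = [
    {"priority": 1000, "description": "allow-iap-ssh", "enableLogging": True},
    {"priority": 2000, "description": "allow-internal-new", "enableLogging": False},
]
DNS_ZONES = [
    {"name": "fz-private-googleapis", "cloudLoggingConfig": {"enableLogging": True}},
    {"name": "fz-new-zone"},
]

if __name__ == "__main__":
    for finding in audit(SUBNETS, FIREWALL_RULES, DNS_ZONES):
        print(finding)
```

In practice the same functions would be fed the output of `gcloud compute networks subnets list --format=json`, the firewall policy rule listing, and `gcloud dns managed-zones list --format=json`, either as a scheduled job or as a policy check in the CI pipeline that applies the Terraform.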
The following table describes the log sinks and how they are used with supported destinations in the blueprint.
Sink | Destination | Purpose
---|---|---
 | Logs routed to Cloud Logging buckets with Log Analytics and a linked BigQuery dataset enabled | Actively analyze logs. Run ad hoc investigations by using Logs Explorer in the console, or write SQL queries, reports, and views using the linked BigQuery dataset.
 | Cloud Storage bucket | Store logs long-term for compliance, audit, and incident-tracking purposes. Optionally, if you have compliance requirements for mandatory data retention, we recommend that you additionally configure Bucket Lock.
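Each sink forwards only the entries that match its inclusion filter, and the organization-level sink also covers every child project. The following added example (not the blueprint's own Terraform) builds such a filter from the log source table above and evaluates it against constructed log entries, so you can see which entries a sink would route and what changes when Data Access audit logs are switched on. The log names are the documented Cloud Logging names for each source; the project ids and entries are constructed samples.

```python
"""Build the inclusion filter for an organization-level aggregated log sink and
check which constructed log entries it would route (added example, not
blueprint code). Log names are the documented Cloud Logging names; project
ids and entries are constructed."""
import re

LOG_NAMES = {
    "Admin Activity audit logs": "cloudaudit.googleapis.com%2Factivity",
    "System Event audit logs": "cloudaudit.googleapis.com%2Fsystem_event",
    "Policy Denied audit logs": "cloudaudit.googleapis.com%2Fpolicy",
    "Data Access audit logs": "cloudaudit.googleapis.com%2Fdata_access",
    "VPC Flow Logs": "compute.googleapis.com%2Fvpc_flows",
    "Firewall Rules Logging": "compute.googleapis.com%2Ffirewall",
    "Cloud DNS logs": "dns.googleapis.com%2Fdns_queries",
}

# Sources the blueprint includes by default: everything except Data Access
# audit logs, which are opt-in because of their volume and cost.
DEFAULT_SOURCES = [s for s in LOG_NAMES if s != "Data Access audit logs"]


def build_sink_filter(sources):
    """Return a Logging query that includes the named sources. The ':' operator
    is a substring ('has') match, so each term matches the log no matter which
    project in the hierarchy wrote it."""
    return " OR ".join(f'logName:"/logs/{LOG_NAMES[s]}"' for s in sources)


_TERM = re.compile(r'logName:"([^"]+)"')


def entry_matches(filter_expr, entry):
    """Evaluate an OR-joined logName filter against one log entry."""
    return any(p in entry["logName"] for p in _TERM.findall(filter_expr))


def routed_log_names(entries, filter_expr):
    """Log names an org-level sink (with include_children) would forward."""
    return [e["logName"] for e in entries if entry_matches(filter_expr, e)]


# Constructed entries from two hypothetical child projects.
SAMPLE_ENTRIES = [
    {"logName": "projects/prj-p-shared-base/logs/cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "gce_subnetwork"}},
    {"logName": "projects/prj-p-shared-base/logs/compute.googleapis.com%2Fvpc_flows",
     "resource": {"type": "gce_subnetwork"}},
    {"logName": "projects/prj-p-workload/logs/cloudaudit.googleapis.com%2Fdata_access",
     "resource": {"type": "gcs_bucket"}},
    {"logName": "projects/prj-p-workload/logs/syslog",
     "resource": {"type": "gce_instance"}},
]

if __name__ == "__main__":
    default_filter = build_sink_filter(DEFAULT_SOURCES)
    print(default_filter)
    for name in routed_log_names(SAMPLE_ENTRIES, default_filter):
        print("routed:", name)
    with_data_access = build_sink_filter(DEFAULT_SOURCES + ["Data Access audit logs"])
    print("with data access:", len(routed_log_names(SAMPLE_ENTRIES, with_data_access)), "entries")
```

The `syslog` entry is deliberately left unmatched: a workload's application logs stay in the writing project unless you add them to the filter, which is the decision point for cost versus investigative coverage when you extend the sinks.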