GCP Cloud Audit Logs
GCP Cloud Audit Logs — API calls across Compute Engine, IAM, Cloud Storage, GKE, BigQuery, and VPC networking from a multi-project organization. Includes console logins, service account operations, error injection, and 3 caller identity types.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/cloud-gcp-audit/generator.yml \
--id gcp-audit \
--live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| v1.compute.instances.list | List Compute Engine instances | ~12% | host |
| GetIamPolicy | Get project IAM policy | ~10% | iam |
| storage.objects.get | Get a Cloud Storage object | ~9% | file |
| v1.compute.instances.get | Get instance details | ~8% | host |
| google.login.LoginService.loginSuccess | Console login | ~8% | authentication |
| google.container.v1.ClusterManager.GetCluster | Get GKE cluster details | ~8% | configuration |
| v1.compute.instances.insert | Create a new VM instance | ~5% | host |
| google.cloud.bigquery.v2.JobService.InsertJob | Run BigQuery query/load job | ~6% | database |
Realism Features
- Jinja2 macros eliminate boilerplate across 22 templates
- 3 caller identity types — Service Account (55%), User (40%), GCP Service (5%)
- Error injection (~4%) — 20 realistic error scenarios mapped to specific API methods
- Console login flow with ~5% failure rate
- Multi-project environment — 3 GCP projects (production, staging, development)
- 10 IAM users across 7 departments, 10 service accounts
- 6 GCP services — Compute, IAM, Storage, GKE, BigQuery, Networking
Sample Output
{
"@timestamp": "2026-03-04T14:22:31+00:00",
"cloud": {
"availability_zone": "us-central1-a",
"project": { "id": "acme-prod-001", "name": "Acme Production" },
"provider": "gcp",
"region": "us-central1"
},
"event": {
"action": "v1.compute.instances.insert",
"category": ["host", "configuration"],
"dataset": "gcp.audit",
"kind": "event",
"module": "gcp",
"outcome": "success",
"provider": "activity",
"type": ["creation", "allowed"]
},
"gcp": {
"audit": {
"authentication_info": {
"principal_email": "michael.chen@acme.io"
},
"authorization_info": [{
"granted": true,
"permission": "compute.instances.create",
"resource_attributes": {
"name": "projects/acme-prod-001/zones/us-central1-a/instances/web-server-a1b2",
"service": "compute",
"type": "compute.instances"
}
}],
"method_name": "v1.compute.instances.insert",
"request_metadata": {
"caller_ip": "198.51.100.25",
"caller_supplied_user_agent": "google-cloud-sdk gcloud/462.0.1"
},
"resource": {
"labels": {
"instance_id": "1234567890123456789",
"project_id": "acme-prod-001",
"zone": "us-central1-a"
},
"type": "gce_instance"
},
"resource_name": "projects/acme-prod-001/zones/us-central1-a/instances/web-server-a1b2",
"service_name": "compute.googleapis.com",
"type": "type.googleapis.com/google.cloud.audit.AuditLog"
}
},
"service": { "name": "compute.googleapis.com" },
"source": { "ip": "198.51.100.25" }
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| agent_id | b2c3d4e5-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
| error_rate | 4 | Error injection rate (percentage, 0-100) |
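A practitioner consuming this generator's output usually wants to check two things against the Realism Features above (the 55/40/5 caller identity mix and the error_rate setting) and then run a detection pass over the events in the Sample Output shape. The script below is an added example written for this page; it is not part of the eventum content pack. It classifies `gcp.audit.authentication_info.principal_email` by the e-mail patterns GCP uses for user-managed service accounts and Google-managed service agents (a heuristic, not something the pack defines), measures the observed error rate from `event.outcome`, and applies three illustrative rules: a denied `authorization_info` entry, a failed console login, and a human-initiated `v1.compute.instances.insert` in a production project. The events, the project ids other than `acme-prod-001`, the second principal names, and the `loginFailure` method name are all constructed for the example.

```python
"""Triage GCP Cloud Audit events in the ECS layout the generator emits.

Added example, not code from the eventum content pack. Identity heuristics,
detection rules, and the sample events below are assumptions made here.
"""
import re
from collections import Counter

# principal_email patterns (assumption; covers the common GCP forms).
# Google-managed service agents come first because they also end in
# ".iam.gserviceaccount.com" and would otherwise classify as user-managed.
GCP_SERVICE_RE = re.compile(
    r"@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$"   # service agents
    r"|@cloudservices\.gserviceaccount\.com$"           # Google APIs agent
)
SERVICE_ACCOUNT_RE = re.compile(
    r"\.iam\.gserviceaccount\.com$|@developer\.gserviceaccount\.com$"
)


def caller_type(email: str) -> str:
    """Map a principal e-mail to gcp_service, service_account, or user."""
    if GCP_SERVICE_RE.search(email):
        return "gcp_service"
    if SERVICE_ACCOUNT_RE.search(email):
        return "service_account"
    return "user"


def identity_mix(events) -> dict:
    """Count events per caller type; compare with the pack's 55/40/5 split."""
    counts = Counter(
        caller_type(e["gcp"]["audit"]["authentication_info"]["principal_email"])
        for e in events
    )
    return dict(counts)


def error_rate(events) -> float:
    """Percentage of events whose event.outcome is not 'success'."""
    if not events:
        return 0.0
    failed = sum(1 for e in events if e["event"]["outcome"] != "success")
    return 100.0 * failed / len(events)


def detect(events):
    """Apply illustrative rules; return (rule, principal, method) tuples."""
    hits = []
    for e in events:
        audit = e["gcp"]["audit"]
        who = audit["authentication_info"]["principal_email"]
        method = audit["method_name"]
        project = e["cloud"]["project"]["id"]
        # Any authorization_info entry with granted=false is a denied call,
        # the usual footprint of permission enumeration by a weak identity.
        if any(not a.get("granted", True) for a in audit.get("authorization_info", [])):
            hits.append(("permission_denied", who, method))
        if method.startswith("google.login.") and e["event"]["outcome"] != "success":
            hits.append(("console_login_failure", who, method))
        # Humans creating VMs in production (assumed rule: "prod" in project id).
        if (method == "v1.compute.instances.insert" and "prod" in project
                and caller_type(who) == "user"):
            hits.append(("human_vm_create_in_prod", who, method))
    return hits


def _event(method, who, project, outcome="success", granted=True, permission=""):
    """Build a minimal event in the generator's ECS layout (constructed sample)."""
    auth = [{"granted": granted, "permission": permission}] if permission else []
    return {
        "cloud": {"project": {"id": project}, "provider": "gcp"},
        "event": {"action": method, "outcome": outcome, "dataset": "gcp.audit"},
        "gcp": {"audit": {"authentication_info": {"principal_email": who},
                          "authorization_info": auth,
                          "method_name": method}},
    }


# Constructed sample stream; only the first principal and project come from the page.
SAMPLE_EVENTS = [
    _event("v1.compute.instances.insert", "michael.chen@acme.io", "acme-prod-001",
           permission="compute.instances.create"),
    _event("GetIamPolicy", "ci-deploy@acme-dev-003.iam.gserviceaccount.com",
           "acme-prod-001", outcome="failure", granted=False,
           permission="resourcemanager.projects.getIamPolicy"),
    _event("google.login.LoginService.loginSuccess", "sara.ng@acme.io", "acme-prod-001"),
    # loginFailure method name is an assumption; the page lists only loginSuccess.
    _event("google.login.LoginService.loginFailure", "sara.ng@acme.io", "acme-prod-001",
           outcome="failure"),
    _event("storage.objects.get",
           "service-123456789012@gcp-sa-compute.iam.gserviceaccount.com",
           "acme-staging-002", permission="storage.objects.get"),
]

if __name__ == "__main__":
    print("identity mix:", identity_mix(SAMPLE_EVENTS))
    print(f"error rate: {error_rate(SAMPLE_EVENTS):.1f}%")
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Run it against a real generator stream by replacing SAMPLE_EVENTS with the parsed NDJSON; with error_rate left at its default of 4, error_rate() should settle near 4% and identity_mix() near the documented split over a few thousand events. The permission_denied rule keys on `authorization_info[].granted` rather than on `event.outcome`, because a denied call is the signal of interest even when a caller's other permissions in the same request were granted.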
Related Generators
AWS CloudTrail Management Events
AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.
AWS GuardDuty Findings
AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.
AWS VPC Flow Logs
AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.