[New Example]Adding Cloud Audit Log Examples (GoogleCloudPlatform#717)

* Initial log commit

* Updated readme

* Updated readme file with correct links and description

* Updated main readme with link and description

* Small edit to folder-level readme

README.md

@@ -9,6 +9,7 @@ The examples folder contains example solutions across a variety of Google Cloud
 * [Anthos Service Mesh Multi-Cluster](examples/anthos-service-mesh-multicluster) - Solution to federate two private GKE clusters using Anthos Service Mesh.
 * [Anthos CICD with Gitlab](examples/anthos-cicd-with-gitlab) - A step-by-step guide to create an example CI/CD solution using Anthos and Gitlab.
 * [Audio Content Profiling](examples/ml-audio-content-profiling) - A tool that builds a pipeline to scale the process of moderating audio files for inappropriate content using machine learning APIs.
+* [Cloud Audit Log Samples](examples/audit-log-examples/) - A sample collection of Audit Logs for Users and Customers to better the structure, contents, and values contained in various log events.
 * [BigQuery Audit Log Dashboard](examples/bigquery-audit-log) - Solution to help audit BigQuery usage using Data Studio for visualization and a sample SQL script to query the back-end data source consisting of audit logs.
 * [BigQuery Audit Log Anomaly Detection](examples/bigquery-auditlog-anomaly-detection) - Sample of using BigQuery audit logs for automated anomaly detection and outlier analysis. Generates user friendly graphs for quick bq environment analysis.
 * [BigQuery Automated Email Exports](examples/bq-email-exports) - Serverless solution to automate the sending of BigQuery export results via email on a scheduled interval. The email will contain a link to a signed or unsigned URL, allowing the recipient to view query results as a JSON, CSV, or Avro file.

examples/audit-log-examples/README.md

@@ -0,0 +1,53 @@
+# GCP Sample Logs 
+## Overview
+This is a sample repository of GCP Audit Logs intended to help Operations and Security teams understand the structure and fields of logs for a variety of services. Each log file contains the log event, a brief description of the event, and the Cloud Logging query used to find events of that type.
+
+Sample GCP logs for include logs for:
+- [Google Workspace / Identity](./cloud-identity)
+  - [Adding Groupmember](./cloud-identity/identity-add-groupmember.log)
+  - [User Creation](./cloud-identity/identity-create-user.log)
+  - [User Login](./cloud-identity/identity-user-login.log)
+- [Cloud Storage ](./compute-engine)
+  - [Create Bucket (Admin Activity)](./cloud-storage/gcs-admin-activity.log)
+  - [Set Bucket IAM Permissions](./cloud-storage/gcs-admin-set-iam-permissions.log)
+  - [Create Object (Data Write)](./cloud-storage/gcs-data-access-object-create.log)
+  - [Get Object (Data Read)](./cloud-storage/gcs-data-access-object-get.log)
+  - [List Object (Data Read)](./cloud-storage/gcs-data-access-object-list.log)
+  - [Enable/Disable Object Versioning](./cloud-storage/gcs-obj-vers.log)
+  - [Public Bucket Usage](./cloud-storage/gcs-usage.log)
+- [Compute Engine](./compute-engine)
+  - [Set Instance Metadata](./compute-engine/gce-admin-set-instance-metadata-instance.log)
+  - [Set Instance Project Metadata (1)](./compute-engine/gce-admin-set-instance-metadata-project.log)
+  - [Set Instance Project Metadata (2)](./compute-engine/gce-admin-set-instance-metadata-project-2.log)
+  - [Compute Engine Logging Agent](./compute-engine/gce-os-agent-logging.log)
+- [Kubernetes Engine](./kubernetes-engine)
+  - [Create GKE Cluster (Admin Activity)](./kubernetes-engine/gke-admin-create-cluster.log)
+  - [AuditD Logs](./kubernetes-engine/gke-auditD.log)
+  - [View GKE Config (Admin Read)](./kubernetes-engine/gke-data-access-admin-read.log)
+  - [Intranode Visibility (Flow Log)](./kubernetes-engine/gke-intranode-visibility.log)
+  - [Kubernetes Log](./kubernetes-engine/gke-k8s.log)
+- [Network Telemetry](./network)
+  - [Cloud CDN](./network/cloud-cdn-response.log)
+  - [Cloud DNS Record Creation](./network/create-dns-record.log)
+  - [Cloud DNS Query](./network/dns-query.log)
+  - [HTTPS Load Balancer](./network/https-load-balancer-response.log)
+  - [Identity Aware Proxy](./network/identity-aware-proxy.log)
+  - [Cloud NAT](./network/network-cloud-nat.log)
+  - [Firewall](./network/firewall-rule.log)
+  - [VPC Flow](./network/network-vpc-flow.log)
+- [GCP Organization](./organization)
+  - [Org Policy Deny Service Account Creation](./organization/org-policy-deny-service-account-creation.log)
+  - [Org Policy Deny Service Account Key Creation](./organization/org-policy-deny-service-account-key-creation.log)
+- [Security Command Center](./security-command-center)
+  - [Bad Domain Finding](./security-command-center/scc-bad-domain.log)
+  - [Bad IP Finding](./security-command-center/scc-bad-ip.log)
+  - [Cryptocurrency Mining Finding](./security-command-center/scc-coin-mining.log)
+  - [Leaked Credential Finding](./security-command-center/scc-leaked-credentials.log)
+  - [Outgoing Intrusion Attempt Finding](./security-command-center/scc-outgoing-intrusion-attempt.log)
+  - [Account Self Investigation Finding](./security-command-center/scc-self-account-investigation.log)
+- [VPC Service Controls](./vpc-service-controls)
+  - [VPC Service Control Violation](./vpc-service-controls/vpc-sc-policy-violation.log)
+
+Coming Soon:
+- Cloud IDS
+- and more!

examples/audit-log-examples/cloud-identity/identity-add-groupmember.log

@@ -0,0 +1,57 @@
+Query: protoPayload.methodName: "google.admin.AdminService.addGroupMember"
+Adding User to Google Group:
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "authenticationInfo": {
+      "principalEmail": "service-identity@customer.com"
+    },
+    "requestMetadata": {
+      "callerIp": "8.8.8.8",
+      "requestAttributes": {},
+      "destinationAttributes": {}
+    },
+    "serviceName": "admin.googleapis.com",
+    "methodName": "google.admin.AdminService.addGroupMember",
+    "resourceName": "organizations/[ORG_ID]/groupSettings",
+    "metadata": {
+      "activityId": {
+        "timeUsec": "1620835547006000",
+        "uniqQualifier": "-5039467235533442123"
+      },
+      "event": [
+        {
+          "eventType": "GROUP_SETTINGS",
+          "eventName": "ADD_GROUP_MEMBER",
+          "parameter": [
+            {
+              "type": "TYPE_STRING",
+              "label": "LABEL_OPTIONAL",
+              "name": "USER_EMAIL",
+              "value": "newuser@customer.com"
+            },
+            {
+              "label": "LABEL_OPTIONAL",
+              "value": "group@customer.com",
+              "type": "TYPE_STRING",
+              "name": "GROUP_EMAIL"
+            }
+          ]
+        }
+      ],
+      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
+    }
+  },
+  "insertId": "3cg7gzd4pni",
+  "resource": {
+    "type": "audited_resource",
+    "labels": {
+      "method": "google.admin.AdminService.addGroupMember",
+      "service": "admin.googleapis.com"
+    }
+  },
+  "timestamp": "2021-05-12T16:05:47.006Z",
+  "severity": "NOTICE",
+  "logName": "organizations/[ORG_ID]/logs/cloudaudit.googleapis.com%2Factivity",
+  "receiveTimestamp": "2021-05-12T16:05:47.688372541Z"
+}

examples/audit-log-examples/cloud-identity/identity-create-user.log

@@ -0,0 +1,51 @@
+Query: protoPayload.methodName:"google.admin.AdminService.createUser"
+Workspace Create User:
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "authenticationInfo": {
+      "principalEmail": "garrettwong@organization.com"
+    },
+    "requestMetadata": {
+      "callerIp": "8.8.8.8",
+      "requestAttributes": {},
+      "destinationAttributes": {}
+    },
+    "serviceName": "admin.googleapis.com",
+    "methodName": "google.admin.AdminService.createUser",
+    "resourceName": "organizations/358329783625/userSettings",
+    "metadata": {
+      "event": [
+        {
+          "eventName": "CREATE_USER",
+          "eventType": "USER_SETTINGS",
+          "parameter": [
+            {
+              "value": "ben@organization.com",
+              "type": "TYPE_STRING",
+              "name": "USER_EMAIL",
+              "label": "LABEL_OPTIONAL"
+            }
+          ]
+        }
+      ],
+      "activityId": {
+        "uniqQualifier": "-8375579481294953117",
+        "timeUsec": "1628889268267000"
+      },
+      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
+    }
+  },
+  "insertId": "5u1wmtcnbb",
+  "resource": {
+    "type": "audited_resource",
+    "labels": {
+      "service": "admin.googleapis.com",
+      "method": "google.admin.AdminService.createUser"
+    }
+  },
+  "timestamp": "2021-08-13T21:14:28.267Z",
+  "severity": "NOTICE",
+  "logName": "organizations/358329783625/logs/cloudaudit.googleapis.com%2Factivity",
+  "receiveTimestamp": "2021-08-13T21:14:29.314977415Z"
+}

examples/audit-log-examples/cloud-identity/identity-user-login.log

@@ -0,0 +1,71 @@
+Query: protoPayload.methodName:"google.login.LoginService.loginSuccess"
+Workspace Login:
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "authenticationInfo": {
+      "principalEmail": "admin@gsecurity.net"
+    },
+    "requestMetadata": {
+      "callerIp": "2600::111",
+      "requestAttributes": {},
+      "destinationAttributes": {}
+    },
+    "serviceName": "login.googleapis.com",
+    "methodName": "google.login.LoginService.loginSuccess",
+    "resourceName": "organizations/614830067722",
+    "metadata": {
+      "activityId": {
+        "timeUsec": "1628808070524169",
+        "uniqQualifier": "556196293031"
+      },
+      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
+      "event": [
+        {
+          "parameter": [
+            {
+              "type": "TYPE_STRING",
+              "label": "LABEL_OPTIONAL",
+              "name": "login_type",
+              "value": "google_password"
+            },
+            {
+              "multiStrValue": [
+                "password"
+              ],
+              "label": "LABEL_REPEATED",
+              "name": "login_challenge_method",
+              "type": "TYPE_STRING"
+            },
+            {
+              "name": "is_suspicious",
+              "type": "TYPE_BOOL",
+              "boolValue": false,
+              "label": "LABEL_OPTIONAL"
+            },
+            {
+              "type": "TYPE_STRING",
+              "value": "IIPB-JS7s6ibgwE",
+              "label": "LABEL_OPTIONAL",
+              "name": "dusi"
+            }
+          ],
+          "eventName": "login_success",
+          "eventType": "login"
+        }
+      ]
+    }
+  },
+  "insertId": "ezipchda58s",
+  "resource": {
+    "type": "audited_resource",
+    "labels": {
+      "service": "login.googleapis.com",
+      "method": "google.login.LoginService.loginSuccess"
+    }
+  },
+  "timestamp": "2021-08-12T22:41:10.524169Z",
+  "severity": "NOTICE",
+  "logName": "organizations/614830067722/logs/cloudaudit.googleapis.com%2Fdata_access",
+  "receiveTimestamp": "2021-08-13T00:07:51.992089275Z"
+}

examples/audit-log-examples/cloud-storage/gcs-admin-activity.log

@@ -0,0 +1,91 @@
+Query: protoPayload.methodName: "storage.buckets.create"
+Creating Bucket:
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "status": {},
+    "authenticationInfo": {
+      "principalEmail": "benyan@organization.com"
+    },
+    "requestMetadata": {
+      "callerIp": "8.8.8.8",
+      "callerSuppliedUserAgent": "apitools Python/3.7.3 gsutil/4.66 (linux) analytics/disabled interactive/True command/mb google-cloud-sdk/352.0.0,gzip(gfe)",
+      "requestAttributes": {
+        "time": "2021-08-13T20:52:17.413982948Z",
+        "auth": {}
+      },
+      "destinationAttributes": {}
+    },
+    "serviceName": "storage.googleapis.com",
+    "methodName": "storage.buckets.create",
+    "authorizationInfo": [
+      {
+        "resource": "projects/_/buckets/usage-logs-test-benyan",
+        "permission": "storage.buckets.create",
+        "granted": true,
+        "resourceAttributes": {}
+      }
+    ],
+    "resourceName": "projects/_/buckets/usage-logs-test-benyan",
+    "serviceData": {
+      "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
+      "policyDelta": {
+        "bindingDeltas": [
+          {
+            "action": "ADD",
+            "role": "roles/storage.legacyBucketOwner",
+            "member": "projectEditor:testproject-320520"
+          },
+          {
+            "action": "ADD",
+            "role": "roles/storage.legacyBucketOwner",
+            "member": "projectOwner:testproject-320520"
+          },
+          {
+            "action": "ADD",
+            "role": "roles/storage.legacyBucketReader",
+            "member": "projectViewer:testproject-320520"
+          }
+        ]
+      }
+    },
+    "request": {
+      "defaultObjectAcl": {
+        "@type": "type.googleapis.com/google.iam.v1.Policy",
+        "bindings": [
+          {
+            "members": [
+              "projectViewer:testproject-320520"
+            ],
+            "role": "roles/storage.legacyObjectReader"
+          },
+          {
+            "role": "roles/storage.legacyObjectOwner",
+            "members": [
+              "projectOwner:testproject-320520",
+              "projectEditor:testproject-320520"
+            ]
+          }
+        ]
+      }
+    },
+    "resourceLocation": {
+      "currentLocations": [
+        "us"
+      ]
+    }
+  },
+  "insertId": "yz4x09e8y5hc",
+  "resource": {
+    "type": "gcs_bucket",
+    "labels": {
+      "bucket_name": "usage-logs-test-benyan",
+      "location": "us",
+      "project_id": "testproject-320520"
+    }
+  },
+  "timestamp": "2021-08-13T20:52:17.406366080Z",
+  "severity": "NOTICE",
+  "logName": "projects/testproject-320520/logs/cloudaudit.googleapis.com%2Factivity",
+  "receiveTimestamp": "2021-08-13T20:52:18.480958763Z"
+}