Now in beta · GCP Audit Logs

Your cloud logs are hiding something.
Flare finds it first.

Connects to GCP Audit Logs and surfaces anomalous patterns. Runs on a schedule. Triggers after every deploy. Catches what rules miss.

prod-gcp-audit · Dec 14 2024 · 03:15 UTC
complete
3 anomalies detected · 14,832 logs analyzed
#1 · protoPayload.methodName: SetIamPolicy · Critical · 97

SetIamPolicy called 847× in this window vs. baseline of 3/day. A service account granted Owner access to 12 production projects at 2:14 AM.

Baseline: 0.4% of events
Observed: 67% of events
#2 · httpRequest.remoteIp: 185.220.101.47 · Critical · 91

Known Tor exit node (Proofpoint dataset). First appearance in 90-day history. All 23 API calls succeeded.

Baseline: Never seen
Observed: 23 calls
#3 · protoPayload.status.code: PERMISSION_DENIED · High · 76

340 PERMISSION_DENIED errors in 15 min · 98× the daily average. Consistent with automated credential stuffing.

Baseline: 0.1% of events
Observed: 12% of events

Ask Flare: "Why is SetIamPolicy anomalous?"

How it works

From connected to findings in minutes

AI Analysis

Plain-English explanations

Every anomaly comes with a human-readable explanation of what happened and why it matters. No raw JSON, no guesswork.

Critical · protoPayload.methodName: SetIamPolicy

SetIamPolicy was called 847 times vs. a baseline of 3-4/day. A single service account granted Owner access to 12 production projects between 02:00-03:15 UTC.

GCP
Flare

IAM: Read-Only Access

Connecting via OAuth...

Zero data retention

Read-only access. Logs analyzed in memory and discarded. Only findings are stored.

Conversational

Investigate with follow-ups

Ask questions about any finding. Flare remembers the full analysis context.

Why is this suspicious?

This service account has a 90-day history of read-only storage operations. Executing SetIamPolicy and CreateServiceAccountKey is completely outside its behavioral baseline. The account is likely compromised.

Continuous protection

Set it once. Flare watches forever.

Scheduled runs monitor around the clock. Deploy webhooks compare before and after every deployment. PR Security Check catches misconfigurations before they merge. Incident Scope reconstructs what happened during a security event. All automatic.

Scheduled runs

Flare scans your audit logs every hour, every 6 hours, or once a day. Each run compares against your historical baseline and flags what changed. No manual triggering needed.

Every hour · Every 6h · Daily

Deploy webhooks

NEW

One line in your CI/CD pipeline. Every deploy triggers an automatic security review that compares pre-deploy and post-deploy audit logs. New service accounts, IAM changes, and permission shifts surface immediately.

curl -X POST https://tryflare.ai/api/webhooks/deploy \
  -H "Authorization: Bearer $FLARE_TOKEN"

PR Security Check

NEW

Catch IAM misconfigurations, overly broad permissions, and privilege escalation paths before they reach production. Reviews Terraform, CloudFormation, and IAM policy changes on every pull request.

- uses: tryflare-ai/pr-security-check@v1
  with:
    token: ${{ secrets.FLARE_API_KEY }}

Incident Scope

NEW

When something goes wrong, trigger an on-demand analysis of any time window. Flare reconstructs the timeline across services, identifies lateral movement, and creates a GitHub Issue with findings.

- uses: tryflare-ai/incident-scope@v1
  with:
    token: ${{ secrets.FLARE_API_KEY }}
    time-from: ${{ inputs.time_from }}

Built different

A completely different approach

Pricing

No ingestion fees. Ever.

Traditional SIEMs charge per GB. Flare reads logs directly from GCP, analyzes on demand, and stores only findings.

Logs stay in your GCP project
Only findings stored, never raw data
Flat cost, not tied to log volume

Traditional SIEMs

Ingest & store all logs
Per-GB pricing
Data on their servers

AI-Native

LLM-first detection

No rules to write. No thresholds to tune. Flare understands context: rare IPs, odd timing, unusual operations.

0 rules to write

Privacy

Zero data retention

Logs stay in GCP. Analyzed in memory, only findings stored.

Focus

Ranked by impact

Every anomaly scored 0-100. Know exactly where to focus first.

Clarity

Plain English, always

Every finding comes with a clear explanation you can act on.

Interactive

Conversational follow-up

Chat with Flare about any anomaly. Full context persists.

24/7

Automated monitoring

Scheduled runs, deploy webhooks, and incident scope. Configure once.

Hourly · Deploy · Incident

Ready to get started?

Connect your GCP project. Set up automated monitoring in under two minutes. No credit card required.

GCP Audit Logs · No credit card · AWS & Azure coming soon