Skip to content

Latest commit

 

History

History
39 lines (27 loc) · 1.81 KB

4.20.md

File metadata and controls

39 lines (27 loc) · 1.81 KB

4.20 - Resource access by certain user identities in the past month

List all actions by certain user(s) or service account(s) in the last 30 days, in reverse chronological order. Results include the actor, the action performed, and the resource acted on. In case the actor is a service account, results also include the service account's impersonator if any.

You can use this query as part of your threat investigation or remediation efforts. For example, in case of a service account credential leak, use this query to identify the specific actions performed including unauthorized access by that compromised service account.

Note: Results are limited to actions that are audited. While Admin Activity audit is enabled by default, Data Access audit is enabled manually as they incur additional costs. To help you get started and evaluate which Data Access audit logs to enable, refer to Enable the Data Access audit logs.

Category: Cloud Workload Usage
Use Cases: Audit, Respond
Data Sources: Audit Logs

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

No log samples provided. Contribute log samples to this use case.

References