List all actions by certain user(s) or service account(s) in the last 30 days, in reverse chronological order. Results include the actor, the action performed, and the resource acted on. In case the actor is a service account, results also include the service account's impersonator if any.
You can use this query as part of your threat investigation or remediation efforts. For example, in case of a service account credential leak, use this query to identify the specific actions performed including unauthorized access by that compromised service account.
Note: Results are limited to actions that are audited. While Admin Activity audit is enabled by default, Data Access audit is enabled manually as they incur additional costs. To help you get started and evaluate which Data Access audit logs to enable, refer to Enable the Data Access audit logs.
Category: Cloud Workload Usage
Use Cases: Audit, Respond
Data Sources: Audit Logs
| BigQuery | Log Analytics | Google SecOps |
|---|---|---|
| SQL | SQL | Contribute rule |
No event generation steps provided. Contribute emulation test to this use case.
No log samples provided. Contribute log samples to this use case.