4.21 - Resource access by certain user identities in the past month (aggregated by day)
April 24, 2024 ยท View on GitHub
List distinct actions by certain user(s) or service account(s) per day in the last 30 days. This is equivalent to CSA 4.20 except identical user actions are aggregated and collapsed into one item per day in order to account for high-volume repeated actions by the same user. Results include the actor, the action performed, the resources acted on, and how many times that user action occured in a day. In case the actor is a service account, results also include the service account's impersonator if any.
You can use this query as part of your threat investigation or remediation efforts. For example, in case of a service account credential leak, use this query to identify the specific actions performed including unauthorized access by that compromised service account.
Note: Results are limited to actions that are audited. While Admin Activity audit is enabled by default, Data Access audit is enabled manually as they incur additional costs. To help you get started and evaluate which Data Access audit logs to enable, refer to Enable the Data Access audit logs.
Category: Cloud Workload Usage
Use Cases: Audit, Respond
Data Sources: Audit Logs
Queries or Rules
| BigQuery | Log Analytics | Google SecOps |
|---|---|---|
| SQL | SQL | Contribute rule |
Event Generation
No event generation steps provided. Contribute emulation test to this use case.
Sample Event
No log samples provided. Contribute log samples to this use case.