Skip to content

Latest commit

 

History

History
41 lines (29 loc) · 2.07 KB

4.21.md

File metadata and controls

41 lines (29 loc) · 2.07 KB

4.21 - Resource access by certain user identities in the past month (aggregated by day)

List distinct actions by certain user(s) or service account(s) per day in the last 30 days. This is equivalent to CSA 4.20 except identical user actions are aggregated and collapsed into one item per day in order to account for high-volume repeated actions by the same user. Results include the actor, the action performed, the resources acted on, and how many times that user action occured in a day. In case the actor is a service account, results also include the service account's impersonator if any.

You can use this query as part of your threat investigation or remediation efforts. For example, in case of a service account credential leak, use this query to identify the specific actions performed including unauthorized access by that compromised service account.

Note: Results are limited to actions that are audited. While Admin Activity audit is enabled by default, Data Access audit is enabled manually as they incur additional costs. To help you get started and evaluate which Data Access audit logs to enable, refer to Enable the Data Access audit logs.

Category: Cloud Workload Usage
Use Cases: Audit, Respond
Data Sources: Audit Logs

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

No log samples provided. Contribute log samples to this use case.

References