GCP Audit Log Analysis
Overview
This is not an officially supported Google product.
For SOCs and SREs, Looker’s GCP Audit Log Analysis Block provides a way to explore, report on, and alert on GCP audit log data. It contains dashboards covering an Admin Activity overview and account investigation, plus one that uses the MITRE ATT&CK framework to view activities that map to attack tactics. These dashboards identify brute force attacks, accounts accessing many services in a period of time, IAM escalations, and more. As with all Looker dashboards, they can be configured and modified for your analytical needs. GCP logs can be exported to BigQuery using Aggregated Sinks in Cloud Logging. This allows you to export log entries from all the projects, folders, and billing accounts of a Google Cloud organization.
IMPORTANT NOTE: NEWER AUDIT LOG BLOCK NOW AVAILABLE
Apr 2023 - This block leverages the older "log sink" to BigQuery methodology. There is a new and improved "Log Analytics" method that would be recommended for any new projects going forward. Compare the 2 methods here. Please refer to the new Cloud Logging - Log Analytics block for the updated LookML and dashboards.