GCP Audit Log Analysis
Google BigQuery Export
For SOCs and SREs, Looker's GCP Audit Log Analysis Block provides a means for easily exploring, reporting, and alerting on GCP audit log data. It contains dashboards covering an Admin Activity overview, account investigation, and one using the MITRE ATT&CK framework to view activities that map to attack tactics. These dashboards identify brute force attacks, accounts accessing many services in a period of time, IAM escalations, and more. As with all Looker dashboards, they can be configured and modified for your analytical needs.
GCP logs can be exported to BigQuery using Aggregated Sinks in Cloud Logging. An aggregated sink lets you export log entries from all the projects, folders, and billing accounts of a Google Cloud organization into a single destination.
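The export described above, as an added example that is not part of the Looker block or Google's own tooling: a POSIX shell script that creates an organization-level aggregated sink restricted to audit logs, grants the sink's writer identity access to the BigQuery dataset, and runs a sample query in the spirit of the "accounts accessing many services" dashboard. The organization id, project id, dataset name, sink name, and the threshold of services per hour are placeholder assumptions; the column paths in the query follow the schema BigQuery uses for exported Cloud Audit Logs (`protopayload_auditlog`, `cloudaudit_googleapis_com_activity`). The query is an illustration of the idea, not the Looker block's actual logic.

```shell
#!/bin/sh
# Added example: route an organization's audit logs into BigQuery with an
# aggregated sink, then query the exported table. Not code from the page.
set -eu

# Only Admin Activity and Data Access audit logs: keeps application logs
# (which the dashboards never read) out of the dataset and off the bill.
AUDIT_FILTER='log_id("cloudaudit.googleapis.com/activity") OR log_id("cloudaudit.googleapis.com/data_access")'

# DRY_RUN=1 (the default) prints each command instead of executing it, so
# the script can be reviewed before it touches a real organization.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dataset that will receive the logs. Args: project_id dataset location
create_dataset() {
  run bq mk --dataset --location="$3" "$1:$2"
}

# Organization-scoped sink. --include-children is what makes it aggregate
# from every project and folder below the organization.
# Args: org_id project_id dataset sink_name
create_sink() {
  dest="bigquery.googleapis.com/projects/$2/datasets/$3"
  run gcloud logging sinks create "$4" "$dest" \
    --organization="$1" --include-children --use-partitioned-tables \
    --log-filter="$AUDIT_FILTER"
}

# The sink writes as its own service account (writerIdentity); grant it the
# dataset-level editor role rather than a project-wide one (least privilege).
# Args: writer_identity project_id dataset
grant_writer() {
  run bq add-iam-policy-binding --member="$1" --role=roles/bigquery.dataEditor "$2:$3"
}

# Sample detection: principals touching an unusual number of distinct
# services within one hour over the last day. Args: project_id dataset threshold
services_per_principal_sql() {
  cat <<EOF
SELECT
  TIMESTAMP_TRUNC(timestamp, HOUR) AS hour,
  protopayload_auditlog.authenticationInfo.principalEmail AS principal,
  COUNT(DISTINCT protopayload_auditlog.serviceName) AS services_touched
FROM \`$1.$2.cloudaudit_googleapis_com_activity\`
WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 DAY)
GROUP BY hour, principal
HAVING services_touched >= $3
ORDER BY services_touched DESC
EOF
}

# End-to-end run, only when a real organization id is supplied.
# Placeholder values: GCP_ORG_ID, GCP_PROJECT_ID, audit_logs, org-audit-sink, 8
if [ -n "${GCP_ORG_ID:-}" ]; then
  project="${GCP_PROJECT_ID:?set GCP_PROJECT_ID}"
  create_dataset "$project" audit_logs US
  create_sink "$GCP_ORG_ID" "$project" audit_logs org-audit-sink
  writer=$(gcloud logging sinks describe org-audit-sink \
    --organization="$GCP_ORG_ID" --format='value(writerIdentity)')
  grant_writer "$writer" "$project" audit_logs
  services_per_principal_sql "$project" audit_logs 8 | run bq query --use_legacy_sql=false
fi
```

Run it with `DRY_RUN=1 GCP_ORG_ID=123456789 GCP_PROJECT_ID=my-project sh export.sh` to review the commands first; `DRY_RUN=0` executes them. Note that `gcloud logging sinks describe` and the final `bq query` are not wrapped by `run`, so they still need working credentials even in dry-run mode.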