turbot/tailpipe-mod-gcp-audit-log-detections

Dashboard: Audit Log Activity Dashboard

This dashboard answers the following questions:

  • How many GCP Audit Logs are recorded?
  • How many logs are generated per project?
  • How many logs are generated per log type?
  • Who are the top actors initiating activities?
  • What are the top source IPs (excluding GCP internal sources)?
  • What are the top GCP services generating logs?
  • What are the top events recorded in the audit logs?

This dashboard contains 1 card.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-gcp-audit-log-detections

Start the Powerpipe server:

powerpipe server

Open http://localhost:9033 in your browser and select the Audit Log Activity Dashboard.

You could also snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe dashboard run gcp_audit_log_detections.dashboard.activity_dashboard --share

Queries

This dashboard uses the following queries:

select
  authentication_info.principal_email as "Actor",
  count(*) as "Logs"
from
  gcp_audit_log
where
  authentication_info.principal_email is not null
group by
  authentication_info.principal_email
order by
  count(*) desc
limit 10;
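The query above answers only the "top actors" question; the other questions the dashboard lists follow the same group-by/count shape. The two queries below are an added example, not queries taken from the mod itself, covering the top external source IPs and the top events. They assume the Tailpipe gcp_audit_log table exposes the common tp_source_ip column as well as service_name and method_name columns, and that GCP writes the placeholder values 'private' and 'gce-internal-ip' into the caller IP field for traffic originating inside Google's network; adjust the column names and the exclusion list to what your installed plugin version actually provides.

```sql
-- Added example: top source IPs, excluding GCP internal sources.
-- Assumes the Tailpipe common column tp_source_ip; the literals in the
-- NOT IN list are the placeholder caller IP values GCP uses for internal
-- traffic (assumption: extend the list if your logs show other placeholders).
select
  tp_source_ip as "Source IP",
  count(*) as "Logs"
from
  gcp_audit_log
where
  tp_source_ip is not null
  and tp_source_ip not in ('private', 'gce-internal-ip')
group by
  tp_source_ip
order by
  count(*) desc
limit 10;

-- Added example: top events, keyed on service and API method.
-- Assumes service_name and method_name columns (the audit log's
-- serviceName / methodName fields). Grouping on both avoids merging
-- unrelated methods that share a name across services.
select
  service_name as "Service",
  method_name as "Method",
  count(*) as "Logs"
from
  gcp_audit_log
where
  method_name is not null
group by
  service_name,
  method_name
order by
  count(*) desc
limit 10;
```

Both queries can be run directly in the Powerpipe query shell against the same gcp_audit_log table the dashboard card uses; a spike in a single external source IP or in an unusual service/method pair is the kind of signal these counts are meant to surface before the per-event detections in the mod are consulted.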

Tags