Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-gcp-audit-log-detections
Overview
3Dashboards
40Benchmarks
47Queries
1Variables
GitHub

Dashboard: Audit Log Activity Dashboard

This dashboard answers the following questions:

  • How many GCP Audit Logs are recorded?
  • How many logs are generated per project?
  • How many logs are generated per log type?
  • Who are the top actors initiating activities?
  • What are the top source IPs (excluding GCP internal sources)?
  • What are the top GCP services generating logs?
  • What are the top events recorded in the audit logs?
This dashboard contains 1 card.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-gcp-audit-log-detections

Start the Powerpipe server:

powerpipe server

Open http://localhost:9033 in your browser and select Audit Log Activity Dashboard dashboard.

You could also snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe dashboard run gcp_audit_log_detections.dashboard.activity_dashboard --share

Queries

This dashboard uses the the following queries:
select
  authentication_info.principal_email as "Actor",
  count(*) as "Logs"
from
  gcp_audit_log
where
  authentication_info.principal_email is not null
group by
  authentication_info.principal_email
order by
  count(*) desc
limit 10;

Tags

service = GCP/AuditLog
type = Dashboard