access_context_manager_access_level_deletedaccess_context_manager_policy_deletedactivity_dashboard_logs_by_actoractivity_dashboard_logs_by_eventactivity_dashboard_logs_by_projectactivity_dashboard_logs_by_serviceactivity_dashboard_logs_by_source_ipactivity_dashboard_logs_by_typeactivity_dashboard_total_logsapigee_security_action_disabledapp_engine_firewall_ingress_rule_createdapp_engine_firewall_ingress_rule_deletedapp_engine_firewall_ingress_rule_updatedartifact_registry_package_deletedartifact_registry_repository_deletedcloud_run_function_deletedcompute_disk_iam_policy_setcompute_firewall_rule_deletedcompute_image_iam_policy_setcompute_instance_with_public_network_interfacecompute_snapshot_iam_policy_setcompute_subnetwork_flow_logs_disabledcompute_vpn_tunnel_deleteddlp_reidentify_contentdns_managed_zone_deleteddns_managed_zone_updateddns_record_set_deleteddns_record_set_updatediam_organization_policy_updatediam_owner_role_policy_setiam_service_account_access_token_generatediam_service_account_creatediam_service_account_deletediam_service_account_disablediam_service_account_key_creatediam_service_account_key_deletediam_service_account_token_creator_role_assignedlogging_bucket_deletedlogging_sink_deletedmonitoring_alert_policy_deletedmonitoring_metric_descriptor_deletedresource_manager_iam_policy_setsecurity_command_center_notification_config_deletedsql_ssl_certificate_deletedsql_user_deletedstorage_bucket_iam_permission_granted_public_accessstorage_bucket_iam_permission_set
Query: Top 10 Actors
Usage
powerpipe query gcp_audit_log_detections.query.activity_dashboard_logs_by_actorTailpipe Tables
SQL
select authentication_info.principal_email as "Actor", count(*) as "Logs"from gcp_audit_logwhere authentication_info.principal_email is not nullgroup by authentication_info.principal_emailorder by count(*) desclimit 10;
Dashboards
The query is used in the dashboards: