← All controls

31 Audit-log export to SIEM/BigQuery

Workspace keeps its audit logs for a bounded period and offers only a console search over them. BigQuery Export streams the activity and usage events — login, admin, Drive, token — into a GCP project you control, where they outlive Google's retention window and can be queried properly. It is the substrate the WORM archive (№58) and the detection rules (№66) are built on, and the dataset region should match your data-region policy.

Caveats

Setup steps

  1. open ↗ Reporting › Data integrations

    BigQuery Export = On; Project = <dedicated logging project>; grant gapps-reports@system.gserviceaccount.com the project Editor role (or an equivalent IAM editor role) on that project

    Set up service log exports to BigQuery ↗ Set up a BigQuery project for reporting logs ↗

  2. Reporting › Data integrations
    Dataset region
    matching your data-region policy (№24)
    export
    the date-partitioned activity + usage tables

    Set up service log exports to BigQuery ↗

  3. open ↗ Reporting › Audit and investigation

    Verify the day's partition exists in the activity table (query _PARTITIONTIME)

    About the audit and investigation tool ↗ Example queries for reporting logs in BigQuery ↗

  4. Dataset default table expiration = never (or > your retention policy); onward sink to Bucket-Locked GCS

    Data retention and lag times ↗

Ongoing maintenance

How to verify

  1. Query the newest partition and check freshness — an export that silently stopped is the failure mode that matters.

    bq query --use_legacy_sql=false 'SELECT MAX(time_usec) FROM `<project>.<dataset>.activity`'

v0.1.3Detectedition Ent/Edu/Frontline Std+, Ent Ess Plus policy #18 · #33 ↗