66 Detection engineering on exported logs
Scheduled Sigma rules or BigQuery SQL run over the exported audit logs (31 Audit-log export to SIEM/BigQuery), one rule per hypothesis, version-controlled, each with a documented false-positive rate: an OAuth grant to a new client id, a domain-wide delegation change, a mass Drive download, an admin role grant, a forwarding rule added. These are the API-level attacks no console screen shows you, and the hits are routed into the same alert pipeline the heartbeat (№52) proves is alive.
Documentation: About reporting logs and BigQuery ↗
Caveats
Setup steps
- open ↗

https://admin.google.com/ac/reporting/bigqueryexport · captured 2026-07-15
Reporting › Data integrations › BigQuery Export- BigQuery export
On- dataset
the one your rules query
-
- One rule
one hypothesis, version-controlled, with a documented false-positive rate
-
- Scheduled query cadence
15min–1h depending on the rule
-
Ongoing maintenance
- automatable: script Per schedule: the detection queries run against the exported logs.
- automatable: AI agent Monthly: tune rules against false-positive/negative feedback and new TTPs.
How to verify
Replay a known-bad event pattern (e.g. a mass-download simulation from a test account) into the pipeline and confirm the detection fires end to end — the query alone proves nothing.
v0.0.3Detectedition Ent/Edu/Frontline Std+, Ent Essentials Plus policy #33 · #18 ↗