← All controls

66 Detection engineering on exported logs

Scheduled Sigma rules or BigQuery SQL run over the exported audit logs (31 Audit-log export to SIEM/BigQuery), one rule per hypothesis, version-controlled, each with a documented false-positive rate: an OAuth grant to a new client id, a domain-wide delegation change, a mass Drive download, an admin role grant, a forwarding rule added. These are the API-level attacks no console screen shows you, and the hits are routed into the same alert pipeline the heartbeat (№52) proves is alive.

Caveats

Setup steps

  1. open ↗ Reporting › Data integrations › BigQuery Export
    BigQuery export
    On
    dataset
    the one your rules query

    Set up service log exports to BigQuery ↗

  2. One rule
    one hypothesis, version-controlled, with a documented false-positive rate

    Example queries for reporting logs in BigQuery ↗

  3. Scheduled query cadence
    15min–1h depending on the rule

    Scheduling queries ↗

Ongoing maintenance

How to verify

  1. Replay a known-bad event pattern (e.g. a mass-download simulation from a test account) into the pipeline and confirm the detection fires end to end — the query alone proves nothing.

v0.0.3Detectedition Ent/Edu/Frontline Std+, Ent Essentials Plus policy #33 · #18 ↗