From 1f7125bb1b168ea80351c188ff138fd665b24961 Mon Sep 17 00:00:00 2001
From: charlesbaer <30347307+charlesbaer@users.noreply.github.com>
Date: Wed, 24 Jan 2024 09:50:37 -0500
Subject: [PATCH 1/4] Remove timestamp in favor of the date/time selector implemented in 2023
---
 .../sql/4_20_actions_by_user_identity_over_time.sql | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/backends/log_analytics/sql/4_20_actions_by_user_identity_over_time.sql b/backends/log_analytics/sql/4_20_actions_by_user_identity_over_time.sql
index 49015c4..fe97d7c 100644
--- a/backends/log_analytics/sql/4_20_actions_by_user_identity_over_time.sql
+++ b/backends/log_analytics/sql/4_20_actions_by_user_identity_over_time.sql
@@ -25,11 +25,10 @@ SELECT
 FROM `[MY_PROJECT_ID].[MY_LOG_BUCKET_REGION].[MY_LOG_BUCKET_NAME]._AllLogs`
 LEFT JOIN UNNEST(proto_payload.audit_log.authentication_info.service_account_delegation_info) as service_account_delegation_info
 WHERE
- timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY)
- AND proto_payload.audit_log.authentication_info.principal_email IS NOT NULL
+ proto_payload.audit_log.authentication_info.principal_email IS NOT NULL
 -- Actor(s) to be investigated
 AND proto_payload.audit_log.authentication_info.principal_email IN (
 "[MY_COMPROMISED_SA]@[MY_PROJECT_ID].iam.gserviceaccount.com"
 )
 ORDER BY
- timestamp DESC
\ No newline at end of file
+ timestamp DESC
From 8dcf78cc7cda13f872bd8d1103244bcd9db82cf1 Mon Sep 17 00:00:00 2001
From: charlesbaer <30347307+charlesbaer@users.noreply.github.com>
Date: Wed, 24 Jan 2024 09:51:12 -0500
Subject: [PATCH 2/4] Update 1_01_login_highly_privileged_account.sql
---
 .../log_analytics/sql/1_01_login_highly_privileged_account.sql | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/backends/log_analytics/sql/1_01_login_highly_privileged_account.sql b/backends/log_analytics/sql/1_01_login_highly_privileged_account.sql
index 6617107..a94f756 100644
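Review bot: With the `timestamp >=` predicate removed, nothing in the SQL itself bounds the scan any more, so when this query is run anywhere other than the console with its date/time selector — from a script, a saved query, or another client — it reads the whole `_AllLogs` bucket instead of the last 30 days; the same applies to the 60-, 7- and 30-day predicates removed in patches 2/4, 3/4 and 4/4. Since the time window now lives outside the file, the dependency should be recorded next to the WHERE clause, e.g. `-- Time range is applied by the Log Analytics date/time selector; add a timestamp predicate if this query is run elsewhere.` Separately, the retained `principal_email IS NOT NULL` on the new line is implied by the `principal_email IN (...)` filter a few lines below, so it only earns its place if the IN block marked "Actor(s) to be investigated" is meant to be removable; if so, a short comment saying that would make the intent clear. The SELECT list this clause belongs to begins above the hunk.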
--- a/backends/log_analytics/sql/1_01_login_highly_privileged_account.sql
+++ b/backends/log_analytics/sql/1_01_login_highly_privileged_account.sql
@@ -22,8 +22,7 @@ SELECT
 JSON_VALUE(proto_payload.audit_log.metadata.event[0].parameter[0].value) AS login_type
 FROM `[MY_PROJECT_ID].[MY_LOG_BUCKET_REGION].[MY_LOG_BUCKET_NAME]._AllLogs`
 WHERE
- timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 60 DAY)
- AND proto_payload.audit_log IS NOT NULL
+ proto_payload.audit_log IS NOT NULL
 AND proto_payload.audit_log.authentication_info.principal_email LIKE "admin%"
 AND proto_payload.audit_log.service_name = "login.googleapis.com"
 AND proto_payload.audit_log.method_name LIKE "google.login.LoginService.%"
From 169d874b7a7f4eabca64d1acd67fa2804fb9e91d Mon Sep 17 00:00:00 2001
From: charlesbaer <30347307+charlesbaer@users.noreply.github.com>
Date: Wed, 24 Jan 2024 09:52:04 -0500
Subject: [PATCH 3/4] Update 5_01_users_who_most_frequently_accessed_data.sql
---
 .../sql/5_01_users_who_most_frequently_accessed_data.sql | 1 -
 1 file changed, 1 deletion(-)
diff --git a/backends/log_analytics/sql/5_01_users_who_most_frequently_accessed_data.sql b/backends/log_analytics/sql/5_01_users_who_most_frequently_accessed_data.sql
index 9441d20..509dc98 100644
--- a/backends/log_analytics/sql/5_01_users_who_most_frequently_accessed_data.sql
+++ b/backends/log_analytics/sql/5_01_users_who_most_frequently_accessed_data.sql
@@ -22,7 +22,6 @@ FROM
 WHERE
 (proto_payload.audit_log.method_name = "google.cloud.bigquery.v2.JobService.InsertJob"
 OR proto_payload.audit_log.method_name = "google.cloud.bigquery.v2.JobService.Query")
- AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
 AND log_id = "cloudaudit.googleapis.com/data_access"
 GROUP BY 1
From 150b0f3e0ab555adb617e6b232564408266727c3 Mon Sep 17 00:00:00 2001
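Review bot: The `proto_payload.audit_log IS NOT NULL` kept on the new line is already implied by the `=` and `LIKE` conditions on `proto_payload.audit_log.*` that follow it — a NULL struct makes those predicates UNKNOWN and the row is filtered either way — so after the removal it reads like a leftover half of the old two-line predicate rather than a deliberate guard. Either drop it so the WHERE opens with the first meaningful filter, or keep it with a comment stating its purpose, e.g. `proto_payload.audit_log IS NOT NULL -- only audit log entries`. The SELECT list this WHERE belongs to starts above the hunk.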
From: charlesbaer <30347307+charlesbaer@users.noreply.github.com>
Date: Wed, 24 Jan 2024 18:46:22 -0500
Subject: [PATCH 4/4] Update 4_10_autoscaling_usage_frequency.sql
---
 backends/log_analytics/sql/4_10_autoscaling_usage_frequency.sql | 1 -
 1 file changed, 1 deletion(-)
diff --git a/backends/log_analytics/sql/4_10_autoscaling_usage_frequency.sql b/backends/log_analytics/sql/4_10_autoscaling_usage_frequency.sql
index e2a08e0..15d43bc 100644
--- a/backends/log_analytics/sql/4_10_autoscaling_usage_frequency.sql
+++ b/backends/log_analytics/sql/4_10_autoscaling_usage_frequency.sql
@@ -22,7 +22,6 @@ FROM
 WHERE
 resource.type = "gce_instance_group_manager"
 AND log_id = "cloudaudit.googleapis.com/activity"
- AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY)
 GROUP BY 1
 ORDER BY