GoogleCloudPlatform · charlesbaer · Jan 24, 2024 · Jan 24, 2024 · Jan 24, 2024 · Jan 24, 2024
diff --git a/backends/log_analytics/sql/1_01_login_highly_privileged_account.sql b/backends/log_analytics/sql/1_01_login_highly_privileged_account.sql
@@ -22,8 +22,7 @@ SELECT
   JSON_VALUE(proto_payload.audit_log.metadata.event[0].parameter[0].value) AS login_type
 FROM `[MY_PROJECT_ID].[MY_LOG_BUCKET_REGION].[MY_LOG_BUCKET_NAME]._AllLogs`
 WHERE
-  timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 60 DAY)
-  AND proto_payload.audit_log IS NOT NULL
+  proto_payload.audit_log IS NOT NULL
   AND proto_payload.audit_log.authentication_info.principal_email LIKE "admin%"
   AND proto_payload.audit_log.service_name = "login.googleapis.com"
   AND proto_payload.audit_log.method_name LIKE "google.login.LoginService.%"
diff --git a/backends/log_analytics/sql/4_10_autoscaling_usage_frequency.sql b/backends/log_analytics/sql/4_10_autoscaling_usage_frequency.sql
@@ -22,7 +22,6 @@ FROM
 WHERE
   resource.type = "gce_instance_group_manager"
   AND log_id = "cloudaudit.googleapis.com/activity"
-  AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY)
 GROUP BY
   1
 ORDER BY

diff --git a/backends/log_analytics/sql/4_20_actions_by_user_identity_over_time.sql b/backends/log_analytics/sql/4_20_actions_by_user_identity_over_time.sql
@@ -25,11 +25,10 @@ SELECT
 FROM `[MY_PROJECT_ID].[MY_LOG_BUCKET_REGION].[MY_LOG_BUCKET_NAME]._AllLogs`
   LEFT JOIN UNNEST(proto_payload.audit_log.authentication_info.service_account_delegation_info) as service_account_delegation_info
 WHERE
-  timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY)
-  AND proto_payload.audit_log.authentication_info.principal_email IS NOT NULL
+  proto_payload.audit_log.authentication_info.principal_email IS NOT NULL
   -- Actor(s) to be investigated
   AND proto_payload.audit_log.authentication_info.principal_email IN (
     "[MY_COMPROMISED_SA]@[MY_PROJECT_ID].iam.gserviceaccount.com"
   )
 ORDER BY
-  timestamp DESC
+  timestamp DESC
diff --git a/backends/log_analytics/sql/5_01_users_who_most_frequently_accessed_data.sql b/backends/log_analytics/sql/5_01_users_who_most_frequently_accessed_data.sql
@@ -22,7 +22,6 @@ FROM
 WHERE
   (proto_payload.audit_log.method_name = "google.cloud.bigquery.v2.JobService.InsertJob" OR
    proto_payload.audit_log.method_name = "google.cloud.bigquery.v2.JobService.Query")
-  AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
   AND log_id = "cloudaudit.googleapis.com/data_access"
 GROUP BY
   1