Cloud SQL - Unusual Data Activity

  • October 8, 2024
  • 6 replies
  • 38 views

kaushalpatel

What are the main events that can be used to detect the following kinds of unusual activity?

Unusual data transfer, like copying large amounts of data outside the instance
Any SQL queries that export or copy the data, coming from unauthorized users or IPs


dnehoda
Staff
  • Staff
  • October 10, 2024

Are you talking about curated detections?

Curious where this is coming from?


kaushalpatel
  • Author
  • New Member
  • October 10, 2024

The customer uses a SQL client like pgAdmin to copy and upload data.
I see that the only logged entries are the queries that ran, with limited samples,
and they are not even parsed properly using the GCP_CLOUDSQL or GCP_CLOUDAUDIT parsers.

I tried to create metrics in Cloud Monitoring, but that is not very useful as I don't see a way to import them into SecOps.

Cloud SQL ransom is the only curated detection, but I'm not sure what exactly it detects. Is there a way to find the exact rules within this rule set?


dnehoda
Staff
  • Staff
  • October 10, 2024


Those are definitely the log types.

I'd need to investigate the product event types further.

If GCP is connected to SecOps, which it sounds like it is, you can create export filters.


AbdElHafez
Staff
  • Staff
  • October 11, 2024

You would probably need to set up an audit policy specifically for the tables in question.
The default audit policy, I think much like MySQL, is likely only reporting session establishment and some admin activities, but not the full DB activity details.

There are multiple types of Cloud SQL logs. The one you are looking for is probably the Data Access logs, and these are the ones that will mostly be parsed by the Cloud Audit parser. These logs are not enabled by default, so you would need to enable them, and for specific tables first, as they could be very noisy.


kaushalpatel
  • Author
  • New Member
  • October 11, 2024

Currently, I'm collecting all activity logs and data access logs. The Cloud SQL API is enabled for data access logs via IAM > Audit Config.

Since this is a PostgreSQL instance, I am specifically collecting the log with the following log ID: log_id("cloudsql.googleapis.com/postgres.log")

However, if similar queries are executed, they may not be logged due to sampling. Additionally, the parser needs to be updated to include the textPayload field, which contains the query details and other relevant information.
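An added example, not code from this thread or from Google's parsers, of the kind of detection the thread is after: it takes the `textPayload` of `cloudsql.googleapis.com/postgres.log` entries, correlates each session's client host with its later statements by backend PID, and flags `COPY ... TO` exports from users or hosts outside an allow-list. The log entries are constructed, and the line layout (Cloud SQL's default PostgreSQL `log_line_prefix` with statement and connection logging on) is an assumption about the format.

```python
import re

# Constructed sample entries for the log ID named in this thread (not real logs).
# Assumed layout: log_line_prefix "%m [%p]: [%l-1] db=%d,user=%u" + message.
PG_LOG = "projects/example-proj/logs/cloudsql.googleapis.com%2Fpostgres.log"
SAMPLE_ENTRIES = [
    {"logName": PG_LOG, "textPayload": "2024-10-11 09:12:01.001 UTC [4711]: [1-1] "
     "db=[unknown],user=[unknown] LOG:  connection received: host=10.20.0.15 port=40112"},
    {"logName": PG_LOG, "textPayload": "2024-10-11 09:12:02.402 UTC [4711]: [2-1] "
     "db=sales,user=app_svc LOG:  statement: SELECT id, total FROM orders WHERE id = 42"},
    {"logName": PG_LOG, "textPayload": "2024-10-11 09:15:33.210 UTC [4790]: [1-1] "
     "db=[unknown],user=[unknown] LOG:  connection received: host=203.0.113.7 port=51234"},
    {"logName": PG_LOG, "textPayload": "2024-10-11 09:16:02.777 UTC [4790]: [2-1] "
     "db=sales,user=jdoe LOG:  statement: COPY customers TO STDOUT WITH (FORMAT csv)"},
]

# Client-side exports (psql \copy, pgAdmin export) reach the server as "COPY ... TO STDOUT".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\]: \[\d+-\d+\] "
                     r"db=(?P<db>[^,]+),user=(?P<user>\S+) [A-Z]+:\s+(?P<msg>.*)$")
CONN_RE = re.compile(r"^connection received: host=(?P<host>\S+) port=\d+")
STMT_RE = re.compile(r"^statement: (?P<sql>.*)$")
EXPORT_RE = re.compile(r"\bCOPY\b.*\bTO\b", re.IGNORECASE)


def detect_suspicious_exports(entries, allowed_hosts, export_users):
    """Flag COPY ... TO statements whose user or client host is not allow-listed.
    The connection line carries the host; statement lines for the same PID carry db/user."""
    host_by_pid, alerts = {}, []
    for entry in entries:
        if not entry.get("logName", "").endswith("cloudsql.googleapis.com%2Fpostgres.log"):
            continue  # same scope as log_id("cloudsql.googleapis.com/postgres.log")
        m = LINE_RE.match(entry["textPayload"])
        if not m:
            continue  # continuation lines or other layouts: left for a parser extension
        conn = CONN_RE.match(m["msg"])
        if conn:
            host_by_pid[m["pid"]] = conn["host"]
            continue
        stmt = STMT_RE.match(m["msg"])
        if not stmt or not EXPORT_RE.search(stmt["sql"]):
            continue
        host = host_by_pid.get(m["pid"], "unknown")
        reasons = []
        if m["user"] not in export_users:
            reasons.append(f"user {m['user']} not approved for exports")
        if host not in allowed_hosts:
            reasons.append(f"client host {host} not allow-listed")
        if reasons:
            alerts.append({"time": m["ts"], "user": m["user"], "host": host, "sql": stmt["sql"], "reasons": reasons})
    return alerts
```

Sampling, as noted above, means a statement may simply never appear in the log, so this catches only what was written; it is a starting point for a parser extension and rule, not a substitute for enabling the Data Access logs on the tables of interest.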


AbdElHafez
Staff
  • Staff
  • October 11, 2024

If you have a raw log sample that has this info then please share it with me and I can provide a parser extension to parse the missing data.