
I'm building a security audit dashboard in Google SecOps and need to filter GCP audit logs to show actions performed only by members of our designated administrator group in GCP. The audit logs themselves don't directly include group membership information.

Is it possible to define a user group (e.g., within Chronicle or using a lookup list) that I can then reference as a variable in my search query? The goal is to effectively filter the audit events to only include those initiated by users belonging to this specific administrator group.

Hi @devashishsingh ,

Good question!

GCP audit logs don’t include group membership info, only the user’s email (principalEmail).

One approach:
1. Build a lookup table (for example, in Chronicle or BigQuery) mapping admin group members' emails.
2. In your search query or dashboard, join or filter the logs using that list.

There’s no native way to reference Google Groups directly in log queries today.
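The join described in this answer, as an added illustration that is not part of the original thread: three constructed Cloud Audit Log entries in the JSON shape Cloud Logging exports (principalEmail under protoPayload.authenticationInfo) are filtered against a hypothetical admin reference list, with case normalisation and a skip for entries that carry no authenticated principal.

```python
import json

# Constructed sample entries (not real logs); the JSON layout follows
# Cloud Audit Log exports, with the actor in authenticationInfo.principalEmail.
SAMPLE_AUDIT_LOG_LINES = [
    json.dumps({"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"serviceName": "iam.googleapis.com",
                                 "methodName": "SetIamPolicy",
                                 "authenticationInfo": {"principalEmail": "Alice@example.com"}}}),
    json.dumps({"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
                "protoPayload": {"serviceName": "storage.googleapis.com",
                                 "methodName": "storage.objects.get",
                                 "authenticationInfo": {"principalEmail": "carol@example.com"}}}),
    # System-generated entry with no authenticated principal at all.
    json.dumps({"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
                "protoPayload": {"serviceName": "compute.googleapis.com",
                                 "methodName": "compute.instances.migrateOnHostMaintenance"}}),
    json.dumps({"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"serviceName": "compute.googleapis.com",
                                 "methodName": "v1.compute.firewalls.delete",
                                 "authenticationInfo": {"principalEmail": "bob@example.com"}}}),
]

# Hypothetical reference list: the admin group members the thread proposes to
# keep in the SecOps list manager. Kept here as plain emails for the example.
ADMIN_GROUP_MEMBERS = ["alice@example.com", "Bob@Example.com"]


def principal_email(entry):
    """Return the acting principal's email, or None when the entry has none."""
    return entry.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail")


def filter_admin_actions(log_lines, admin_members):
    """Keep only entries whose principal is in the admin list.

    Returns (email, serviceName, methodName) tuples in log order, so the
    result can feed a dashboard widget directly.
    """
    admins = {m.strip().lower() for m in admin_members}  # emails are case-insensitive
    matches = []
    for line in log_lines:
        entry = json.loads(line)
        email = principal_email(entry)
        if email is None:  # system events: no actor to match against the list
            continue
        if email.lower() in admins:
            payload = entry["protoPayload"]
            matches.append((email.lower(), payload["serviceName"], payload["methodName"]))
    return matches


if __name__ == "__main__":
    for row in filter_admin_actions(SAMPLE_AUDIT_LOG_LINES, ADMIN_GROUP_MEMBERS):
        print(row)
```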


Thank you @a_aleinikov. I made a good guess. BigQuery would be another hassle. I would go with the list manager in SecOps and use that as a reference in my queries, which looks like a simpler approach managed under one roof.

Cheers!
Devashish Singh

