Looker activity monitoring

Has anyone played around with monitoring Looker? With Looker being the source of a large amount of data, it's crucial for us to be able to alert on anomalies, for example if a user is downloading something they have never viewed or accessed before, or someone is running SQL Runner who hasn't done so before, etc. I understand all of this information is in the Looker event, content usage, history explores, etc.?

Has anybody solved the bringing-into-the-SIEM part? The data is spread across different explores, and I want to run complex analysis as mentioned above in Looker itself before bringing it into the SIEM. There isn't a great deal of documentation. I wonder if this is a problem faced by others in the threat detection community?


Hey @rodneysamuel !
Looker System Activity data is very limited currently if you want to change something on the backend (you can't, actually).
In addition to the dashboards on the Admin panel, you can use the System Activity explores to find more answers to your questions, but always only using the fields pre-built by Looker.
Remember that data related to query history only goes back 90 days. There is an option to extend this period up to the last 365 days, but you will need to talk with your Account Executive to enable the so-called "Elite System Activity". From those explores you can build the analysis that you need and save it to dashboards. You can obtain info related to the actions of the users in Looker, but keep in mind that you may not find everything. I recommend you dig into the System Activity explores (all of them).

Creating Looker usage reports with System Activity Explores | Google Cloud

Please share any particular use case that you would like to view.
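
The first-seen checks described in the question (a download of content the user has never accessed, a first-ever SQL Runner run) can be prototyped over exported activity rows before building them into a SIEM rule. The sketch below is an added example, not code from either poster or from Looker; the row layout and the action labels `view`, `download` and `sql_runner` are assumptions to be mapped from whichever System Activity fields you export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed rows standing in for an export of user activity. The tuple
# layout (created, user, action, content) and the action labels are
# assumptions; map them from whichever System Activity fields you export.
ROWS = [
    ("2024-05-01 09:00:00", "17", "view", "dash-4"),
    ("2024-05-02 11:30:00", "17", "download", "dash-4"),
    ("2024-05-03 14:00:00", "22", "sql_runner", None),
    ("2024-06-02 10:00:00", "17", "download", "dash-4"),
    ("2024-06-02 10:05:00", "17", "download", "look-9"),
    ("2024-06-03 09:15:00", "22", "sql_runner", None),
    ("2024-06-04 08:00:00", "17", "sql_runner", None),
    ("2024-06-04 08:10:00", "17", "sql_runner", None),
    ("2024-06-05 16:45:00", "17", "download", "look-9"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def detect_first_seen(rows, baseline_end):
    """Learn per-user behaviour before baseline_end, then alert on firsts."""
    accessed = defaultdict(set)  # user -> content ids viewed or downloaded
    sql_users = set()            # users who have run SQL Runner before
    alerts = []
    ordered = sorted(rows, key=lambda r: datetime.strptime(r[0], FMT))
    for created, user, action, content in ordered:
        # Events before baseline_end only train the baseline, never alert.
        live = datetime.strptime(created, FMT) >= baseline_end
        if action == "sql_runner":
            if live and user not in sql_users:
                alerts.append((user, "first_sql_runner", None, created))
            sql_users.add(user)
            continue
        if action == "download" and live and content not in accessed[user]:
            alerts.append((user, "download_without_prior_view", content, created))
        # Record the access so one novel download alerts once, not forever.
        accessed[user].add(content)
    return alerts


if __name__ == "__main__":
    for alert in detect_first_seen(ROWS, datetime(2024, 6, 1)):
        print(alert)
```

Given the 90-day query history limit mentioned in the reply, the baseline can only cover what that retention window still holds, so a user whose earlier views have aged out will look new.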