If you were to need to monitor a set of assets such as Google Cloud VPCs and any changes that have been made in a set date range, what would be an RQL you could write that would yield the audit trail and show those changes?

I would have to imagine it starts with an event query based on something similar I pulled up for AWS:

event where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')

or maybe RQL:

config where cloud.type = 'aws' AND api.name = 'aws-elbv2-target-group'

But what would be the best practice to possibly get a list of a set of assets you want to monitor highly for changes? Maybe leveraging tags?