Sensitive actions can have a negative effect on your business if they are taken maliciously or in error.
Investigate the activity
Consider reaching out to the owner of the user account that performed the action to make sure that the owner took the action themselves and that the action was intentional.
You can use Cloud Logging to view other actions taken by the same user
account. For example, the following query searches for Admin Activity Audit Logs
logName:cloudaudit.googleapis.com%2Factivity AND "email@example.com"
By default, you can view Admin Activity Audit Logs in only a single project, folder, or organization at a time. To aggregate logs across your organization, see Aggregate and store your organization's logs.
Respond to an unrecognized activity
If you determine that the action was not legitimate, it is possible that the acting user account is compromised.
- If you use Google Workspace as your identity provider, your Google Workspace administrator can take steps to secure the account.
- If you use a third-party identity provider, check their documentation for what steps you can take.
- Consider taking steps to undo the action. For example, if a sensitive role was unintentionally granted at the organization level, you should remove this role.