For ETD detections focusing on data exfiltration from sensitive Cloud Storage and BigQuery, which action minimizes Cloud Logging costs?


Multiple Choice


Explanation:
Focusing on the events that indicate data access from sensitive resources is the most effective way to detect exfiltration while controlling costs. Data exfiltration detections hinge on knowing who is reading data from Cloud Storage and BigQuery, so enabling only read audit logs for the designated sensitive buckets and datasets captures the relevant signals without logging every action that isn’t directly related to access. Logging data writes adds a lot of volume because write operations can come from many legitimate processes and don’t directly represent exfiltration events, increasing costs without proportional benefit. Expanding logs to all buckets and datasets across the organization would massively inflate log volume and costs, and wouldn’t improve detection of exfiltration from the targeted resources. VPC Flow Logs track network traffic, but they don’t provide the same service-level visibility into data access on Cloud Storage and BigQuery, and they would still incur costs without delivering targeted exfiltration signals.

