# Tracking Service Account Modifications in Google Cloud Platform (GCP)

It's quite common to see your important service account being modified by someone. Don't worry, my friend. Here is how you can track who did what.

1. Login to GCP and navigate to **Logging**
    
2. Set a proper timeline from the date-time picker (last X hour or last Y days)
    
3. Open up the Query Editor and paste the following code snippet
    

```json
protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog"
resource.type="service_account"
protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
```

Voila! Look for the `principalEmail` field in the output, which will show the name of the person (or bot) who made the change.