Answer: Query Admin Activity logs.

The correct answer is B because Admin Activity logs record all administrative actions that modify resource configurations or metadata, including resource creation. This aligns with Google Cloud's documentation stating that Admin Activity logs contain entries for API calls that create, modify, or delete resources, such as VM instances or IAM permissions. The community discussion strongly supports this, with B receiving 100% consensus and high upvotes. Comments from FatCharlie and VicF provide detailed reasoning, citing that Admin Activity logs capture resource creation events, which is exactly what's needed to audit new resources created by a compromised service account. Option A (Data Access logs) is incorrect as it focuses on access to user-provided data, not resource creation, and is often disabled by default. Option C (Access Transparency logs) is for Google support actions, not user resource management. Option D (Stackdriver Monitoring Workspace) is for performance metrics, not audit trails of resource creation.

Author: LeetQuiz Editorial Team