diff --git a/docs/playbooks/alerts/HumanAccessedSecret.md b/docs/playbooks/alerts/HumanAccessedSecret.md
index bd519e46f..50effe0fb 100644
--- a/docs/playbooks/alerts/HumanAccessedSecret.md
+++ b/docs/playbooks/alerts/HumanAccessedSecret.md
@@ -7,10 +7,10 @@ once in the period, even if multiple secrets are accessed.
 Go to Logs Explorer, use the following filter:
-```
-resource.type="audited_resource"
-resource.labels.service="secretmanager.googleapis.com"
-resource.labels.method="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
+```text
+protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
+protoPayload.serviceName="secretmanager.googleapis.com"
+protoPayload.methodName=~"AccessSecretVersion$"
 protoPayload.authenticationInfo.principalEmail!~"gserviceaccount.com$"
 ```
diff --git a/docs/playbooks/alerts/HumanDecryptedValue.md b/docs/playbooks/alerts/HumanDecryptedValue.md
index 3226c8d95..2a87e934c 100644
--- a/docs/playbooks/alerts/HumanDecryptedValue.md
+++ b/docs/playbooks/alerts/HumanDecryptedValue.md
@@ -7,10 +7,10 @@ only fires once in the period, even if multiple decryption events occur.
 Go to Logs Explorer, use the following filter:
-```
-resource.type="audited_resource"
-resource.labels.service="cloudkms.googleapis.com"
-resource.labels.method:"Decrypt"
+```text
+protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
+protoPayload.serviceName="cloudkms.googleapis.com"
+protoPayload.methodName="Decrypt"
 protoPayload.authenticationInfo.principalEmail!~"gserviceaccount.com$"
 ```
diff --git a/terraform/alerting/alerts.tf b/terraform/alerting/alerts.tf
index 089c3cec4..07de4f45f 100644
--- a/terraform/alerting/alerts.tf
+++ b/terraform/alerting/alerts.tf
@@ -291,7 +291,7 @@ resource "google_monitoring_alert_policy" "HumanAccessedSecret" {
 display_name = "A non-service account accessed a secret."
 condition_monitoring_query_language {
- duration = "60s"
+ duration = "0s"
 query = <<-EOT
 fetch audited_resource
@@ -332,10 +332,10 @@ resource "google_monitoring_alert_policy" "HumanDecryptedValue" {
 display_name = "A non-service account decrypted something."
 condition_monitoring_query_language {
- duration = "60s"
+ duration = "0s"
 query = <<-EOT
- fetch audited_resource
+ fetch global
 | metric 'logging.googleapis.com/user/${google_logging_metric.human_decrypted_value.name}'
 | align rate(5m)
 | every 1m
diff --git a/terraform/alerting/monitoring.tf b/terraform/alerting/monitoring.tf
index 44ab6c6ad..953735ca3 100644
--- a/terraform/alerting/monitoring.tf
+++ b/terraform/alerting/monitoring.tf
@@ -74,9 +74,9 @@ resource "google_logging_metric" "human_accessed_secret" {
 project = var.project
 filter = <
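Review bot: The two sibling policies now fetch different monitored resources for the same kind of log-based user metric — this hunk switches HumanDecryptedValue to `fetch global`, while the HumanAccessedSecret hunk at -291 keeps `fetch audited_resource`; whichever of the two does not match the resource type the `logging.googleapis.com/user/...` metric is actually written under will yield no time series, and that alert silently stops firing, which is a detection gap rather than a visible error. I cannot tell from the diff which type is correct for these metrics, so confirm it in Metrics Explorer against a real AccessSecretVersion and Decrypt event and use the same `fetch` line in both policies. The `duration = "0s"` change (also made in the -291 hunk) matches the "fires on a single event" intent stated in the playbooks but deserves a one-line comment, e.g. `# 0s: one human access is actionable; do not wait for a sustained violation`. The enclosing resource block ends outside the hunk.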