
GCP

Overview

Google Cloud Platform (GCP) is one of the largest cloud providers, and organizations running on it need cloud security monitoring to protect themselves. Devo’s Threat Research Team content includes many GCP detections so your organization can monitor its GCP infrastructure, look for areas of risk, and respond to threats as they emerge.

Destroying a crypto key is an unusual event that should be checked and considered in context with other suspicious events occurring in the same GCP project.

This alert filters Google Cloud Audit Logs with DestroyCryptoKeyVersion as methodName.

Source table → cloud.gcp

Updating the state of a crypto key is an unusual event that should be checked and considered in context with other suspicious events occurring in the same GCP project.

This alert filters Google Cloud Audit Logs with UpdateCryptoKeyVersion as methodName. It extracts the key state value set on the crypto key version and checks whether it is DISABLED or ENABLED.

Source table → cloud.gcp

Listing queues is one of the first steps an attacker takes to enumerate a Google Cloud Platform project.

This detection filters Google Cloud Audit Log events whose methodName field contains the string ListQueues.

Source table → cloud.gcp

An attacker could be enumerating GCS buckets to gain more information regarding the Google Cloud project.

This alert filters Google Cloud Audit Logs in order to find those which have storage.buckets.list as methodName. It also filters on the principal account so as to keep only the actions performed by service accounts.

Source table → cloud.gcp

An attacker could be modifying the permissions or accessibility of a bucket.

This alert filters Google Cloud Audit Logs in order to find those which have storage.buckets.update as methodName. It also extracts the name of the bucket being updated so that this value can be included in the alert template.

Source table → cloud.gcp
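The five filters described above (crypto key destroyed, crypto key state changed, ListQueues, service-account bucket listing, bucket update), applied to constructed Google Cloud Audit Log entries. This is an added Python example, not Devo's alert code: the log lines are constructed, the request layout for UpdateCryptoKeyVersion (request.cryptoKeyVersion.state) is an assumption, and method names are matched with endswith so both short and fully qualified forms are accepted.

```python
import json

SERVICE_ACCOUNT_SUFFIX = ".iam.gserviceaccount.com"

# Constructed sample entries in Google Cloud Audit Log shape (protoPayload.*).
# The request layout for UpdateCryptoKeyVersion is an assumption of this example.
SAMPLE_LOG_LINES = [
    '{"protoPayload": {"methodName": "DestroyCryptoKeyVersion", "resourceName": "projects/p1/locations/global/keyRings/kr/cryptoKeys/k1/cryptoKeyVersions/3", "authenticationInfo": {"principalEmail": "alice@example.com"}}}',
    '{"protoPayload": {"methodName": "UpdateCryptoKeyVersion", "resourceName": "projects/p1/locations/global/keyRings/kr/cryptoKeys/k1/cryptoKeyVersions/3", "authenticationInfo": {"principalEmail": "alice@example.com"}, "request": {"cryptoKeyVersion": {"state": "DISABLED"}, "updateMask": "state"}}}',
    '{"protoPayload": {"methodName": "google.cloud.tasks.v2.CloudTasks.ListQueues", "resourceName": "projects/p1/locations/us-central1", "authenticationInfo": {"principalEmail": "bob@example.com"}}}',
    '{"protoPayload": {"methodName": "storage.buckets.list", "resourceName": "projects/_/buckets", "authenticationInfo": {"principalEmail": "svc@p1.iam.gserviceaccount.com"}}}',
    '{"protoPayload": {"methodName": "storage.buckets.list", "resourceName": "projects/_/buckets", "authenticationInfo": {"principalEmail": "carol@example.com"}}}',
    '{"protoPayload": {"methodName": "storage.buckets.update", "resourceName": "projects/_/buckets/finance-archive", "authenticationInfo": {"principalEmail": "carol@example.com"}}}',
    '{"protoPayload": {"methodName": "storage.objects.get", "resourceName": "projects/_/buckets/finance-archive/objects/q1.csv", "authenticationInfo": {"principalEmail": "carol@example.com"}}}',
]

def classify(entry):
    """Map one parsed audit log entry to (detection_name, detail), or None if no rule fires."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    resource = payload.get("resourceName", "")
    if method.endswith("DestroyCryptoKeyVersion"):
        return ("crypto_key_destroyed", resource)
    if method.endswith("UpdateCryptoKeyVersion"):
        # Only a state set to DISABLED or ENABLED is alerted, as the page describes.
        state = payload.get("request", {}).get("cryptoKeyVersion", {}).get("state")
        return ("crypto_key_state_changed", state) if state in ("DISABLED", "ENABLED") else None
    if "ListQueues" in method:
        return ("queue_enumeration", principal)
    if method == "storage.buckets.list":
        # Keep only service accounts; human principals are filtered out.
        return ("bucket_enumeration", principal) if principal.endswith(SERVICE_ACCOUNT_SUFFIX) else None
    if method == "storage.buckets.update":
        # resourceName is projects/_/buckets/<name>; the bucket name goes into the alert.
        return ("bucket_updated", resource.rsplit("/", 1)[-1])
    return None

def run_detections(lines):
    """Parse raw JSON log lines and return the detections that fired, skipping malformed lines."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(entry)
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for name, detail in run_detections(SAMPLE_LOG_LINES):
        print(f"{name}: {detail}")
```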