cloud.gcp
Introduction
The tags beginning with cloud.gcp identify events generated by Google Cloud Platform.
Valid tags and data tables
The full tag must have four levels. The first two are fixed as cloud.gcp and represent technology and brand. The third level corresponds to the service while the fourth identifies the type of events sent.
Technology | Brand | Service | Type |
---|---|---|---|
cloud | gcp | scc | event_threat |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
cloud.gcp.scc.event_threat | cloud.gcp.scc.event_threat |
Log samples
The following are sample logs sent to each of the cloud.gcp data tables. Under each sample log you will also find how its information is parsed into your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
cloud.gcp.scc.event_threat
2021-09-23 09:57:16.402 localhost=127.0.0.1=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}], "detectionCategory": {"technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"}}, "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"dataExfiltrationAttempt": {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]}}}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}
2021-09-23 13:43:04.428 localhost=127.0.0.1=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}], "detectionCategory": {"technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"}}, "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"dataExfiltrationAttempt": {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]}}}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}
2021-09-27 16:30:50.254 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Brute Force: SSH", "sourceProperties": {"evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "65"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"projectId": "PROJECT_ID", "zone": "us-west1-a", "instanceId": "INSTANCE_ID", "attempts": [{"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "SUCCESS"}, {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL"}, {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL"}]}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/003/"}}, "detectionCategory": {"technique": "brute_force", "indicator": "flow_log", "ruleName": "ssh_brute_force"}, "affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}]}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}
2021-09-27 16:30:50.290 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Discovery: Service Account Self-Investigation", "sourceProperties": {"sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "detectionCategory": {"technique": "discovery", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "service_account_gets_own_iam_policy"}, "detectionPriority": "LOW", "affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}], "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": {"seconds": "1619200104", "nanos": 908000000.0}, "insertId": "INSERT_ID"}}], "properties": {"serviceAccountGetsOwnIamPolicy": {"principalEmail": "USER_EMAIL@PROJECT_db-83.knight-olson.org", "projectId": "PROJECT_ID", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "rawUserAgent": "RAW_USER_AGENT"}}, "contextUris": {"mitreUri": {"displayName": "Permission Groups Discovery: Cloud Groups", "url": "https://attack.mitre.org/techniques/T1069/003/"}, "cloudLoggingQueryUri": [{"displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK"}]}}, "securityMarks": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"}, "eventTime": "2021-04-23T17:48:24.908Z", "createTime": "2021-04-23T17:48:26.922Z", "propertyDataTypes": {"sourceId": {"structValue": {"fields": {"projectNumber": {"primitiveDataType": "STRING"}, "customerOrganizationNumber": {"primitiveDataType": "STRING"}}}}, "evidence": {"listValues": {"propertyDataTypes": [{"structValue": {"fields": {"sourceLogId": {"structValue": {"fields": {"projectId": {"primitiveDataType": "STRING"}, "resourceContainer": {"primitiveDataType": "STRING"}, "timestamp": {"dataType": "TIMESTAMP", "structValue": {"fields": {"seconds": {"primitiveDataType": "STRING"}, "nanos": {"primitiveDataType": "NUMBER"}}}}, "insertId": {"primitiveDataType": "STRING"}}}}}}}]}}, "detectionPriority": {"primitiveDataType": "STRING"}, "contextUris": {"structValue": {"fields": {"mitreUri": {"dataType": "HYPERLINK", "structValue": {"fields": {"display_name": {"primitiveDataType": "STRING"}, "url": {"primitiveDataType": "STRING"}}}}, "cloudLoggingQueryUri": {"listValues": {"propertyDataTypes": [{"dataType": "HYPERLINK", "structValue": {"fields": {"display_name": {"primitiveDataType": "STRING"}, "url": {"primitiveDataType": "STRING"}}}}]}}}}}, "detectionCategory": {"structValue": {"fields": {"technique": {"primitiveDataType": "STRING"}, "indicator": {"primitiveDataType": "STRING"}, "ruleName": {"primitiveDataType": "STRING"}, "subRuleName": {"primitiveDataType": "STRING"}}}}, "affectedResources": {"listValues": {"propertyDataTypes": [{"structValue": {"fields": {"gcpResourceName": {"primitiveDataType": "STRING"}}}}]}}, "properties": {"structValue": {"fields": {"serviceAccountGetsOwnIamPolicy": {"structValue": {"fields": {"principalEmail": {"primitiveDataType": "STRING"}, "projectId": {"primitiveDataType": "STRING"}, "callerIp": {"primitiveDataType": "STRING"}, "callerUserAgent": {"primitiveDataType": "STRING"}, "rawUserAgent": {"primitiveDataType": "STRING"}}}}}}}}, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"}, "resource": {"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "ORGANIZATION_NAME", "type": "google.cloud.resourcemanager.Project"}}
2021-09-27 16:30:50.309 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}], "detectionCategory": {"technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"}}, "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"dataExfiltrationAttempt": {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]}}}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}
And this is how the log would be parsed:
Field | Value | Data type | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
finding_name | | | |
finding_parent | | | |
finding_resourceName | | | |
finding_state | | | |
finding_category | | | |
finding_sourceProperties_evidence | | | |
finding_sourceProperties_properties_projectId | | | |
finding_sourceProperties_properties_zone | | | |
finding_sourceProperties_properties_instanceId | | | |
finding_sourceProperties_properties_attempts | | | |
finding_sourceProperties_properties_serviceAccountGetsOwnIamPolicy | | | |
finding_sourceProperties_properties_dataExfiltrationAttempt | | | |
finding_sourceProperties_properties_instanceDetails | | | |
finding_sourceProperties_properties_domains | | | |
finding_sourceProperties_properties_network | | | |
finding_sourceProperties_properties_dnsContexts | | | |
finding_sourceProperties_properties_ips | | | |
finding_sourceProperties_properties_ipConnection | | | |
finding_sourceProperties_properties_sourceInstanceDetails | | | |
finding_sourceProperties_properties_sensitiveRoleGrant | | | |
finding_sourceProperties_properties_anomalousLocation | | | |
finding_sourceProperties_properties_anomalousSoftware | | | |
finding_sourceProperties_properties_serviceName | | | |
finding_sourceProperties_properties_methodName | | | |
finding_sourceProperties_properties_ssoState | | | |
finding_sourceProperties_properties_principalEmail | | | |
finding_sourceProperties_properties_domainName | | | |
finding_sourceProperties_detectionPriority | | | |
finding_sourceProperties_sourceId_projectNumber | | | |
finding_sourceProperties_sourceId_customerOrganizationNumber | | | |
finding_sourceProperties_sourceId_organizationNumber | | | |
finding_sourceProperties_contextUris_mitreUri | | | |
finding_sourceProperties_contextUris_cloudLoggingQueryUri | | | |
finding_sourceProperties_contextUris_virustotalIndicatorQueryUri | | | |
finding_sourceProperties_contextUris_relatedFindingUri | | | |
finding_sourceProperties_contextUris_workspacesUri | | | |
finding_sourceProperties_detectionCategory_technique | | | |
finding_sourceProperties_detectionCategory_indicator | | | |
finding_sourceProperties_detectionCategory_ruleName | | | |
finding_sourceProperties_detectionCategory_subRuleName | | | |
finding_sourceProperties_affectedResources | | | |
finding_sourceProperties_findingId | | | |
finding_severity | | | |
finding_eventTime | | | |
finding_createTime | | | |
finding_securityMarks_name | | | |
finding_propertyDataTypes_sourceId_structValue | | | |
finding_propertyDataTypes_evidence_listValues | | | |
finding_propertyDataTypes_detectionPriority_primitiveDataType | | | |
finding_propertyDataTypes_contextUris_structValue | | | |
finding_propertyDataTypes_detectionCategory_structValue | | | |
finding_propertyDataTypes_affectedResources_listValues | | | |
finding_propertyDataTypes_properties_structValue | | | |
finding_propertyDataTypes_findingId_primitiveDataType | | | |
finding_workflowState | | | |
finding_canonicalName | | | |
finding_findingClass | | | |
finding_indicator | | | |
resource_name | | | |
resource_projectName | | | |
resource_projectDisplayName | | | |
resource_parentName | | | |
resource_parentDisplayName | | | |
resource_type | | | |
resource_folders | | | |
hostchain | | | ✓ |
tag | | | |
rawMessage | | | ✓ |
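As an added illustration (not the platform's own parser and not code from this page), the following Python splits one cloud.gcp.scc.event_threat line into the column names listed in the table above: the prefix gives eventdate, hostchain and tag, and the JSON body is walked until a path matches a known column, so list and object columns such as attempts or mitreUri are kept whole. The column subset, the mapping of the older resource_name spelling to the resourceName column, the triage helper and the abridged sample line are assumptions constructed for this example.

```python
import json
import re
# Columns from the table above (a subset); a node whose underscore-joined path matches a column is
# stored whole, so "attempts" (list) and "mitreUri" (object) stay intact while "sourceId" is split.
KNOWN_COLUMNS = {
    "finding_name", "finding_state", "finding_category", "finding_severity", "finding_resourceName",
    "finding_sourceProperties_evidence", "finding_sourceProperties_detectionPriority", "finding_sourceProperties_affectedResources",
    "finding_sourceProperties_properties_zone", "finding_sourceProperties_properties_instanceId", "finding_sourceProperties_properties_attempts",
    "finding_sourceProperties_properties_dataExfiltrationAttempt", "finding_sourceProperties_sourceId_projectNumber",
    "finding_sourceProperties_contextUris_mitreUri", "finding_sourceProperties_detectionCategory_technique",
    "finding_sourceProperties_detectionCategory_indicator", "finding_sourceProperties_detectionCategory_ruleName", "resource_name", "resource_type",
}
PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\S+) (cloud\.gcp\.\S+): (.*)$")  # "<date> <time> <hostchain> <tag>: <json>"

def _collect(node, path, row):
    name = "_".join(path)
    if name in KNOWN_COLUMNS:  # stop at the column's depth and keep the subtree whole
        row[name] = node
    elif isinstance(node, dict):
        for key, value in node.items():
            # Assumption: older samples spell it resource_name; map it to the table's camelCase column
            _collect(value, path + ["resourceName" if key == "resource_name" else key], row)

def parse_event_threat(line):
    """Split one cloud.gcp.scc.event_threat line into the columns of its data table."""
    m = PREFIX.match(line.strip())
    if not m:
        raise ValueError("not a cloud.gcp line")
    eventdate, hostchain, tag, raw = m.groups()
    row = {"eventdate": eventdate, "hostchain": hostchain, "tag": tag, "rawMessage": raw}
    _collect(json.loads(raw), [], row)
    return row

def ssh_brute_force_succeeded(row):
    """Triage: True when an ssh_brute_force finding lists an attempt that authenticated (the case to escalate)."""
    return (row.get("finding_sourceProperties_detectionCategory_ruleName") == "ssh_brute_force"
            and any(a.get("authResult") == "SUCCESS" for a in row.get("finding_sourceProperties_properties_attempts", [])))

# Constructed sample line, abridged from the page's "Brute Force: SSH" log above.
SAMPLE_LINE = ("2021-09-27 16:30:50.254 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 "
               "cloud.gcp.scc.event_threat: " + json.dumps({"finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "state": "ACTIVE",
    "category": "Brute Force: SSH", "severity": "HIGH", "sourceProperties": {
        "properties": {"zone": "us-west1-a", "instanceId": "INSTANCE_ID", "attempts": [
            {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "authResult": "SUCCESS"},
            {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "authResult": "FAIL"}]},
        "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER"},
        "detectionCategory": {"technique": "brute_force", "indicator": "flow_log", "ruleName": "ssh_brute_force"},
        "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/003/"}}}},
    "resource": {"type": "google.cloud.resourcemanager.Project"}}))
```

Columns that are absent from a given finding (for example dataExfiltrationAttempt on an SSH finding) are simply not set, which mirrors how the table leaves them empty.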