
cloud.gcp

Introduction

The tags beginning with cloud.gcp identify events generated by Google Cloud Platform.

Valid tags and data tables

The full tag must have four levels. The first two are fixed as cloud.gcp and represent technology and brand. The third level corresponds to the service while the fourth identifies the type of events sent.

Technology | Brand | Service | Type
---------- | ----- | ------- | ----
cloud | gcp | scc | event_threat

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag | Data table
--- | ----------
cloud.gcp.scc.event_threat | cloud.gcp.scc.event_threat

Log samples

The following are sample logs sent to each of the cloud.gcp data tables. Under each sample log you can also see how the information is parsed into your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cloud.gcp.scc.event_threat

2021-09-23 09:57:16.402 localhost=127.0.0.1=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}], "detectionCategory": {"technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"}}, "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"dataExfiltrationAttempt": {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]}}}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}
2021-09-23 13:43:04.428 localhost=127.0.0.1=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}], "detectionCategory": {"technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"}}, "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"dataExfiltrationAttempt": {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]}}}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}
2021-09-27 16:30:50.254 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Brute Force: SSH", "sourceProperties": {"evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "65"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"projectId": "PROJECT_ID", "zone": "us-west1-a", "instanceId": "INSTANCE_ID", "attempts": [{"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "SUCCESS"}, {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL"}, {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL"}]}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/003/"}}, "detectionCategory": {"technique": "brute_force", "indicator": "flow_log", "ruleName": "ssh_brute_force"}, "affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}]}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}
2021-09-27 16:30:50.290 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Discovery: Service Account Self-Investigation", "sourceProperties": {"sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "detectionCategory": {"technique": "discovery", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "service_account_gets_own_iam_policy"}, "detectionPriority": "LOW", "affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}], "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": {"seconds": "1619200104", "nanos": 908000000.0}, "insertId": "INSERT_ID"}}], "properties": {"serviceAccountGetsOwnIamPolicy": {"principalEmail": "USER_EMAIL@PROJECT_db-83.knight-olson.org", "projectId": "PROJECT_ID", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "rawUserAgent": "RAW_USER_AGENT"}}, "contextUris": {"mitreUri": {"displayName": "Permission Groups Discovery: Cloud Groups", "url": "https://attack.mitre.org/techniques/T1069/003/"}, "cloudLoggingQueryUri": [{"displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK"}]}}, "securityMarks": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"}, "eventTime": "2021-04-23T17:48:24.908Z", "createTime": "2021-04-23T17:48:26.922Z", "propertyDataTypes": {"sourceId": {"structValue": {"fields": {"projectNumber": {"primitiveDataType": "STRING"}, "customerOrganizationNumber": {"primitiveDataType": "STRING"}}}}, "evidence": {"listValues": {"propertyDataTypes": [{"structValue": {"fields": {"sourceLogId": {"structValue": {"fields": {"projectId": {"primitiveDataType": "STRING"}, "resourceContainer": {"primitiveDataType": "STRING"}, "timestamp": {"dataType": "TIMESTAMP", "structValue": {"fields": {"seconds": {"primitiveDataType": "STRING"}, "nanos": {"primitiveDataType": "NUMBER"}}}}, "insertId": {"primitiveDataType": "STRING"}}}}}}}]}}, "detectionPriority": {"primitiveDataType": "STRING"}, "contextUris": {"structValue": {"fields": {"mitreUri": {"dataType": "HYPERLINK", "structValue": {"fields": {"display_name": {"primitiveDataType": "STRING"}, "url": {"primitiveDataType": "STRING"}}}}, "cloudLoggingQueryUri": {"listValues": {"propertyDataTypes": [{"dataType": "HYPERLINK", "structValue": {"fields": {"display_name": {"primitiveDataType": "STRING"}, "url": {"primitiveDataType": "STRING"}}}}]}}}}}, "detectionCategory": {"structValue": {"fields": {"technique": {"primitiveDataType": "STRING"}, "indicator": {"primitiveDataType": "STRING"}, "ruleName": {"primitiveDataType": "STRING"}, "subRuleName": {"primitiveDataType": "STRING"}}}}, "affectedResources": {"listValues": {"propertyDataTypes": [{"structValue": {"fields": {"gcpResourceName": {"primitiveDataType": "STRING"}}}}]}}, "properties": {"structValue": {"fields": {"serviceAccountGetsOwnIamPolicy": {"structValue": {"fields": {"principalEmail": {"primitiveDataType": "STRING"}, "projectId": {"primitiveDataType": "STRING"}, "callerIp": {"primitiveDataType": "STRING"}, "callerUserAgent": {"primitiveDataType": "STRING"}, "rawUserAgent": {"primitiveDataType": "STRING"}}}}}}}}, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"}, "resource": {"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "ORGANIZATION_NAME", "type": "google.cloud.resourcemanager.Project"}}
2021-09-27 16:30:50.309 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}], "detectionCategory": {"technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"}}, "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"dataExfiltrationAttempt": {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]}}}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}}

And this is how the first sample log would be parsed:

Field | Value | Data type | Extra fields
----- | ----- | --------- | ------------
eventdate | 2021-09-23 09:57:16.402 | timestamp |
hostname | localhost | str |
finding_name | organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID | str |
finding_parent | organizations/ORGANIZATION_ID/sources/SOURCE_ID | str |
finding_resourceName | null | str |
finding_state | ACTIVE | str |
finding_category | Exfiltration: BigQuery Data Exfiltration | str |
finding_sourceProperties_evidence | [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}] | str |
finding_sourceProperties_properties_projectId | null | str |
finding_sourceProperties_properties_zone | null | str |
finding_sourceProperties_properties_instanceId | null | str |
finding_sourceProperties_properties_attempts | null | str |
finding_sourceProperties_properties_serviceAccountGetsOwnIamPolicy | null | str |
finding_sourceProperties_properties_dataExfiltrationAttempt | {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]} | str |
finding_sourceProperties_properties_instanceDetails | null | str |
finding_sourceProperties_properties_domains | null | str |
finding_sourceProperties_properties_network | null | str |
finding_sourceProperties_properties_dnsContexts | null | str |
finding_sourceProperties_properties_ips | null | str |
finding_sourceProperties_properties_ipConnection | null | str |
finding_sourceProperties_properties_sourceInstanceDetails | null | str |
finding_sourceProperties_properties_sensitiveRoleGrant | null | str |
finding_sourceProperties_properties_anomalousLocation | null | str |
finding_sourceProperties_properties_anomalousSoftware | null | str |
finding_sourceProperties_properties_serviceName | null | str |
finding_sourceProperties_properties_methodName | null | str |
finding_sourceProperties_properties_ssoState | null | str |
finding_sourceProperties_properties_principalEmail | null | str |
finding_sourceProperties_properties_domainName | null | str |
finding_sourceProperties_detectionPriority | HIGH | str |
finding_sourceProperties_sourceId_projectNumber | PROJECT_NUMBER | str |
finding_sourceProperties_sourceId_customerOrganizationNumber | ORGANIZATION_ID | str |
finding_sourceProperties_sourceId_organizationNumber | null | str |
finding_sourceProperties_contextUris_mitreUri | {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"} | str |
finding_sourceProperties_contextUris_cloudLoggingQueryUri | null | str |
finding_sourceProperties_contextUris_virustotalIndicatorQueryUri | null | str |
finding_sourceProperties_contextUris_relatedFindingUri | null | str |
finding_sourceProperties_contextUris_workspacesUri | null | str |
finding_sourceProperties_detectionCategory_technique | org_exfiltration | str |
finding_sourceProperties_detectionCategory_indicator | audit_log | str |
finding_sourceProperties_detectionCategory_ruleName | big_query_exfil | str |
finding_sourceProperties_detectionCategory_subRuleName | exfil_to_external_table | str |
finding_sourceProperties_affectedResources | [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}] | str |
finding_sourceProperties_findingId | null | str |
finding_severity | HIGH | str |
finding_eventTime | 1970-01-01T00:00:00Z | str |
finding_createTime | 1970-01-01T00:00:00Z | str |
finding_securityMarks_name | null | str |
finding_propertyDataTypes_sourceId_structValue | null | str |
finding_propertyDataTypes_evidence_listValues | null | str |
finding_propertyDataTypes_detectionPriority_primitiveDataType | null | str |
finding_propertyDataTypes_contextUris_structValue | null | str |
finding_propertyDataTypes_detectionCategory_structValue | null | str |
finding_propertyDataTypes_affectedResources_listValues | null | str |
finding_propertyDataTypes_properties_structValue | null | str |
finding_propertyDataTypes_findingId_primitiveDataType | null | str |
finding_workflowState | null | str |
finding_canonicalName | null | str |
finding_findingClass | null | str |
finding_indicator | null | str |
resource_name | null | str |
resource_projectName | null | str |
resource_projectDisplayName | null | str |
resource_parentName | null | str |
resource_parentDisplayName | null | str |
resource_type | null | str |
resource_folders | null | str |
hostchain | localhost=127.0.0.1=95.18.57.137 | str | ✓
tag | cloud.gcp.scc.event_threat | str | ✓
rawMessage | {"finding": {"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}, {"gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"}], "detectionCategory": {"technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"}, "detectionPriority": "HIGH", "sourceId": {"projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID"}, "contextUris": {"mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/"}}, "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "timestamp": {"nanos": 0.0, "seconds": "0"}, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID"}}], "properties": {"dataExfiltrationAttempt": {"jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults", "jobState": "SUCCEEDED", "query": "SQL_QUERY", "userEmail": "PROJECT_ID@PROJECT_srv-17.morgan.net", "job": {"projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US"}, "sourceTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "SOURCE_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}], "destinationTables": [{"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID"}]}}}, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z"}} | str | ✓
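Added example, not part of this documentation or its parser: a small Python reader that splits a cloud.gcp.scc.event_threat line into the header parts (eventdate, hostname, hostchain, tag, rawMessage) and a subset of the finding_* columns above, then tallies SSH authentication results for a Brute Force: SSH finding so an analyst can spot a SUCCESS among the FAILs. The column-to-JSON-path mapping is an assumption read off the table (it reproduces the null finding_resourceName seen when a finding carries resource_name rather than resourceName, as in the first sample), and the two sample lines are constructed, abbreviated versions of the page's samples.

```python
import json
import re
from datetime import datetime

# Subset of this page's column table mapped to the JSON path read for it (assumed from the table).
# Objects and arrays are kept as JSON text, which is why those columns are typed str.
COLUMNS = {
    "finding_resourceName": ("finding", "resourceName"),
    "finding_category": ("finding", "category"),
    "finding_sourceProperties_properties_attempts": ("finding", "sourceProperties", "properties", "attempts"),
    "finding_sourceProperties_properties_dataExfiltrationAttempt": ("finding", "sourceProperties", "properties", "dataExfiltrationAttempt"),
    "finding_sourceProperties_detectionCategory_technique": ("finding", "sourceProperties", "detectionCategory", "technique"),
    "finding_sourceProperties_detectionCategory_ruleName": ("finding", "sourceProperties", "detectionCategory", "ruleName"),
    "finding_severity": ("finding", "severity"),
}
# Line layout from the samples above: "<date> <time> <hostchain> <tag>: <json>".
HEADER_RE = re.compile(r"^(\S+ \S+) (\S+) (cloud\.gcp\.scc\.event_threat): (\{.*\})$")

def lookup(obj, path):
    """Walk a key path; any missing step yields None (rendered as null in the table)."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def parse_line(line):
    """Split one cloud.gcp.scc.event_threat line into the documented columns."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a cloud.gcp.scc.event_threat line")
    eventdate, hostchain, tag, raw = m.groups()
    finding = json.loads(raw)
    row = {"eventdate": datetime.strptime(eventdate, "%Y-%m-%d %H:%M:%S.%f"),
           "hostname": hostchain.split("=")[0],  # first hop of the hostchain
           "hostchain": hostchain, "tag": tag, "rawMessage": raw}  # the three Extra columns
    for column, path in COLUMNS.items():
        value = lookup(finding, path)
        row[column] = json.dumps(value) if isinstance(value, (dict, list)) else value
    return row

def ssh_auth_summary(row):
    """For Brute Force: SSH findings, count FAIL/SUCCESS attempts per source IP for triage."""
    summary = {}
    for a in json.loads(row["finding_sourceProperties_properties_attempts"] or "[]"):
        per_ip = summary.setdefault(a["sourceIp"], {"FAIL": 0, "SUCCESS": 0})
        per_ip[a["authResult"]] = per_ip.get(a["authResult"], 0) + 1
    return summary

# Constructed, abbreviated versions of two findings shown on this page. The first keeps the
# key "resource_name", so finding_resourceName parses as null, exactly as the table shows.
EXFIL_LINE = ('2021-09-23 09:57:16.402 localhost=127.0.0.1=95.18.57.137 cloud.gcp.scc.event_threat: {"finding": '
              '{"resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "category": '
              '"Exfiltration: BigQuery Data Exfiltration", "sourceProperties": {"detectionCategory": {"technique": "org_exfiltration", '
              '"ruleName": "big_query_exfil"}, "properties": {"dataExfiltrationAttempt": {"jobState": "SUCCEEDED"}}}, "severity": "HIGH"}}')
SSH_LINE = ('2021-09-27 16:30:50.254 ip-192-168-1-148.eu-west-1.compute.internal=95.18.57.137 cloud.gcp.scc.event_threat: '
            '{"finding": {"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "category": "Brute Force: SSH", '
            '"sourceProperties": {"properties": {"attempts": [{"sourceIp": "SOURCE_IP_ADDRESS", "authResult": "SUCCESS"}, '
            '{"sourceIp": "SOURCE_IP_ADDRESS", "authResult": "FAIL"}, {"sourceIp": "SOURCE_IP_ADDRESS", "authResult": "FAIL"}]}, '
            '"detectionCategory": {"technique": "brute_force", "ruleName": "ssh_brute_force"}}, "severity": "HIGH"}}')
```

Running parse_line over each line and ssh_auth_summary over the second shows one source IP with two failed and one successful attempt, the case worth escalating.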