
Platform alert pack: GCP

Purpose

GCP is one of the largest cloud providers in the world and lets your organization build, run and manage applications across multiple environments. This alert pack bundles Devo's Security Operations out-of-the-box detections so that you can quickly obtain alert coverage for your GCP environment.

Our Google Cloud Platform Log-Based Threat Detection Suite is a comprehensive set of alerts designed to proactively detect and mitigate a wide range of cybersecurity threats by analyzing Google Cloud Platform (GCP) logs. As organizations increasingly move their infrastructure to the cloud, robust monitoring and detection become essential to safeguard the sensitive data and critical applications hosted on GCP.

Included alerts

  • SecOpsGCPGCPloitExploitationFrameworkActivity
  • SecOpsGCPIAMServiceAccountCreated
  • SecOpsGCPAuditListQueues
  • SecOpsGCPGCSBucketEnumerated
  • SecOpsGCPGCSBucketModified
  • SecOpsGCPGoogleDriveSharedPublicly
  • SecOpsGCPKMSKeyEnabledOrDisabled
  • SecOpsGCPKMSKeyDestroy
  • SecOpsGCPSecretsManagerHighActivity
  • SecOpsGCPPortScan
  • SecOpsGCPPortSweep
  • SecOpsLog4ShellVulnerabilityCloudGCP
  • SecOpsGCPPossibleReconnaissanceActivity
  • SecOpsGCPAuditUnauthorizedAPICalls
  • SecOpsGCPKubernetesSensitiveObjectAccess
  • SecOpsGCPSQLDatabaseModification
  • SecOpsGCPLoggingSinkModification
  • SecOpsGCPNewPublicStorageBucket
  • SecOpsGCPKubernetesClusterPodScanDetection
  • SecOpsGCPGCEFirewallRuleCreation
  • SecOpsGCPGCEFirewallRuleDeletion
  • SecOpsGCPGCEFirewallRuleModification
  • SecOpsGCPIAMCustomRoleCreation
  • SecOpsGCPIAMCustomRoleDeletion
  • SecOpsGCPIAMServiceAccountKeyDeletion
  • SecOpsGCPLoggingBucketDeletion
  • SecOpsGCPPubSubSubscriptionCreation
  • SecOpsGCPPubSubSubscriptionDeletion
  • SecOpsGCPPubSubTopicCreation
  • SecOpsGCPPubSubTopicDeletion
  • SecOpsGCPIAMServiceAccountDisabled
  • SecOpsGCPIAMServiceAccountKeyCreation
  • SecOpsGCPIAMServiceAccountDeletion
  • SecOpsGCPPrivateCloudNetworkDeletion
  • SecOpsGCPPrivateCloudRouteCreation
  • SecOpsGCPStorageBucketDeletion
  • SecOpsGCPStorageBucketPermissionsModification
  • SecOpsGCPPrivateCloudRouteDeletion
  • SecOpsGCPDetectAccountsWithHighRiskRolesByProject

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

  • cloud.gcp.*

Open alert pack

Once you have installed the desired alerts individually, use the Open button at the top right of the card in Exchange to access the Alert configuration area, where you can apply filters to find the installed alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).


Use alert pack

The installed alerts are deactivated by default. Go to the Alert configuration area to activate the ones you need and assign sending policies so that you receive them through the desired channels.