- Created by Juan Tomás Alonso Nieto , last modified by Former user on Jun 13, 2022
Overview
Google Cloud Platform (GCP) is one of the largest cloud providers, and organizations running on it need cloud security monitoring to protect themselves. The Devo Threat Research Team's content includes many GCP detections so that your organization can monitor its GCP infrastructure, look for areas of risk, and respond to threats as they emerge.
Destroying a crypto key version is an unusual event that should be checked and considered in context with other suspicious events occurring in the same GCP project.
This alert filters Google Cloud Audit Logs with DestroyCryptoKeyVersion as methodName.
Source table → cloud.gcp
Updating the state of a crypto key version is an unusual event that should be checked and considered in context with other suspicious events occurring in the same GCP project.
This alert filters Google Cloud Audit Logs with UpdateCryptoKeyVersion as methodName. It extracts the state being set on the key version and checks whether it is DISABLED or ENABLED.
Source table → cloud.gcp
Listing queues is one of the first steps an attacker takes to enumerate a Google Cloud Platform project.
This detection filters Google Cloud Audit Log events whose methodName contains the string ListQueues.
Source table → cloud.gcp
An attacker could be enumerating GCS buckets to gain more information about the Google Cloud project.
This alert filters Google Cloud Audit Logs for entries with storage.buckets.list as methodName. It also filters on the principal account so that only actions performed by service accounts are kept.
Source table → cloud.gcp
An attacker could be modifying permissions, or accessibility, over a bucket.
This alert filters Google Cloud Audit Logs in order to find those which have storage.buckets.update as methodName. It also extracts the name of the bucket being updated to include this value in the alert template.
Source table → cloud.gcp
An attacker could be modifying permissions, or accessibility, over a bucket to make it public, or creating a public one.
This alert filters Google Cloud Audit Logs for entries with storage.buckets.create or storage.setIamPermissions as methodName. It also extracts the name of the bucket being created or updated to include this value in the alert template. It then takes the first five member/action pairs from the bindingDeltas array and checks whether any pair has member equal to allUsers and action equal to ADD. Deltas after the fifth are not inspected, so a public grant that appears later in a large policy change is not caught by this rule.
Source table → cloud.gcp
An attacker could be creating a service account to gain persistence in the project.
This alert filters Google Cloud Audit Logs for entries with google.iam.admin.v1.CreateServiceAccount as methodName and a resource type of service account. It also extracts the description attached to the service account creation and the email of the new account.
Source table → cloud.gcp
An attacker could be performing reconnaissance against a network (a port scan of a single host).
This alert filters events from cloud.gcp.compute.firewall, keeping those whose source IP is public and whose destination IP is private. It then groups by project, location, source IP and destination IP, and counts the number of distinct destination ports. The alert is triggered when this number is greater than five.
Source table → cloud.gcp
An attacker could be performing reconnaissance against a network (a sweep of many hosts on a single port).
This alert filters events from cloud.gcp.compute.firewall, keeping those whose source IP is public and whose destination IP is private. It then groups by project, location, source IP and destination port, and counts the number of distinct destination IPs. The alert is triggered when this number is greater than five.
Source table → cloud.gcp
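The two firewall-log rules above (distinct ports per destination host, and distinct hosts per destination port) are shown below in Python over constructed records, as an added example rather than Devo's own query. The field names project, location, src_ip, dst_ip and dst_port are this example's assumptions, not the cloud.gcp.compute.firewall schema. "Private" is taken to mean RFC 1918, which is what a VPC's internal ranges are, and anything outside those ranges is treated as public; the check is written out explicitly because Python's ipaddress.is_private would also class the RFC 5737 documentation addresses used in the sample as private.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 5  # both rules fire when the distinct count exceeds this

# "Private" here means RFC 1918, i.e. a VPC's internal ranges; anything else is treated as public.
# This is an assumption of the example: it is more permissive than ipaddress.is_private,
# which would also class the RFC 5737 documentation addresses used below as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def _external_to_internal(events):
    """Keep only flows from a public source to a private destination, as both rules require."""
    for e in events:
        if not is_private(e["src_ip"]) and is_private(e["dst_ip"]):
            yield e


def port_scan_hits(events, threshold=THRESHOLD):
    """First rule: group by (project, location, src_ip, dst_ip); alert when distinct dst_port > threshold."""
    ports = defaultdict(set)
    for e in _external_to_internal(events):
        ports[(e["project"], e["location"], e["src_ip"], e["dst_ip"])].add(e["dst_port"])
    return {key: len(seen) for key, seen in ports.items() if len(seen) > threshold}


def host_sweep_hits(events, threshold=THRESHOLD):
    """Second rule: group by (project, location, src_ip, dst_port); alert when distinct dst_ip > threshold."""
    hosts = defaultdict(set)
    for e in _external_to_internal(events):
        hosts[(e["project"], e["location"], e["src_ip"], e["dst_port"])].add(e["dst_ip"])
    return {key: len(seen) for key, seen in hosts.items() if len(seen) > threshold}


def _flow(src, dst, port, project="demo-project", location="us-central1"):
    """Constructed firewall-log record; field names are this example's, not the cloud.gcp.compute.firewall schema."""
    return {"project": project, "location": location, "src_ip": src, "dst_ip": dst, "dst_port": port}


SAMPLE_EVENTS = (
    # one external host probing six ports on a single VM: port scan
    [_flow("203.0.113.10", "10.128.0.5", p) for p in (22, 80, 443, 3389, 8080, 8443)]
    # another external host trying SSH on six different VMs: host sweep
    + [_flow("198.51.100.7", f"10.128.0.{i}", 22) for i in range(1, 7)]
    # ordinary repeated HTTPS traffic to one VM: neither rule fires
    + [_flow("203.0.113.20", "10.128.0.9", 443) for _ in range(3)]
    # internal VM-to-VM traffic on ten ports: ignored because the source is private
    + [_flow("10.128.0.2", "10.128.0.3", 1000 + p) for p in range(10)]
)

if __name__ == "__main__":
    print("port scans :", port_scan_hits(SAMPLE_EVENTS))
    print("host sweeps:", host_sweep_hits(SAMPLE_EVENTS))
```

Because both rules count distinct values rather than raw events, the three repeated HTTPS connections never approach the threshold, while six single connections to six ports (or six hosts) do; the internal traffic on ten ports is dropped by the public-source filter before counting.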
An attacker could be attempting to access, or modify, the Secret Manager service.
This alert filters Google Cloud Audit Logs for entries whose protoPayload_methodName contains the string SecretManagerService, which selects the events generated by the Secret Manager service. It then counts these events and triggers when the count is greater than 10.
Source table → cloud.gcp
An attacker could be trying to enumerate the environment.
This alert identifies GCP API requests using GET and LIST methods that, when observed in combination, could indicate that an actor is trying to enumerate the environment. These events are also generated during normal operations, so this alert should be used as context around other security incidents rather than on its own.
Source table → cloud.gcp
An attacker could be performing reconnaissance on a GCP project, trying to enumerate permissions.
This alert filters events from the cloud.gcp table, checking whether protoPayload_status_code is equal to 7. This is the gRPC status code PERMISSION_DENIED, returned when the caller lacks permission for the API call. It then lowercases the principal email and groups by resource_labels_project_id and lowerPrincipalEmail. The alert is triggered when the number of events in a group is greater than 10.
Source table → cloud.gcp
An attacker could be collecting data by making the contents of a GCS storage bucket public.
This alert detects when a user makes the entire content of a storage bucket public.
Source table → cloud.gcp
An adversary may attempt to enumerate the cloud services running on a GCP Kubernetes cluster's pods.
This alert is triggered when more than 10 unauthorized requests against a GCP Kubernetes cluster's pods are detected from the same IP address in less than five minutes.
Source table → cloud.gcp
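The permission-enumeration rule (status code 7 counted per project and lower-cased principal) and the pod-enumeration rule (more than 10 denied requests from one IP in under five minutes) share the same shape, a threshold over a grouped count, differing in the key and in whether a time window applies. The Python below is an added example, not Devo's alert logic, run over constructed audit-log records. It uses the flattened field names the page quotes (protoPayload_status_code, resource_labels_project_id) plus protoPayload_authenticationInfo_principalEmail, protoPayload_requestMetadata_callerIp and timestamp, which are assumed names; the filter restricting the second rule to Kubernetes pod resources is left out so the windowing logic stands on its own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PERMISSION_DENIED = 7  # gRPC status code carried in protoPayload.status.code
THRESHOLD = 10         # both rules fire when the count exceeds this
WINDOW = timedelta(minutes=5)


def denied_by_principal(events, threshold=THRESHOLD):
    """Permission-enumeration rule: count PERMISSION_DENIED events per (project, lower-cased principal)."""
    counts = defaultdict(int)
    for e in events:
        if e["protoPayload_status_code"] != PERMISSION_DENIED:
            continue
        key = (e["resource_labels_project_id"], e["protoPayload_authenticationInfo_principalEmail"].lower())
        counts[key] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def denied_bursts_by_ip(events, threshold=THRESHOLD, window=WINDOW):
    """Burst rule: more than `threshold` PERMISSION_DENIED events from one caller IP in less than `window`.

    Sliding window per IP: timestamps at least `window` older than the newest event are dropped,
    so slow, spread-out failures never accumulate. Returns {ip: time the threshold was first crossed}.
    """
    recent = defaultdict(deque)
    alerted = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["protoPayload_status_code"] != PERMISSION_DENIED:
            continue
        ip = e["protoPayload_requestMetadata_callerIp"]
        times = recent[ip]
        times.append(e["timestamp"])
        while e["timestamp"] - times[0] >= window:
            times.popleft()
        if len(times) > threshold and ip not in alerted:
            alerted[ip] = e["timestamp"]
    return alerted


BASE = datetime(2022, 6, 13, 12, 0, 0)


def _entry(principal, code, caller_ip, seconds, project="demo-project"):
    """Constructed audit-log record with flattened field names; callerIp and timestamp names are assumptions."""
    return {
        "resource_labels_project_id": project,
        "protoPayload_authenticationInfo_principalEmail": principal,
        "protoPayload_status_code": code,
        "protoPayload_requestMetadata_callerIp": caller_ip,
        "timestamp": BASE + timedelta(seconds=seconds),
    }


SAMPLE_EVENTS = (
    # the same identity spelled two ways: 6 + 6 denied calls within two minutes, which only
    # exceeds 10 once the principal is lower-cased; the caller IP also exceeds 10 inside 5 minutes
    [_entry("Alice@Example.com", 7, "203.0.113.10", 10 * i) for i in range(6)]
    + [_entry("alice@example.com", 7, "203.0.113.10", 60 + 10 * i) for i in range(6)]
    # 11 denied calls one every five minutes: the per-principal count fires,
    # but the 5-minute burst rule never holds more than one event in its window
    + [_entry("bob@example.com", 7, "198.51.100.7", 300 * i) for i in range(11)]
    # successful calls (status 0) are never counted by either rule
    + [_entry("bob@example.com", 0, "198.51.100.7", 1 + 300 * i) for i in range(11)]
)

if __name__ == "__main__":
    print(denied_by_principal(SAMPLE_EVENTS))
    print(denied_bursts_by_ip(SAMPLE_EVENTS))
```

Lower-casing the principal matters because GCP reports the e-mail as the caller supplied it, so one identity can appear under several spellings; without normalization each spelling would be counted on its own and stay under the threshold. The sliding window is what separates a burst from background noise: the same 11 denied calls fire the unwindowed rule but not the five-minute one.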
An attacker may have tried to bypass perimeter security by creating a firewall rule.
This alert detects any attempt to create a firewall rule in Google Cloud Compute Engine.
Source table → cloud.gcp
An attacker may have tried to bypass perimeter security by deleting a firewall rule.
This alert detects any attempt to delete a firewall rule in Google Cloud Compute Engine.
Source table → cloud.gcp
An attacker may have tried to bypass perimeter security by modifying a firewall rule.
This alert detects any attempt to modify a firewall rule in Google Cloud Compute Engine.
Source table → cloud.gcp
An attacker may have created a new role to gain persistence.
This alert is triggered when a new Google Cloud IAM custom role is created.
Source table → cloud.gcp
An adversary could delete an IAM custom role to disrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users.
This alert is triggered when a Google Cloud IAM custom role is deleted.
Source table → cloud.gcp
An adversary could delete an IAM service account key to manipulate the service account and maintain access to the systems.
This alert is triggered when a Google Cloud IAM Service Account Key is deleted.
Source table → cloud.gcp
An adversary could remove a Google Cloud Logging Bucket to impair event aggregation and analysis mechanisms.
This alert is triggered when a Google Cloud Logging Bucket is deleted.
Source table → cloud.gcp
An adversary could create a Google Cloud Pub/Sub Subscription to collect data.
This alert is triggered when a Google Cloud Pub/Sub Subscription is created.
Source table → cloud.gcp
An adversary could delete a Google Cloud Pub/Sub subscription to impair event aggregation and analysis mechanisms.
This alert is triggered when a Google Cloud Pub/Sub subscription is deleted.
Source table → cloud.gcp
An adversary could create a Google Cloud Pub/Sub topic to collect data.
This alert is triggered when a Google Cloud Pub/Sub topic is created.
Source table → cloud.gcp
An adversary could delete a Google Cloud Pub/Sub topic to impair event aggregation and analysis mechanisms.
This alert is triggered when a Google Cloud Pub/Sub topic is deleted.
Source table → cloud.gcp
An attacker could delete a Service Account to interrupt the availability of systems and network resources by inhibiting access to accounts utilized by legitimate users.
This alert is triggered when a Google Cloud IAM service account is deleted.
Source table → cloud.gcp
An adversary could disable an IAM service account to manipulate the service account and maintain access to the systems.
This alert is triggered when a Google Cloud IAM service account is disabled.
Source table → cloud.gcp
An adversary could create an IAM service account key to manipulate a service account and maintain access to the systems.
This alert is triggered when a Google Cloud IAM Service Account Key is created.
Source table → cloud.gcp
An adversary could delete a Google Cloud Storage bucket to destroy data, either on specific systems or across many at once, interrupting the availability of systems, services and network resources.
This alert is triggered when a Google Cloud Storage Bucket is deleted.
Source table → cloud.gcp
An adversary may modify storage bucket permissions to evade access control lists (ACLs) and access protected files.
This alert is triggered when the IAM permissions of a Google Cloud Platform (GCP) storage bucket are modified.
Source table → cloud.gcp
A high-risk role has been assigned to a user. This could indicate that a malicious actor is trying to escalate privileges within a project.
This alert filters Google Cloud Audit Logs for entries whose method name equals SetIamPolicy. It then parses the roles and actions from the binding deltas in the protoPayload. Only the first five action/role pairs are considered; any later pairs are disregarded, so a sensitive grant placed after the fifth delta of a large policy change is not caught. The alert triggers when one of the pairs has action equal to ADD and a role that is one of: roles/owner, roles/editor, roles/iam.serviceAccountUser, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountTokenCreator, roles/dataflow.developer, roles/dataflow.admin, roles/composer.admin, roles/dataproc.admin or roles/dataproc.editor.
Source table → cloud.gcp
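Both the public-bucket rule (storage.buckets.create / storage.setIamPermissions with allUsers added) and the high-risk-role rule (SetIamPolicy adding one of the listed roles) walk the same bindingDeltas array and share its five-delta limit. The Python below is an added example that implements both checks over constructed audit-log entries; it is not Devo's alert logic. It reads the deltas from protoPayload.serviceData.policyDelta.bindingDeltas and the bucket name from resource.labels.bucket_name, as they appear in Cloud Audit Logs, and exposes the delta limit as a parameter so the blind spot described above can be exercised: the same entry that is missed with the five-delta cap is caught when all deltas are inspected. PUBLIC_MEMBERS holds only allUsers to match the page's rule; allAuthenticatedUsers is the other member that makes a bucket effectively public and would be the natural addition.

```python
# Roles the page lists as high-risk when added by SetIamPolicy.
HIGH_RISK_ROLES = {
    "roles/owner", "roles/editor",
    "roles/iam.serviceAccountUser", "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/dataflow.developer", "roles/dataflow.admin",
    "roles/composer.admin", "roles/dataproc.admin", "roles/dataproc.editor",
}
PUBLIC_MEMBERS = {"allUsers"}  # the page's rule; "allAuthenticatedUsers" is also effectively public
MAX_DELTAS = 5                 # the page's rules inspect only the first five deltas


def binding_deltas(entry, limit=None):
    """bindingDeltas from protoPayload.serviceData.policyDelta; limit=None inspects all of them."""
    deltas = (entry.get("protoPayload", {})
                   .get("serviceData", {})
                   .get("policyDelta", {})
                   .get("bindingDeltas", []))
    return deltas if limit is None else deltas[:limit]


def public_bucket_grant(entry, limit=MAX_DELTAS):
    """Bucket created or re-permissioned with a public member added; returns bucket and role, else None."""
    if entry["protoPayload"]["methodName"] not in ("storage.buckets.create", "storage.setIamPermissions"):
        return None
    for d in binding_deltas(entry, limit):
        if d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS:
            return {"bucket": entry["resource"]["labels"]["bucket_name"], "role": d.get("role")}
    return None


def high_risk_role_grant(entry, limit=MAX_DELTAS):
    """(member, role) pairs added by SetIamPolicy whose role is high-risk; None when there are none."""
    if entry["protoPayload"]["methodName"] != "SetIamPolicy":
        return None
    hits = [(d.get("member"), d.get("role")) for d in binding_deltas(entry, limit)
            if d.get("action") == "ADD" and d.get("role") in HIGH_RISK_ROLES]
    return hits or None


def _entry(method, resource_type, labels, deltas):
    """Constructed audit-log entry carrying only the fields the two rules read (sample data, not real logs)."""
    return {
        "protoPayload": {"methodName": method,
                         "serviceData": {"policyDelta": {"bindingDeltas": deltas}}},
        "resource": {"type": resource_type, "labels": labels},
    }


PUBLIC_BUCKET = _entry("storage.setIamPermissions", "gcs_bucket", {"bucket_name": "demo-backups"},
                       [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}])
BUCKET_MADE_PRIVATE = _entry("storage.setIamPermissions", "gcs_bucket", {"bucket_name": "demo-backups"},
                             [{"action": "REMOVE", "role": "roles/storage.objectViewer", "member": "allUsers"}])
OWNER_GRANT = _entry("SetIamPolicy", "project", {"project_id": "demo-project"},
                     [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}])
# Five harmless grants first, then the sensitive one as the sixth delta: invisible under the five-delta cap.
BURIED_GRANT = _entry("SetIamPolicy", "project", {"project_id": "demo-project"},
                      [{"action": "ADD", "role": "roles/viewer", "member": f"user:dev{i}@example.com"}
                       for i in range(5)]
                      + [{"action": "ADD", "role": "roles/iam.serviceAccountTokenCreator",
                          "member": "user:mallory@example.com"}])

if __name__ == "__main__":
    print(public_bucket_grant(PUBLIC_BUCKET))
    print(high_risk_role_grant(OWNER_GRANT))
    print(high_risk_role_grant(BURIED_GRANT), high_risk_role_grant(BURIED_GRANT, limit=None))
```

The REMOVE case shows why action must be checked alongside member: revoking allUsers produces a delta with the same member and role, and a rule keyed on member alone would alert on the fix as well as on the exposure.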
An attacker may have deleted a VPC Route to interrupt the availability of systems and network resources.
This alert is triggered when a Google Cloud Virtual Private Cloud Route has been deleted.
Source table → cloud.gcp
An attacker may have created a new route to bypass restrictions on traffic routing segregating trusted and untrusted networks.
This alert is triggered when a new Google Cloud Virtual Private Cloud route has been created.
Source table → cloud.gcp
An attacker could delete a Virtual Private Cloud Network (VPC) to interrupt availability of systems and network resources.
This alert filters Google Cloud Audit Logs with a method name equal to "v*.compute.networks.delete" to detect when a Google cloud VPC is deleted.
Source table → cloud.gcp
An attacker could be modifying a logging sink to avoid detection, or redirect logs to a different destination.
This alert filters Google Cloud Audit Logs to find the log entries that have the method name equal to google.logging.v2.ConfigServiceV2.UpdateSink.
Source table → cloud.gcp
An attacker could be deleting a logging sink to avoid detection.
This alert filters Google Cloud Audit Logs to find the log entries that have the method name equal to google.logging.v2.ConfigServiceV2.DeleteSink.
Source table → cloud.gcp
This alert detects when a Cloud SQL Database has been modified or deleted, and if any user has gained privileges on a database or any of its tables.
Source table → cloud.gcp