
Overview of Cloud Threats Category

This document provides an overview of the rule sets in the Cloud Threats category, the required data sources, and configuration you can use to tune the alerts generated by each rule set. These rule sets help identify threats in Google Cloud environments using Cloud Audit Logs, and include the following:

  • Admin Action: Activity associated with administrative actions that is deemed suspicious but may be legitimate depending on organizational use.
  • Cloud Hacktool: Activity from known offensive security platforms, or from offensive tools and software used in the wild by threat actors that specifically target cloud resources.
  • IAM Abuse: Activity associated with abusing IAM roles and permissions to escalate privileges or move laterally within a Cloud project or across a Cloud organization.
  • Potential Exfil Activity: Activity associated with potential exfiltration of data.
  • Resource Masquerading: Google Cloud resources created with the name or characteristics of another resource or resource type. This can be used to mask malicious activity carried out by or within the resource, with the intention of appearing legitimate.
  • Service Disruption: Destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage. The detected behavior is common and likely benign in testing and development environments.
  • Suspicious Behavior: Activity that is uncommon and suspicious in most environments.
  • Suspicious Infrastructure Change: Modifications to production infrastructure that align with known persistence tactics.
  • Weakened Config: Activity associated with weakening or degrading a security control. Deemed suspicious, but potentially legitimate depending on organizational use.

Supported devices and log types

The following section describes the data required by rule sets in the Cloud Threats category.

We recommend that you collect Cloud Audit Logs from Google Cloud. Certain rules also require you to enable Cloud DNS Logging. Make sure that Google Cloud services are configured to record data to these logs.

To ingest these logs to Chronicle, see Ingest Cloud logs to Chronicle. Contact your Chronicle representative if you need to collect these logs using a different mechanism.

For a list of all Chronicle supported data sources, see Supported default parsers.

Tuning alerts returned by Cloud Threats category

Rule sets in the Cloud Threats category include reference lists that enable you to control the alerts generated by each rule set. In each reference list, you define values of a UDM event field; an event whose field matches a listed value is excluded from evaluation by the rule set.

Because an excluded event is never evaluated, an entry that is too broad silences every rule in the set for matching events: excluding a whole project suppresses all of that rule set's detections in that project, and excluding an HTTP user agent string suppresses any caller who presents it, including an attacker, since the user agent is supplied by the caller. Prefer the narrowest criterion that describes the expected activity, which is usually the principal.

This section describes each reference list and provides example values that can be provided in the reference list.

Admin Action rule set

This rule set uses the following reference lists to identify criteria in a UDM event that excludes the event from being evaluated.

  • HTTP User Agent
    Reference list name: `gcti__cld__admin_action__network_http_user_agent__exclusion_list`
    The HTTP User Agent string, for example Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36.
  • Principal Email Address
    Reference list name: `gcti__cld__admin_action__principal_email_address__exclusion_list`
    Email address associated with the flagged action, for example foobar@google.com.
  • Target Resource Name
    Reference list name: `gcti__cld__admin_action__target_resource_name__exclusion_list`
    The name of the target resource of the flagged action, for example project/foobar, organization/foobar or instance/foobar.

Cloud Hacktool rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: `gcti__cld__hacktls__principal_user_email_addresses__exclusion_list`
    Email address associated with the flagged action, for example foobar@example.com.
  • HTTP User Agent
    Reference list name: `gcti__cld__hacktls__network_http_user_agent__exclusion_list`
    The HTTP User Agent string, for example Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36.
  • Principal User ID
    Reference list name: `gcti__cld__hacktls__principal_user_userid__exclusion_list`
    User ID associated with the flagged action, for example 123456789012345678901 or system:serviceaccount:foo:bar.
  • Target Cloud Project
    Reference list name: `gcti__cld__hacktls__target_cloud_project_name__exclusion_list`
    The name of the Google Cloud project associated with the flagged action, for example project-foobar-123.
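
The following Python script is an added example, not Chronicle code, that simulates the exclusion gate described under Tuning alerts returned by Cloud Threats category, using the Cloud Hacktool list names above. It assumes each list is matched as an exact string, and it assumes a mapping from Cloud Audit Log fields (principalEmail, callerSuppliedUserAgent and the resource's project_id) to the generic names in the table; confirm both against a real event in your instance. The log entries, principals, projects and user agent strings are constructed. The script runs the same four events through a narrow tuning (an approved principal and a sandbox project) and a broad one that also excludes a user agent string, to show that the broad list hides an unknown principal who presents the same user agent.

```python
"""Simulated exclusion-list gate for a Cloud Threats rule set (added example)."""

# Reference list names from the Cloud Hacktool rule set table.
EMAIL_LIST = "gcti__cld__hacktls__principal_user_email_addresses__exclusion_list"
UA_LIST = "gcti__cld__hacktls__network_http_user_agent__exclusion_list"
PROJECT_LIST = "gcti__cld__hacktls__target_cloud_project_name__exclusion_list"

# Assumed mapping from Cloud Audit Log fields to the generic names in the table.
# Verify against the UDM fields of a real event before relying on it.
FIELD_FOR_LIST = {
    EMAIL_LIST: lambda e: e["protoPayload"]["authenticationInfo"]["principalEmail"],
    UA_LIST: lambda e: e["protoPayload"]["requestMetadata"]["callerSuppliedUserAgent"],
    PROJECT_LIST: lambda e: e["resource"]["labels"]["project_id"],
}


def audit_entry(principal, user_agent, project, method):
    """Build a constructed Cloud Audit Log entry (protoPayload subset only)."""
    return {
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerSuppliedUserAgent": user_agent},
        },
        "resource": {"labels": {"project_id": project}},
    }


# Constructed sample events; every principal, project and user agent is made up.
SCANNER_UA = "pentest-scanner/1.0"  # stands in for an offensive tool's user agent
GCLOUD_UA = "google-cloud-sdk gcloud/456.0.0"
METHOD = "v1.compute.instances.list"
SAMPLE_AUDIT_LOGS = [
    # 1. Approved red-team account running the scanner in production.
    audit_entry("authorized-redteam@example.com", SCANNER_UA, "unicorn-prod-424543", METHOD),
    # 2. Ordinary administrator using gcloud.
    audit_entry("alice@example.com", GCLOUD_UA, "unicorn-prod-424543", METHOD),
    # 3. Unknown principal presenting the same scanner user agent.
    audit_entry("bob@example.com", SCANNER_UA, "unicorn-prod-424543", METHOD),
    # 4. Same unknown principal, but in a sandbox project that is tuned out.
    audit_entry("bob@example.com", GCLOUD_UA, "sandbox-dev-111111", METHOD),
]

# Narrow tuning: exclude only the approved account and the sandbox project.
NARROW_LISTS = {
    EMAIL_LIST: {"authorized-redteam@example.com"},
    UA_LIST: set(),
    PROJECT_LIST: {"sandbox-dev-111111"},
}

# Broad tuning: additionally exclude the scanner's user agent "because the red
# team uses it". The user agent is caller-supplied, so this also hides event 3.
BROAD_LISTS = {**NARROW_LISTS, UA_LIST: {SCANNER_UA}}


def exclusion_reason(entry, lists):
    """Return the name of the first list whose values contain the entry's
    corresponding field (exact string match), or None if the rule set
    should evaluate the entry."""
    for list_name, extract in FIELD_FOR_LIST.items():
        if extract(entry) in lists.get(list_name, set()):
            return list_name
    return None


def gate_events(entries, lists):
    """Split entries into the principals whose events reach the rule set and
    the (principal, list name) pairs that were tuned out."""
    evaluated, excluded = [], []
    for entry in entries:
        principal = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        reason = exclusion_reason(entry, lists)
        if reason is None:
            evaluated.append(principal)
        else:
            excluded.append((principal, reason))
    return evaluated, excluded


if __name__ == "__main__":
    for label, lists in (("narrow", NARROW_LISTS), ("broad", BROAD_LISTS)):
        evaluated, excluded = gate_events(SAMPLE_AUDIT_LOGS, lists)
        print(f"{label}: evaluated={evaluated}")
        for principal, reason in excluded:
            print(f"  excluded {principal} via {reason}")
```

Running the script prints which principals reach the rule set under each tuning: the narrow lists let both alice and bob's production event through, while the broad lists drop bob's production event on the user agent alone. When populating a real list, copy the value from the UDM field of an event that actually fired, since a value that differs in case or format from what the parser emits will not match.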

IAM Abuse rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: `gcti__cld__iamabuse__principal_user_email_addresses__exclusion_list`
    Originating email address associated with the flagged action, for example foobar@example.com.
  • Target Resource Name
    Reference list name: `gcti__cld__iamabuse__target_resource_name__exclusion_list`
    Targeted service account associated with the flagged action, for example foobar-123@foofoo.iam.gserviceaccount.com.
  • HTTP User Agent
    Reference list name: `gcti__cld__iamabuse__network_http_user_agent__exclusion_list`
    The HTTP User Agent string, for example Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36.

Potential Exfil Activity rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set. These lists key on DNS query and answer fields, so the rules that use them depend on Cloud DNS logs being collected (see Supported devices and log types).

  • Answer Name
    Reference list name: `gcti__cld__exfil__answer_name__exclusion_list`
    Answer to the given DNS query, for example analytics.example.com.
  • Question Name
    Reference list name: `gcti__cld__exfil__question_name__exclusion_list`
    Subject of the DNS query, for example analytics.example.com.
  • Resource Name
    Reference list name: `gcti__cld__exfil__resource_name__exclusion_list`
    Hostname or resource name of the VM making the DNS queries.
  • Response Data
    Reference list name: `gcti__cld__exfil__response_data__exclusion_list`
    Data portion of the answer, for example analytics.bar.com.example.net.

Resource Masquerading rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Target Cloud Project Name
    Reference list name: `gcti__cld__res_masq__target_cloud_project_name__exclusion_list`
    Google Cloud project name associated with the flagged action, for example project-example-123456.
  • Network HTTP User Agent
    Reference list name: `gcti__cld__res_masq__network_http_user_agent__exclusion_list`
    Name of the originating user agent, for example Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36.
  • Target Resource Name
    Reference list name: `gcti__cld__res_masq__target_resource_name__exclusion_list`
    Name of the resource targeted by the flagged action, such as the name of a Compute Engine instance or Google Kubernetes Engine node.

Service Disruption rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: `gcti__cld__svcdisrupt__principal_user_email_addresses__exclusion_list`
    Originating email address associated with the flagged action, for example foobar@example.com.
  • Target Cloud Project Name
    Reference list name: `gcti__cld__svcdisrupt__target_cloud_project_name__exclusion_list`
    Targeted Google Cloud project name associated with the flagged action, for example unicorn-prod-424543.
  • HTTP User Agent
    Reference list name: `gcti__cld__svcdisrupt__network_http_user_agent__exclusion_list`
    HTTP User Agent string, which may identify the source of network traffic, for example Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36.

Suspicious Behavior rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: `gcti__cld__susbehavior__principal_user_email_addresses__exclusion_list`
    Originating email address associated with the flagged action, for example foobar@example.com.
  • Target User Email Address
    Reference list name: `gcti__cld__susbehavior__target_user_email_addresses__exclusion_list`
    Targeted email address associated with the flagged action, for example foobar@example.com.
  • Target Resource Name
    Reference list name: `gcti__cld__susbehavior__target_resource_name__exclusion_list`
    Name of the resource targeted by the flagged action, for example the project name or instance name.
  • Target Cloud Project Name
    Reference list name: `gcti__cld__susbehavior__target_cloud_project_name__exclusion_list`
    Targeted Google Cloud project name associated with the flagged action, for example unicorn-prod-424543.

Suspicious Infrastructure Change rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Target Cloud Project Name
    Reference list name: `gcti__cld__infrastructurechange__target_cloud_project_name__exclusion_list`
    Google Cloud project name associated with the flagged action, for example project-example-123456.
  • Principal User Email Address
    Reference list name: `gcti__cld__infrastructurechange__principal_user_email_addresses__exclusion_list`
    Originating email address associated with the flagged action, for example alice@example.com.
  • Network HTTP User Agent
    Reference list name: `gcti__cld__infrastructurechange__network_http_user_agent__exclusion_list`
    Name of the originating user agent, such as Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36.
  • Target Resource Name
    Reference list name: `gcti__cld__infrastructurechange__compute_disk_image_name__exclusion_list`
    Name of the resource targeted by the flagged action, such as the name of a Compute Engine disk or image.
  • Target Resource Attribute Label
    Reference list name: `gcti__cld__infrastructurechange__compute_disk_snapshot_name__exclusion_list`
    Name of the resource attribute targeted by the flagged action, such as the name of a Compute Engine snapshot.

Weakened Config rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal Attribute Role Name
    Reference list name: `gcti__cld__weak_config__principal_attribute_role_name__exclusion_list`
    The role that the principal applied or attributed to a target resource, for example role/instance.viewer or role/storage.owner.
  • Principal Email Address
    Reference list name: `gcti__cld__weak_config__principal_email_address__exclusion_list`
    Email address associated with the flagged action, for example foobar@google.com.
  • Product Event Type
    Reference list name: `gcti__cld__weak_config__product_event_type__exclusion_list`
    The resource and method associated with the event in the flagged action, for example compute.instances.setMetadata or storage.setIamPermissions.
  • Target Project Name
    Reference list name: `gcti__cld__weak_config__target_project_name__exclusion_list`
    The name of the target project of the flagged action, for example project/foobar.