Overview of Cloud Threats Category
This document provides an overview of the rule sets in the Cloud Threats category, the required data sources, and configuration you can use to tune the alerts generated by each rule set. These rule sets help identify threats in Google Cloud environments using Cloud Audit Logs, and include the following:
- Admin Action: Activity associated with administrative actions, deemed suspicious but potentially legitimate depending on organizational use.
- CDIR SCC Enhanced Exfiltration: Contains context-aware rules that correlate Security Command Center Exfiltration findings with other log sources, such as Cloud Audit Logs logs, Sensitive Data Protection context, BigQuery context and Security Command Center Misconfiguration logs.
- CDIR SCC Enhanced Defense Evasion: Contains context-aware rules that correlate Security Command Center Evasion or Defense Evasion findings with data from other Google Cloud data sources such as Cloud Audit Logs.
- CDIR SCC Enhanced Malware: Contains context-aware rules that correlate Security Command Center Malware findings with data such as the occurrence of IP addresses and domains and their prevalence scores, in addition to other data sources such as Cloud DNS logs.
- CDIR SCC Enhanced Persistence: Contains context-aware rules that correlate Security Command Center Persistence findings with data from sources such as Cloud DNS logs and IAM analysis logs.
- CDIR SCC Enhanced Privilege Escalation: Contains context-aware rules that correlate Security Command Center Privilege escalation findings with data from several other data sources, such as Cloud Audit Logs.
- CDIR SCC Credential Access: Contains context-aware rules that correlate Security Command Center Credential Access findings with data from several other data sources, such as Cloud Audit Logs
- CDIR SCC Enhanced Discovery: Contains context-aware rules that correlate Security Command Center Discovery escalation findings with data from sources such as Google Cloud services and Cloud Audit Logs.
- CDIR SCC Brute Force: Contains context-aware rules that correlate Security Command Center Brute Force escalation findings with data such as Cloud DNS logs.
- Cloud Hacktool: Activity detected from known offensive security platforms or from offensive tools/software used in the wild by threat actors that specifically target cloud resources.
- Cloud SQL Ransom: Detects activity associated with exfiltration or ransom of data within Cloud SQL databases.
- GKE Suspicious Tooling: Detects reconnaissance and exploitation behavior from open source Kubernetes tools.
- IAM Abuse: Activity associated with abusing IAM roles and permissions to potentially privilege-escalate or laterally move within a given Cloud project or across a Cloud organization.
- Potential Exfil Activity: Detects activity associated with potential exfiltration of data.
- Resource Masquerading: Detects Google Cloud resources created with names or characteristics of another resource or resource type. This could be used to mask malicious activity carried out by or within the resource, with the intention of appearing legitimate.
- Service Disruption: Detect destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage. The detected behavior is common and likely benign in testing and development environments.
- Suspicious Behavior: Activity that is thought to be uncommon and suspicious in most environments.
- Suspicious Infrastructure Change: Detects modifications to production infrastructure that align with known persistence tactics
- Weakened Config: Activity associated with weakening or degrading a security control. Deemed suspicious, potentially legitimate depending on organizational use.
Supported devices and log types
The following section describes the required data needed by all rule sets in the Cloud Threats category.
All rule sets
We recommend that you collect Google Cloud Cloud Audit Logs. Certain rules require that customers enable Cloud DNS logging. Make sure that Google Cloud services are configured to record data to the following logs:
In addition, certain rule sets require additional types of data. The following sections explain the additional data requirements.
To ingest data from Google Cloud services, see Ingest Cloud logs to Chronicle. Contact your Chronicle representative if you need to collect these logs using a different mechanism.
Chronicle provides default parsers that parse and normalize raw logs from Google Cloud services to create UDM records with the data needed by these rules.
For a list of all Chronicle supported data sources, see Supported default parsers.
Cloud SQL Ransom rule set
Collect the data listed in the All rule sets section.
To use the Cloud SQL Ransom rule set, make sure that Google Cloud services are also configured to record data to the following logs:
CDIR SCC Enhanced rule sets
Rule sets that begin with the name CDIR SCC Enhanced help identify threats in Google Cloud environments using Security Command Center Premium findings contextualized with several other Google Cloud log sources including the following:
- Cloud Audit Logs
- Cloud DNS logs
- Identity and Access Management (IAM) analysis
- Sensitive Data Protection context
- BigQuery context
- Compute Engine context
Collect the data listed in the All rule sets section.
Rules in the CDIR SCC Enhanced rule sets depend on specific data from Google Cloud services to function as intended.
These rule sets use the following Chronicle log types. Each log type maps to a Security Command Center finding class.
| Chronicle log type | Security Command Center findingClass |
|---|---|
GCP_SECURITYCENTER_THREAT |
Threat |
GCP_SECURITYCENTER_MISCONFIGURATION |
Misconfiguration |
GCP_SECURITYCENTER_VULNERABILITY |
Vulnerability |
GCP_SECURITYCENTER_ERROR |
SCC Error |
These rule sets use the following log data as well. Each is listed by product name and Chronicle ingestion label.
- BigQuery (
GCP_BIGQUERY_CONTEXT) - Compute Engine (
GCP_COMPUTE_CONTEXT) - IAM (
GCP_IAM_CONTEXT) - Sensitive Data Protection (
GCP_DLP_CONTEXT) - Cloud Audit Logs (
GCP_CLOUDAUDIT) - Google Workspace Activity (
WORKSPACE_ACTIVITY) - Cloud DNS queries (
GCP_DNS)
To send the required data to Chronicle, make sure you have completed the following:
- Enabled logging for the required Google Cloud products and services listed above.
- Enabled Security Command Center Premium and services.
- Configured the ingestion of Google Cloud logs to Chronicle.
- Enabled the export Event Threat Detection findings to Chronicle. By default, all Security Command Center findings are ingested. See Collect Security Command Center findings for more information about the default parser field mapping.
- Enabled Cloud Audit Logs and export Cloud Audit Logs to Chronicle. See Collect Cloud Audit Logs for more information.
- Enabled Google Workspace logs and send Google Workspace logs to Chronicle. See Collect Google Workspace logs for more information.
- Exported Google Cloud asset metadata to Chronicle to ingest context-related data listed above. See Exporting Google Cloud Asset Metadata to Chronicle and Exporting Sensitive Data Protection data to Chronicle for more information.
Tuning alerts returned by Cloud Threats category
You can reduce the number of detections a rule or rule set generates using rule exclusions.
A rule exclusion defines the criteria used to exclude an event from being evaluated by the rule set, or by specific rules in the rule set. Create one or more rule exclusions to help reduce the volume of detections. See Configure rule exclusions for information about how to do this.