Overview of Cloud Threats Category
This document provides an overview of the rule sets in the Cloud Threats category, the required data sources, and configuration you can use to tune the alerts generated by each rule set. These rule sets help identify threats in Google Cloud environments using Cloud Audit Logs, and include the following:
- Admin Action: Activity associated with administrative actions, deemed suspicious but potentially legitimate depending on organizational use.
- Cloud Hacktool: Activity detected from known offensive security platforms or from offensive tools/software used in the wild by threat actors that specifically target cloud resources.
- IAM Abuse: Activity associated with abusing IAM roles and permissions to potentially privilege-escalate or laterally move within a given Cloud project or across a Cloud organization.
- Potential Exfil Activity: Detects activity associated with potential exfiltration of data.
- Resource Masquerading: Detects Google Cloud resources created with names or characteristics of another resource or resource type. This could be used to mask malicious activity carried out by or within the resource, with the intention of appearing legitimate.
- Service Disruption: Detect destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage. The detected behavior is common and likely benign in testing and development environments.
- Suspicious Behavior: Activity that is thought to be uncommon and suspicious in most environments.
- Suspicious Infrastructure Change: Detects modifications to production infrastructure that align with known persistence tactics
- Weakened Config: Activity associated with weakening or degrading a security control. Deemed suspicious, potentially legitimate depending on organizational use.
Supported devices and log types
The following section describes the required data needed by rule sets in the Cloud Threats category.
We recommend that you collect Google Cloud Cloud Audit Logs. Certain rules require customers to enable Cloud DNS Logging. Make sure that Google Cloud services are configured to record data to the following logs:
To ingest these logs to Chronicle, see Ingest Cloud logs to Chronicle. Contact your Chronicle representative if you need to collect these logs using a different mechanism.
For a list of all Chronicle supported data sources, see Supported default parsers.
Tuning alerts returned by Cloud Threats category
Rule sets in the Cloud Threats category include reference lists that enable you to control the alerts generated by each rule set. In each reference list, you define criteria of a UDM event that excludes the event from being evaluated by the rule set.
This section describes each reference list and provides example values that can be provided in the reference list.
Admin Action rule set
This rule set uses the following reference lists to identify criteria in a UDM event that excludes the event from being evaluated.
| Generic Name | Description |
|---|---|
| HTTP User Agent | Reference list name: gcti__cld__admin_action__network_http_user_agent__exclusion_list.
The HTTP User Agent string, for example |
| Principal Email Address | Reference list name: gcti__cld__admin_action__principal_email_address__exclusion_list.
E-mail address associated with the flagged action, for example:
|
| Target Resource Name | Reference list name:
gcti__cld__admin_action__target_resource_name__exclusion_list
The name of the target resource of the flagged action, for example:
|
Cloud Hacktool rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Principal User Email Address | Reference list name: `gcti__cld__hacktls__principal_user_email_addresses__exclusion_list`.
E-mail address associated with the flagged action, for example:
|
| HTTP User Agent | Reference list name: `gcti__cld__hacktls__network_http_user_agent__exclusion_list`.
The HTTP User Agent string, for example |
| Principal User ID | Reference list name: `gcti__cld__hacktls__principal_user_userid__exclusion_list`.
User ID associated with the flagged action, for example |
| Target Cloud Project | Reference list name: `gcti__cld__hacktls__target_cloud_project_name__exclusion_list`.
The name of the Google Cloud project associated with the flagged action, for example |
IAM Abuse rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Principal User Email Address | Reference list name: `gcti__cld__iamabuse__principal_user_email_addresses__exclusion_list`.
Originating email address associated with the flagged action, for example |
| Target Resource Name | Reference list name: `gcti__cld__iamabuse__target_resource_name__exclusion_list`.
Targeted service account associated with the flagged action, for example |
| HTTP User Agent | Reference list name: `gcti__cld__iamabuse__network_http_user_agent__exclusion_list`.
The HTTP User Agent string, for example |
Potential Exfil Activity rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Answer Name | Reference list name: gcti__cld__exfil__answer_name__exclusion_list.
Answer to the given DNS query, for example |
| Question Name | Reference list name: gcti__cld__exfil__question_name__exclusion_list.
Subject of the DNS query, for example |
| Resource Name | Reference list name: gcti__cld__exfil__resource_name__exclusion_list.
Hostname or resource name of the VM making the DNS queries. |
| Response Data | Reference list name: gcti__cld__exfil__response_data__exclusion_list.
Data portion of the Answer, for example |
Resource Masquerading rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Target Cloud Project Name | Reference list name: `gcti__cld__res_masq__target_cloud_project_name__exclusion_list`.
Google Cloud project name associated with the flagged action, for example project-example-123456 |
| Network HTTP User Agent | Reference list name: `gcti__cld__res_masq__network_http_user_agent__exclusion_list`.
Name of the originating user agent, for example Mozilla/5.0
(Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Chrome/94.0.4606.71 Mobile Safari/537.36. |
| Target Resource Name | Reference list name: `gcti__cld__res_masq__target_resource_name__exclusion_list`
Name of the resource targeted by the flagged action, such as the name of a Compute Engine instance or Google Kubernetes Engine node. |
Service Disruption rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Principal User Email Address | Reference list name: `gcti__cld__svcdisrupt__principal_user_email_addresses__exclusion_list`. Originating email address associated with the flagged action, for example: foobar@example.com |
| Target Cloud Project Name | Reference list name: `gcti__cld__svcdisrupt__target_cloud_project_name__exclusion_list`. Targeted Google Cloud project name associated with the flagged action, for example: unicorn-prod-424543 |
| HTTP User Agent | Reference list name: `gcti__cld__svcdisrupt__network_http_user_agent__exclusion_list`. HTTP User Agent string which may identify the source of network traffic, for example: Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko)
Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36. |
Suspicious Behavior rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Principal User Email Address | Reference list name: `gcti__cld__susbehavior__principal_user_email_addresses__exclusion_list` Originating email address associated with the flagged action, for example foobar@example.com |
| Target User Email Address | Reference list name: `gcti__cld__susbehavior__target_user_email_addresses__exclusion_list`. Targeted email address associated with the flagged action, for example: foobar@example.com |
| Target Resource Name | Reference list name: `gcti__cld__susbehavior__target_resource_name__exclusion_list`. Name of the resource targeted by the flagged action. For example, the project name or instance name. |
| Target Cloud Project Name | Reference list name: `gcti__cld__susbehavior__target_cloud_project_name__exclusion_list`. Targeted Google Cloud project name associated with the flagged action, for example: unicorn-prod-424543 |
Suspicious Infrastructure Change rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Target Cloud Project Name | Reference list name: `gcti__cld__infrastructurechange__target_cloud_project_name__exclusion_list` Google Cloud project name associated with the flagged action, for example project-example-123456 |
| Principal User Email Address | Reference list name: `gcti__cld__infrastructurechange__principal_user_email_addresses__exclusion_list` Originating email address associated with the flagged action, for example alice@example.com |
| Network HTTP User Agent | Reference list name: `gcti__cld__infrastructurechange__network_http_user_agent__exclusion_list` Name of the originating user agent, such as Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36.
|
| Target Resource Name | Reference list name: `gcti__cld__infrastructurechange__compute_disk_image_name__exclusion_list` Name of the resource targeted by the flagged action, such as the name of a Compute Disk or Image. |
| Target Resource Attribute Label | Reference list name: `gcti__cld__infrastructurechange__compute_disk_snapshot_name__exclusion_list` Name of the resource attribute targeted by the flagged action, such as the name of a Compute Snapshot. |
Weakened Config rule set
Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.
| Generic name | Description |
|---|---|
| Principal Attribute Role Name | Reference list name: `gcti__cld__weak_config__principal_attribute_role_name__exclusion_list`
The role that the principal user applied or attributed to a target resource, for example:
|
| Principal Email Address | Reference list name: `gcti__cld__weak_config__principal_email_address__exclusion_list`
E-mail address associated with the flagged action, for example:
|
| Product Event Type | Reference list name: `gcti__cld__weak_config__product_event_type__exclusion_list`
Specify the resource and method associated with the event in the flagged action, for example:
|
| Target Project Name | Reference list name: `gcti__cld__weak_config__target_project_name__exclusion_list`
The name of the target project of the flagged action, for example:
|