
Overview of Cloud Threats Category

This document provides an overview of the rule sets in the Cloud Threats category, the required data sources, and configuration you can use to tune the alerts generated by each rule set. These rule sets help identify threats in Google Cloud environments using Cloud Audit Logs, and include the following:

  • Admin Action: Activity associated with administrative actions, deemed suspicious but potentially legitimate depending on organizational use.
  • Cloud Hacktool: Activity detected from known offensive security platforms or from offensive tools/software used in the wild by threat actors that specifically target cloud resources.
  • IAM Abuse: Activity associated with abusing IAM roles and permissions to potentially privilege-escalate or laterally move within a given Cloud project or across a Cloud organization.
  • Potential Exfil Activity: Detects activity associated with potential exfiltration of data.
  • Service Disruption: Detects destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage. The detected behavior is common and likely benign in testing and development environments.
  • Suspicious Behavior: Activity that is thought to be uncommon and suspicious in most environments.
  • Weakened Config: Activity associated with weakening or degrading a security control. Deemed suspicious, potentially legitimate depending on organizational use.
  • Suspicious Infrastructure Change: Detects modifications to production infrastructure that align with known persistence tactics.

Supported devices and log types

The following section describes the required data needed by rule sets in the Cloud Threats category.

We recommend that you collect Google Cloud Cloud Audit Logs. Certain rules require customers to enable Cloud DNS Logging. Make sure that Google Cloud services are configured to record data to the following logs:

To ingest these logs to Chronicle, see Ingest Cloud logs to Chronicle. Contact your Chronicle representative if you need to collect these logs using a different mechanism.

For a list of all Chronicle supported data sources, see Supported default parsers.

Tuning alerts returned by Cloud Threats category

Rule sets in the Cloud Threats category include reference lists that enable you to control the alerts generated by each rule set. In each reference list, you define criteria of a UDM event that excludes the event from being evaluated by the rule set.

This section describes each reference list and provides example values that can be provided in the reference list.

Admin Action rule set

This rule set uses the following reference lists to identify criteria in a UDM event that excludes the event from being evaluated.

  • Principal Email Address
    Reference list name: gcti__cld__admin_action__principal_email_address__exclusion_list
    E-mail address associated with the flagged action, for example: foobar@google.com
  • Target Resource Name
    Reference list name: gcti__cld__admin_action__target_resource_name__exclusion_list
    The name of the target resource of the flagged action, for example: project/foobar, organization/foobar, instance/foobar

Cloud Hacktool rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: gcti__cld__hacktls__principal_user_email_addresses__exclusion_list
    E-mail address associated with the flagged action, for example: foobar@example.com
  • HTTP User Agent
    Reference list name: gcti__cld__hacktls__network_http_user_agent__exclusion_list
    HTTP User Agent, for example: Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36
  • Principal User ID
    Reference list name: gcti__cld__hacktls__principal_user_userid__exclusion_list
    User ID associated with the flagged action, for example: "123456789012345678901" or "system:serviceaccount:foo:bar"
  • Target Cloud Project
    Reference list name: gcti__cld__hacktls__target_cloud_project_name__exclusion_list
    The name of the Cloud project associated with the flagged action, for example: project-foobar-123

IAM Abuse rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: gcti__cld__iamabuse__principal_user_email_addresses__exclusion_list
    Originating email address associated with the flagged action, for example: foobar@example.com
  • Target Resource Name
    Reference list name: gcti__cld__iamabuse__target_resource_name__exclusion_list
    Targeted service account associated with the flagged action, for example: foobar-123@foofoo.iam.gserviceaccount.com

Potential Exfil Activity rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Answer Name
    Reference list name: gcti__cld__exfil__answer_name__exclusion_list
    Answer to the given DNS query, for example: analytics.example.com
  • Question Name
    Reference list name: gcti__cld__exfil__question_name__exclusion_list
    Subject of the DNS query, for example: analytics.example.com
  • Resource Name
    Reference list name: gcti__cld__exfil__resource_name__exclusion_list
    Hostname or resource name of the VM making the DNS queries.
  • Response Data
    Reference list name: gcti__cld__exfil__response_data__exclusion_list
    Data portion of the answer, for example: analytics.bar.com.example.net

Service Disruption rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: gcti__cld__svcdisrupt__principal_user_email_addresses__exclusion_list
    Originating email address associated with the flagged action, for example: foobar@example.com
  • Target Cloud Project Name
    Reference list name: gcti__cld__svcdisrupt__target_cloud_project_name__exclusion_list
    Targeted cloud project name associated with the flagged action, for example: unicorn-prod-424543
  • HTTP User Agent
    Reference list name: gcti__cld__svcdisrupt__network_http_user_agent__exclusion_list
    HTTP User Agent, which may identify the source of network traffic, for example: Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36

Suspicious Behavior rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal User Email Address
    Reference list name: gcti__cld__susbehavior__principal_user_email_addresses__exclusion_list
    Originating email address associated with the flagged action, for example: foobar@example.com
  • Target User Email Address
    Reference list name: gcti__cld__susbehavior__target_user_email_addresses__exclusion_list
    Targeted email address associated with the flagged action, for example: foobar@example.com
  • Target Resource Name
    Reference list name: gcti__cld__susbehavior__target_resource_name__exclusion_list
    Name of the resource targeted by the flagged action, for example the project name or instance name.
  • Target Cloud Project Name
    Reference list name: gcti__cld__susbehavior__target_cloud_project_name__exclusion_list
    Targeted cloud project name associated with the flagged action, for example: unicorn-prod-424543

Weakened Config rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Principal Attribute Role Name
    Reference list name: gcti__cld__weak_config__principal_attribute_role_name__exclusion_list
    The role that the principal user applied or attributed to a target resource, for example: role/instance.viewer, role/storage.owner
  • Principal Email Address
    Reference list name: gcti__cld__weak_config__principal_email_address__exclusion_list
    E-mail address associated with the flagged action, for example: foobar@google.com
  • Product Event Type
    Reference list name: gcti__cld__weak_config__product_event_type__exclusion_list
    The resource and method associated with the event in the flagged action, for example: compute.instances.setMetadata, storage.setIamPermissions
  • Target Project Name
    Reference list name: gcti__cld__weak_config__target_project_name__exclusion_list
    The name of the target project of the flagged action, for example: project/foobar

Suspicious Infrastructure Change rule set

Use the following reference lists to define criteria in a UDM event that excludes the event from being evaluated by the rule set.

  • Target Cloud Project Name
    Reference list name: gcti__cld__infrastructurechange__target_cloud_project_name__exclusion_list
    Cloud project name associated with the flagged action, for example: project-example-123456
  • Principal User Email Address
    Reference list name: gcti__cld__infrastructurechange__principal_user_email_addresses__exclusion_list
    Originating email address associated with the flagged action, for example: alice@example.com
  • Network HTTP User Agent
    Reference list name: gcti__cld__infrastructurechange__network_http_user_agent__exclusion_list
    Name of the originating user agent, for example: Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SD1A.210817.023; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Mobile Safari/537.36
  • Target Resource Name
    Reference list name: gcti__cld__infrastructurechange__compute_disk_image_name__exclusion_list
    Name of the resource targeted by the flagged action, such as the name of a Compute Disk or Image.
  • Target Resource Attribute Label
    Reference list name: gcti__cld__infrastructurechange__compute_disk_snapshot_name__exclusion_list
    Name of the resource attribute targeted by the flagged action, such as the name of a Compute Snapshot.
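The following Python script is an added example, not Chronicle or Google code, that makes the exclusion semantics of the reference lists above concrete: a UDM event that matches a value in any one of a rule set's exclusion lists is not evaluated by that rule set, and each rule set consults only its own lists, so tuning a service account out of Weakened Config does not silence Service Disruption for the same principal. The UDM field paths the lists are compared against, the exact-string comparison, and all list contents and events are assumptions constructed for illustration; the reference list names are the ones documented on this page.

```python
"""Emulate how Cloud Threats exclusion reference lists gate rule-set evaluation.

Added example (not Chronicle code). Reference list names are from this page;
UDM field paths, exact-string matching, list contents and events are assumed.
"""

# Rule set -> {reference list name: UDM field path it is compared against}.
# Field paths are assumptions for illustration.
RULE_SET_LISTS = {
    "Weakened Config": {
        "gcti__cld__weak_config__principal_email_address__exclusion_list":
            "principal.user.email_addresses",
        "gcti__cld__weak_config__product_event_type__exclusion_list":
            "metadata.product_event_type",
        "gcti__cld__weak_config__target_project_name__exclusion_list":
            "target.resource.name",
    },
    "Service Disruption": {
        "gcti__cld__svcdisrupt__principal_user_email_addresses__exclusion_list":
            "principal.user.email_addresses",
        "gcti__cld__svcdisrupt__target_cloud_project_name__exclusion_list":
            "target.resource.attribute.cloud.project.name",
        "gcti__cld__svcdisrupt__network_http_user_agent__exclusion_list":
            "network.http.user_agent",
    },
}

# Constructed list contents: a deploy service account is tuned out of Weakened
# Config only, and a pipeline user agent is tuned out of Service Disruption only.
REFERENCE_LISTS = {
    "gcti__cld__weak_config__principal_email_address__exclusion_list": {
        "deployer@example-prod.iam.gserviceaccount.com",
    },
    "gcti__cld__svcdisrupt__network_http_user_agent__exclusion_list": {
        "example-deploy-pipeline/1.0",
    },
}


def field_values(event, path):
    """Resolve a dotted UDM path; always return a list so repeated fields
    (such as principal.user.email_addresses) compare the same way as scalars."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return list(node) if isinstance(node, (list, tuple, set)) else [node]


def excluded_by(event, rule_set):
    """Return the first exclusion list of this rule set that the event matches,
    or None if the rule set should evaluate the event."""
    for list_name, path in RULE_SET_LISTS[rule_set].items():
        tuned_out = REFERENCE_LISTS.get(list_name, set())
        if any(value in tuned_out for value in field_values(event, path)):
            return list_name
    return None


def evaluate(event):
    """Map each rule set to 'evaluate' or 'excluded by <list name>' for one event."""
    outcome = {}
    for rule_set in RULE_SET_LISTS:
        hit = excluded_by(event, rule_set)
        outcome[rule_set] = f"excluded by {hit}" if hit else "evaluate"
    return outcome


def make_event(email, product_event_type, user_agent):
    """Build a constructed, UDM-shaped event (not real log data)."""
    return {
        "metadata": {"product_event_type": product_event_type},
        "principal": {"user": {"email_addresses": [email]}},
        "network": {"http": {"user_agent": user_agent}},
        "target": {"resource": {"name": "project/foobar",
                                "attribute": {"cloud": {"project": {"name": "foobar"}}}}},
    }


DEPLOYER_VIA_PIPELINE = make_event(
    "deployer@example-prod.iam.gserviceaccount.com",
    "compute.instances.setMetadata", "example-deploy-pipeline/1.0")
DEPLOYER_VIA_BROWSER = make_event(
    "deployer@example-prod.iam.gserviceaccount.com",
    "compute.instances.delete", "Mozilla/5.0 (X11; Linux x86_64)")
UNKNOWN_PRINCIPAL = make_event(
    "mallory@example.com", "compute.instances.delete", "Mozilla/5.0 (X11; Linux x86_64)")

if __name__ == "__main__":
    for label, ev in [("deployer via pipeline", DEPLOYER_VIA_PIPELINE),
                      ("deployer via browser", DEPLOYER_VIA_BROWSER),
                      ("unknown principal", UNKNOWN_PRINCIPAL)]:
        print(label, evaluate(ev))
```

The second event is the one to notice: the deploy service account is in Weakened Config's e-mail list, so that rule set never sees its instance deletion, but Service Disruption still evaluates it because the action arrived from a browser user agent that is not in the Service Disruption list. When a principal legitimately needs to be tuned out of several rule sets, add it to each rule set's own list, and keep the entries as narrow as the page's examples (a single service account, a single project name) rather than a whole domain.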