Overview of Cloud Threats Category

This document provides an overview of the rule sets in the Cloud Threats category, the required data sources, and configuration you can use to tune the alerts generated by each rule set. These rule sets help identify threats in Google Cloud environments using Google Cloud data.

Rule set descriptions

The following rule sets are available in the Cloud Threats category.

  • Admin Action: Activity associated with administrative actions, deemed suspicious but potentially legitimate depending on organizational use.
  • CDIR SCC Enhanced Exfiltration: Contains context-aware rules that correlate Security Command Center Exfiltration findings with other log sources, such as Cloud Audit Logs, Sensitive Data Protection context, BigQuery context and Security Command Center Misconfiguration logs.
  • CDIR SCC Enhanced Defense Evasion: Contains context-aware rules that correlate Security Command Center Evasion or Defense Evasion findings with data from other Google Cloud data sources such as Cloud Audit Logs.
  • CDIR SCC Enhanced Malware: Contains context-aware rules that correlate Security Command Center Malware findings with data such as the occurrence of IP addresses and domains and their prevalence scores, in addition to other data sources such as Cloud DNS logs.
  • CDIR SCC Enhanced Persistence: Contains context-aware rules that correlate Security Command Center Persistence findings with data from sources such as Cloud DNS logs and IAM analysis logs.
  • CDIR SCC Enhanced Privilege Escalation: Contains context-aware rules that correlate Security Command Center Privilege escalation findings with data from several other data sources, such as Cloud Audit Logs.
  • CDIR SCC Credential Access: Contains context-aware rules that correlate Security Command Center Credential Access findings with data from several other data sources, such as Cloud Audit Logs.
  • CDIR SCC Enhanced Discovery: Contains context-aware rules that correlate Security Command Center Discovery escalation findings with data from sources such as Google Cloud services and Cloud Audit Logs.
  • CDIR SCC Brute Force: Contains context-aware rules that correlate Security Command Center Brute Force escalation findings with data such as Cloud DNS logs.
  • CDIR SCC Data Destruction: Contains context-aware rules that correlate Security Command Center Data Destruction escalation findings with data from several other data sources, such as Cloud Audit Logs.
  • CDIR SCC Inhibit System Recovery: Contains context-aware rules that correlate Security Command Center Inhibit System Recovery findings with data from several other data sources such as Cloud Audit Logs.
  • CDIR SCC Execution: Contains context-aware rules that correlate Security Command Center Execution findings with data from several other data sources such as Cloud Audit Logs.
  • CDIR SCC Initial Access: Contains context-aware rules that correlate Security Command Center Initial Access findings with data from several other data sources such as Cloud Audit Logs.
  • CDIR SCC Impair Defenses: Contains context-aware rules that correlate Security Command Center Impair Defenses findings with data from several other data sources such as Cloud Audit Logs.
  • CDIR SCC Impact: Contains rules for Impact findings from Security Command Center.
  • CDIR SCC Cloud Armor: Contains rules for Cloud Armor findings from Security Command Center with a Critical, High, Medium, and Low severity classification.
  • CDIR SCC Cloud IDS: Contains rules for Cloud IDS findings from Security Command Center with a Critical, High, Medium, and Low severity classification.
  • CDIR SCC Custom Module: Contains rules for Event Threat Detection custom module findings from Security Command Center.
  • Cloud Hacktool: Activity detected from known offensive security platforms or from offensive tools or software used in the wild by threat actors that specifically target cloud resources.
  • Cloud SQL Ransom: Detects activity associated with exfiltration or ransom of data within Cloud SQL databases.
  • Kubernetes Suspicious Tools: Detects reconnaissance and exploitation behavior from open source Kubernetes tools.
  • Kubernetes RBAC Abuse: Detects Kubernetes activity associated with the abuse of role-based access controls (RBAC) that attempt privilege escalation or lateral movement.
  • Kubernetes Certificate Sensitive Actions: Detects Kubernetes Certificate and Certificate Signing Request (CSR) actions that could be used to establish persistence or escalate privileges.
  • IAM Abuse: Activity associated with abusing IAM roles and permissions to potentially privilege-escalate or laterally move within a given Cloud project or across a Cloud organization.
  • Potential Exfil Activity: Detects activity associated with potential exfiltration of data.
  • Resource Masquerading: Detects Google Cloud resources created with names or characteristics of another resource or resource type. This could be used to mask malicious activity carried out by or within the resource, with the intention of appearing legitimate.
  • Serverless Threats: Detects activity associated with potential compromise or abuse of serverless resources in Google Cloud, such as Cloud Run and Cloud Functions.
  • Service Disruption: Detects destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage. The detected behavior is common and likely benign in testing and development environments.
  • Suspicious Behavior: Activity that is thought to be uncommon and suspicious in most environments.
  • Suspicious Infrastructure Change: Detects modifications to production infrastructure that align with known persistence tactics.
  • Weakened Config: Activity associated with weakening or degrading a security control. Deemed suspicious, potentially legitimate depending on organizational use.
  • Potential Insider Data Exfiltration from Chrome: Detects activity associated with potential insider threat behaviors such as data exfiltration or loss of potentially sensitive data outside of a Google Workspace organization. This includes behaviors from Chrome considered anomalous compared to a 30-day baseline.
  • Potential Insider Data Exfiltration from Drive: Detects activity associated with potential insider threat behaviors such as data exfiltration or loss of potentially sensitive data outside of a Google Workspace organization. This includes behaviors from Drive considered anomalous compared to a 30-day baseline.
  • Potential Insider Data Exfiltration from Gmail: Detects activity associated with potential insider threat behaviors such as data exfiltration or loss of potentially sensitive data outside of a Google Workspace organization. This includes behaviors from Gmail considered anomalous compared to a 30-day baseline.
  • Potential Workspace Account Compromise: Detects insider threat behaviors indicating that the account could have been potentially compromised and may lead to privilege escalation attempts or lateral movement attempts within a Google Workspace organization. This would include behaviors considered rare or anomalous compared to a 30-day baseline.
  • Suspicious Workspace Administrative Actions: Detects behaviors indicating potential evasion, security downgrading, or rare and anomalous behaviors never seen in the last 30 days from users with higher privileges, such as administrators.

The CDIR abbreviation stands for Cloud Detection, Investigation, and Response.

Supported devices and log types

The following sections describe the required data needed by rule sets in the Cloud Threats category.

To ingest data from Google Cloud services, see Ingest Cloud logs to Chronicle. Contact your Chronicle representative if you need to collect these logs using a different mechanism.

Chronicle provides default parsers that parse and normalize raw logs from Google Cloud services to create UDM records with data required by these rule sets.

For a list of all Chronicle supported data sources, see Supported default parsers.

All rule sets

To use any rule set, we recommend that you collect Cloud Audit Logs. Certain rules require that customers enable Cloud DNS logging. Make sure that Google Cloud services are configured to record data to the following logs:

Cloud SQL Ransom rule set

To use the Cloud SQL Ransom rule set, we recommend that you collect the following Google Cloud data:

CDIR SCC Enhanced rule sets

All rule sets that begin with the name CDIR SCC Enhanced use Security Command Center Premium findings contextualized with several other Google Cloud log sources, including the following:

  • Cloud Audit Logs
  • Cloud DNS logs
  • Identity and Access Management (IAM) analysis
  • Sensitive Data Protection context
  • BigQuery context
  • Compute Engine context

To use the CDIR SCC Enhanced rule sets, we recommend that you collect the following Google Cloud data:

  • Log data listed in the All rule sets section.
  • The following log data, listed by product name and Chronicle ingestion label:

    • BigQuery (GCP_BIGQUERY_CONTEXT)
    • Compute Engine (GCP_COMPUTE_CONTEXT)
    • IAM (GCP_IAM_CONTEXT)
    • Sensitive Data Protection (GCP_DLP_CONTEXT)
    • Cloud Audit Logs (GCP_CLOUDAUDIT)
    • Google Workspace Activity (WORKSPACE_ACTIVITY)
    • Cloud DNS queries (GCP_DNS)
  • The following Security Command Center finding classes, listed by findingClass identifier and Chronicle ingestion label:

    • Threat (GCP_SECURITYCENTER_THREAT)
    • Misconfiguration (GCP_SECURITYCENTER_MISCONFIGURATION)
    • Vulnerability (GCP_SECURITYCENTER_VULNERABILITY)
    • SCC Error (GCP_SECURITYCENTER_ERROR)

The CDIR SCC Enhanced rule sets also depend on data from Google Cloud services. To send the required data to Chronicle, make sure you complete the following:

Kubernetes Suspicious Tools rule set

To use the Kubernetes Suspicious Tools rule set, we recommend that you collect the data listed in the All rule sets section. Make sure that Google Cloud services are configured to record data to Google Kubernetes Engine (GKE) Node Logs

Kubernetes RBAC Abuse rule set

To use the Kubernetes RBAC Abuse rule set, we recommend that you collect Cloud Audit Logs, listed in the All rule sets section.

Kubernetes Certificate Sensitive Actions rule set

To use the Kubernetes Certificate Sensitive Actions rule set, we recommend that you collect Cloud Audit Logs, listed in the All rule sets section.

Google Workspace-related rule sets

The following rule sets detect patterns in Google Workspace data:

  • Potential Insider Data Exfiltration from Chrome
  • Potential Insider Data Exfiltration from Drive
  • Potential Insider Data Exfiltration from Gmail
  • Potential Workspace Account Compromise
  • Suspicious Workspace Administrative Actions

These rule sets require the following log types, listed by product name and Chronicle ingestion label:

  • Workspace Activities (WORKSPACE_ACTIVITY)
  • Workspace Alerts (WORKSPACE_ALERTS)
  • Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
  • Workspace Mobile Devices (WORKSPACE_MOBILE)
  • Workspace Users (WORKSPACE_USERS)
  • Google Chrome Browser Cloud Management (CHROME_MANAGEMENT)
  • Gmail logs (GMAIL_LOGS)

To ingest the required data, do the following:

Serverless Threats rule set

Cloud Run logs include Request logs and Container logs, which are ingested as the GCP_RUN log type in Chronicle. GCP_RUN logs can be ingested using direct ingestion or using Feeds and Cloud Storage. For specific log filters and more ingestion details, see Exporting Google Cloud Logs to Chronicle. The following export filter exports Cloud Run (GCP_RUN) logs in addition to the default logs, both through the direct ingestion mechanism and through Cloud Storage and Sinks:

log_id("run.googleapis.com/stdout") OR
log_id("run.googleapis.com/stderr") OR
log_id("run.googleapis.com/requests") OR
log_id("run.googleapis.com/varlog/system")
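The following is an added example, not Chronicle's or Google Cloud's own code. It shows what the export filter above actually selects by parsing its log_id("...") terms and applying them to a handful of constructed Cloud Logging entries. It relies on one real property of Cloud Logging: an entry's logName carries the log ID after "/logs/", URL-encoded, so a log ID such as run.googleapis.com/requests appears as run.googleapis.com%2Frequests. The evaluator is a deliberate simplification that understands only log_id terms joined by OR (the real filter language is far richer), the project name is a placeholder, and the sample entries are constructed. It also demonstrates the check a practitioner wants before deploying a filter: a term with an unbalanced quote is rejected instead of silently matching nothing.

```python
import re
from urllib.parse import unquote

# The Cloud Run export filter from the page, with balanced quotes.
GCP_RUN_FILTER = (
    'log_id("run.googleapis.com/stdout") OR\n'
    'log_id("run.googleapis.com/stderr") OR\n'
    'log_id("run.googleapis.com/requests") OR\n'
    'log_id("run.googleapis.com/varlog/system")'
)

# Same filter with the closing quote dropped from the last term, to show
# that a malformed term is caught rather than deployed.
MISSING_QUOTE_FILTER = GCP_RUN_FILTER[:-2] + ')'

# Constructed log entries (not real data). Only logName matters to this
# evaluator; "example-project" is a placeholder project ID.
SAMPLE_ENTRIES = [
    {"logName": "projects/example-project/logs/run.googleapis.com%2Frequests",
     "severity": "INFO"},
    {"logName": "projects/example-project/logs/run.googleapis.com%2Fstdout",
     "severity": "DEFAULT"},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "severity": "NOTICE"},
    {"logName": "projects/example-project/logs/run.googleapis.com%2Fvarlog%2Fsystem",
     "severity": "WARNING"},
]

# One well-formed term: log_id("...") with a balanced pair of double quotes.
_LOG_ID_TERM = re.compile(r'log_id\("([^"]*)"\)')


def parse_log_id_filter(filter_text):
    """Return the set of log IDs named by a filter made only of
    log_id("...") terms joined by OR. Anything else, including a term
    with an unbalanced quote, raises ValueError."""
    terms = [t.strip() for t in re.split(r'\s+OR\s+', filter_text.strip())]
    log_ids = set()
    for term in terms:
        match = _LOG_ID_TERM.fullmatch(term)
        if match is None:
            raise ValueError(f"unsupported or malformed term: {term!r}")
        log_ids.add(match.group(1))
    return log_ids


def filter_is_well_formed(filter_text):
    """True when every term parses; the check to run before creating a sink."""
    try:
        parse_log_id_filter(filter_text)
    except ValueError:
        return False
    return True


def log_id_of(entry):
    """Recover the log ID from logName: the segment after '/logs/', decoded."""
    return unquote(entry["logName"].split("/logs/", 1)[1])


def select_entries(entries, filter_text):
    """Return the entries the filter would export."""
    wanted = parse_log_id_filter(filter_text)
    return [e for e in entries if log_id_of(e) in wanted]


if __name__ == "__main__":
    print("filter well-formed:", filter_is_well_formed(GCP_RUN_FILTER))
    print("broken filter well-formed:", filter_is_well_formed(MISSING_QUOTE_FILTER))
    for entry in select_entries(SAMPLE_ENTRIES, GCP_RUN_FILTER):
        print("export:", log_id_of(entry))
```

Of the four constructed entries, the three Cloud Run logs are selected and the Cloud Audit Logs activity entry is not, which matches the page's point that this filter adds GCP_RUN logs alongside the default log exports rather than replacing them. Once a filter passes this kind of check, the same text is what you would hand to the --log-filter flag of gcloud logging sinks create when setting up the Cloud Storage sink route described above.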

Tuning alerts returned by Cloud Threats category

You can reduce the number of detections a rule or rule set generates using rule exclusions.

A rule exclusion defines the criteria used to exclude an event from being evaluated by the rule set, or by specific rules in the rule set. Create one or more rule exclusions to help reduce the volume of detections. See Configure rule exclusions for information about how to do this.

What's next