
Change log for GCP_SECURITYCENTER_THREAT

Date Changes
2022-11-24 Enhancement -
- Mapped the field 'sourceProperties.contextUris.mitreUri.displayName' to 'principal.application'.
- Mapped the field 'sourceProperties.contextUris.mitreUri.url' to 'principal.url'.
- Mapped the field 'access.serviceName' to 'target.application'.
- Mapped the fields 'sourceProperties.findingId' and 'findingClass' to 'security_result.detection_fields'.
- Added the following mappings for the categories 'Privilege Escalation: Create Kubernetes CSR for master cert' and 'Privilege Escalation: Creation of sensitive Kubernetes bindings':
- Mapped the field 'sourceProperties.sourceId.projectNumber' to 'principal.resource.product_object_id'.
- Mapped the field 'sourceProperties.evidence.0.sourceLogId.projectId' to 'principal.resource.name'.
- Mapped the field 'sourceProperties.evidence.0.sourceLogId.resourceContainer' to 'principal.resource.attribute.labels'.
- Added the following mappings for the category 'Privilege Escalation: Creation of sensitive Kubernetes bindings':
- Mapped the field 'kubernetes.bindings.0.role.name' to 'principal.user.attribute.roles.name'.
- Mapped the field 'kubernetes.bindings.0.role.kind' to 'principal.user.attribute.roles.description'.
- Mapped the field 'kubernetes.bindings.0.name' to 'principal.user.attribute.roles.type'.
- Mapped the field 'kubernetes.bindings.0.subjects.0.kind' to 'principal.user.attribute.labels'.
- Mapped the field 'kubernetes.bindings.0.subjects.0.name' to 'principal.user.attribute.labels'.
2022-11-11 Enhancement -
- Mapped the field 'sourceProperties.detectionPriority' to 'security_result.priority'.
- Mapped the field 'sourceProperties.affectedResources.0.gcpResourceName' to 'target.resource.name'.
- Mapped the field 'sourceProperties.sourceId.organizationNumber' to 'principal.resource.attribute.labels'.
- Added the following mappings for the category 'Defense Evasion: Modify VPC Service Control':
- Mapped the fields 'sourceProperties.properties.delta.accessLevels.policyName' and 'sourceProperties.properties.delta.accessLevels.action' to 'security_result.rule_labels'.
- Mapped the field 'sourceProperties.properties.name' and 'sourceProperties.properties.policyLink' to ''.
- Mapped the fields 'mitreAttack.primaryTactic' and 'mitreAttack.primaryTechniques' to 'security_result.detection_fields'.
2022-10-31 Enhancement -
- Added the following mappings for the category 'Exfiltration: BigQuery Data to Google Drive':
- The field 'access.principalEmail' mapped to 'user.email_addresses'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.sourceId.projectNumber' mapped to 'principal.resource.product_object_id'.
- The field 'sourceProperties.properties.extractionAttempt.sourceTable.projectId' mapped to 'principal.resource.name'.
- The field 'sourceProperties.properties.extractionAttempt.sourceTable.datasetId' mapped to 'security_result[n].about.resource_ancestors.product_object_id', with 'security_result[n].about.resource_ancestors.resource_type' set to 'DATASET'.
- The field 'sourceProperties.properties.extractionAttempt.sourceTable.tableId' mapped to 'security_result[n].about.resource.product_object_id', with 'security_result[n].about.resource.resource_type' set to 'TABLE'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].collectionType' mapped to 'security_result[n].about.resource.resource_subtype'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].collectionName' mapped to 'security_result[n].about.resource.name'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].originalUri' mapped to 'security_result[n].about.file.full_path'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].objectName' mapped to 'security_result[n].about.file.names'.
- Added the following mappings for the category 'Exfiltration: BigQuery Data Extraction':
- The field 'access.principalEmail' mapped to 'user.email_addresses'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.sourceId.customerOrganizationNumber' mapped to 'principal.resource.attribute.labels'.
- The field 'access.methodName' mapped to 'principal.resource.attribute.labels'.
- The field 'sourceProperties.sourceId.projectNumber' mapped to 'principal.resource.product_object_id'.
- The field 'sourceProperties.properties.extractionAttempt.sourceTable.projectId' mapped to 'principal.resource.name'.
- The field 'sourceProperties.properties.extractionAttempt.sourceTable.datasetId' mapped to 'security_result[n].about.resource_ancestors.product_object_id', with 'security_result[n].about.resource_ancestors.resource_type' set to 'DATASET'.
- The field 'sourceProperties.properties.extractionAttempt.sourceTable.tableId' mapped to 'security_result[n].about.resource.product_object_id', with 'security_result[n].about.resource.resource_type' set to 'TABLE'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].collectionType' mapped to 'security_result[n].about.resource.resource_subtype'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].collectionName' mapped to 'security_result[n].about.resource.name'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].originalUri' mapped to 'security_result[n].about.file.full_path'.
- The field 'sourceProperties.properties.extractionAttempt.destinations[n].objectName' mapped to 'security_result[n].about.file.names'.
- Added the following mappings for the category 'Exfiltration: Cloud SQL Restore Backup to External Organization':
- The field 'access.principalEmail' mapped to 'user.email_addresses'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.sourceId.customerOrganizationNumber' mapped to 'principal.resource.attribute.labels'.
- The field 'access.methodName' mapped to 'principal.resource.attribute.labels'.
- The field 'sourceProperties.sourceId.projectNumber' mapped to 'principal.resource.product_object_id'.
- The field 'sourceProperties.evidence.0.sourceLogId.projectId' mapped to 'principal.resource.name'.
- The field 'sourceProperties.detectionCategory.subRuleName' mapped to 'security_result.rule_type'.
- Added the following mappings for the category 'Discovery: Service Account Self-Investigation':
- The field 'access.principalEmail' mapped to 'user.email_addresses'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.sourceId.customerOrganizationNumber' mapped to 'principal.resource.attribute.labels'.
- The field 'access.methodName' mapped to 'principal.resource.attribute.labels'.
- The field 'access.serviceAccountKeyName' mapped to 'principal.user.attribute.labels'.
- The field 'sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent' mapped to 'network.http.user_agent'.
- The field 'sourceProperties.sourceId.projectNumber' mapped to 'principal.resource.product_object_id'.
- The field 'sourceProperties.evidence.0.sourceLogId.projectId' mapped to 'principal.resource.name'.
- Added the following mappings for the category 'Credential Access: Sensitive Role Granted To Hybrid Group':
- The field 'access.principalEmail' mapped to 'user.email_addresses'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.sourceId.customerOrganizationNumber' mapped to 'principal.resource.attribute.labels'.
- The field 'access.methodName' mapped to 'principal.resource.attribute.labels'.
- The field 'sourceProperties.detectionCategory.ruleName' mapped to 'security_result.rule_name'.
- The field 'sourceProperties.sourceId.projectNumber' mapped to 'principal.resource.product_object_id'.
- The field 'sourceProperties.evidence.0.sourceLogId.projectId' mapped to 'principal.resource.name'.
- The field 'iamBindings[n].role' mapped to 'principal.user.attribute.roles[n].name'.
- The field 'iamBindings[n].action' mapped to 'principal.user.attribute.roles[n].description'.
- The field 'iamBindings[n].member' mapped to 'principal.user.group_identifiers'.
- Added the following mappings for the category 'Exfiltration: CloudSQL Data Exfiltration':
- The field 'access.principalEmail' mapped to 'user.email_addresses'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.sourceId.customerOrganizationNumber' mapped to 'principal.resource.attribute.labels'.
- The field 'access.methodName' mapped to 'principal.resource.attribute.labels'.
- The field 'sourceProperties.sourceId.projectNumber' mapped to 'principal.resource.product_object_id'.
- The field 'sourceProperties.evidence.0.sourceLogId.projectId' mapped to 'principal.resource.name'.
- The field 'sourceProperties.properties.exportToGcs.bucketAccess' mapped to 'principal.resource.attribute.labels'.
- The field 'sourceProperties.properties.exportToGcs.bucketResource' mapped to 'principal.resource.attribute.labels'.
- The field 'sourceProperties.properties.exportToGcs.exportScope' mapped to 'principal.resource.attribute.labels'.
- The field 'exfiltration.sources.[0].name' mapped to 'principal.url'.
- The field 'exfiltration.sources.[0].components.0' mapped to 'principal.process.command_line'.
- The field 'exfiltration.targets.[0].name' mapped to 'target.url'.
- The field 'exfiltration.targets.[0].components.[0]' mapped to 'target.process.command_line'.
- Added the following mappings for the categories 'Persistence: GCE Admin Added SSH Key' and 'Persistence: GCE Admin Added Startup Script':
- The field 'access.principalEmail' mapped to 'user.email_addresses'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.sourceId.customerOrganizationNumber' mapped to 'principal.resource.attribute.labels'.
- The field 'access.methodName' mapped to 'principal.resource.attribute.labels'.
- The field 'sourceProperties.properties.gceInstanceId' mapped to 'principal.asset.product_object_id'.
- The field 'sourceProperties.properties.projectId' mapped to 'principal.resource.name'.
- The field 'sourceProperties.sourceId.projectNumber' mapped to 'principal.resource.product_object_id'.
- The field 'sourceProperties.properties.callerUserAgent' mapped to 'network.http.user_agent'.
- The field 'sourceProperties.properties.metadataKeyOperation' mapped to 'principal.resource.attribute.labels'.
- Added the following mappings for the category 'Persistence: IAM Anomalous Grant':
- The field 'sourceProperties.properties.customRoleSensitivePermissions.permissions' mapped to 'principal.user.attribute.permissions.name'.
- The field 'access.callerIp' mapped to 'principal.ip'.
- The field 'access.callerIpGeo.regionCode' mapped to 'principal.location.country_or_region'.
- The field 'sourceProperties.evidence.0.sourceLogId.resourceContainer' mapped to 'principal.resource.attribute.labels'.
- Added the following mappings for the category 'PUBLIC_BUCKET_ACL':
- The field 'resourceName' mapped to 'security_result.about.resource.name'.
- The field 'parent' mapped to 'security_result.about.resource_ancestors.name'.
- The field 'state' mapped to 'security_result.detection_fields'.
- The field 'sourceProperties.ScannerName' mapped to 'principal.resource.name'.
- The field 'sourceProperties.ResourcePath' mapped to 'target.file.full_path'.
- The field 'description' mapped to 'security_result.description'.
- Modified the mapping for the fields 'resource.parentDisplayName', 'parent' and 'findings.parent' from 'security_result.about.resource.parent' to 'security_result.about.resource_ancestors.name'.
- The field 'state' mapped to 'security_result.detection_fields'.
- The field 'canonicalName' mapped to 'security_result.detection_fields'.
- The field 'mute' mapped to 'security_result.detection_fields'.
2022-05-23 Enhancement - Newly ingested logs (a new ETD data exfiltration category named 'Exfiltration: BigQuery Data to Google Drive') have been parsed and mapped to the following fields:
- 'findings.category' mapped to 'security_result.summary'.
- 'sourceProperties.properties.principalEmail' mapped to 'principal.user.attribute.roles' if the value is a service account; otherwise mapped to 'principal.user.email_addresses'.
- 'sourceProperties.properties.dataExfiltrationAttempt.query' mapped to 'target.process.command_line'.
- 'sourceProperties.properties.dataExfiltrationAttempt.jobLink' mapped to 'target.url'.
- 'sourceProperties.evidence.0.sourceLogId.projectId' mapped to 'security_result.about.user.attribute.cloud.project.name'.
- 'sourceProperties.sourceId.projectNumber' mapped to 'security_result.about.user.attribute.cloud.project.id'.
- 'sourceProperties.properties.extractionAttempt.sourceTable.tableId' mapped to 'about.resource.name'.
- For source tables, 'sourceProperties.properties.extractionAttempt.sourceTable.datasetId' mapped to 'about.resource.parent'.
- 'sourceProperties.properties.extractionAttempt.destinations.collectionType' mapped to 'about.resource.type'.
- For destination tables, 'sourceProperties.properties.extractionAttempt.destinations.collectionName' mapped to 'about.resource.name'.
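As an added illustration of the 2022-10-31 mappings for the category 'Exfiltration: BigQuery Data to Google Drive' (example code written for this page, not the Chronicle parser itself), the function below applies those field mappings to a constructed finding and shows how each entry in 'extractionAttempt.destinations[n]' becomes its own 'security_result[n]', while the source table's dataset and table fill 'resource_ancestors' and 'resource' in every one of them. The sample finding, the names 'map_bigquery_to_drive', '_get' and 'drive_destinations', and the placement of 'user.email_addresses' under 'principal.user' are assumptions made for this example.

```python
from typing import Any, Optional

# Constructed sample finding (not real SCC output); only the fields read by the
# documented mapping are populated. Two destinations show the security_result[n] fan-out.
SAMPLE_FINDING: dict[str, Any] = {
    "category": "Exfiltration: BigQuery Data to Google Drive",
    "access": {
        "principalEmail": "analyst@example.com",
        "callerIp": "203.0.113.7",
        "callerIpGeo": {"regionCode": "US"},
    },
    "sourceProperties": {
        "sourceId": {"projectNumber": "123456789012"},
        "properties": {
            "extractionAttempt": {
                "sourceTable": {
                    "projectId": "example-project",
                    "datasetId": "finance",
                    "tableId": "salaries",
                },
                "destinations": [
                    {
                        "collectionType": "GOOGLE_DRIVE",
                        "collectionName": "My Drive",
                        "originalUri": "https://drive.google.com/file/d/constructed-id-1",
                        "objectName": "salaries.csv",
                    },
                    {
                        "collectionType": "GOOGLE_DRIVE",
                        "collectionName": "Shared drive: Contractors",
                        "originalUri": "https://drive.google.com/file/d/constructed-id-2",
                        "objectName": "salaries (1).csv",
                    },
                ],
            }
        },
    },
}


def _get(obj: Any, path: str) -> Optional[Any]:
    """Resolve a dotted path; numeric parts index lists (the 'evidence.0.x' notation). None if absent."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
        if cur is None:
            return None
    return cur


def map_bigquery_to_drive(finding: dict[str, Any]) -> dict[str, Any]:
    """Apply the 2022-10-31 mapping for 'Exfiltration: BigQuery Data to Google Drive'."""
    if finding.get("category") != "Exfiltration: BigQuery Data to Google Drive":
        raise ValueError("mapping is documented only for the Google Drive exfiltration category")

    principal: dict[str, Any] = {}
    # access.principalEmail -> user.email_addresses (placed under principal.user here; assumption)
    if (email := _get(finding, "access.principalEmail")) is not None:
        principal.setdefault("user", {})["email_addresses"] = [email]
    if (ip := _get(finding, "access.callerIp")) is not None:
        principal["ip"] = [ip]
    if (region := _get(finding, "access.callerIpGeo.regionCode")) is not None:
        principal["location"] = {"country_or_region": region}

    src = "sourceProperties.properties.extractionAttempt.sourceTable"
    resource: dict[str, Any] = {}
    if (project_number := _get(finding, "sourceProperties.sourceId.projectNumber")) is not None:
        resource["product_object_id"] = project_number
    if (project_id := _get(finding, f"{src}.projectId")) is not None:
        resource["name"] = project_id
    if resource:
        principal["resource"] = resource

    dataset_id = _get(finding, f"{src}.datasetId")
    table_id = _get(finding, f"{src}.tableId")
    destinations = _get(finding, "sourceProperties.properties.extractionAttempt.destinations") or []

    # One security_result per destination: the source table identifies the resource and its
    # DATASET ancestor; the destination supplies resource_subtype, name and the file details.
    security_results = []
    for dest in destinations:
        about = {
            "resource_ancestors": [{"product_object_id": dataset_id, "resource_type": "DATASET"}],
            "resource": {
                "product_object_id": table_id,
                "resource_type": "TABLE",
                "resource_subtype": dest.get("collectionType"),
                "name": dest.get("collectionName"),
            },
            "file": {"full_path": dest.get("originalUri"), "names": [dest.get("objectName")]},
        }
        security_results.append({"about": about})

    return {"principal": principal, "security_result": security_results}


def drive_destinations(udm: dict[str, Any]) -> list[str]:
    """Drive paths the data was copied to, one per security_result (what a rule would iterate)."""
    return [sr["about"]["file"]["full_path"] for sr in udm["security_result"]]
```

Because the fan-out happens per destination, a detection that only inspects 'security_result[0]' misses every additional Drive location in the same finding; iterate the whole list, as 'drive_destinations' does.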