Security Analyst Diaries: Detecting GCP CIS control violations with native GCP Cloud Audit Logging and Google Chronicle

Note: GCP Security Command Center provides both runtime and state-based GCP benchmark visibility for CIS benchmarks (and other frameworks too), and is highly recommended as an essential part of our Google Cloud Blueprints.

Example of GCP YARA-L Detection Rule matches in Enterprise Insights
/*
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
rule gcp_managed_service_account_keys {
  meta:
    author = "Google Cloud Security"
    description = "Ensure that there are only GCP-managed service account keys for each service account"
    severity = "LOW"
    implementation = "Configure exclusions for approved workflows."
    cis_version = "1.2"
    cis_control = "1.4"
    tactic = "TA0003"
    technique = "T1136"
  events:
    $gcp.metadata.vendor_name = "Google Cloud Platform"
    $gcp.metadata.product_event_type = /google.iam.admin.v1.CreateServiceAccountKey/
    $ = /
    // variables
    $gcp.principal.user.email_addresses = $user
    // exclusions
    not (
      // GCP Service Accounts
      $gcp.principal.user.email_addresses = / or
      // Context Aliased Domains
      $gcp.principal.user.email_addresses = /
    )
  match:
    $user over 15m
  condition:
    $gcp
}

Note: What is the CIS 1.4 control about? tl;dr — don't create and download service account keys.

Example of gcp_managed_service_account_keys.yaral detection results
Example of Chronicle’s Context Enriched logs showing non log value attributes
Example of the multiple User Agents detected creating service account keys
    // exclusions
    not (
      // GCP service accounts
      $gcp.principal.user.email_addresses = / or
      // Context Aliased Domains
      $gcp.principal.user.email_addresses = / or
      // Permitted workflows
      $ = /Terraform/ nocase
    )
Example of running a Chronicle Detect retrohunt
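The same detection logic as the YARA-L rule above, re-implemented in Python over constructed Cloud Audit Log JSON so the exclusions and the 15-minute per-user match window can be checked offline. This is an added example, not code from the original post or from Chronicle; the service-account, aliased-domain and Terraform user-agent patterns are assumptions, since the page's own regexes did not survive extraction.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TARGET_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"

# Assumed exclusion patterns (the page's rule leaves the regex bodies blank).
SERVICE_ACCOUNT_RE = re.compile(r"\.gserviceaccount\.com$")
ALIASED_DOMAIN_RE = re.compile(r"@alias-example\.internal$")   # hypothetical aliased domain
PERMITTED_WORKFLOW_RE = re.compile(r"terraform", re.IGNORECASE)  # user-agent of approved workflow

def _entry(ts, method, user, ua):
    """Build a constructed, abbreviated Cloud Audit Log entry as a JSON line."""
    return json.dumps({"timestamp": ts, "protoPayload": {"methodName": method,
        "authenticationInfo": {"principalEmail": user},
        "requestMetadata": {"callerSuppliedUserAgent": ua}}})

# Constructed sample log lines: two real hits for alice, three entries the rule must ignore.
SAMPLE_LOGS = [
    _entry("2021-06-01T10:00:00Z", TARGET_METHOD, "alice@example.com", "google-cloud-sdk gcloud"),
    _entry("2021-06-01T10:01:00Z", TARGET_METHOD, "deploy@proj.iam.gserviceaccount.com", "gcloud"),
    _entry("2021-06-01T10:02:00Z", TARGET_METHOD, "bob@example.com", "Terraform/1.0.0"),
    _entry("2021-06-01T10:03:00Z", "google.iam.admin.v1.CreateServiceAccount", "alice@example.com", "gcloud"),
    _entry("2021-06-01T10:05:00Z", TARGET_METHOD, "alice@example.com", "google-cloud-sdk gcloud"),
]

def parse_entry(line):
    e = json.loads(line)
    p = e["protoPayload"]
    return {"ts": datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")),
            "method": p["methodName"],
            "user": p["authenticationInfo"]["principalEmail"],
            "ua": p.get("requestMetadata", {}).get("callerSuppliedUserAgent", "")}

def is_excluded(ev):
    """Mirror the rule's 'not ( ... )' block: service accounts, aliased domains, permitted workflows."""
    return bool(SERVICE_ACCOUNT_RE.search(ev["user"]) or ALIASED_DOMAIN_RE.search(ev["user"])
                or PERMITTED_WORKFLOW_RE.search(ev["ua"]))

def detect(lines, window=timedelta(minutes=15)):
    """Return {(user, window_start_iso): count}, the equivalent of 'match: $user over 15m'."""
    hits = defaultdict(int)
    step = int(window.total_seconds())
    for line in lines:
        ev = parse_entry(line)
        if ev["method"] != TARGET_METHOD or is_excluded(ev):
            continue
        bucket = int(ev["ts"].timestamp()) // step * step
        hits[(ev["user"], datetime.fromtimestamp(bucket, timezone.utc).isoformat())] += 1
    return dict(hits)
```

Each key of the result is one detection (one user in one 15-minute window), with the count of user-managed key creations in that window, so tuning an exclusion regex here is a quick way to preview how the YARA-L rule's noise would change.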
