Security Analyst Diaries: Detecting GCP CIS control violations with native GCP Cloud Audit Logging and Google Chronicle

  1. CIS violation detection content can be added in 3 easy steps
  2. Chronicle to GCP connectivity is turnkey
  3. Detection alerts are automatically enriched to make alerts actionable
  4. Complete flexibility to customize detection content exists right inside the product.
Example of GCP YARA-L Detection Rule matches in Enterprise Insights
```
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule gcp_managed_service_account_keys {

  meta:
    author = "Google Cloud Security"
    description = "Ensure that there are only GCP-managed service account keys for each service account"
    severity = "LOW"
    implementation = "Configure exclusions for approved workflows."
    cis_version = "1.2"
    cis_control = "1.4"
    tactic = "TA0003"
    technique = "T1136"

  events:
    $gcp.metadata.vendor_name = "Google Cloud Platform"
    $gcp.metadata.product_event_type = /google.iam.admin.v1.CreateServiceAccountKey/
    $gcp.target.user.email_addresses = /iam.gserviceaccount.com/

    // capture variables
    $gcp.principal.user.email_addresses = $user

    // exclusions
    not (
      // GCP Service Accounts
      $gcp.principal.user.email_addresses = /gserviceaccount.com/ or
      // Context Aliased Domains
      $gcp.principal.user.email_addresses = /test-google-a.com/
    )

  match:
    $user over 15m

  condition:
    $gcp
}
```
  • The real identity of the user who was creating the service keys
  • How they were creating service account keys
  • Where they were creating these service keys
Example of gcp_managed_service_account_keys.yaral detection results
Example of Chronicle’s Context Enriched logs showing non log value attributes
Example of the multiple User Agents detected creating service account keys
```
    // exclusions
    not (
      // GCP service accounts
      $gcp.principal.user.email_addresses = /gserviceaccount.com/ or
      // Context Aliased Domains
      $gcp.principal.user.email_addresses = /test-google-a.com/ or
      // Permitted workflows
      $gcp.network.http.user_agent = /Terraform/ nocase
    )
```
Example of running a Chronicle Detect retrohunt
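To make the rule's logic concrete outside Chronicle, the following is an added example (written for this article, not code from the original post or from Google) that re-implements gcp_managed_service_account_keys in plain Python and runs it over a handful of constructed Cloud Audit Log entries. It mirrors the three selection lines (CreateServiceAccountKey, a service-account target, the principal captured as $user), both exclusion blocks shown above (the service-account and test-google-a.com principal exclusions, and the later Terraform user-agent exclusion as an opt-in flag), and a simplified version of the 15-minute match window. Assumptions: the target service account email is read from resource.labels.email_id, the user agent from protoPayload.requestMetadata.callerSuppliedUserAgent, and the window is a tumbling window anchored on each principal's first matching event, which is an approximation of Chronicle's `match ... over 15m` semantics, not a reproduction of them.

```python
"""Plain-Python re-implementation of the gcp_managed_service_account_keys
YARA-L logic, run over constructed Cloud Audit Log entries (not real data)."""
import re
from datetime import datetime, timedelta


def audit_entry(ts, principal, target_sa, user_agent, caller_ip,
                method="google.iam.admin.v1.CreateServiceAccountKey"):
    """Build one entry in the shape of a Cloud Audit Log (protoPayload + resource labels).
    Only the fields the rule needs are populated."""
    return {
        "timestamp": ts,
        "resource": {"type": "service_account",
                     "labels": {"email_id": target_sa, "project_id": "my-project"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip,
                                "callerSuppliedUserAgent": user_agent},
            "resourceName": "projects/-/serviceAccounts/" + target_sa,
        },
    }


# Constructed sample log entries (hypothetical principals, IPs and user agents).
SA = "app-sa@my-project.iam.gserviceaccount.com"
SAMPLE_LOGS = [
    audit_entry("2021-08-10T12:00:00Z", "alice@example.com", SA,
                "google-cloud-sdk gcloud/400.0.0", "203.0.113.10"),
    audit_entry("2021-08-10T12:05:00Z", "alice@example.com", SA,
                "Terraform/1.0.0 (+https://www.terraform.io)", "203.0.113.10"),
    audit_entry("2021-08-10T12:10:00Z", "alice@example.com", SA,
                "Mozilla/5.0 (X11; Linux x86_64) Chrome/92.0", "198.51.100.7"),
    # excluded: the principal is itself a GCP service account
    audit_entry("2021-08-10T12:12:00Z", "deployer@my-project.iam.gserviceaccount.com", SA,
                "google-api-go-client/0.5", "10.0.0.5"),
    # excluded: context-aliased domain
    audit_entry("2021-08-10T12:15:00Z", "bob@test-google-a.com", SA,
                "google-cloud-sdk gcloud/400.0.0", "203.0.113.20"),
    # not a key creation at all
    audit_entry("2021-08-10T12:20:00Z", "alice@example.com", SA,
                "google-cloud-sdk gcloud/400.0.0", "203.0.113.10",
                method="google.iam.admin.v1.SetIamPolicy"),
    # a second, separate 15-minute window for alice
    audit_entry("2021-08-10T13:00:00Z", "alice@example.com", SA,
                "google-cloud-sdk gcloud/400.0.0", "203.0.113.10"),
]

# One predicate per line of the YARA-L events section. YARA-L regexes are
# unanchored, so re.search is used; dots are escaped here for precision.
IS_KEY_CREATE = re.compile(r"google\.iam\.admin\.v1\.CreateServiceAccountKey")
IS_SA_TARGET = re.compile(r"iam\.gserviceaccount\.com")
EXCLUDED_PRINCIPALS = (re.compile(r"gserviceaccount\.com"),   # GCP service accounts
                       re.compile(r"test-google-a\.com"))      # context aliased domains
PERMITTED_WORKFLOW_AGENTS = (re.compile(r"Terraform", re.IGNORECASE),)  # the `nocase` exclusion


def normalize(entry):
    """Map a raw audit log entry onto the UDM-style fields the rule references."""
    pp = entry["protoPayload"]
    meta = pp.get("requestMetadata", {})
    return {
        "timestamp": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        "product_event_type": pp.get("methodName", ""),
        "principal_email": pp.get("authenticationInfo", {}).get("principalEmail", ""),
        # assumption: target SA email comes from resource.labels.email_id
        "target_email": entry.get("resource", {}).get("labels", {}).get("email_id", ""),
        "user_agent": meta.get("callerSuppliedUserAgent", ""),
        "caller_ip": meta.get("callerIp", ""),
    }


def matches_rule(ev, exclude_permitted_workflows=False):
    """Selection plus the `not ( ... )` exclusion block; the Terraform clause is opt-in."""
    if not IS_KEY_CREATE.search(ev["product_event_type"]):
        return False
    if not IS_SA_TARGET.search(ev["target_email"]):
        return False
    if any(p.search(ev["principal_email"]) for p in EXCLUDED_PRINCIPALS):
        return False
    if exclude_permitted_workflows and any(
            p.search(ev["user_agent"]) for p in PERMITTED_WORKFLOW_AGENTS):
        return False
    return True


def detect(entries, window=timedelta(minutes=15), exclude_permitted_workflows=False):
    """Group matching events by principal ($user) into windows of `window`.
    Each detection records who, how (user agents) and where (caller IPs),
    the same context the enriched Chronicle alert surfaces."""
    events = sorted((normalize(e) for e in entries), key=lambda ev: ev["timestamp"])
    open_windows, detections = {}, []
    for ev in events:
        if not matches_rule(ev, exclude_permitted_workflows):
            continue
        user = ev["principal_email"]
        cur = open_windows.get(user)
        if cur is None or ev["timestamp"] >= cur["window_start"] + window:
            cur = {"user": user, "window_start": ev["timestamp"], "event_count": 0,
                   "user_agents": set(), "caller_ips": set(), "targets": set()}
            open_windows[user] = cur
            detections.append(cur)
        cur["event_count"] += 1
        cur["user_agents"].add(ev["user_agent"])
        cur["caller_ips"].add(ev["caller_ip"])
        cur["targets"].add(ev["target_email"])
    return detections


if __name__ == "__main__":
    for label, flag in (("base rule", False), ("with Terraform exclusion", True)):
        print(label)
        for d in detect(SAMPLE_LOGS, exclude_permitted_workflows=flag):
            print(f"  {d['user']} from {d['window_start']:%H:%M}: "
                  f"{d['event_count']} key(s), agents={sorted(d['user_agents'])}, "
                  f"ips={sorted(d['caller_ips'])}")
```

Running it with the base rule produces two detections for alice@example.com (three key creations in the 12:00 window, one at 13:00) and none for the two excluded principals; enabling the Terraform clause drops the Terraform-driven creation from the first window while still flagging the gcloud and browser-driven ones, which is the behaviour the added "Permitted workflows" exclusion is meant to give.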

Chronicle