Security Analyst Diaries: Detecting GCP CIS control violations with native GCP Cloud Audit Logging and Google Chronicle

  1. CIS violation detection content can be added in 3 easy steps.
  2. Chronicle to GCP connectivity is turnkey.
  3. Detection alerts are automatically enriched to make alerts actionable.
  4. Complete flexibility to customize detection content exists right inside the product.
Example of GCP YARA-L Detection Rule matches in Enterprise Insights
/*
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule gcp_managed_service_account_keys {

  meta:
    author = "Google Cloud Security"
    description = "Ensure that there are only GCP-managed service account keys for each service account"
    severity = "LOW"
    implementation = "Configure exclusions for approved workflows."
    cis_version = "1.2"
    cis_control = "1.4"
    tactic = "TA0003"
    technique = "T1136"

  events:
    $gcp.metadata.vendor_name = "Google Cloud Platform"
    $gcp.metadata.product_event_type = /google.iam.admin.v1.CreateServiceAccountKey/
    $gcp.target.user.email_addresses = /iam.gserviceaccount.com/

    // capture variables
    $gcp.principal.user.email_addresses = $user

    // exclusions
    not (
      // GCP Service Accounts
      $gcp.principal.user.email_addresses = /gserviceaccount.com/ or
      // Context Aliased Domains
      $gcp.principal.user.email_addresses = /test-google-a.com/
    )

  match:
    $user over 15m

  condition:
    $gcp
}
  • The real identity of the user who was creating the service keys
  • How they were creating service account keys
  • Where they were creating these service keys
Example of gcp_managed_service_account_keys.yaral detection results
Example of Chronicle’s Context Enriched logs showing non log value attributes
Example of the multiple User Agents detected creating service account keys
    // exclusions
    not (
      // GCP service accounts
      $gcp.principal.user.email_addresses = /gserviceaccount.com/ or
      // Context Aliased Domains
      $gcp.principal.user.email_addresses = /test-google-a.com/ or
      // Permitted workflows
      $gcp.network.http.user_agent = /Terraform/ nocase
    )
Example of running a Chronicle Detect retrohunt
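To make the rule's logic concrete outside Chronicle, here is an added Python example (not code from the article or from Google) that applies the same selection, exclusion and 15-minute per-user grouping to raw Cloud Audit Log JSON entries, including the Terraform user-agent exclusion added above. The log entries are constructed for the example, the principal names and project are made up, and the windowing is a simplified session-style grouping rather than Chronicle's exact match-window semantics.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def entry(ts, method, principal, target_sa, user_agent):
    """Build a constructed Admin Activity audit log entry, trimmed to the
    protoPayload fields the rule keys on (shape follows Cloud Audit Logs)."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": f"projects/-/serviceAccounts/{target_sa}",
        "requestMetadata": {"callerSuppliedUserAgent": user_agent}}}


CREATE_KEY = "google.iam.admin.v1.CreateServiceAccountKey"
APP_SA = "app-sa@example-project.iam.gserviceaccount.com"  # constructed target

# Constructed sample log entries (not real logs).
SAMPLE_AUDIT_LOGS = [
    # Human user creates a key from the console, then again via gcloud 5 minutes later.
    entry("2021-06-01T10:00:00Z", CREATE_KEY, "alice@example.com", APP_SA,
          "Mozilla/5.0 (X11; Linux x86_64)"),
    entry("2021-06-01T10:05:00Z", CREATE_KEY, "alice@example.com", APP_SA,
          "google-cloud-sdk gcloud/345.0.0"),
    # Same user 40 minutes after the first event: falls into a new 15m window.
    entry("2021-06-01T10:40:00Z", CREATE_KEY, "alice@example.com", APP_SA,
          "Mozilla/5.0 (X11; Linux x86_64)"),
    # Approved Terraform workflow: excluded by user agent.
    entry("2021-06-01T10:07:00Z", CREATE_KEY, "bob@example.com", APP_SA,
          "Terraform/1.0.0 (+https://www.terraform.io)"),
    # Key created by a service account principal: excluded.
    entry("2021-06-01T10:08:00Z", CREATE_KEY,
          "ci-runner@example-project.iam.gserviceaccount.com", APP_SA, "grpc-go/1.38"),
    # Unrelated IAM call: does not match the event selection at all.
    entry("2021-06-01T10:09:00Z", "google.iam.admin.v1.GetServiceAccount",
          "alice@example.com", APP_SA, "google-cloud-sdk gcloud/345.0.0"),
]

# Mirrors the YARA-L events section: selection patterns and exclusions.
METHOD_RX = re.compile(r"google\.iam\.admin\.v1\.CreateServiceAccountKey")
TARGET_RX = re.compile(r"iam\.gserviceaccount\.com")
EXCLUDED_PRINCIPALS = [re.compile(r"gserviceaccount\.com"),
                       re.compile(r"test-google-a\.com")]
EXCLUDED_USER_AGENTS = [re.compile(r"Terraform", re.IGNORECASE)]  # "nocase"
WINDOW = timedelta(minutes=15)  # "match: $user over 15m"


def principal_of(e):
    return e["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "")


def user_agent_of(e):
    return e["protoPayload"].get("requestMetadata", {}).get("callerSuppliedUserAgent", "")


def timestamp_of(e):
    return datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))


def event_matches(e):
    """True when the entry satisfies the rule's selection and none of its exclusions."""
    p = e["protoPayload"]
    if not METHOD_RX.search(p.get("methodName", "")):
        return False
    if not TARGET_RX.search(p.get("resourceName", "")):
        return False
    if any(rx.search(principal_of(e)) for rx in EXCLUDED_PRINCIPALS):
        return False
    if any(rx.search(user_agent_of(e)) for rx in EXCLUDED_USER_AGENTS):
        return False
    return True


def detect(entries, window=WINDOW):
    """Group matching events per principal into windows; each window that holds
    at least one event becomes a detection carrying who, how and where."""
    by_user = defaultdict(list)
    for e in entries:
        if event_matches(e):
            by_user[principal_of(e)].append(e)

    detections = []
    for user, events in by_user.items():
        events.sort(key=timestamp_of)
        start, bucket = None, []
        for e in events:
            t = timestamp_of(e)
            if start is None or t - start > window:
                if bucket:
                    detections.append(_summarise(user, start, bucket))
                start, bucket = t, []
            bucket.append(e)
        if bucket:
            detections.append(_summarise(user, start, bucket))
    return detections


def _summarise(user, start, events):
    return {"user": user, "window_start": start.isoformat(), "count": len(events),
            "user_agents": sorted({user_agent_of(e) for e in events}),
            "targets": sorted({e["protoPayload"]["resourceName"] for e in events})}


if __name__ == "__main__":
    for d in detect(SAMPLE_AUDIT_LOGS):
        print(d)
```

Running it yields two detections, both for alice@example.com: one window with two events showing two different user agents (the same "multiple user agents" picture the enriched Chronicle alert gives), and a second window for the later key creation. The Terraform run, the service-account principal and the unrelated IAM call produce nothing, which is exactly what the exclusions are meant to achieve before a retrohunt is run over historical logs.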
