Security Analyst Diaries: Detecting GCP CIS control violations with native GCP Cloud Audit Logging and Google Chronicle

  1. CIS violation detection content can be added in 3 easy steps
  2. Chronicle to GCP connectivity is turnkey
  3. Detection alerts are automatically enriched to make alerts actionable
  4. Complete flexibility to customize detection content exists right inside the product
Example of GCP YARA-L Detection Rule matches in Enterprise Insights
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule gcp_managed_service_account_keys {

  meta:
    author = "Google Cloud Security"
    description = "Ensure that there are only GCP-managed service account keys for each service account"
    severity = "LOW"
    implementation = "Configure exclusions for approved workflows."
    cis_version = "1.2"
    cis_control = "1.4"
    tactic = "TA0003"
    technique = "T1136"

  events:
    $gcp.metadata.vendor_name = "Google Cloud Platform"
    $gcp.metadata.product_event_type = /google.iam.admin.v1.CreateServiceAccountKey/
    $gcp.target.user.email_addresses = /iam.gserviceaccount.com/

    // capture variables
    $gcp.principal.user.email_addresses = $user

    // exclusions
    not (
      // GCP Service Accounts
      $gcp.principal.user.email_addresses = /gserviceaccount.com/ or
      // Context Aliased Domains
      $gcp.principal.user.email_addresses = /test-google-a.com/
    )

  match:
    $user over 15m

  condition:
    $gcp
}
  • The real identity of the user who was creating the service keys
  • How they were creating service account keys
  • Where they were creating these service keys
Example of gcp_managed_service_account_keys.yaral detection results
Example of Chronicle's Context Enriched logs showing non-log-value attributes
Example of the multiple User Agents detected creating service account keys
// exclusions
not (
  // GCP service accounts
  $gcp.principal.user.email_addresses = /gserviceaccount.com/ or
  // Context Aliased Domains
  $gcp.principal.user.email_addresses = /test-google-a.com/ or
  // Permitted workflows
  $gcp.network.http.user_agent = /Terraform/ nocase
)
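To make concrete what the rule's events filters, both exclusion blocks and the `match: $user over 15m` window do to raw events, here is an added Python replay of the same logic over Cloud Audit Log JSON (example code written for this page, not code from the post or from Chronicle). It reads the standard `protoPayload` fields (`methodName`, `authenticationInfo.principalEmail`, `requestMetadata.callerSuppliedUserAgent`, `requestMetadata.callerIp`); that `request.name` carries the target service account, the `demo-proj` project and every sample entry are assumptions constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
METHOD = "google.iam.admin.v1.CreateServiceAccountKey"
TARGET_RE = re.compile(r"iam\.gserviceaccount\.com")  # the key's target must be a service account
EXCLUDED_PRINCIPAL_RE = re.compile(r"gserviceaccount\.com|test-google-a\.com")  # GCP-owned SAs, aliased test domain
EXCLUDED_AGENT_RE = re.compile(r"terraform", re.IGNORECASE)  # permitted workflow from the extended exclusions

def audit_entry(ts, principal, agent, ip, target_sa):
    """Constructed Cloud Audit Log entry; assumes request.name carries the target service account."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": METHOD, "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerSuppliedUserAgent": agent, "callerIp": ip},
        "request": {"name": f"projects/demo-proj/serviceAccounts/{target_sa}"}}}

def is_candidate(entry):
    """The rule's events filters and exclusions applied to one raw entry."""
    p = entry["protoPayload"]
    return (p.get("methodName") == METHOD
            and TARGET_RE.search(p.get("request", {}).get("name", "")) is not None
            and not EXCLUDED_PRINCIPAL_RE.search(p["authenticationInfo"].get("principalEmail", ""))
            and not EXCLUDED_AGENT_RE.search(p.get("requestMetadata", {}).get("callerSuppliedUserAgent", "")))

def detect(entries, window=timedelta(minutes=15)):  # window = the rule's "match: $user over 15m"
    """One detection per principal per window, carrying who, how (user agents) and where (IPs)."""
    by_user = defaultdict(list)
    for e in entries:
        if is_candidate(e):
            ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
            by_user[e["protoPayload"]["authenticationInfo"]["principalEmail"]].append((ts, e["protoPayload"]))
    detections = []
    for user, events in by_user.items():
        start, bucket = None, []
        for ts, p in sorted(events, key=lambda tp: tp[0]) + [(None, None)]:  # sentinel flushes the last bucket
            if bucket and (ts is None or ts - start > window):  # a window opens at its first event
                detections.append({"user": user, "count": len(bucket),
                    "user_agents": sorted({b["requestMetadata"]["callerSuppliedUserAgent"] for b in bucket}),
                    "caller_ips": sorted({b["requestMetadata"]["callerIp"] for b in bucket})})
                start, bucket = None, []
            if p is not None:
                start, bucket = start or ts, bucket + [p]
    return detections

SAMPLE_LOG = [  # constructed sample entries, not real audit data
    audit_entry("2021-06-01T10:00:00Z", "alice@example.com", "gcloud/345.0.0", "203.0.113.7", "ci@demo-proj.iam.gserviceaccount.com"),
    audit_entry("2021-06-01T10:05:00Z", "alice@example.com", "Mozilla/5.0 (console)", "203.0.113.7", "db@demo-proj.iam.gserviceaccount.com"),
    audit_entry("2021-06-01T10:30:00Z", "alice@example.com", "gcloud/345.0.0", "198.51.100.9", "ci@demo-proj.iam.gserviceaccount.com"),
    audit_entry("2021-06-01T10:01:00Z", "deployer@demo-proj.iam.gserviceaccount.com", "google-api-go-client/0.5", "35.0.0.1", "ci@demo-proj.iam.gserviceaccount.com"),
    audit_entry("2021-06-01T10:02:00Z", "bob@example.com", "Terraform/1.0.0", "203.0.113.8", "ci@demo-proj.iam.gserviceaccount.com"),
]
```

Running `detect(SAMPLE_LOG)` yields two detections for alice@example.com (two keys within one window, then a third key 30 minutes later from a different IP), while the service-account principal and the Terraform run are dropped by the exclusions.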
Example of running a Chronicle Detect retrohunt

Chronicle