Quick Start Security for GCP Armor

GCP Armor

Coralogix Extension For GCP Armor Includes:

Dashboards - 1

Gain instantaneous visualization of all your GCP Armor data.

GCP Cloud Armor WAF Insights

Alerts - 14

Stay on top of key GCP Armor security metrics. Keep everyone informed through integrations with Slack, PagerDuty and more.

GCP WAF - No logs from GCP WAF

This rule detects when no GCP WAF logs have arrived in the last 4 hours for the customer account. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005. MITRE Technique: T1562.

GCP WAF - Remote Code Execution Attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for RCE are triggered.
Impact: Threat actors can gain initial access to a network by exploiting an RCE vulnerability in a web application.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.
MITRE Tactic: TA0001. MITRE Technique: T1190.

GCP WAF - SQL Injection Attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for SQL Injection Attacks are triggered.
Impact: SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, disclose all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.
MITRE Tactic: TA0001. MITRE Technique: T1190.

GCP WAF - HTTP Protocol Attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for HTTP Protocol Attacks are triggered.
Impact: HTTP protocol attacks can lead to disruption of service, such as request injection via HTTP request smuggling or HTTP parameter pollution.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.

GCP WAF - Local/Remote File Inclusion Attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for LFI or RFI are triggered. LFI is a web application vulnerability that allows an attacker to include and execute local files on the server. It occurs when the application does not properly validate or sanitize user input, enabling the attacker to manipulate file paths and access sensitive files. RFI attacks exploit web application vulnerabilities to include and execute remote files from an external server: attackers manipulate input parameters or file inclusion mechanisms to trick the application into loading malicious files hosted remotely.
Impact: Attackers can execute arbitrary code, gain unauthorized access to sensitive data, compromise the entire system, or launch further attacks. LFI/RFI attacks can disrupt the targeted application, lead to data breaches, and cause reputational damage to organizations.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.
MITRE Tactic: TA0001. MITRE Technique: T1190.

GCP WAF - Scanner Detection

This alert triggers when the Google Cloud Armor preconfigured WAF rules for Scanner Detection are triggered.
Impact: Threat actors use vulnerability scanners as part of their enumeration prior to an attack on the environment protected by the WAF.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.

GCP WAF - NodeJS Attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for NodeJS Attacks are triggered.
Impact: Threat actors can gain initial access to a network by exploiting a NodeJS vulnerability in a web application.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.
MITRE Tactic: TA0001. MITRE Technique: T1190.

GCP WAF - Java Attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for Java Attacks are triggered.
Impact: Threat actors can gain initial access to a network by exploiting a Java vulnerability in a web application.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.
MITRE Tactic: TA0001. MITRE Technique: T1190.

GCP WAF - PHP injection attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for PHP Injection are triggered.
Impact: Threat actors can gain initial access to a network by exploiting an RCE vulnerability in a web application.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.
MITRE Tactic: TA0001. MITRE Technique: T1190.

GCP WAF - Cross Site Scripting Attack

This alert triggers when the Google Cloud Armor preconfigured WAF rules for XSS are triggered. Cross-Site Scripting attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
Impact: An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted and will execute it. Because the browser believes the script came from a trusted source, the script can access any cookies, session tokens, or other sensitive information the browser retains for that site.
Mitigation: Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, requested URLs, etc.
MITRE Tactic: TA0001. MITRE Technique: T1190.

GCP WAF - A Firewall Rule was Created

This rule detects the creation of a GCP WAF rule.
Impact: Custom firewall rules can be manipulated by attackers to open an entry point into various GCP services.
Mitigation: Validate the action and revert the change if it was not authorized. Ensure the firewall and the network range are scoped properly, and that the user who created the rule was authorized to do so.
MITRE Tactic: TA0003. MITRE Technique: T1136.

GCP WAF - A Firewall Rule was Deleted

This rule detects the deletion of a GCP WAF rule.
Impact: An adversary may delete a firewall rule to disrupt network operations and create business impact in the target's environment.
Mitigation: Investigate what the firewall rule did (what it denied or allowed) and decide whether the deletion was legitimate or malicious. Revert the change if needed and investigate further.
MITRE Tactic: TA0005. MITRE Technique: T1562.

GCP WAF - A Firewall Rule was Updated

This rule detects when a GCP WAF rule has been updated.
Impact: An adversary may modify a firewall rule to weaken the target's security controls, or an administrator may modify it inadvertently; either can lead to data exposure or loss.
Mitigation: Firewall configuration may legitimately be modified by network administrators. Verify that the change was expected; if not, revert it and investigate further.
MITRE Tactic: TA0003. MITRE Technique: T1098.

GCP WAF - CVEs and other vulnerabilities

This alert triggers when the Google Cloud Armor preconfigured WAF rules for common vulnerabilities are triggered.
Impact: Threat actors can gain initial access to a network by exploiting common vulnerabilities in a web application.
Mitigation: Investigate further based on the CVE mentioned in the logs.
MITRE Tactic: TA0001. MITRE Technique: T1190.
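As an added example (not part of the Coralogix extension or Google's code), the following Python maps constructed Cloud Armor request-log entries onto the WAF alert categories listed above and implements the 4-hour log-gap check from the "No logs from GCP WAF" alert. It assumes the Cloud Armor request-log layout in which matched preconfigured rule IDs such as owasp-crs-v030301-id942100-sqli appear under jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds; the entries, rule IDs and timestamps in SAMPLE_LOGS are constructed.

```python
from datetime import datetime, timedelta
# Suffix of a preconfigured WAF rule ID -> alert name on this page. Assumption: IDs look
# like "owasp-crs-v030301-id942100-sqli" under enforcedSecurityPolicy.preconfiguredExprIds.
CATEGORY_TO_ALERT = {
    "sqli": "GCP WAF - SQL Injection Attack", "xss": "GCP WAF - Cross Site Scripting Attack",
    "rce": "GCP WAF - Remote Code Execution Attack", "php": "GCP WAF - PHP injection attack",
    "lfi": "GCP WAF - Local/Remote File Inclusion Attack",
    "rfi": "GCP WAF - Local/Remote File Inclusion Attack",
    "scannerdetection": "GCP WAF - Scanner Detection", "protocolattack": "GCP WAF - HTTP Protocol Attack",
    "nodejs": "GCP WAF - NodeJS Attack", "java": "GCP WAF - Java Attack",
    "cve": "GCP WAF - CVEs and other vulnerabilities",
}

# Constructed sample request-log entries (not real traffic): two denied requests that
# matched preconfigured rules and one accepted request that matched nothing.
SAMPLE_LOGS = [
    {"timestamp": "2024-05-01T12:00:00Z", "jsonPayload": {"enforcedSecurityPolicy": {
        "name": "edge-policy", "outcome": "DENY",
        "preconfiguredExprIds": ["owasp-crs-v030301-id942100-sqli"]}}},
    {"timestamp": "2024-05-01T12:01:30Z", "jsonPayload": {"enforcedSecurityPolicy": {
        "name": "edge-policy", "outcome": "DENY",
        "preconfiguredExprIds": ["owasp-crs-v030301-id930100-lfi",
                                 "owasp-crs-v030301-id913100-scannerdetection"]}}},
    {"timestamp": "2024-05-01T12:02:00Z", "jsonPayload": {"enforcedSecurityPolicy": {
        "name": "edge-policy", "outcome": "ACCEPT"}}},
]

def parse_ts(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def alerts_for_entry(entry: dict) -> set:
    """Map one entry's matched rule IDs to the page's alert names (empty set if none)."""
    policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
    categories = (i.rsplit("-", 1)[-1] for i in policy.get("preconfiguredExprIds", []))
    return {CATEGORY_TO_ALERT[c] for c in categories if c in CATEGORY_TO_ALERT}

def triage(entries) -> dict:
    """Count, per alert name, how many requests in the batch would trigger it."""
    counts = {}
    for entry in entries:
        for name in alerts_for_entry(entry):
            counts[name] = counts.get(name, 0) + 1
    return counts

def no_logs_alert(entries, now: str, window_hours: int = 4) -> bool:
    """The 'No logs from GCP WAF' rule: true when nothing was logged inside the window."""
    latest = max((parse_ts(e["timestamp"]) for e in entries), default=None)
    return latest is None or parse_ts(now) - latest > timedelta(hours=window_hours)
```

Running triage(SAMPLE_LOGS) attributes one request each to the SQL Injection, LFI/RFI and Scanner Detection alerts, while the accepted request raises nothing; a request that matches several rule categories counts once per alert.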

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Armor in our documentation.
