
Quick Start Security for GCP Audit

GCP Audit

Coralogix Extension For GCP Audit Includes:

Alerts - 11

Stay on top of GCP Audit key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

An Existing Logging Sink was Deleted

This alert is triggered when an existing logging sink is deleted. Monitoring sink deletion is crucial, as it can disrupt your business monitoring and operations.

Impact: Ongoing activity may go unmonitored, and future attacks and administrative actions may be missed.

Mitigation: Promptly examine the type of sink that was deleted and check for any accompanying comments or messages. If none are found, contact the user and request a business justification; such an event should not occur without a valid business plan unless it is part of a testing phase.

MITRE Tactic: TA0040 MITRE Technique: T1485

A New Logging Sink was Created

This alert is triggered when a new logging sink is created. It is essential to review the newly created sink, understand the destination the logs are being sent to, and confirm that business approval exists for such a significant change.

Impact: A new sink with an unfamiliar destination could expose your GCP project's internal logs to an unknown location. It may also incur costs, such as inbound/outbound traffic charges and other associated expenses.

Mitigation: Such changes should only be made in response to a business demand and with the appropriate approvals. Promptly contact the user with the log details, request a ticket or approval, and close the case as appropriate.

MITRE Tactic: TA0040 MITRE Technique: T1485

An Existing Logging Sink was Modified

This alert is triggered when an existing logging sink is modified. Observe and track the alterations, specifically identifying what was changed.

Impact: Logs could be sent to an unauthorized destination, with cost implications and inadequate control over inbound/outbound cost analysis.

Mitigation: Begin by examining the changes made to the sink, such as its destination, name, and the types of logs it exports. If significant configuration changes are identified, contact the user for justification and confirmation of their involvement. Based on the response, close the case and initiate any necessary follow-up actions.

MITRE Tactic: TA0040 MITRE Technique: T1485

A New User was Added to The Project

This alert is triggered when a new user is added to the project. Confirm the identity of the added user and the extent of the permissions assigned to them.

Impact: To prevent privilege escalation, misconfiguration, and data security risks, confirm that the user holds only the permissions approved by the project owner. Failure to do so could result in a significant security breach or data exfiltration.

Mitigation: Examine the user added to the project (potentially a new employee). Confirm that an access-request ticket exists with the designated access level, and cross-check it against the logs. If no ticket is found, contact the project owner to request the necessary ticket and approval.

MITRE Tactic: TA0001 MITRE Technique: T1078

Data Access Logging was Disabled

This alert is triggered when Data Access audit logging is disabled. Monitoring this event is highly critical; logging must remain enabled to detect unusual events in your cloud infrastructure.

Impact: Data Access logs cover admin actions as well as data read and write activity, so critical events within Data Access must be actively monitored. If this logging is disabled, the security team may remain unaware of unusual events occurring in the environment.

Mitigation: Promptly contact the Engineering team and request a business justification for disabling the logging. If approval is granted and the configuration is secure, close the incident. Examine the Policy Delta in the audit log entry, which lists the changes and the services for which logging was enabled or disabled.

MITRE Tactic: TA0040 MITRE Technique: T1565

A Monitoring Alert was Deleted

This alert is triggered when a monitoring alert policy is deleted by a user. Such events normally occur only during testing, or when someone is deliberately trying to hide unusual activity.

Impact: Attackers delete alert policies to clear traces and alarms so they can act without anyone being notified; otherwise the deletion is usually testing by the operations team. Deleting a policy stops notifications for that policy, so subsequent unusual activity may go entirely unnoticed.

Mitigation: Restrict these permissions to the admin or security team. Reach out to the responsible team or user for a business justification, and take the next step accordingly.

MITRE Tactic: TA0040 MITRE Technique: T1485

Unusual Activity from Unsupported Cloud Region

This alert is triggered when an unusual login or activity is seen from an unknown or unused cloud region. Note: whitelist your expected regions before putting this alert into production. Use the field "protoPayload.resourceLocation.currentLocations" to whitelist region names.

Impact: This may indicate human error, misconfiguration, or a compromised account. A newly added region may not be adequately monitored from a security standpoint, and there could be significant financial implications due to service costs incurred there.

Mitigation: Promptly check whether the Cloud Infrastructure team has subscribed to a new region, and contact the account owner or user to confirm whether this was accidental or part of a business use-case test.

MITRE Tactic: TA0001 MITRE Technique: T1078

No Logs From GCP Audit

This alert is triggered when no GCP Audit logs are received for the customer account. Note: this alert should be configured with the relevant application and subsystem. Define timeframes and conditions that align directly with business objectives.

Impact: This could mean there were genuinely no audit events, or it could point to errors or misconfigurations in the service causing interruptions. If an attacker engages in malicious or unusual activity during the gap, it may go unnoticed by the operations team.

Mitigation: Ensure the configuration and workflow align with established standards and best practices. If there are discrepancies, contact the engineering team responsible for the integration to review whether the gap is genuine or whether the audit logs simply produced no alerts within the specified timeframes.

MITRE Tactic: TA0040 MITRE Technique: T1485

A GCP Instance was Preempted

This alert is triggered when a GCP instance is preempted. Preemptible instances are VM instances that can be created at a much lower price than regular instances. The difference is that Compute Engine can terminate them if their resources need to be reclaimed for other tasks, and preemptible instances also have a 24-hour limit after which they are terminated.

Impact: If GCP identifies an increase in data center load, it may selectively terminate your preemptible VM instance, leading to disruption of your applications. Use preemptible instances only for fault-tolerant applications or batch-processing jobs.

Mitigation: Closely oversee critical instances to ensure they are shielded from abnormal traffic, including DoS and DDoS attacks and requests from blacklisted IPs or countries. If such traffic is detected, promptly block connections from those IP addresses and geolocations.

MITRE Tactic: TA0040 MITRE Technique: T1485

Mute Config Updated

This alert is triggered when an existing mute config is updated. A mute rule is a configurable setting that defines the conditions under which a Cloud Monitoring alert policy is silenced. While active, muting an alert policy prevents it from sending notifications or executing any specified actions.

Impact: If an adversary updates a mute rule for an alert policy in Google Cloud Platform (GCP), the consequences could be significant, depending on the specific changes made and the importance of the alerts and notifications being suppressed.

Mitigation: Implement appropriate security controls, such as strong passwords and multi-factor authentication, and regularly review and monitor your alert policies to ensure they are configured correctly.

MITRE Tactic: TA0005 MITRE Technique: T1564

Mute Config Created

This alert is triggered when a mute config rule is created. A mute rule is a configurable setting that defines the conditions for silencing a Cloud Monitoring alert policy. While active, muting an alert policy prevents it from sending notifications or carrying out designated actions.

Impact: An adversary could create a mute rule indefinitely or for an extended duration to silence an alert policy, resulting in the loss of crucial alerts and notifications. This could lead to substantial disruptions or outages.

Mitigation: Consistently review and oversee your alert policies to verify their configuration. This helps detect unauthorized alterations to your alert policies, such as the creation of mute rules.

MITRE Tactic: TA0001 MITRE Technique: T1190
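As an added example (not Coralogix's alert definitions or code), the following Python maps constructed Cloud Audit Logs entries to several of the alerts above, including the region allowlist on protoPayload.resourceLocation.currentLocations. The methodName values and the policyDelta fields follow the Cloud Audit Logs LogEntry layout; the allowlist, the sample log lines and the e-mail addresses are constructed for the example.

```python
import json

# methodName -> alert name. Method names are Cloud Audit Logs values; the mapping is this example's.
METHOD_ALERTS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink": "An Existing Logging Sink was Deleted",
    "google.logging.v2.ConfigServiceV2.CreateSink": "A New Logging Sink was Created",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "An Existing Logging Sink was Modified",
    "google.monitoring.v3.AlertPolicyService.DeleteAlertPolicy": "A Monitoring Alert was Deleted",
}
ALLOWED_REGIONS = {"us-central1", "europe-west1"}  # assumed allowlist for this project

def classify(entry, allowed_regions=ALLOWED_REGIONS):
    """Return the alert names one audit LogEntry (parsed dict) matches."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    delta = p.get("serviceData", {}).get("policyDelta", {})
    hits = []
    if method in METHOD_ALERTS:
        hits.append(METHOD_ALERTS[method])
    if method == "SetIamPolicy":
        # A binding ADD means a member gained a role on the project
        if any(d.get("action") == "ADD" for d in delta.get("bindingDeltas", [])):
            hits.append("A New User was Added to The Project")
        # An audit-config REMOVE drops a Data Access log type; this is the Policy Delta to review
        if any(d.get("action") == "REMOVE" for d in delta.get("auditConfigDeltas", [])):
            hits.append("Data Access Logging was Disabled")
    # Region allowlist uses the field named in the alert description
    locs = p.get("resourceLocation", {}).get("currentLocations", [])
    if any(loc not in allowed_regions for loc in locs):
        hits.append("Unusual Activity from Unsupported Cloud Region")
    return hits

# Constructed sample log lines (one JSON LogEntry per line), not real audit data
SAMPLE_LOG_LINES = [
    '{"insertId":"e1","protoPayload":{"methodName":"google.logging.v2.ConfigServiceV2.DeleteSink","authenticationInfo":{"principalEmail":"alice@example.com"}}}',
    '{"insertId":"e2","protoPayload":{"methodName":"SetIamPolicy","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/editor","member":"user:bob@example.com"}]}}}}',
    '{"insertId":"e3","protoPayload":{"methodName":"SetIamPolicy","serviceData":{"policyDelta":{"auditConfigDeltas":[{"action":"REMOVE","service":"allServices","logType":"DATA_READ"}]}}}}',
    '{"insertId":"e4","protoPayload":{"methodName":"v1.compute.instances.insert","resourceLocation":{"currentLocations":["asia-south1"]}}}',
    '{"insertId":"e5","protoPayload":{"methodName":"v1.compute.instances.insert","resourceLocation":{"currentLocations":["us-central1"]}}}',
]

def scan(lines):
    """insertId -> matched alerts, for every line that raised at least one alert."""
    entries = (json.loads(line) for line in lines)
    return {e["insertId"]: h for e in entries if (h := classify(e))}

if __name__ == "__main__":
    for eid, alerts in scan(SAMPLE_LOG_LINES).items():
        print(eid, "->", ", ".join(alerts))
```

Entry e5 is in an allowed region and triggers nothing, which is the behaviour the region allowlist is meant to give once production regions are whitelisted.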

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Audit in our documentation.
