
Quick Start Security for GCP Audit


GCP Audit

Coralogix Extension For GCP Audit Includes:

Alerts - 8

Stay on top of GCP Audit key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

An Existing Logging Sink was Deleted

This alert is triggered when an existing logging sink is deleted. Monitoring sink deletion is crucial, as it can disrupt your business monitoring and operations.

Impact: Ongoing activity may go unmonitored, and future attacks and administrative actions may go unnoticed.

Mitigation: Promptly examine the type of sink that was deleted and check for any accompanying comments or messages. If none are found, contact the user and request a business justification; such an event should not occur without a valid business reason unless it is part of a testing phase.

MITRE Tactic: TA0040
MITRE Technique: T1485

A New Logging Sink was Created

This alert is triggered when a new sink is created. It is essential to review the newly established sink, understand the destination to which the logs are being sent, and confirm that business approval exists for such a significant change.

Impact: A new sink with an unfamiliar destination could expose your GCP project's internal logs to an unknown location. It may also have cost implications, such as inbound/outbound traffic charges and other associated expenses.

Mitigation: Such changes should be made only in response to a business demand and with the appropriate approvals. Promptly contact the user with the log details, request a ticket or approval, and close the case as needed.

MITRE Tactic: TA0040
MITRE Technique: T1485

An Existing Logging Sink was Modified

This alert is triggered when an existing sink is modified. It is crucial to track the alterations and identify exactly what was changed.

Impact: Logs may be sent to an unauthorized destination, costs may increase, and inbound/outbound cost analysis may become unreliable.

Mitigation: Begin by examining the changes made to the sink, such as its destination, name, and the type of logs it exports. If significant configuration changes are identified, contact the user for justification and confirmation of their involvement. Based on the response, close the case and initiate any necessary follow-up actions.

MITRE Tactic: TA0040
MITRE Technique: T1485

A New User was Added to The Project

This alert is triggered when a new user is added to the project. It is crucial to confirm the identity of the added user and the extent of the permissions assigned to them.

Impact: To prevent privilege escalation, misconfiguration, and data security risks, confirm that the right user holds the permissions approved by the owner. Failure to do so could result in a significant security breach or data exfiltration.

Mitigation: First, examine the user added to the project (potentially a new employee). Confirm that an access-request ticket exists with the designated access level, and cross-verify this information against the logs. If no ticket is found, contact the project owner to request the necessary ticket and approval.

MITRE Tactic: TA0001
MITRE Technique: T1078

Data Access Logging was Disabled

This alert is triggered when Data Access logging is disabled. Monitoring this event is highly critical; logging must remain enabled at all times so that unusual events within your cloud infrastructure can be detected.

Impact: Data Access logs cover admin actions as well as data read and write activity, so critical events in them must be monitored actively. If this logging is disabled, the security team may remain unaware of unusual events occurring in the environment.

Mitigation: Promptly contact the Engineering team and request a business justification for disabling the service. If approval is granted and the configuration is secure, you may close the incident. Be sure to examine the Policy Delta, which lists the changes and the services that were enabled or disabled.

MITRE Tactic: TA0040
MITRE Technique: T1565

A Monitoring Alert was Deleted

This alert is triggered when a monitoring alert policy is deleted by a user. Such events normally occur only during testing or when someone intentionally tries to hide unusual activity.

Impact: Attackers typically delete alert policies to clear traces and alarms so that they can operate without anyone being notified; the other common cause is testing by the operations team. Deleting a policy stops notifications for that policy, so subsequent unusual activity goes unnoticed.

Mitigation: Restrict these permissions to the admin or security team only. Also reach out to the concerned team or user for business justification and take the next step accordingly.

MITRE Tactic: TA0040
MITRE Technique: T1485

Unusual Activity from Unsupported Cloud Region

This alert is triggered when unusual login or activity is seen from an unknown or unused cloud region.

Note: Whitelist your list of regions before putting this alert into production. Use the field "protoPayload.resourceLocation.currentLocations" to whitelist the region names.

Impact: This points to several possibilities, including human error, misconfiguration, and potential account compromise. The newly used region might not be adequately monitored from a security standpoint, and there could be significant financial implications from high service costs depending on usage.

Mitigation: Promptly check whether the Cloud Infrastructure team has subscribed to a new region, and contact the account owner or user to confirm whether the activity was accidental or part of business use-case testing.

MITRE Tactic: TA0001
MITRE Technique: T1078

Mute Config Created

This alert is triggered when a mute config rule is created. A mute rule is a configurable setting that defines conditions for silencing a Cloud Monitoring alert policy. While active, it prevents the alert policy from sending notifications or carrying out its designated actions.

Impact: An adversary could create a mute rule indefinitely or for an extended period to silence the alert policy, resulting in the loss of crucial alerts and notifications. This could lead to substantial disruptions or outages.

Mitigation: Regularly review and oversee your alert policies to verify that they are configured correctly. This helps detect unauthorized alterations to your alert policies, such as the creation of mute rules.

MITRE Tactic: TA0001
MITRE Technique: T1190
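The eight alerts above describe what each one watches for but not the matching logic. As an added example (not Coralogix's rule definitions), the Python below evaluates the same eight conditions over constructed GCP Admin Activity audit log entries and returns a triage record (entry id, acting principal, alert) for each hit, so the "contact the user" mitigation step has the actor ready. The page names only the protoPayload.resourceLocation.currentLocations field; the methodName values, the SetIamPolicy policyDelta fields and the region whitelist used here are assumptions about what each rule keys on.

```python
"""Detection logic for the eight GCP Audit alerts (added example, not the
extension's own rules). Sample entries are constructed, not captured."""
import json

# Assumed mapping from audit-log methodName to the alert it should raise.
METHOD_ALERTS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink": "An Existing Logging Sink was Deleted",
    "google.logging.v2.ConfigServiceV2.CreateSink": "A New Logging Sink was Created",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "An Existing Logging Sink was Modified",
    "google.monitoring.v3.AlertPolicyService.DeleteAlertPolicy": "A Monitoring Alert was Deleted",
    "google.cloud.securitycenter.v1.SecurityCenter.CreateMuteConfig": "Mute Config Created",
}

# Constructed whitelist: regions the Cloud Infrastructure team has approved.
ALLOWED_REGIONS = {"us-central1", "europe-west1"}


def evaluate(entry, allowed_regions=ALLOWED_REGIONS):
    """Return the alert names raised by one parsed audit log entry."""
    alerts = []
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    if method in METHOD_ALERTS:
        alerts.append(METHOD_ALERTS[method])

    # IAM changes arrive as SetIamPolicy with a policyDelta (assumed shape):
    # an ADD binding grants a member a role; an auditConfigDeltas REMOVE
    # switches off a Data Access log type.
    if method.endswith("SetIamPolicy"):
        delta = payload.get("serviceData", {}).get("policyDelta", {})
        if any(b.get("action") == "ADD" for b in delta.get("bindingDeltas", [])):
            alerts.append("A New User was Added to The Project")
        if any(a.get("action") == "REMOVE" for a in delta.get("auditConfigDeltas", [])):
            alerts.append("Data Access Logging was Disabled")

    # Any location outside the whitelist counts as an unsupported region.
    locations = payload.get("resourceLocation", {}).get("currentLocations", [])
    if any(loc not in allowed_regions for loc in locations):
        alerts.append("Unusual Activity from Unsupported Cloud Region")
    return alerts


def detect(log_lines, allowed_regions=ALLOWED_REGIONS):
    """Parse newline-delimited JSON entries; return (insertId, principal, alert)
    for every alert raised, in log order."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
        principal = auth.get("principalEmail", "<unknown>")
        for alert in evaluate(entry, allowed_regions):
            hits.append((entry.get("insertId", "?"), principal, alert))
    return hits


# Constructed sample log: sink deletion, an IAM change that both adds a user
# and removes Data Access logging, a mute config from an unapproved region,
# and a benign read-only call that must not alert.
SAMPLE_LOG = """
{"insertId": "e1", "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceLocation": {"currentLocations": ["us-central1"]}}}
{"insertId": "e2", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "bob@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/editor", "member": "user:newhire@example.com"}], "auditConfigDeltas": [{"action": "REMOVE", "service": "allServices", "logType": "DATA_READ"}]}}}}
{"insertId": "e3", "protoPayload": {"methodName": "google.cloud.securitycenter.v1.SecurityCenter.CreateMuteConfig", "authenticationInfo": {"principalEmail": "carol@example.com"}, "resourceLocation": {"currentLocations": ["asia-south1"]}}}
{"insertId": "e4", "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.ListSinks", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceLocation": {"currentLocations": ["europe-west1"]}}}
"""


def run_samples():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for insert_id, who, alert in run_samples():
        print(f"{insert_id}: {alert} (actor: {who})")
```

One entry can raise several alerts (e2 raises both the new-user and the data-access alerts), which is why the detector returns a list per entry rather than stopping at the first match; the region check runs on every entry, matching the note above that the whitelist must be set before the alert goes to production.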

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Audit in our documentation.
