Quick Start Security for GCP Cloud Bigtable

GCP Cloud Bigtable

Coralogix Extension For GCP Cloud Bigtable Includes:

Alerts - 5

Stay on top of GCP Cloud Bigtable key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Application Profile was Deleted

This alert is triggered when an application profile is deleted. An application profile, also known as an app profile, contains configurations that instruct your Bigtable instance on how to handle incoming requests from applications. When connecting to a Bigtable instance, an application uses either the default app profile or a specific app profile that you designate.

Impact: This event is infrequent but crucial to monitor, because app profiles govern how incoming requests to your application are handled. Deleting an app profile may suggest malicious intent to conceal traffic, potentially allowing abnormal traffic to target your application and leading to application- and database-level attacks.

Mitigation: Examine the logs to identify the type of app profile that was deleted, then reach out to the user for business justification and confirmation. Based on their response, either resolve the case or recreate a replica of the deleted profile. Additionally, investigate the root cause of the event to prevent future occurrences.

MITRE Tactic: TA0005
MITRE Technique: T1562

An Instance was Deleted

This alert is triggered when a Bigtable instance is deleted. A Bigtable instance is a container for your data. Instances have one or more clusters, located in different zones.

Impact: The deletion of a Bigtable instance carries significant consequences, including potential data loss, unauthorized access, disruptions to business operations, compromised user experiences, and damage to brand reputation, particularly in cases of unresponsive data.

Mitigation: To bolster security around critical events, implement restrictions and incorporate an approval layer. For actions involving production accounts, promptly request business justification from the user. If the events are deemed valid, the alert can be closed; otherwise, consider restoring the backup file. Assess the impact of the instance deletion and take the necessary steps to ensure operations resume smoothly.

MITRE Tactic: TA0040
MITRE Technique: T1489

Multiple Instances Created

This alert is triggered when a NoSQL Bigtable instance is created. A Bigtable instance is a container for your data. Instances have one or more clusters, located in different zones.

Note: The alert threshold is set to more than 10 instances in 30 minutes. Adjust it to match your infra/DevOps daily operations count.

Impact: It is essential to ensure that the creation of Bigtable instances is securely managed by authorized users, following best practices to safeguard your business's or clients' data. Considering the cost of approximately $468 per month for a Bigtable instance, it is also important to be mindful of the potential budget impact of instance creation.

Mitigation: Examine the instance settings, including encryption, backup policy, and IAM permissions, to verify the instance's security configuration. If best practices are not adhered to, engage with the user to address and rectify any deficiencies.

MITRE Tactic: TA0042
MITRE Technique: T1585

Backup was Deleted

This alert is triggered when a backup file is deleted by the user. Bigtable backups let you save a copy of a table's schema and data and then restore from the backup to a new table later.

Impact: Backups are essential for safeguarding critical data within any database, particularly in production environments. Detecting and preventing backup deletions is crucial, as a deletion may signal malicious intent to erase data copies and render the data unrecoverable.

Mitigation: Implement controls to limit critical actions and promptly reach out to the user, particularly for actions within the production account, to request justification. If the justification provided is genuine, the case may be closed accordingly. However, if suspicions arise or no valid reason is provided, consider restoring the backup file if feasible. Further investigation is warranted to understand the motives behind such critical actions executed without proper business approval.

MITRE Tactic: TA0040
MITRE Technique: T1485

Multiple Tables Deleted

This alert is triggered when multiple tables are deleted by a user.

Note: The alert threshold is set to more than 5 tables in 15 minutes. Adjust this threshold value as per your requirements.

Impact: The bulk deletion of tables signals abnormal activity within the environment, potentially stemming from an attacker or a misconfiguration. Such incidents can result in data loss, operational downtime, and damage to brand reputation, among other consequences.

Mitigation: Ensure that only administrators and authorized users have permission to perform critical actions like bulk table deletion. Monitor this alert vigilantly and communicate with the user to understand the reasons behind deleting multiple tables. Based on the information gathered, either close the alert or proceed with appropriate actions.

MITRE Tactic: TA0040
MITRE Technique: T1485
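
The two threshold alerts above (more than 10 instances created in 30 minutes, more than 5 tables deleted in 15 minutes) both reduce to a sliding-window count over Bigtable admin audit log entries. The following Python is an added example, not Coralogix's rule definition: it assumes entries in the Cloud Audit Logs shape and counts per principal, and the helper names and sample entries are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit-log method names for the Bigtable admin API.
DELETE_TABLE = "google.bigtable.admin.v2.BigtableTableAdmin.DeleteTable"
CREATE_INSTANCE = "google.bigtable.admin.v2.BigtableInstanceAdmin.CreateInstance"

def make_entry(ts, principal, method=DELETE_TABLE):
    """Build a constructed entry with the audit-log fields the rule reads."""
    return {"timestamp": ts,
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal}}}

def parse_ts(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def burst_alerts(entries, method, threshold, window):
    """Return (principal, timestamp, count) each time one principal makes
    more than `threshold` calls to `method` within `window`."""
    recent = defaultdict(deque)          # principal -> timestamps in window
    alerts = []
    for entry in sorted(entries, key=parse_ts):
        payload = entry["protoPayload"]
        if payload["methodName"] != method:
            continue
        who = payload["authenticationInfo"]["principalEmail"]
        ts = parse_ts(entry)
        q = recent[who]
        q.append(ts)
        while ts - q[0] > window:        # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((who, entry["timestamp"], len(q)))
            q.clear()                    # re-arm: one alert per burst
    return alerts

# Constructed sample: alice deletes 6 tables in 10 minutes, bob deletes
# 6 tables one hour apart, and one unrelated instance creation.
SAMPLE = (
    [make_entry(f"2024-05-01T10:{m:02d}:00Z", "alice@example.com") for m in range(0, 12, 2)]
    + [make_entry(f"2024-05-01T{h:02d}:30:00Z", "bob@example.com") for h in range(10, 16)]
    + [make_entry("2024-05-01T10:05:00Z", "alice@example.com", CREATE_INSTANCE)]
)

def detect_table_bursts(entries=SAMPLE):
    return burst_alerts(entries, DELETE_TABLE, 5, timedelta(minutes=15))

if __name__ == "__main__":
    print(detect_table_bursts())
```

Calling `burst_alerts` with `CREATE_INSTANCE`, a threshold of 10 and a 30-minute window gives the instance-creation variant.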

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Cloud Bigtable in our documentation.
