
Quick Start Security for GCP Cloud KMS

GCP Cloud KMS

Coralogix Extension For GCP Cloud KMS Includes:

Alerts - 7

Stay on top of GCP Cloud KMS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A Key Scheduled for Deletion

This alert is triggered when a Cloud KMS key version is scheduled for destruction (recorded in the Admin Activity audit log as DestroyCryptoKeyVersion). Cloud KMS keys protect data at rest for many GCP services, and a key version that has been destroyed cannot decrypt anything that was encrypted under it. In Cloud KMS, keys and key rings themselves cannot be deleted: destruction applies to a key version, and it takes effect only after a scheduled period (24 hours by default, configurable per key) during which the version can still be restored.

Impact: Once the version is destroyed, the services that depend on it lose access to the data and GCP resources it protects, which can interrupt business operations and access. Data that is still encrypted under a destroyed version is unrecoverable.

Mitigation: Confirm with the user who scheduled the destruction that the action was intentional and authorized. If it was not, restore the version while it is still in the DESTROY_SCHEDULED state (RestoreCryptoKeyVersion); a restored version comes back disabled and must then be re-enabled. If the action looks suspicious, conduct a more in-depth investigation into the user and their other activity. If the destruction has already completed, configure a new key, update the affected services to use it, and account for any data that can no longer be decrypted.

MITRE Tactic: TA0040 MITRE Technique: T1489

Multiple Keys Disabled Across Multiple Projects

This alert is triggered when Cloud KMS key versions are disabled across several projects within a short time. A disable is recorded in the Admin Activity audit log as UpdateCryptoKeyVersion with the requested state DISABLED.

Note: in this alert the threshold is set to more than 3 projects within a 20-minute timeframe.

Impact: GCP services that use the disabled key versions can no longer encrypt or decrypt with them and lose access to the data and resources those keys protect, which may interrupt business operations. A burst of disables spread across projects is more consistent with a compromised or misused administrative identity than with routine maintenance, and the same access would allow those versions to be destroyed.

Mitigation: Confirm with the user that the action was intentional and authorized. If it was not, re-enable the affected key versions; disabling is reversible and the ciphertext is unaffected. If the action looks suspicious, conduct a more in-depth investigation into the user and their other activity. Grant the cloudkms.cryptoKeyVersions.update permission (included in roles/cloudkms.admin) only to the administrators who need it, so that such changes are limited to privileged accounts.

MITRE Tactic: TA0040 MITRE Technique: T1489

A Key was Disabled

This alert is triggered when a Cloud KMS key version is disabled (UpdateCryptoKeyVersion with the requested state DISABLED). Cloud KMS keys protect data at rest for many GCP services.

Impact: Once a key version is disabled, the services that rely on it can no longer encrypt or decrypt with it and may lose access to the data and resources it protects, which can interrupt business operations and access for as long as the version stays inactive.

Mitigation: Verify with the relevant user that the action was intentional and authorized. If it was not, re-enable the key version; unlike destruction, disabling is reversible and no key material is lost. If the action appears suspicious, conduct a thorough investigation into the user and their other activities.

MITRE Tactic: TA0040 MITRE Technique: T1489

Multiple Keys Scheduled for Deletion Across Multiple Projects

This alert is triggered when Cloud KMS key versions are scheduled for destruction (DestroyCryptoKeyVersion) across several projects within a short time. Cloud KMS keys protect data at rest for many GCP services, and a destroyed version can no longer decrypt anything that was encrypted under it.

Note: in this alert the threshold is set to more than 3 projects within a 20-minute timeframe.

Impact: Once the versions are destroyed, the services that depend on them lose access to the data and resources they protect, which may interrupt business operations and access. Destruction scheduled across several projects at once is a strong sign of a compromised or misused administrative identity rather than routine key maintenance.

Mitigation: Confirm with the user that the destruction was intentional and authorized. If it was not, restore each version while it is still in the DESTROY_SCHEDULED state (RestoreCryptoKeyVersion); a restored version comes back disabled and must be re-enabled. If the action looks suspicious, conduct a more in-depth investigation into the user and their other activity. If the destructions have already completed, configure new keys, update the affected services to use them, and account for any data that can no longer be decrypted.

MITRE Tactic: TA0040 MITRE Technique: T1489

No logs from GCP Cloud KMS

This rule detects when no Cloud KMS logs have been received in the last 4 hours for the customer account. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling or redirecting logging is a tactic adversaries employ to avoid detection, cover their tracks, or impede incident response investigations. Cloud KMS Admin Activity audit logs (key creation, disabling, destruction, IAM changes) are always written, so their absence usually points to a broken log sink or export; Data Access audit logs (Encrypt, Decrypt and similar calls) are written only when they are enabled for the project, so missing them may simply mean they were never turned on.

Mitigation: Address the logging gap so that Cloud KMS activity is comprehensively monitored within the Coralogix SIEM system, and verify that both the audit log configuration in GCP and the export path to Coralogix are intact.

MITRE Tactic: TA0005 MITRE Technique: T1562

Multiple Keys Created by a User

This alert is triggered when one user creates multiple keys (CreateCryptoKey) within a 15-minute timeframe. Cloud KMS gives you centralized control over the cryptographic keys used to protect your data.

Note: in this alert the threshold is set to more than 5 keys created within a 15-minute timeframe.

Impact: Monitoring how keys are created and used matters most when a single user generates many keys in a short time, which is unusual outside automated provisioning. Keys created outside the established process are harder to inventory, rotate and audit, and if the identity that created them is compromised or over-privileged, those keys and the permissions granted on them can be used to encrypt, decrypt or otherwise reach data and secrets the attacker should not have.

Mitigation: Contact the user and ask for the business reason for creating multiple keys within a brief timeframe. Review the IAM bindings on each new key (who holds encrypter/decrypter and admin roles) and confirm that a named owner is responsible for its security and rotation schedule. Enable Data Access audit logs for Cloud KMS and monitor key usage to verify that the keys are used exclusively for legitimate business purposes.

MITRE Tactic: TA0006 MITRE Technique: T1552
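The multi-project and per-user thresholds described above ("Multiple Keys Disabled Across Multiple Projects", "Multiple Keys Scheduled for Deletion Across Multiple Projects" and "Multiple Keys Created by a User") are sliding-window counts over Cloud KMS Admin Activity audit log entries, and the single-event alerts "A Key Scheduled for Deletion" and "A Key was Disabled" are the same matchers without a window. The following is an added example, not Coralogix's rule code, showing how those detections can be evaluated offline over constructed log entries. It assumes the standard Cloud Audit Log JSON shape (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `resource.labels.project_id`); the exact `methodName` spelling and the `request.cryptoKeyVersion.state` field used to recognise a disable are assumptions, the sample entries are constructed, and counting the multi-project rules globally rather than per principal is a design choice the page does not specify.

```python
# Sliding-window detections over Cloud KMS Admin Activity audit log entries.
# Added example, not Coralogix's rule code. Assumes the standard Cloud Audit
# Log JSON shape; the methodName spelling and the request.cryptoKeyVersion.state
# field used to recognise a disable are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    # Cloud Logging timestamps are RFC 3339 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def method(entry):
    # Accept both "DestroyCryptoKeyVersion" and the fully qualified form.
    return entry["protoPayload"]["methodName"].rsplit(".", 1)[-1]

def principal(entry):
    return entry["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "unknown")

def project(entry):
    return entry["resource"]["labels"]["project_id"]

def is_disable(entry):
    # A disable is an UpdateCryptoKeyVersion whose requested state is DISABLED
    # (field path assumed); other updates, such as re-enables, must not match.
    if method(entry) != "UpdateCryptoKeyVersion":
        return False
    return entry["protoPayload"].get("request", {}).get("cryptoKeyVersion", {}).get("state") == "DISABLED"

def is_destroy(entry):
    return method(entry) == "DestroyCryptoKeyVersion"

def is_create_key(entry):
    return method(entry) == "CreateCryptoKey"

# group_by=None is one global bucket; count is "distinct_project" or "events".
# Thresholds and windows are the ones stated on the page ("more than N").
RULES = [
    dict(name="Multiple Keys Disabled Across Multiple Projects", match=is_disable,
         group_by=None, count="distinct_project", threshold=3, window=timedelta(minutes=20)),
    dict(name="Multiple Keys Scheduled for Deletion Across Multiple Projects", match=is_destroy,
         group_by=None, count="distinct_project", threshold=3, window=timedelta(minutes=20)),
    dict(name="Multiple Keys Created by a User", match=is_create_key,
         group_by=principal, count="events", threshold=5, window=timedelta(minutes=15)),
]

def evaluate(entries, rules=RULES):
    """Return [(rule_name, group, count)], once per group whose sliding-window
    count exceeds the rule threshold."""
    events = sorted(entries, key=lambda e: parse_ts(e["timestamp"]))
    alerts = []
    for rule in rules:
        windows, fired = defaultdict(deque), set()
        for e in events:
            if not rule["match"](e):
                continue
            key = rule["group_by"](e) if rule["group_by"] else "global"
            ts, win = parse_ts(e["timestamp"]), windows[key]
            win.append((ts, project(e)))
            while ts - win[0][0] > rule["window"]:  # evict events older than the window
                win.popleft()
            n = len({p for _, p in win}) if rule["count"] == "distinct_project" else len(win)
            if n > rule["threshold"] and key not in fired:
                fired.add(key)
                alerts.append((rule["name"], key, n))
    return alerts

def _entry(minute, method_name, proj, who, **request):
    # Constructed sample entry, not a captured log.
    ts = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return {"timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "resource": {"type": "cloudkms_cryptokeyversion", "labels": {"project_id": proj}},
            "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": method_name,
                             "authenticationInfo": {"principalEmail": who}, "request": request}}

DISABLED = {"cryptoKeyVersion": {"state": "DISABLED"}}
SAMPLE_LOG = [
    # Four disables in four projects inside 10 minutes: more than 3 projects, fires.
    _entry(0, "UpdateCryptoKeyVersion", "proj-a", "mallory@example.com", **DISABLED),
    _entry(3, "UpdateCryptoKeyVersion", "proj-b", "mallory@example.com", **DISABLED),
    _entry(6, "UpdateCryptoKeyVersion", "proj-c", "mallory@example.com", **DISABLED),
    _entry(9, "UpdateCryptoKeyVersion", "proj-d", "mallory@example.com", **DISABLED),
    # A re-enable is also an UpdateCryptoKeyVersion but is not a disable.
    _entry(10, "UpdateCryptoKeyVersion", "proj-e", "ops@example.com", cryptoKeyVersion={"state": "ENABLED"}),
    # Three destroys across exactly 3 projects: not "more than 3", no alert.
    _entry(20, "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion", "proj-a", "ops@example.com"),
    _entry(25, "DestroyCryptoKeyVersion", "proj-b", "ops@example.com"),
    _entry(30, "DestroyCryptoKeyVersion", "proj-c", "ops@example.com"),
    # alice creates six keys in 10 minutes (more than 5); bob's two do not fire.
    *[_entry(40 + 2 * i, "CreateCryptoKey", "proj-a", "alice@example.com") for i in range(6)],
    *[_entry(m, "CreateCryptoKey", "proj-b", "bob@example.com") for m in (41, 43)],
]

if __name__ == "__main__":
    for name, group, n in evaluate(SAMPLE_LOG):
        print(f"ALERT {name!r} group={group} count={n}")
```

Run as a script it prints two alerts, one for the four-project disable burst and one for alice's six key creations; the three destroys and bob's two creations stay below the "more than N" thresholds, and the re-enable is filtered out because the matcher looks at the requested state rather than the method name alone. Keying the multi-project rules on the acting principal instead of a single global bucket is a one-line change to `group_by` if that fits the environment better.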

A KMS Key Ring was Created

This alert is triggered when a user creates a new key ring (CreateKeyRing). A key ring is the root resource for Cloud KMS keys and key versions; each key ring exists in a given location, holds no key material itself, and cannot be deleted once created.

Impact: A new key ring is usually the first step in provisioning keys, so one created outside the normal process is worth reviewing. Keys created in it may not be covered by the existing monitoring, rotation and access policies, and if such a key is used by an unauthorized identity it can be exploited for decryption or data exfiltration.

Mitigation: When the alert fires, promptly contact the user to confirm the business use case, ownership, rotation timelines and the IAM policy intended for the keys the ring will hold, so that those keys are managed securely from the start.

MITRE Tactic: TA0006 MITRE Technique: T1552

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Cloud KMS in our documentation.
