Quick Start Security for GCP Cloud Logging
Coralogix Extension For GCP Cloud Logging Includes:
Alerts - 9
Stay on top of GCP Cloud Logging key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Building Block - GCP - Cloud Logging - Alert Communication Channel Was Deleted
This alert is triggered when an alert notification channel is deleted. A notification channel delivers a message to a predefined target when an alerting policy fires; Cloud Monitoring supports many channel types, including email, Slack, PagerDuty, Jira, and others.
Impact: Effective notification is crucial for alerting the responsible team to security anomalies. Deleting a channel without proper business validation can severely impact the security operations team, because it silences the alarms for established rules. Adversaries can exploit this as a defense evasion tactic to avoid detection and carry out unauthorized activity without interruption.
Mitigation: Identify the deleted channel, the alert policies connected to it, and their severity. If it serves a production or critical rule, contact the user to verify the change to the communication settings. If the change is legitimate, resolve the event. Otherwise, ask the engineering team or the user to revert the change or assign an appropriate channel so that alerts reach only authorized teams or users.
MITRE Tactic: TA0005, MITRE Technique: T1562
Building Block - GCP - Cloud Logging - Log Sink Was Deleted
This alert is triggered when a log sink is deleted. A log sink in Cloud Logging is simply an object that pairs a filter with a destination; it does not own or manage the destination resource.
Impact: The sinks in the Log Router evaluate each log entry against inclusion and exclusion filters to decide which destinations, such as Cloud Logging buckets, receive it, so that only relevant and crucial logs are stored. Deleting a sink stops the forwarding of logs to its destination. This can have several significant consequences, including no export of new logs, gaps in logging data, disrupted monitoring, incomplete insights, potential regulatory issues, and broken audit trails.
Mitigation: Analyze the logs to determine the type of sink and the services associated with it. Based on this analysis, contact the user for justification and business approval. If the activity is legitimate, close the alert. Otherwise, ask the user or engineering team to create a new sink with a comparable configuration and confirm that logs flow correctly again. Additionally, consider reducing the user's access to prevent similar incidents in the future.
MITRE Tactic: TA0040, MITRE Technique: T1489
Building Block - GCP - Cloud Logging - Log Storage Bucket Was Deleted
This alert is triggered when a log storage bucket is deleted. Cloud Logging buckets store log data for configurable retention periods.
Impact: Deleting a bucket revokes access to it, and all logs stored in it are deleted after a 7-day waiting period. Deleting a log storage bucket in Google Cloud Platform (GCP) can have significant consequences, including data loss, compliance issues, disruption of operations and monitoring, impact on services, broken integrations, and more.
Mitigation: Review the logs and assess the type and usage of the bucket. If it appears to be a critical bucket, contact the user for justification and business approval. If the activity is legitimate, resolve the alert. Otherwise, ask the user or engineering team to restore the bucket from backup, or to create a new bucket with a comparable configuration so that logs are stored under the correct retention policy. To prevent similar incidents, ensure continuous bucket backups are enabled and that access to them is restricted to authorized users only.
MITRE Tactic: TA0040, MITRE Technique: T1485
Logging Bucket Retention Policy Was Changed
This alert is triggered when the retention policy of a logging storage bucket is changed. A retention policy governs how long log data is kept and when it is deleted; it supports regulatory compliance, controls storage costs, and meets operational needs.
Impact: Changing the retention policy of a GCP log bucket can affect cost management, compliance, data analysis, and operational efficiency. It can disrupt business operations in several ways, including regulatory-compliance issues, broken audit trails, data kept longer than intended, reduced access to historical data, increased risk of data exposure, and limits on historical investigations.
Mitigation: Review the logs and examine the type and usage of the bucket. If it appears to be a critical bucket, contact the user for justification and business approval. If the activity is legitimate, resolve the alert. Otherwise, ask the user or engineering team to set a retention policy that complies with your business's regulations, and confirm that logs are stored according to those requirements.
MITRE Tactic: TA0040, MITRE Technique: T1485
Project Was Discontinued From Monitoring
This alert is triggered when a user removes a project from the monitoring list. A Google Cloud project is required to use Google Workspace APIs and to build Google Workspace add-ons or apps; it is the basis for creating, enabling, and using all Google Cloud services, including managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
Impact: Removing a project from Google Cloud Platform (GCP) logging and monitoring has several significant consequences: loss of log data, disruption of monitoring and alerting, harder operations and troubleshooting, increased security and compliance risk, difficulties in audit and forensic analysis, and more.
Mitigation: Review the logs and determine the type and usage of the project, then contact the user for validation and business approval based on this analysis. If the action is confirmed as legitimate business activity, resolve the case. Otherwise, engage the engineering team to reinstate the project in monitoring and confirm that its logs are monitored as intended. To prevent future occurrences, restrict high-level privileges to administrators and authorized users, and maintain continuous monitoring.
MITRE Tactic: TA0040, MITRE Technique: T1496
Log Sink Was Updated
This alert is triggered when a log sink is updated. A log sink in Cloud Logging is simply an object that pairs a filter with a destination; it does not own or manage the destination resource. Note: this alert monitors sink modifications only for destination and filter changes; adjust it to your requirements.
Impact: Unexpected changes to a sink's destination or filter can send unnecessary logs to unintended destinations. If a sink is disabled, logs received afterwards are no longer forwarded to its destination and may be lost unless another sink captures them. This can have several significant impacts, including no export of new logs, gaps in logging data, disrupted monitoring, incomplete insights, and broken audit trails.
Mitigation: Review the logs and examine the type of sink and its associated services. Based on this analysis, contact the user for justification and business approval. If the activity is legitimate, resolve the alert. Otherwise, ask the user or engineering team to reverse the change and confirm that logs flow as intended.
MITRE Tactic: TA0040, MITRE Technique: T1565
Building Block - GCP - Cloud Logging - Alert Policy Was Deleted
This alert is triggered when a user deletes an alert policy. An alerting policy can monitor time-series data stored by Monitoring or logs stored by Cloud Logging. When that data meets the policy's condition, Monitoring creates an incident and sends notifications; each incident records which data was monitored and when the condition was met.
Impact: Deleting a production alert policy halts monitoring and prevents notifications from reaching the security team or channel responsible for those alerts. Adversaries can then perform unauthorized activity undetected, because without the policy in place those actions go unnoticed. Examples include unauthorized resource development, access discovery, persistence, privilege escalation, exfiltration, defense evasion, credential access, and more.
Mitigation: Identify the type of alert policy the user deleted. If the policy is critical, judging by its log query and severity, contact the user for justification and validation and take appropriate action based on their response. If it is critical, have the engineering team define a new alert policy using the same log query. Additionally, review historical events to confirm that no unauthorized activity occurred while the policy was absent.
MITRE Tactic: TA0005, MITRE Technique: T1562
Building Block - GCP - Cloud Logging - Production Alert Policy Was Disabled
This alert is triggered when an alert policy is disabled. An alerting policy can monitor time-series data stored by Monitoring or logs stored by Cloud Logging. When that data meets the policy's condition, Monitoring creates an incident and sends notifications; each incident records which data was monitored and when the condition was met.
Impact: Disabling a production alert policy halts monitoring and prevents notifications from reaching the security team or channel responsible for the defined alerts. Adversaries can then carry out unauthorized activity undetected, because with the policy disabled those actions go unnoticed. Examples include unauthorized resource development, access discovery, persistence, privilege escalation, exfiltration, defense evasion, credential access, and more.
Mitigation: Identify the type of alert policy the user disabled. If the policy is critical, judging by its log query and severity, contact the user for justification and validation, then take appropriate action based on their response. If the policy is not deemed critical, contact the engineering team to have it re-enabled. Additionally, review historical events to confirm that no unauthorized activity occurred while the policy was disabled.
MITRE Tactic: TA0005, MITRE Technique: T1562
Building Block - GCP - Cloud Logging - Production Alert Log Query Was Modified
This alert is triggered when a production alert's log query is modified. Cloud Audit Logs help security teams maintain audit trails in Google Cloud Platform (GCP), giving enterprises the same transparency over administrative activity and data access as in on-premises environments. Note: in this alert, "communication and severity" changes are whitelisted; tune it further to your requirements.
Impact: Editing a production alert query is unexpected and can significantly disrupt the alerting workflow. Such changes may alter the alert's purpose, increase the number of alerts, and create unnecessary workload for your security team if they are not properly tested and whitelisted. Modifying or removing fields without testing is poor practice and can also be a defense evasion tactic used by adversaries to disable alerts and avoid detection of unusual events.
Mitigation: Review the triggered alert policy, identify the changes, and analyze their impact. If the changes appear critical and unexpected, contact the user to validate the justification for them. If there is valid testing and justification, close the alert. Otherwise, ask the user to revert the query and obtain approval or guidance before making further changes to the production query. Ensure that no critical changes are made without proper validation and business approval.
MITRE Tactic: TA0005, MITRE Technique: T1562
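As an added example (not Coralogix's own rule logic), the following Python classifies GCP Admin Activity audit-log entries into the alerts described above by protoPayload.methodName, and applies the field whitelists noted for the sink-update and alert-query alerts by inspecting the request FieldMask. The method names are real GCP audit-log values; their mapping to these alerts, the entry helper, and the sample entries are assumptions constructed for this example, and the project-removal alert is not covered.

```python
# Added example, not Coralogix rule code. The method names are real GCP Admin Activity
# audit-log values; mapping them to the page's alerts and MITRE tags is an assumption.
DELETE_RULES = {  # methodName -> (alert, MITRE tactic, MITRE technique)
    "google.monitoring.v3.NotificationChannelService.DeleteNotificationChannel": ("Alert Communication Channel Was Deleted", "TA0005", "T1562"),
    "google.logging.v2.ConfigServiceV2.DeleteSink": ("Log Sink Was Deleted", "TA0040", "T1489"),
    "google.logging.v2.ConfigServiceV2.DeleteBucket": ("Log Storage Bucket Was Deleted", "TA0040", "T1485"),
    "google.monitoring.v3.AlertPolicyService.DeleteAlertPolicy": ("Alert Policy Was Deleted", "TA0005", "T1562"),
}
# Update calls fire only when the request's FieldMask names a watched field, matching the
# page's notes (sinks: destination/filter only; buckets: retention only).
UPDATE_RULES = {  # methodName -> (watched fields, (alert, tactic, technique))
    "google.logging.v2.ConfigServiceV2.UpdateSink": ({"destination", "filter"}, ("Log Sink Was Updated", "TA0040", "T1565")),
    "google.logging.v2.ConfigServiceV2.UpdateBucket": ({"retentionDays"}, ("Logging Bucket Retention Policy Was Changed", "TA0040", "T1485")),
}
ALERT_POLICY_UPDATE = "google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy"
WHITELISTED_POLICY_FIELDS = {"notificationChannels", "severity"}  # whitelisted per the page's note
def changed_fields(payload):
    """Audit logs serialise the request FieldMask as a comma-separated string."""
    mask = payload.get("request", {}).get("updateMask", "")
    return {f.strip() for f in mask.split(",") if f.strip()}

def evaluate(entry):
    """Classify one audit-log entry; return an alert record, or None if it is benign."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    hit = DELETE_RULES.get(method)
    if method in UPDATE_RULES:
        watched, rule = UPDATE_RULES[method]
        hit = rule if changed_fields(payload) & watched else None
    elif method == ALERT_POLICY_UPDATE:
        fields = changed_fields(payload) - WHITELISTED_POLICY_FIELDS
        if fields:  # anything left after whitelisting is a real change to the policy
            off = "enabled" in fields and payload.get("request", {}).get("alertPolicy", {}).get("enabled") is False
            hit = ("Production Alert Policy Was Disabled" if off else
                   "Production Alert Log Query Was Modified", "TA0005", "T1562")
    if hit is None:
        return None
    return {"alert": hit[0], "tactic": hit[1], "technique": hit[2],
            "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName")}
def entry(method, **payload):  # builds a minimal audit-log entry for the samples below
    return {"protoPayload": {"methodName": method, **payload}}
SAMPLE = [  # constructed sample entries, not real logs
    entry("google.logging.v2.ConfigServiceV2.DeleteSink", resourceName="projects/example-project/sinks/audit-export",
          authenticationInfo={"principalEmail": "user@example.com"}),
    entry("google.logging.v2.ConfigServiceV2.UpdateSink", request={"updateMask": "description"}),  # benign edit, no alert
    entry(ALERT_POLICY_UPDATE, request={"updateMask": "notificationChannels"}),  # whitelisted, no alert
    entry(ALERT_POLICY_UPDATE, request={"updateMask": "enabled", "alertPolicy": {"enabled": False}}),
]
```

Running evaluate over SAMPLE yields two alerts (the sink deletion and the disabled policy); the description-only sink edit and the channel-only policy edit are filtered out by the FieldMask checks.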
Integration
Learn more about Coralogix's out-of-the-box integration with GCP Cloud Logging in our documentation.