
Quick Start Security for GCP Correlation Extension


GCP Correlation Extension

Coralogix Extension For GCP Correlation Extension Includes:

Alerts - 92

Stay on top of GCP Correlation Extension key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Correlation Alert - GCP - GKE - New User Attempts to Destruct the Backup Plans

This alert gets triggered when a user is added to the GCP cluster backup plan and within 3 hours attempts to delete the backup plan OR restore plan. Backup for GKE consists of two main components, one of which is a service that runs in Google Cloud and supports a resource-based REST API. This service serves as the control plane for Backup for GKE and includes Google Cloud console UI elements that interact with this API.

Note: Kindly feel free to edit the permissions and the deletion threshold set to 3 hours as per your environment.

Impact
Granting unauthorized access and permissions could potentially allow unknown users to execute read and write operations on the designated backup plan. With admin-level permissions, these users may also conduct copy and deletion actions, posing a significant risk of data compromise or loss of data integrity. Deleting a backup plan could result in the removal of numerous backups, leaving your data vulnerable without additional copies to rely on in case of modifications, erasures, or compromises to the original data. Such an action could have significant repercussions on your business operations, infrastructure, and the integrity of data crucial for integrations.

Mitigation
Ensure that critical permissions are limited exclusively to administrators, and diligently monitor each activity to prevent unauthorized deletion of backups unless a valid business justification or data expiry is provided. Reach out to the user for clarification and details; once the investigation is satisfactorily concluded, proceed with closure. Alternatively, if necessary, promptly restore the backup to its previous state, ensuring it is configured as expected. In case of restore plan deletion, enable the backup again for the impacted database. If required, the user account can be blocked or its permissions revised as per the role.

MITRE Tactic: TA0040
MITRE Technique: T1485

Correlation Alert - GCP - Pub/Sub - Possible Attempt to Destroy Data Flow

This alert gets triggered when more than 2 services were deleted within the given threshold. The event names are: topic deleted, schema deleted, snapshot deleted, and subscription deleted.

Note: Please feel free to change the events and the threshold set to 3 hours according to your requirements.

Impact
The adversary attempts to manipulate, interrupt, or destroy your systems and data. Deleting production services could result in losing control over editing content, types, and dedicated subscriptions and topics due to the absence of sources. Impact encompasses techniques adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques for impact may involve data destruction or tampering.

Mitigation
Examine the logs and the affected service that was deleted. If this seems critical, reach out to the user for justification along with the approval ticket and subsequently resolve the alert. If it is not critical, contact the engineering team to set up the new services with similar configurations. Finally, verify whether the event flow is functioning in line with the business use case.

MITRE Tactic: TA0040
MITRE Technique: T1489

Correlation Alert - GCP - Pub/Sub - Possible Privilege Escalation Attempt By User

This alert gets triggered when a single user was assigned access to more than 2 services in Pub/Sub. This includes three services: topics, subscriptions, and snapshots.

Note: Please feel free to adjust the threshold set to 2 hours as per your requirements.

Impact
This could indicate an adversary attempting to gain higher-level permissions or remove legitimate user accounts. Unauthorized permission changes can severely impact business operations and infrastructure, leading to privilege escalation, unauthorized access, command and control, and unauthorized changes to settings. Additionally, such attempts could result in a major network outage, rendering services inaccessible to end users.

Mitigation
This could indicate an adversary attempting to gain higher-level permissions or remove legitimate user accounts. Adding an unauthorized account can significantly impact business operations and infrastructure, resulting in privilege escalation, unauthorized access, command and control, and unauthorized changes to settings. Additionally, such attempts could cause a major network outage, making services inaccessible to end users.

MITRE Tactic: TA0004
MITRE Technique: T1098

Correlation Alert - GCP - Cloud Logging - Possible Resource Hijacking of Configurations

This alert gets triggered when any two of the given events match the conditions. The event names are: alert communication channel deleted, log storage bucket deleted, and log sink deleted.

Note: Please feel free to edit the conditions and the time threshold set to 2 hours as per your requirements.

Impact
Deleting configuration settings without proper business validation can severely impact the security operations team, as it disables alarms for established rules. Deleting a log storage bucket in Google Cloud Platform (GCP) can have significant consequences, including data loss, compliance issues, disruptions to operations and monitoring, impacts on services, breakage of integrations, and more. The sinks in the Log Router evaluate each log entry against inclusion and exclusion filters to decide which destinations, such as Cloud Logging buckets, should receive the log entry. This ensures that only relevant and crucial logs are stored in the storage bucket.

Mitigation
Review the logs and assess the combination of events. If it appears to be a critical service, contact the user to request justification and obtain business approval. If the activity is legitimate, resolve the alert. Otherwise, contact the user or engineering team to attempt restoration of the bucket from the backup, or create a new bucket with a comparable configuration to ensure logs are stored with the correct retention policy, get the new sink created, and set the communication channels as before. Additionally, to prevent similar incidents, ensure continuous bucket backups are enabled with restricted access limited to authorized users only.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - GCP - Cloud Logging - Alert Communication Channel Was Deleted

This alert gets triggered when an alert communication channel was deleted. A notification channel helps to indicate or send a message to the predefined target based on the timelines and event occurrence. This includes multiple notification channels such as email, Slack, PagerDuty, Jira, and many more.

Impact
Effective notification is crucial for alerting the dedicated team about security anomalies. Deleting configuration settings without proper business validation can severely impact the security operations team, as it disables alarms for established rules. This can be exploited as a defense evasion tactic by adversaries to avoid detection and carry out unauthorized activities without interruption.

Mitigation
Identify the communication channel, connected alert policy, and severity level. If this pertains to a production or critical rule, reach out to the user to verify the communication settings. If the change is legitimate, resolve the event. Otherwise, contact the engineering team or user to revert the changes or allocate the appropriate channel to ensure alerts are directed only to authorized teams or users.

MITRE Tactic: TA0005
MITRE Technique: T1562

Building Block - GCP - Cloud Logging - Log Sink Was Deleted

This alert gets triggered when a logging sink was deleted. A log sink in Cloud Logging is simply an object that pairs a filter with a destination, but does not own or manage the destination resource.

Impact
The sinks in the Log Router evaluate each log entry against inclusion and exclusion filters to decide which destinations, such as Cloud Logging buckets, should receive the log entry. This ensures that only relevant and crucial logs are stored in the storage bucket. Deleting such a sink route will cease the forwarding of logs to the storage bucket. This action can lead to several significant consequences, including no export of new logs, gaps in logging data, disrupted monitoring, incomplete insights, potential regulatory issues, and disruption of audit trails.

Mitigation
Analyze the logs to determine the type of sink and associated services. Based on this analysis, reach out to the user for justification and business approval. If the activity is legitimate, you can close the alert. Otherwise, contact the user or engineering team to create a new sink with a comparable configuration and ensure logs continue to flow correctly. Additionally, consider downgrading user access to prevent similar incidents in the future.

MITRE Tactic: TA0040
MITRE Technique: T1489

Building Block - GCP - Cloud Logging - Log Storage Bucket Was Deleted

This alert gets triggered when a storage bucket was deleted. Cloud Logging buckets allow you to store data during different retention periods.

Impact
Deleting a bucket will revoke access to it, and all logs stored within will be deleted after a 7-day waiting period. Deleting a log storage bucket in Google Cloud Platform (GCP) can have significant consequences, including data loss, compliance issues, disruptions to operations and monitoring, impacts on services, breakage of integrations, and more.

Mitigation
Review the logs and assess the type and usage of the bucket. If it appears to be a critical bucket, contact the user to request justification and obtain business approval. If the activity is legitimate, resolve the alert. Otherwise, contact the user or engineering team to attempt restoration of the bucket from the backup, or create a new bucket with a comparable configuration to ensure logs are stored with the correct retention policy. Additionally, to prevent similar incidents, ensure continuous bucket backups are enabled with restricted access limited to authorized users only.

MITRE Tactic: TA0040
MITRE Technique: T1485

Correlation Alert - GCP - Cloud Logging - Possible Indicators of Compromised Alert Policy

This alert gets triggered when an alert policy was disabled and, after some time, the same policy was deleted by the user. The alerting policy can monitor time-series data stored by Monitoring or logs stored by Cloud Logging.

Note: In this alert, the threshold is set to 2 hours; please feel free to adjust it as per your requirements.

Impact
Removing a production alert policy suspends monitoring and stops notifications from being dispatched to the designated security team or channel for specific alerts. This creates an opportunity for adversaries to engage in unauthorized activities without detection, as their actions will proceed unnoticed in the absence of the alert policy. Such activities may encompass unauthorized resource modifications, access discovery, persistence attempts, privilege escalation, data exfiltration, evasion tactics, credential compromise, and others.

Mitigation
Determine the category of alert policy that has been deleted by the user. If the policy is crucial due to its reliance on log queries and severity, reach out to the user to understand their reasoning and validate their decision. Based on their feedback, take necessary actions as appropriate. For critical policies, involve the engineering team to establish a new alert policy using the existing query logs. Additionally, conduct a review of historical events to confirm that no unauthorized activities took place while the alert policy was inactive.

MITRE Tactic: TA0005
MITRE Technique: T1562

Correlation Alert - GCP - Cloud Logging - Possible Alert Defence Evasion Post Query Modifications

This alert gets triggered when an adversary makes changes to the alert log query and then disables OR deletes the same alert policy.

Note: The alert threshold is set to 2 hours; please feel free to adjust it as per your requirements.

Impact
Modifying a production alert query can cause unforeseen disruptions to the alerting process. These alterations might change the alert's intended function, lead to more alerts, and potentially overload your security team if not thoroughly tested and approved. Furthermore, disabling or deleting these queries will cease all detection alerts for suspicious activities executed by adversaries. Such activities include unauthorized resource changes, access discovery, persistence attempts, privilege escalation, data exfiltration, evasion tactics, credential compromise, and others.

Mitigation
Determine the category of alert policy that has been deactivated or removed by the user. If the policy is deemed critical due to its reliance on log queries and severity, reach out to the user to confirm the reasoning behind their actions and validate accordingly. Depending on their feedback, take necessary steps as warranted. For critical policies, engage the engineering team to establish a new alert policy utilizing the existing query logs. Furthermore, conduct a review of historical events to verify that no unauthorized activities transpired during the period when the alert policy was inactive.

MITRE Tactic: TA0005
MITRE Technique: T1562
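The correlation alerts above share two detection shapes over Cloud Audit Log entries: a sequence (a principal is granted access, then performs a destructive action within a time threshold, as in the GKE backup plan alert) and a distinct-event count within a window (as in the Pub/Sub "more than 2 services deleted" alert). The following is an added example of both shapes, not code from the Coralogix extension; the audit-log method names, the bindingDeltas location and the sample records are assumptions constructed for illustration.

```python
"""Time-window correlation over GCP Cloud Audit Log entries (added example).

sequence_rule: member X is granted access (event A), then X performs a
destructive action (event B) no more than `window` later, e.g. the GKE
backup plan alert with its 3-hour threshold.
distinct_kind_rule: at least N different deletion methods inside the window,
e.g. the Pub/Sub "more than 2 services deleted" alert.
"""
from datetime import datetime, timedelta

# Assumed audit-log method names for the operations the alerts describe.
GKE_SET_IAM = "google.cloud.gkebackup.v1.BackupForGKE.SetIamPolicy"
GKE_DELETE_BACKUP_PLAN = "google.cloud.gkebackup.v1.BackupForGKE.DeleteBackupPlan"
GKE_DELETE_RESTORE_PLAN = "google.cloud.gkebackup.v1.BackupForGKE.DeleteRestorePlan"
PUBSUB_DELETE = {
    "google.pubsub.v1.Publisher.DeleteTopic", "google.pubsub.v1.SchemaService.DeleteSchema",
    "google.pubsub.v1.Subscriber.DeleteSubscription", "google.pubsub.v1.Subscriber.DeleteSnapshot",
}


def _ts(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def _principal(entry):
    return entry["protoPayload"]["authenticationInfo"]["principalEmail"]


def _method(entry):
    return entry["protoPayload"]["methodName"]


def _member_email(member):
    """'user:eve@example.com' -> 'eve@example.com', so it compares to principalEmail."""
    return member.split(":", 1)[1] if ":" in member else member


def granted_members(entry):
    """Members added by a SetIamPolicy call. Assumption: the change is recorded as
    protoPayload.serviceData.policyDelta.bindingDeltas entries with action ADD."""
    payload = entry["protoPayload"]
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return {_member_email(d["member"]) for d in deltas if d.get("action") == "ADD"}


def sequence_rule(entries, first_methods, first_keys, second_methods, second_key, window):
    """Return (key, first_entry, second_entry) for every `second` event whose key
    (here: the acting principal) matches a key emitted by an earlier `first` event
    (here: the member that was granted access) at most `window` before it."""
    hits, pending = [], []  # pending: (time, key, entry) from first-stage events
    for e in sorted(entries, key=_ts):
        t, m = _ts(e), _method(e)
        pending = [p for p in pending if t - p[0] <= window]  # expire grants outside the window
        if m in second_methods:
            k = second_key(e)
            hits.extend((k, p[2], e) for p in pending if p[1] == k)
        if m in first_methods:
            pending.extend((t, k, e) for k in first_keys(e))
    return hits


def distinct_kind_rule(entries, methods, min_distinct, window):
    """Flag the entry at which at least `min_distinct` different methods from
    `methods` have occurred inside the trailing `window`."""
    hits, recent = [], []
    for e in sorted(entries, key=_ts):
        if _method(e) not in methods:
            continue
        recent = [r for r in recent if _ts(e) - _ts(r) <= window] + [e]
        kinds = sorted({_method(r) for r in recent})
        if len(kinds) >= min_distinct:
            hits.append((kinds, e))
    return hits


def gke_backup_plan_alert(entries, window=timedelta(hours=3)):
    """User added to a backup plan, then deletes a backup or restore plan within 3 hours."""
    return sequence_rule(entries, {GKE_SET_IAM}, granted_members,
                         {GKE_DELETE_BACKUP_PLAN, GKE_DELETE_RESTORE_PLAN}, _principal, window)


def pubsub_destroy_alert(entries, window=timedelta(hours=3)):
    """More than 2 distinct Pub/Sub services deleted within 3 hours."""
    return distinct_kind_rule(entries, PUBSUB_DELETE, min_distinct=3, window=window)


def _entry(ts, who, method, members=()):
    """Build a minimal constructed audit-log record."""
    e = {"timestamp": ts, "protoPayload": {"methodName": method,
                                           "authenticationInfo": {"principalEmail": who}}}
    if members:
        e["protoPayload"]["serviceData"] = {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/gkebackup.admin", "member": m} for m in members]}}
    return e


# Constructed sample log: one grant-then-delete inside 3 hours (alert), one with a
# 7-hour gap (no alert), three distinct Pub/Sub deletions in 70 minutes (alert),
# and a lone topic deletion the next day (no alert).
SAMPLE_LOG = [
    _entry("2024-05-01T09:00:00Z", "admin@example.com", GKE_SET_IAM, ["user:eve@example.com"]),
    _entry("2024-05-01T10:30:00Z", "eve@example.com", GKE_DELETE_BACKUP_PLAN),
    _entry("2024-05-01T08:00:00Z", "admin@example.com", GKE_SET_IAM, ["user:bob@example.com"]),
    _entry("2024-05-01T15:00:00Z", "bob@example.com", GKE_DELETE_RESTORE_PLAN),
    _entry("2024-05-02T11:00:00Z", "ci@example.com", "google.pubsub.v1.Publisher.DeleteTopic"),
    _entry("2024-05-02T11:20:00Z", "ci@example.com", "google.pubsub.v1.Subscriber.DeleteSubscription"),
    _entry("2024-05-02T12:10:00Z", "ci@example.com", "google.pubsub.v1.Subscriber.DeleteSnapshot"),
    _entry("2024-05-03T11:00:00Z", "dev@example.com", "google.pubsub.v1.Publisher.DeleteTopic"),
]
```

The Cloud Logging correlation above (any two of channel, bucket or sink deleted within 2 hours) is the same `distinct_kind_rule` with its three method names, `min_distinct=2` and a 2-hour window.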

Building Block - GCP - Cloud Logging - Alert Policy Was Deleted

This alert gets triggered when an alert policy was deleted by a user. The alerting policy can monitor time-series data stored by Monitoring or logs stored by Cloud Logging. When that data meets the alerting policy condition, Monitoring creates an incident and sends the notifications. Each incident is a record of the type of data that was monitored and when the conditions were met.

Impact
Deleting a production alert policy halts monitoring and prevents notifications from being sent to the dedicated security team or channel for specific alerts. This allows adversaries to perform unauthorized activities without detection, as these actions will go unnoticed without the alert policy in place. Examples of such events include unauthorized resource developments, access discovery, persistence, privilege escalation, exfiltration, defense evasion, credential access, and more.

Mitigation
Identify the type of alert policy deleted by the user. If the alert policy is critical based on log queries and severity, contact the user for justification and validation, and take appropriate action based on their response. If it is critical, contact the engineering team to define a new alert policy using the same query logs. Additionally, review historical events to ensure no unauthorized activities occurred during the time the alert policy was disabled.

MITRE Tactic: TA0005
MITRE Technique: T1562

Building Block - GCP - Cloud Logging - Production Alert Policy Was Disabled

This alert gets triggered when an alert policy was disabled. The alerting policy can monitor time-series data stored by Monitoring or logs stored by Cloud Logging. When that data meets the alerting policy condition, Monitoring creates an incident and sends the notifications. Each incident is a record of the type of data that was monitored and when the conditions were met.

Impact
Disabling a production alert policy halts monitoring and prevents notifications from being sent to the dedicated security team or channel for defined alerts. This allows adversaries to carry out unauthorized activities without detection, as these actions will go unnoticed due to the disabled alert policy. Examples of such events include unauthorized resource developments, access discovery, persistence, privilege escalation, exfiltration, defense evasion, credential access, and more.

Mitigation
Identify the type of alert policy that the user disabled. If the alert policy is critical based on the log queries and severity, contact the user for justification and validation, then take appropriate action based on their response. If the policy is not deemed critical, contact the engineering team to have it re-enabled. Additionally, review historical events to ensure no unauthorized activities occurred during the period the alert policy was disabled.

MITRE Tactic: TA0005
MITRE Technique: T1562

Building Block - GCP - Cloud Logging - Production Alert Log Query Was Modified

This alert gets triggered when a production alert log query was modified. Cloud Audit Logs help security teams maintain audit trails in Google Cloud Platform (GCP). With this tool, enterprises can attain the same level of transparency over administrative activities and access to data in the Google Cloud Platform as in on-premises environments.

Note: In this alert, "communication and severity" changes have been whitelisted. Kindly feel free to fine-tune it further as per your requirements.

Impact
Editing a production alert query is unexpected and can significantly disrupt the alerting workflow. Such changes may alter the alert's purpose, increase the number of alerts, and create an unnecessary workload for your security team if not properly tested and whitelisted. Modifying or removing fields without testing is a poor practice and could be a defense evasion tactic by adversaries to disable alerts and avoid detection of unusual events.

Mitigation
Review the triggered alert policy, identify the changes, and analyze their impact. If the changes appear critical and unexpected, contact the user to validate the justification for these modifications. If there is valid testing and justification, close the alert. Otherwise, ask the user to revert the query and obtain approval or guidance before making any changes to the production query. Ensure that no critical changes are made without proper validation and business approval.

MITRE Tactic: TA0005
MITRE Technique: T1562

Building Block - GCP - Pub/Sub - Schema Was Deleted

This alert gets triggered when a schema was deleted by a user. A Pub/Sub message schema defines the names and data types for the fields in a message. You can create a schema and associate it with a topic to enforce the schema for published messages.

Note: If required, feel free to add a count threshold to receive an alert for a high number of schema deletions.

Impact
The adversary is attempting to manipulate, interrupt, or destroy your systems and data. A schema assists in managing the types and content of data within messages. Deleting production schemas could result in a loss of control over editing content, types, and dedicated subscriptions and topics due to the absence of sources. Impact encompasses techniques adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques for impact may involve data destruction or tampering.

Mitigation
Examine the logs and the affected schema that was deleted. If this seems critical, reach out to the user for justification along with the approval ticket and subsequently resolve the alert. If it is not critical, contact the engineering team to set up the new schema and ensure it is attached to the appropriate topics and subscriptions. Finally, verify whether the event flow is functioning in line with the business use case.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - GCP - Pub/Sub - Snapshot Was Deleted

This alert gets triggered when a topic/subscription snapshot was deleted by a user. Snapshots are used in subscriptions.seek operations, which allow you to manage message acknowledgments in bulk.

Note: If required, feel free to add a count threshold to receive an alert for a high number of snapshot deletions.

Impact
The adversary seeks to manipulate, interrupt, or destroy your systems and data. Snapshots aid in managing operations and messages. Deleting production snapshots could result in a loss of control over dedicated subscriptions due to the absence of sources. Impact entails techniques adversaries employ to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact may include data destruction or tampering.

Mitigation
Examine the logs and the connected snapshots that were deleted. If this seems critical, reach out to the user for justification along with the approval ticket, and then close the alert accordingly. If it doesn't seem critical, inform the engineering team to configure a new snapshot and ensure that the newly configured snapshots are attached to the relevant topics and subscriptions. Finally, validate whether the event flow aligns with the business use case.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - GCP - Pub/Sub - Subscription Was Deleted

This alert gets triggered when a subscription instance was deleted by a user. The subscriber client receives and processes the messages published to the topic.

Note: If required, feel free to add a count threshold to receive an alert for a high number of subscription deletions.

Impact
The adversary is attempting to manipulate, disrupt, or damage your systems and data. A subscription serves as the final source from which communication and messages are dispatched. Deleting production subscriptions could disrupt the entire publication and subscription lifecycle due to the absence of sources. Impact involves tactics employed by adversaries to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques for impact may involve data destruction or tampering.

Mitigation
Review the logs and the type of subscription that was deleted. If this seems critical, reach out to the user for justification along with the approval ticket and then close the alert accordingly. If it doesn't seem critical, inform the engineering team to configure a new subscription or recover it from snapshots if possible, ensuring that the newly configured subscriptions are attached to the relevant topics. Lastly, validate whether the event flow aligns with the business use case.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - GCP - Pub/Sub - Topic Was Deleted

This alert gets triggered when a topic was deleted by a user. A topic can have multiple subscriptions, but a given subscription belongs to a single topic.

Note: If required, feel free to add a count threshold to receive an alert for a high number of topic deletions.

Impact
The adversary seeks to manipulate, interrupt, or destroy your systems and data. Topics connect to multiple subscribers for communication and message exchange. Deleting production topics could disrupt the entire lifecycle of publication and subscription, resulting in a lack of sources. The impact involves techniques adversaries employ to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques for impact may involve destroying or tampering with data.

Mitigation
Examine the logs and determine the type of topics that were deleted. If the deletion seems critical, reach out to the user for justification along with the approval ticket, and then close the alert accordingly. If it doesn't appear critical, inform the engineering team to configure new topics or recover them from snapshots if feasible, and ensure that the newly configured topics are connected to the relevant subscriptions. Lastly, validate whether the event flow aligns with the business use case.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - GCP - Pub/Sub - User Granted Permissions to Snapshot

This alert gets triggered when a user permission was granted or modified for a Pub/Sub snapshot. Snapshots are used in subscriptions.seek operations, which allow you to manage message acknowledgments in bulk.

Note: In this alert, we have whitelisted all types of "viewer" access; kindly feel free to adjust as per your requirements.

Impact
Snapshots allow users to manage subscriptions associated with topics. Unauthorized permission changes can significantly impact business operations and infrastructure, leading to privilege escalation, unauthorized access, command and control, data leakage, and unauthorized changes to settings. Additionally, such attempts could result in a major network outage, making services inaccessible to end users.

Mitigation
Examine the event logs to identify the user who was granted access. Based on their permission level, contact the assigner to confirm the authorization and obtain a business approval ticket. If the activity is confirmed as legitimate business, close the event. Otherwise, contact the engineering team to revoke the user's access. Finally, ensure that no unusual activities were performed by the user during the period of high-privilege access.

MITRE Tactic: TA0004
MITRE Technique: T1098

Building Block - GCP - Pub/Sub - Subscription Permissions Granted to a User

This alert gets triggered when a user permission was granted or modified for a Pub/Sub subscription. The subscriber client receives and processes messages published on the topic.

Note: In this alert, we have whitelisted all types of "viewer" access; kindly feel free to adjust as per your requirements.

Impact
This could indicate an adversary attempting to gain higher-level permissions or remove legitimate user accounts. Unauthorized permission changes can severely impact business operations and infrastructure, leading to privilege escalation, unauthorized access, command and control, and unauthorized changes to settings. Additionally, such attempts could result in a major network outage, rendering services inaccessible to end users.

Mitigation
Examine the event logs to identify the user who was granted access. Based on their permission level, contact the assigner to confirm the authorization and obtain a business approval ticket. If the activity is confirmed as legitimate business, close the event. Otherwise, contact the engineering team to revoke the user's access. Finally, ensure that no unusual activities were performed by the user during the period of high-privilege access.

MITRE Tactic: TA0004
MITRE Technique: T1098

Building Block - GCP - Pub/Sub - Topics Permissions Granted to User

This alert gets triggered when a user was granted access to topics. Cloud Pub/Sub is a fully managed, scalable, global, and secure messaging service that facilitates message exchange between applications and services.

Note: In this alert, we have whitelisted all types of "viewer" permissions; kindly feel free to adjust as per your requirements.

Impact
This could indicate an attempt by an adversary to gain higher-level permissions or remove legitimate user accounts. Unauthorized permission changes can significantly impact business operations and infrastructure, leading to privilege escalation, unauthorized access, command and control, and unauthorized changes to settings. Additionally, such attempts could cause a major network outage, making services inaccessible to end users.

Mitigation
Analyze the logs to identify the user who was added or removed, as well as the individual who performed this action. If the account and permissions are critical, contact the user for justification and request the approval ticket for this activity. If it is part of a business-approved process, close the alert. Otherwise, contact the engineering team to revert the action, ensure the impact has been mitigated, and confirm that the service is functioning correctly. Finally, downgrade the adversary's user permissions to prevent similar future incidents.

MITRE Tactic: TA0004
MITRE Technique: T1098

Correlation Alert - GCP - Firebase Project - Recently Added User Deleted an Application

This alert gets triggered when a user gains extra permissions in Firebase and subsequently deletes applications.

Note: This encompasses events involving internal and external users deleting applications, with the threshold set to 3 hours. You can adjust the timelines as needed to suit your requirements.

Impact
Assigning elevated permissions to an internal or external user followed immediately by the deletion of an application is not a usual event. This suggests a deliberate effort by the user to gain access and influence the organization's applications. Such actions could result from various security threats, including insider threats, external attacks, compromised accounts or takeovers, and could disrupt major business operations, bring services down, etc.

Mitigation
Verify the user, application type, and level of permissions granted to the user. Promptly reach out to the user for justification. If anything seems suspicious, involve the engineering team to restore the application from backup and consider blocking the user account. Legal actions may also be pursued in case of significant business impact or financial losses upon application recovery. Review additional logs to identify any other critical activities performed by the user.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - GCP - Firebase Project - Application Was Removed

This alert gets triggered when a user has deleted an application. Firebase supports a range of application types, including Android, iOS, Web, Flutter, and Unity.

Note: This alert is configured to monitor only Android, iOS, and web applications. Please customize it by adding any additional apps based on your specific needs.

Impact
Deleting an application is an uncommon occurrence outside of testing or sandbox environments. If this event occurs with a production or internal application, it can have significant business impacts, including insider threats, business disruption, financial losses, account compromise or takeover, and operational interruptions.

Mitigation
Limit critical permissions to authorized users and require approval before deleting an app. Review the logs thoroughly, gather all pertinent details, and reach out to the user for confirmation. If the request is legitimate, resolve the case accordingly. If not, contact the engineering team to investigate and check for any stored backups. If available, restore the application and implement the necessary changes.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - GCP - Firebase Project - Admin Privileges Invite Accepted By User

This alert gets triggered when the user accepts the admin privilege account request. The Firebase Admin SDK provides an API for managing your Firebase users with elevated privileges.

Impact
The admin user management API gives you the ability to programmatically retrieve, create, update, and delete users without requiring a user's existing credentials and without worrying about client-side rate limiting. Admin privileges grant complete access to the dedicated Firebase project and its associated applications. If unauthorized or unknown users acquire these permissions, it poses significant security risks, including account compromise, account takeover, privilege escalation, insider threats, and more.

Mitigation
Identify the user account recently added to the project. Reach out to the user who assigned these permissions and request justification along with the approval ticket for granting access. Once resolved, close the case accordingly. If no valid justification is provided, remove the user account immediately, ensure there are no unusual events associated with this user, and continue monitoring.

MITRE Tactic: TA0001
MITRE Technique: T1199

Building Block - GCP - Firebase Project - External User Permissions Modified

This alert gets triggered when an external user has been added or modified within the project with a specific role. Firebase currently offers three access levels: owner, viewer, and editor.

Note: Please include the whitelisting of corporate official domains in the query.

Impact
The user account might belong to a contractor or third-party service for the specific project. If this is the case, please whitelist the domain. Otherwise, this event suggests a significant security risk to Firebase, such as account compromise, privilege escalation, account takeover, insider threats, and more.

Mitigation
Identify the user account that has been added to the project. Reach out to the user who assigned the permissions and request justification and approval for granting these permissions. Once resolved, close the case and whitelist the domain if appropriate. Otherwise, promptly remove the user account, verify no unusual activity occurred, and continue monitoring the situation.

MITRE Tactic: TA0001
MITRE Technique: T1199

Building Block - GCP - Cloud VPN - User Permissions Granted to Hub

This alert is triggered when a user is granted admin or owner permissions on a Network Connectivity Center hub. Network Connectivity Center uses a hub-and-spoke architecture to manage hybrid connectivity. Note: in the audit record, "protoPayload.authenticationInfo.principalEmail" identifies the principal who made the change, while the account that received the grant appears in the policy bindings; allowlist your genuine domains and tune the roles matched in the "role" field as required.

Impact: An unauthorized user or service account with high privileges can do significant damage to the cloud environment. Admin or owner permissions on the hub allow the account to edit, move or delete critical resources, leading to service interruptions, privilege escalation, unauthorized access, modification of critical services and configurations, creation of backdoors, exposure of internal networks to the public internet, and similar outcomes.

Mitigation: Identify who granted the access and the domain of the granted account. Check with the IT team whether a new hire or procurement explains the alerted domain or user. If so, request the approval ticket for the access and close the case. If not, have the account removed and review the logs from the preceding hours to confirm that the unknown account performed no critical or unusual actions.

MITRE Tactic: TA0004 MITRE Technique: T1098

Building Block - GCP - IAM - Service Account Key Was Deleted

This alert is triggered when a key is deleted from a service account. Like a username and password, a service account key is a credential: anyone holding a valid key can authenticate as the service account and use whatever access it has been granted.

Impact: Deleting a key revokes the ability to authenticate with it, so the action should be validated. Any automation or integration still configured with that key will fail to authenticate until it is updated.

Mitigation: Confirm the deletion with the user who performed it. If it was not intended, create a new key and update it in every place the old key was configured. Where possible, prefer keyless alternatives such as workload identity or short-lived tokens so that fewer long-lived keys exist to rotate or lose.

MITRE Tactic: TA0003 MITRE Technique: T1098

Building Block - GCP - IAM - Service Account Was Deleted

This alert is triggered when a service account is deleted by a user. A service account is a special kind of account used by an application or compute workload rather than a person, and is managed by Identity and Access Management (IAM).

Impact: Service accounts, especially privileged ones, often hold admin-level access to many systems, which makes them attractive targets. They also suffer from low visibility and neglected credentials: they are rarely inventoried and their keys are rarely rotated, making them a prime vector for attackers. Deleting one removes the identity that every dependent workload used to authenticate.

Mitigation: Contact the user to validate the activity and confirm that the change had business approval. If the deletion follows an approved process, no further action is needed. If not, have the owner restore the account and assess the impact on dependent workloads: a deleted service account can be undeleted for up to 30 days with gcloud iam service-accounts undelete (which takes the account's numeric unique ID); after that it must be recreated with the same configuration. Going forward, confine such critical changes to project owners and tech leads.

MITRE Tactic: TA0040 MITRE Technique: T1489

Correlation Alert - GCP - Cloud VPN - Possible Network Disruption Attempts By a New User

This alert is triggered when a newly added user with high privileges attempts to delete Network Connectivity Center resources such as hubs and spokes within 3 hours of being granted access. Network Connectivity Center uses a hub-and-spoke architecture to manage hybrid connectivity. Note: allowlist your genuine domains in "protoPayload.request.policy.bindings.members" and adjust the 3-hour threshold as required.

Impact: An unauthorized user or service account with elevated privileges can have a notable effect on the cloud infrastructure. Admin or owner permissions allow the account to modify, move or delete critical elements; deleting network connectivity resources, as seen in this scenario, suggests a compromised account, an insider threat or unauthorized access.

Mitigation: Identify who added the account and the account's domain. Check with the IT team whether recent hiring or procurement explains the alerted domain or user. If it does, contact the user to confirm approval for the access and authorization for deleting the connectivity resources, then close the case. If not, remove the account and have the engineering team reconfigure the service. Afterwards, review the logs from the preceding hours to confirm the unidentified user performed no other critical or unusual actions, and consider removing or downgrading the user's permissions to prevent a recurrence.

MITRE Tactic: TA0040 MITRE Technique: T1489
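
The two Cloud VPN alerts above, like the GKE backup-plan correlation at the top of the page, share one detection shape: a principal receives a role (an ADD entry in the SetIamPolicy record's binding deltas) and, within a window, that same principal calls a destructive method. The Python below is an added example of that logic run over constructed Cloud Audit Log records; it is not the Coralogix query and not Google code. The field paths follow the Cloud Audit Log schema; the method names are written as the v1 API method names of Network Connectivity Center and Backup for GKE and should be checked against your own logs; the principals, domains, project and resource names are invented, and the 3-hour window and domain allowlist are placeholders for your own values. Swapping the method set turns the same code into the export-then-delete or grant-then-discover correlations described later on the page.

```python
from datetime import datetime, timedelta

# Assumptions for this example: allowlisted corporate domains, the page's
# 3-hour window, and the audit-log method names treated as destructive.
CORPORATE_DOMAINS = {"example.com"}
WINDOW = timedelta(hours=3)
DESTRUCTIVE_METHODS = {
    "google.cloud.networkconnectivity.v1.HubService.DeleteHub",
    "google.cloud.networkconnectivity.v1.HubService.DeleteSpoke",
    "google.cloud.gkebackup.v1.BackupForGKE.DeleteBackupPlan",
    "google.cloud.gkebackup.v1.BackupForGKE.DeleteRestorePlan",
}

# Constructed records shaped like Cloud Audit Log entries; not real logs.
SAMPLE_LOG = [
    {   # 10:00 an existing admin grants mallory roles/owner on the project
        "timestamp": "2024-05-01T10:00:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "resourceName": "projects/demo-project",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}]}},
        },
    },
    {   # 11:30 mallory deletes a hub, 1.5 h after the grant: inside the window
        "timestamp": "2024-05-01T11:30:00Z",
        "protoPayload": {
            "methodName": "google.cloud.networkconnectivity.v1.HubService.DeleteHub",
            "authenticationInfo": {"principalEmail": "mallory@example.com"},
            "resourceName": "projects/demo-project/locations/global/hubs/prod-hub",
        },
    },
    {   # 12:00 eve (external domain) deletes a spoke with no recent grant: building block only
        "timestamp": "2024-05-01T12:00:00Z",
        "protoPayload": {
            "methodName": "google.cloud.networkconnectivity.v1.HubService.DeleteSpoke",
            "authenticationInfo": {"principalEmail": "eve@contractor.example"},
            "resourceName": "projects/demo-project/locations/us-central1/spokes/dc-vpn",
        },
    },
    {   # 09:00 next day mallory deletes a backup plan, 23 h after the grant: outside 3 h
        "timestamp": "2024-05-02T09:00:00Z",
        "protoPayload": {
            "methodName": "google.cloud.gkebackup.v1.BackupForGKE.DeleteBackupPlan",
            "authenticationInfo": {"principalEmail": "mallory@example.com"},
            "resourceName": "projects/demo-project/locations/us-central1/backupPlans/daily",
        },
    },
]


def parse_ts(value):
    """Cloud Logging timestamps are RFC 3339; fromisoformat wants +00:00 rather than Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_external(email):
    """True when the account's domain is not on the corporate allowlist."""
    return email.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS


def recent_grants(entries):
    """Map each user/service account to the (role, granted_at, granted_by) ADD deltas it received."""
    grants = {}
    for entry in entries:
        payload = entry["protoPayload"]
        if payload.get("methodName") != "SetIamPolicy":
            continue
        for delta in payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            kind, _, member = delta.get("member", "").partition(":")
            if delta.get("action") == "ADD" and kind in ("user", "serviceAccount"):
                grants.setdefault(member, []).append((
                    delta["role"], parse_ts(entry["timestamp"]),
                    payload["authenticationInfo"]["principalEmail"]))
    return grants


def correlate(entries, window=WINDOW):
    """Destructive calls made by a principal within `window` after being granted a role."""
    grants = recent_grants(entries)
    findings = []
    for entry in entries:
        payload = entry["protoPayload"]
        if payload.get("methodName") not in DESTRUCTIVE_METHODS:
            continue
        actor = payload["authenticationInfo"]["principalEmail"]
        when = parse_ts(entry["timestamp"])
        for role, granted_at, granted_by in grants.get(actor, []):
            if timedelta(0) <= when - granted_at <= window:
                findings.append({
                    "principal": actor, "external": is_external(actor),
                    "role": role, "granted_by": granted_by,
                    "hours_since_grant": (when - granted_at) / timedelta(hours=1),
                    "method": payload["methodName"], "resource": payload["resourceName"],
                })
    return findings
```

Run `correlate(SAMPLE_LOG)` and only the hub deletion at 11:30 is reported, with the granting admin and the 1.5-hour gap attached for the analyst; widening the window to 24 hours also catches the next-day backup-plan deletion, which is exactly the tuning trade-off the Note on each alert describes. Eve's spoke deletion never correlates because she received no grant in the log, so it surfaces only through the corresponding building block.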

Correlation Alert - GCP - CloudSQL - User Disabled Defence Protection & Deleted Databases

This alert is triggered when deletion protection is disabled on a Cloud SQL instance and the instance is then deleted by the same user. Note: for finer tuning, label your production instances so that QA and sandbox events can be ignored, and adjust the 5-hour threshold as required.

Impact: With deletion protection off, nothing stands between a single API call and the loss of a critical or production database. Such an event can lead to data loss, disruption of business operations, loss of client data, reputational damage and regulatory consequences. Deleting the instance may permanently destroy the database and its records, disrupting operations, eroding customer trust and breaking connected applications.

Mitigation: Deletion protection blocks deletion of an instance until the flag is explicitly cleared, so it guards against both accidental and deliberate deletion. Whenever it is disabled, contact the user for verification and confirm that the instance is no longer in use before the change is allowed to stand. If a critical instance has been deleted, engage the engineering team to restore from backup where possible, block the user account and revise its permissions. For the future, enable automated backups and point-in-time recovery on critical instances.

MITRE Tactic: TA0040 MITRE Technique: T1485

Building Block - GCP - GKE - User Was Added to Backup Plan As Non-Admin

This alert is triggered when a new user is granted any permission other than admin on a GKE cluster backup plan. Backup for GKE is a service for backing up and restoring workloads in GKE clusters. It has two components: a Google Cloud API that serves as the service's control plane, and a Backup for GKE agent that runs in each cluster. Note: modify the permissions matched in the query as required.

Impact: Granting unauthorized access could allow unknown users to perform read and write operations on the backup plan. Depending on the permissions assigned, the user may be able to manipulate, edit, delete or copy backups, posing a significant risk to data confidentiality and integrity.

Mitigation: Review the users recently added to the backup plan and the permissions they received. Contact the user responsible for the grant for clarification and obtain approval through the designated ticketing process. If approval is confirmed, close the case. If the permissions are confirmed to be unauthorized, remove the user promptly and put safeguards in place to prevent a recurrence.

MITRE Tactic: TA0001 MITRE Technique: T1078

Building Block - GCP - Persistent Disk - Multiple Snapshots Deleted

This alert is triggered when a single user deletes multiple Persistent Disk snapshots. Persistent Disk snapshots are global resources within a project, so a snapshot can be used to restore data to a new disk or VM in any zone of the same project. Note: the threshold is set to more than 5 snapshots deleted in 20 minutes.

Impact: Snapshot clean-up is normally routine. However, if the deletion is performed by an unexpected user or involves snapshots of critical disks, it removes restore points and can result in data loss and operational impact.

Mitigation: Contact the user to confirm the activity if it involves a critical disk or snapshot; otherwise the alert can be closed. Consider restricting snapshot deletion to power users and administrators.

MITRE Tactic: TA0040 MITRE Technique: T1489

Correlation Alert - GCP - IAM - Account Discovery Performed By New User

This alert is triggered when a user is granted IAM permissions and then performs account discovery against their own or other corporate accounts. Discovery covers the techniques an adversary uses to learn about the system and internal network; they help the adversary observe the environment and orient themselves before deciding how to act. Note: the alert threshold is set to 3 hours; adjust it as required.

Impact: This alert combines two events: the granting of IAM permissions followed by the immediate execution of discovery actions. The adversary is mapping the environment to identify critical or weakly protected accounts for follow-on attacks such as account compromise, privilege escalation, lateral movement or data exfiltration.

Mitigation: Confirm the user's identity and review the permissions assigned. Contact the user to understand the reason for the observed events. If the activity appears suspicious, temporarily block the account, validate its permissions, remove any unnecessary access, and continue monitoring for further unusual activity.

MITRE Tactic: TA0007 MITRE Technique: T1087

Building Block - GCP - Cloud VPN - Network Hub Was Deleted

This alert is triggered when a user deletes a Network Connectivity Center hub. Network Connectivity Center uses a hub-and-spoke architecture to manage hybrid connectivity. Note: add your production labels or tagging schema and a count threshold to the query to receive only the critical alerts.

Impact: In the hub-and-spoke model a central hub connects multiple spokes, and each spoke carries traffic to and from the hub. Deleting a hub, or the spokes attached to it, disrupts that traffic and its intended pathways, affecting network logging, connection flow, operational uptime and accessibility, and can cause major outages with significant business impact.

Mitigation: Analyze the event logs to identify the affected resource and its type. If it is a critical or production resource, contact the user for justification and act on the response. If it was deleted by mistake, have the engineering team recreate it with the same configuration, then validate that the network operates as expected.

MITRE Tactic: TA0040 MITRE Technique: T1489

Building Block - GCP - Cloud VPN - Network Spokes Was Deleted

This alert is triggered when a user deletes a Network Connectivity Center spoke. Network Connectivity Center uses a hub-and-spoke architecture to manage hybrid connectivity. Note: add a count threshold to receive an alert only for bulk deletions.

Impact: In the hub-and-spoke model a central hub connects multiple spokes, which carry traffic to and from the hub. Removing a critical spoke disconnects the network it represented (for example a VPN tunnel, an Interconnect VLAN attachment or a router appliance) from the hub, disrupting traffic and its designated pathways, affecting network logging, connection flow, operational uptime and accessibility, and potentially causing major outages with significant business repercussions.

Mitigation: Analyze the event logs to identify the affected resource and its type. If it is a critical or production resource, contact the user for justification and act on the response. If the spoke was deleted by mistake, have the engineering team recreate it with the same configuration, then validate that the network operates as expected.

MITRE Tactic: TA0040 MITRE Technique: T1489

Correlation Alert - GCP - Datastore - Database Exfiltration & Deletion By Same User

This alert is triggered when a user exports a Datastore database and then deletes the database, or documents or entities within it. Datastore is a highly scalable NoSQL database that handles sharding and replication automatically, providing a highly available and durable store that scales with application load. Note: the threshold is set to 3 hours across multiple building blocks; adjust as required.

Impact: An export followed by deletion by the same user is the pattern of data exfiltration, an insider threat or a compromised account: the data is copied out and the original is destroyed. If the deleted database is critical (customer data, internal records, the backing store of a live service) the impact on business operations can be major, including services becoming unavailable because their backend has no records.

Mitigation: Restrict export and delete permissions to a small set of users and administrators. Analyze the logs to identify the database and the kind or collection that was exported and then deleted. If it appears to be production data, contact the user for validation; if there is no justification, escalate immediately to the engineering team to check backup status and restore. Then validate that the affected backend services are working as expected. If required, block the user account or revise its permissions according to the role.

MITRE Tactic: TA0040 MITRE Technique: T1485

Building Block - GCP - Datastore - Datastore Entity Was Deleted

This alert is triggered when a Datastore entity is deleted. Data objects in Datastore are called entities; an entity has one or more named properties, each of which can have one or more values. Note: add a count threshold to the query to alert only on bulk deletions.

Impact: Entities of the same kind need not have the same properties, and the values of a given property need not share a data type, so a single deletion can remove data that exists nowhere else in the database. Deleting entities causes permanent data loss unless a backup or export exists, and unauthorized or accidental deletions can significantly affect business operations, applications, integrations and customer experience.

Mitigation: Entity deletions warrant review because of their potential impact on business operations. Examine the logs to assess the importance of the affected data, then contact the user responsible to verify the activity. If the action was approved by the business, the alert can be closed; otherwise engage the engineering team to restore the data from backups and confirm that any resulting impact is rectified. Consider restricting delete permissions to prevent similar incidents.

MITRE Tactic: TA0040 MITRE Technique: T1485

Building Block - GCP - Datastore - Collection Document Was Deleted

This alert is triggered when a document is deleted from a collection in a Firestore database running in Native mode. Firestore is a highly scalable NoSQL database that handles sharding and replication automatically, providing a highly available and durable store that scales with application load. In Native mode, data is stored as documents, each a set of fields, grouped into collections. Note: add a count threshold to the query to alert only on bulk deletions.

Impact: Collections and their documents hold the application's raw data. Unintended or mistaken deletion of documents can profoundly affect business operations, customer experience, applications and data visibility, and can result in reputational damage and penalties from compliance authorities.

Mitigation: Document deletions warrant review because of their potential impact on business operations. Analyze the logs to assess the significance of the data, then contact the user responsible to verify the activity. If the deletion is business-approved, close the alert; otherwise engage the engineering team to restore from backups and confirm that any resulting impact is resolved. Consider restricting delete permissions to prevent a recurrence.

MITRE Tactic: TA0040 MITRE Technique: T1485

Correlation Alert - GCP - Cloud Storage - Possible Content Injection Attempts By a User

This alert is triggered when a newly added user uploads a file of a suspicious type to Cloud Storage. Cloud Storage stores objects in Google Cloud: an object is an immutable piece of data consisting of a file of any format, and objects are stored in containers called buckets. Note: edit the file-type allowlist and the 2-hour threshold as required.

Impact: Unusual file types appearing in a bucket raise the concern of malicious activity such as bot payloads, malware, trojans, credential-harvesting pages or command-and-control (C2) staging, particularly if the bucket is publicly readable or its contents are served to users.

Mitigation: Inspect the file types stored in the bucket, remove any suspicious objects, and restrict write access to authorized users only. Review the audit logs to determine whether the uploaded file was downloaded or executed anywhere and ensure no remnants remain in the environment. Consider a CASB (Cloud Access Security Broker) or object-scanning capability to detect and respond to such uploads.

MITRE Tactic: TA0010 MITRE Technique: T1537

Building Block - GCP - Persistent Disk - Multiple Disks Deleted

This alert is triggered when multiple Persistent Disks are deleted within the set timeframe. Note: the threshold is set to more than 5 disks deleted within 15 minutes; fine-tune it as required.

Impact: If the deleted disks belong to a production environment or carry critical data, the event can significantly disrupt business operations, causing service downtime and the loss of any data that was never snapshotted.

Mitigation: Examine the labels on the deleted disks and contact the user accordingly. Ask for the business justification for deleting multiple disks and act on the response, for example by recreating the disks from snapshots with the same configuration and attaching them to the affected services. Ensure that critical disks are covered by deletion protection on their attached instances and by scheduled snapshots, and that disk deletion is granted to power users and administrators only.

MITRE Tactic: TA0040 MITRE Technique: T1485

Correlation Alert - GCP - Compute Engine - Unusual Attempts to Interrupt the Application Settings

This alert is triggered when a newly added user deletes an API key or an OAuth application (client). OAuth 2.0 is an authorization standard that lets a user grant one application scoped access to another service without sharing credentials such as passwords. Note: adjust the 3-hour threshold as required.

Impact: Deleting a key or client that is still in use can disrupt operations, production services and integrations. Ideally these actions are only performed once the credential's purpose has been fulfilled or because it has been compromised.

Mitigation: Contact the user to establish whether the deletion was part of testing or whether a valid key or client was removed unintentionally. If a production key or client was deleted by accident, create a replacement promptly and roll it out carefully to the affected services. If the deletion was legitimate and approved, close the case with the justification and supporting evidence.

MITRE Tactic: TA0040 MITRE Technique: T1489

Building Block - GCP - Compute Engine - OAuth Application Was Deleted

This alert is triggered when an existing OAuth application (client) is deleted. OAuth 2.0 is an authorization standard that lets a user grant one application scoped access to another service without sharing credentials such as passwords.

Impact: Deleting a production OAuth client that is in use breaks every sign-in and API authorization that relies on it, causing service downtime, operational disruption, financial loss and loss of customer access.

Mitigation: Promptly contact the user to establish whether the deletion was part of testing or a legitimate, approved change, and ask for the reason. If it was approved, close the case; otherwise create a new client with the same configuration and update the affected services with the new client ID and secret.

MITRE Tactic: TA0040 MITRE Technique: T1485

Building Block - GCP - Compute Engine - API Key Was Deleted

This alert is triggered when an API key is deleted. An API key is a project-level credential that identifies the calling project to the Google APIs that accept it, including the Compute Engine API used to create and run virtual machines. Note: if this alert triggers frequently, add a count to the query to alert only on bulk deletion.

Impact: Deleting a key that is still in use can disrupt operations, production services and integrations. Ideally the action is only taken once the key's purpose has been fulfilled or because the key has been compromised.

Mitigation: Contact the user to determine whether the deletion was part of testing or whether a legitimate key was removed by accident. If a production key was deleted in error, create a new key promptly and replace it carefully in the production code. Restrict replacement keys to the APIs, HTTP referrers or IP addresses that actually need them so that a future compromise has a smaller blast radius.

MITRE Tactic: TA0040 MITRE Technique: T1485

Correlation Alert - GCP - Compute Engine - Possible Mass Network Destruction Activity Performed

This alert is triggered when multiple VM instances are deleted or stopped by a newly added user. Note: the VM count is set to more than 10 in the building blocks; modify it as required.

Impact: Deletion of VMs in production accounts must be monitored closely. Bulk deletion or suspension should not normally occur in critical or production accounts; when it does, it can profoundly affect business operations, causing data loss, service downtime and other critical outcomes.

Mitigation: Ensure that deletion protection is enabled on critical and production instances; note that deletion protection does not prevent an instance from being stopped, so stop events rely on this alert. When a deletion event occurs in a critical account, contact the user for business approval before taking further action. Consider snapshot schedules or backups for critical instances to limit the impact of events like these.

MITRE Tactic: TA0040 MITRE Technique: T1489

Correlation Alert - GCP - Compute Engine - Unusual Manipulations In Configurations

This alert is triggered when a newly added user makes critical changes to Compute Engine instances and their related configuration. Note: the alert monitors disabling of deletion protection, assignment of an external public IP, and enabling of IP forwarding; modify the settings and timelines as required.

Impact: Changes to these security-relevant instance settings can expose the instance. An external IP makes it reachable for reconnaissance and attack from the internet, IP forwarding lets it route or spoof traffic for addresses other than its own, and disabling deletion protection raises the risk of accidental or malicious deletion and the loss of the instance's data.

Mitigation: Review the logs to identify the user responsible and the nature of the changes. Contact the user to request justification. If the changes affect production or critical instances, notify the owner or engineering team immediately to revert them and verify their validity. Consider enabling backups for critical instances, and review the user's access, adjusting permissions to match the assigned role.

MITRE Tactic: TA0005 MITRE Technique: T1562

Building Block - GCP - Compute Engine - Delete Protection Was Disabled for VM Instance

This alert is triggered when deletion protection is disabled on a VM instance.

Impact: Deletion protection prevents a VM instance from being deleted until the flag is cleared, which is a valuable safeguard for mission-critical and production instances. Unintended deletion can take down running services, lose data on disks set to auto-delete with the instance, and break integrations.

Mitigation: Verify that disabling deletion protection was authorized; if not, re-enable it and investigate. The setting can be turned back on in the instance's Basic information section in the console, or with gcloud compute instances update --deletion-protection.

MITRE Tactic: TA0040 MITRE Technique: T1529
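
The three settings watched by the "Unusual Manipulations In Configurations" correlation and this building block are also visible in the instance resource itself, so the same conditions can be checked as posture, not only as events. The Python below is an added example and not part of the extension: it walks a constructed stand-in for the output of `gcloud compute instances list --format=json` (the field names are the Compute Engine instance resource's; the instance names, zones and addresses are invented) and, for each finding, emits the `gcloud compute instances update --deletion-protection` or `gcloud compute instances delete-access-config` command that remediates it. Deletion protection is only flagged on instances labelled as production, mirroring the labelling advice elsewhere on the page; the `env` label and its `prod` value are assumptions.

```python
# Constructed stand-in for `gcloud compute instances list --format=json`.
# Field names are the Compute Engine instance resource's; values are invented.
INSTANCES = [
    {"name": "prod-db-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-a",
     "labels": {"env": "prod"},
     "deletionProtection": False,
     "canIpForward": False,
     "networkInterfaces": [{"name": "nic0",
                            "accessConfigs": [{"name": "External NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "prod-web-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-b",
     "labels": {"env": "prod"},
     "deletionProtection": True,
     "canIpForward": True,
     "networkInterfaces": [{"name": "nic0",
                            "accessConfigs": [{"name": "External NAT", "natIP": "203.0.113.11"}]}]},
    {"name": "sandbox-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/europe-west1-b",
     "labels": {"env": "sandbox"},
     "deletionProtection": False,
     "canIpForward": False,
     "networkInterfaces": [{"name": "nic0"}]},   # no accessConfigs: internal address only
]

CRITICAL_ENVS = {"prod"}   # assumption: label value(s) that mark production instances


def zone_of(instance):
    """The API returns the zone as a URL; gcloud flags want the short name."""
    return instance["zone"].rsplit("/", 1)[-1]


def external_access_configs(instance):
    """(interface, access-config name, natIP) for every external address on the instance."""
    return [(nic["name"], ac.get("name", "External NAT"), ac["natIP"])
            for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", []) if ac.get("natIP")]


def findings(instance, critical_envs=CRITICAL_ENVS):
    """(code, remediation) pairs for the three settings the correlation alert watches."""
    name, zone = instance["name"], zone_of(instance)
    env = instance.get("labels", {}).get("env")
    out = []
    # 1. Deletion protection: flagged only on instances labelled as critical.
    if env in critical_envs and not instance.get("deletionProtection", False):
        out.append(("deletion_protection_disabled",
                    f"gcloud compute instances update {name} --zone {zone} --deletion-protection"))
    # 2. External IP: flagged on every instance; the fix removes the access config.
    for nic, ac_name, ip in external_access_configs(instance):
        out.append(("external_ip",
                    f"gcloud compute instances delete-access-config {name} --zone {zone} "
                    f'--network-interface {nic} --access-config-name "{ac_name}"  # drops {ip}'))
    # 3. IP forwarding is fixed at instance creation, so the remediation is a review,
    #    and recreation if the instance is not meant to act as a router or NAT.
    if instance.get("canIpForward", False):
        out.append(("ip_forwarding_enabled",
                    f"{name}: canIpForward is set; confirm it is an intended router/NAT or recreate it"))
    return out


def audit(instances, critical_envs=CRITICAL_ENVS):
    """Instances with at least one finding, keyed by instance name."""
    report = {}
    for instance in instances:
        result = findings(instance, critical_envs)
        if result:
            report[instance["name"]] = result
    return report


def codes(report, name):
    """The set of finding codes for one instance (empty set if it was clean)."""
    return {code for code, _ in report.get(name, [])}
```

`audit(INSTANCES)` reports `prod-db-1` for a missing deletion-protection flag plus an external address, and `prod-web-1` for its external address and IP forwarding; `sandbox-1` is clean under the default label set, and shows up only if `sandbox` is added to `critical_envs`. The same approach applies to the Cloud SQL deletion-protection alert earlier on the page by listing instances with `gcloud sql instances list --format=json` instead.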

Correlation Alert - GCP - IAM - Account Access Removal By New Unseen User

This alert is triggered when a new, previously unseen user deletes a service account or its keys. A service account is a special kind of account used by an application or compute workload rather than a person, and is managed by Identity and Access Management (IAM). Note: modify the 2-hour threshold as required.

Impact: A newly added user is normally busy setting up their account and getting familiar with the platform. A new user deleting a service account or its keys is an uncommon event that can significantly affect business operations: service shutdowns, unreachable dependent services, interrupted network traffic and compromised access-management integrity. Deleting a service account removes the identity used by every workload and service that depended on it.

Mitigation: Review the logs to identify the user responsible for the changes. Contact the user to validate the actions and obtain justification. If anything appears suspicious, block or remove the user account immediately and start a thorough investigation. Have the engineering team restore the service account (a deleted account can be undeleted for up to 30 days) or recreate it and its keys, and update the affected services with the new credentials. Going forward, restrict deletion permissions to specific authorized users and grant limited permissions based on role requirements.

MITRE Tactic: TA0040 MITRE Technique: T1531

Building Block - GCP - Cloud DNS - SSL Policy Was Deleted

This alert is triggered when an SSL policy is deleted. SSL policies govern how Cloud Load Balancing negotiates TLS with clients: they let you control the SSL/TLS versions and ciphers that HTTPS and SSL proxy load balancers offer.

Impact: In a production account this can have a critical effect on operational services. Removing a policy from a production load balancer leaves the frontend on the default SSL policy, which may permit older TLS versions and weaker ciphers than the deleted policy allowed, weakening the security of client connections; combined with a misconfigured replacement it can also cause network disruption and service downtime.

Mitigation: Examine the labels of the deleted resource and, if it belongs to a critical account, contact the user for a business justification. Based on the response, close the event or recreate the SSL policy with the same configuration and re-attach it to the affected target proxies.

MITRE Tactic: TA0040 MITRE Technique: T1565

Building Block - GCP - Persistent Disk - New User Assigned to a Disk

This alert is triggered when a user is granted a role on a Persistent Disk. This covers roles such as viewer, owner and read-only access, but not admin roles. Note: modify the roles matched in the query as required.

Impact: Granting a user permissions on a disk exposes it to a range of security threats. The user can act within the granted role, including editing, removing or accessing critical data, and events such as data exfiltration, copying and modification pose critical risks to the disk and its data.

Mitigation: Limit high-level access to administrators and technical leads. Monitor every access grant and verify that it was approved by the manager. Close the case if the request is valid; otherwise remove the user promptly. Confirm that the user performed no critical actions, reviewing the audit logs if necessary.

MITRE Tactic: TA0004 MITRE Technique: T1098

Building Block - GCP - Persistent Disk - User Added to Disk With Admin Privileges

This alert is triggered when an admin role is granted to a user on a Persistent Disk, including roles such as Compute Admin, Security Admin and other admin-level roles. Note: modify the roles matched as required.

Impact: Admin permissions expose the disk to numerous security threats. The user can edit or remove the disk and appoint further administrators, and actions such as data exfiltration, service shutdown, copying or moving data and deletion put the disk and its data at critical risk.

Mitigation: Limit such elevated access to administrators and technical leads. Monitor every access request and verify that it was duly requested and approved by the manager. Close the case if valid, or remove the user promptly if not. Confirm that the user performed no critical actions, reviewing the audit logs if necessary.

MITRE Tactic: TA0004 MITRE Technique: T1098

Building Block - GCP - GKE - ConfigMaps Deleted By a User

This alert is triggered when a user deletes ConfigMaps. A ConfigMap is a Kubernetes object for injecting configuration data into application pods; it decouples configuration artifacts from image content so that containerized applications stay portable.

Impact: ConfigMaps hold non-sensitive configuration such as environment variables or configuration files (sensitive values belong in Secrets, not ConfigMaps). Deleting a ConfigMap does not immediately affect running pods, but any pod that restarts or is rescheduled fails to start if it still references the missing ConfigMap, and services that depended on CA certificates or endpoint settings stored in it lose connectivity, potentially severing the affected service.

Mitigation: Limit such permissions to authorized and administrative users. Contact the user, taking the service type into account, and request justification. If the justification is valid the alert can be resolved; otherwise have the engineering team recreate the ConfigMaps, update the connected services and verify that they reconnect successfully.

MITRE Tactic: TA0040 MITRE Technique: T1489

Correlation Alert - GCP - Audit, BigQuery - Possible Data Destruction Attempts By a New User

This alert is triggered when a user newly added to the GCP project immediately attempts to delete BigQuery tables or datasets. Note: adjust the delete thresholds for tables and datasets, and the 2-hour correlation threshold, as required.

Impact: Deletion of a BigQuery table or dataset by a newly added user is uncommon; users rarely perform such actions immediately after gaining access. It suggests privilege escalation, account takeover, compromise or an insider threat, and puts the data stored in the affected datasets at risk.

Mitigation: Review and validate every new user request, assigning only the permissions approved for the user's daily tasks. Monitor the alert logs, identify the account and request business justification for the deletions, then act on the response. If the activity is suspicious, block the account and suspend its access pending investigation. Depending on data criticality, engage the engineering team to recover the data: BigQuery keeps deleted tables recoverable through time travel for a limited window, after which only backups or snapshots help. If no backup exists, ensure critical datasets get one.

MITRE Tactic: TA0040 MITRE Technique: T1485

Building Block - GCP - Audit - Logs Monitoring Was Disabled

This alert gets triggered when Data Access logging has been disabled. Monitoring this event is highly critical, and it is essential to ensure that logging is consistently enabled to detect any unusual events within your cloud infrastructure.

Impact
Data Access logs cover admin actions as well as data read and write activities, so it is crucial to actively monitor critical events within them. If this logging is disabled, the security team may remain unaware of unusual events that occur in the network.

Mitigation
Promptly contact the engineering team and request a business justification for disabling the service. If approval is granted and the configuration is secure, you may proceed to close the incident. Be sure to examine the Policy Delta, which outlines the changes and the services that have been enabled or disabled.

MITRE Tactic: TA0040
MITRE Technique: T1565

Building Block - GCP - IAM - New User Was Added to IAM Role

This alert gets triggered when a new user is added to the project. It is crucial to confirm the identity of the added user and the extent of permissions assigned to them. Note: If required, you can whitelist the corporate domains to receive an alert only for non-corporate accounts.

Impact
To prevent privilege escalation, misconfiguration, and data security risks, confirm that the appropriate user possesses the correct permissions approved by the owner. Failure to do so could result in a significant security breach or data exfiltration.

Mitigation
Initially, examine the user added to the project (potentially a new employee). Confirm the existence of a ticket for the access request along with the designated access level, and cross-verify this information with the logs. If no ticket is found, contact the project owner to request the necessary ticket and approval.

MITRE Tactic: TA0001
MITRE Technique: T1078

Correlation Alert - GCP - Cloud VPN - Possible Network Connectivity Services Discontinued

This alert gets triggered when a Network Connectivity Center hub and its spokes are deleted by the same user within a short period. Network Connectivity Center is a network connectivity product that employs a hub-and-spoke architecture for the management of hybrid connectivity. Note: The deletion threshold is set to 1 hour; feel free to modify it as per your requirements.

Impact
The hub-and-spoke model is a network architecture in which a central device, or hub, links to numerous other devices, known as spokes. Removing both the hub and spokes can disrupt all network traffic and its designated pathways. This could affect network logging and connection flow, cause operational downtime and unreachable connections, and lead to significant network outages, potentially causing critical business disruptions.

Mitigation
Review the event logs and ascertain the service type. If it appears to be a critical or production service, reach out to the user for justification and proceed accordingly. In case of accidental deletion, contact the engineering team to establish a new service with identical configurations. Validate the affected service and ensure the network resumes normal operation. Subsequently, consider downgrading user permissions as a preventive measure against similar critical changes in the future.

MITRE Tactic: TA0040
MITRE Technique: T1489

Correlation Alert - GCP - CloudSQL - Possible Database Exfiltration Followed By Deletion

This alert gets triggered when a user exports a database instance and then attempts to delete it within 2 hours. Note: For finer tuning, add labels for production and critical databases so that QA and sandbox events can be ignored.

Impact
It is crucial to thoroughly review and verify the data export event, including details such as the destination bucket, data type, user access levels assigned to the destination bucket, and existing security measures. Misconfiguration or a wrong destination could pose a significant security risk to your critical databases and their data. If any unauthorized users are found to have access to the destination bucket, it could further compromise data confidentiality and integrity.

Mitigation
Examine the destination buckets and the users assigned to them to ensure the security of the data. Request valid justification for why the data export is necessary and validate the type of instance being deleted. Subsequently, take appropriate actions based on the provided justification. If a critical database has been deleted, contact the engineering team, restore from backup if possible, block the user account, and revise the permissions. In the future, enable real-time backup for critical databases.

MITRE Tactic: TA0010
MITRE Technique: T1537

Correlation Alert - GCP - Cloud Spanner - RDBMS Database Exfiltration & Deletion

This alert gets triggered when a user schedules an export job for a dedicated RDBMS and then deletes the database. Spanner is a highly scalable database that combines unlimited scalability with relational semantics, such as secondary indexes, strong consistency, schemas, and SQL, providing 99.999% availability in one easy solution. Note: The threshold for this flow alert is set to 3 hours, and a bulk deletion count can also be set to trigger on unusual deletions. Feel free to adjust both as per your requirements.

Impact
This series of events indicates data exfiltration, an insider threat, or account compromise when a user downloads a database and then deletes the database collection or the database itself. This may have a major impact on business operations if a critical database is deleted, such as customer data or internal records, or if a service becomes unavailable because the backend has no records.

Mitigation
Restrict such critical permissions to a limited number of users and admins. Analyze the logs and identify the type of database collection that was exported and then deleted. If it appears to be critical production data, contact the user for validation; if there is no justification, immediately escalate to the engineering team to check the backup status and restore. Then make sure the impacted backend services are validated and working as expected. If required, the user account can be blocked or permissions revised as per the role.

MITRE Tactic: TA0040
MITRE Technique: T1485

Building Block - GCP - Cloud SQL - Database Instance Deleted

This alert gets triggered when a database instance is deleted. Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. Note: Feel free to add a count threshold so that bulk deletion activity triggers the alert.

Impact
The MySQL instance stores a wide range of data, encompassing both business-critical information and test data for quality assurance purposes. Deletion of data suggests an unusual event, or it could be a legitimate activity conducted by the team as part of a scheduled sunset process. Deleting the instance could result in the permanent loss of your database and its records, which could significantly disrupt your organization's operations, erode customer trust and safety, and affect connected applications.

Mitigation
A Cloud SQL instance can be deleted either through the gcloud CLI or the API. Please note: before proceeding with deletion, ensure it is safe to do so. Additionally, verify that deletion protection is disabled for the instance. Since this appears to be a deletion, reach out to the user and request a business justification, considering the type of instance being deleted. Subsequently, take appropriate actions based on the provided justification. In the future, real-time backup can be activated for critical databases to safeguard against such activity.

MITRE Tactic: TA0040
MITRE Technique: T1489

Building Block - GCP - Cloud SQL - Instance Data Export Query Launched

This alert gets triggered when a bulk database data export command is executed by a user. Each SQL database data export consists of one or more rows to be exported into the table in the target database. Each row in the data export will be added to the table, update an existing row in the table, or be ignored.

Impact
It is crucial to thoroughly review and verify the data export event, including details such as the destination bucket, data type, user access levels assigned to the destination bucket, and existing security measures. Misconfiguration or a wrong destination could pose a significant security risk to your critical databases and their data. If any unauthorized users are found to have access to the destination bucket, it could further compromise data confidentiality and integrity.

Mitigation
Examine the destination buckets and the users assigned to them to ensure the security of the data. Request valid justification for why the data export is necessary, and proceed with the next steps accordingly. If valid justification is not provided, cease the data export process.

MITRE Tactic: TA0010
MITRE Technique: T1537

Building Block - GCP - Cloud Spanner - Database Was Deleted

This alert gets triggered when a Spanner database is deleted. Spanner is a fully managed, mission-critical, relational database service that offers transactional consistency at a global scale, automatic synchronous replication for high availability, and support for two SQL dialects: GoogleSQL and PostgreSQL. Note: Add tags to the databases and whitelist the dev/QA tags, or add a count threshold, to receive alerts for critical databases only.

Impact
If critical internal or public customer data stored in the database is deleted, it could have significant repercussions on business operations, potentially leading to reputation damage, compliance penalties, and operational disruptions.

Mitigation
Ensure that database backups are scheduled daily and weekly. Additionally, in case of accidental deletion of the database, promptly contact the user for confirmation. If confirmed, initiate immediate restoration from backup and conduct a thorough review to assess and mitigate any impacts.

MITRE Tactic: TA0040
MITRE Technique: T1485

Correlation Alert - GCP - Persistent Disk - Possible Mass Snapshot Destructions By a Newly Added User

This alert gets triggered when multiple snapshots get deleted by a newly added user within a short period. Note: In this alert, the snapshot count is set to more than 5 in a 20-minute timeframe in the building blocks; feel free to modify it as per your requirements.

Impact
Granting admin permissions to a user exposes dedicated snapshots to various security threats. With admin privileges, the user can edit, remove, and appoint new administrators, enabling actions like data exfiltration, service shutdown, data copying or moving, and deletion that pose critical risks to the disk and its data. If such actions occur in a production environment or on critical images, they could have severe consequences, including service downtime, increased storage usage, data breaches, and other significant impacts on business operations.

Mitigation
Restrict elevated access privileges to administrators and technical leads only. Monitor each access request closely and verify that it has been properly requested and approved by the manager. Close valid cases promptly; otherwise, examine the tags assigned to the snapshot and contact the user accordingly. Consider blocking the user account temporarily to prevent future incidents. Contact the engineering team to explore snapshot recovery options from backups if necessary. Ensure that no critical activities were performed by the user and review audit logs if needed. Implement additional delete protection and enable real-time backups for critical snapshots to mitigate the risk of unexpected events.

MITRE Tactic: TA0040
MITRE Technique: T1489

Correlation Alert - GCP - Persistent Disk - Possible Mass Disk Wipe Attempts By a New User

This alert gets triggered when multiple disks get deleted by a newly added user within a short period. Note: In this alert, the disk count is set to more than 5 in 15 minutes; feel free to modify it as per your requirements.

Impact
Granting admin permissions to a user exposes the dedicated disk to various security threats. With admin privileges, the user can edit, remove, and assign new administrators, enabling actions like data exfiltration, service shutdown, data copying or moving, and deletion that pose significant risks to the disk and its data. If such actions occur in a production or critical environment, they could have severe consequences, including service downtime, increased storage usage, data breaches, and other critical impacts on business operations.

Mitigation
Restrict elevated access privileges to administrators and technical leads only. Monitor access requests closely and verify each request for proper approval from the manager. Close valid cases promptly; otherwise, examine the disk tags and reach out to the user as needed. Consider blocking the user account temporarily to prevent future incidents. Contact the engineering team to explore disk recovery options from backups if necessary. Ensure no critical actions were performed by the user and review audit logs if needed. Implement additional delete protection and enable real-time backups for critical disks to prevent unexpected events like these.

MITRE Tactic: TA0040
MITRE Technique: T1489

Correlation Alert - GCP - Cloud DNS - Possible Network Destruction By Deleting Multiple Services

This alert gets triggered when a newly added user attempts to delete the DNS service and configurations. Note: In this alert, we are checking for DNS zone, backend service, and SSL policy delete events. Feel free to edit the services and threshold timelines as per your requirements.

Impact
Deleting the DNS service and established configurations can significantly disrupt network operations and connection requests. Critical services such as DNS zones, SSL policies, and backend services are essential for ensuring network security and stability. Such actions can result in service interruptions, network flow disruptions, denied requests, unreachable connections, and potential SSL vulnerabilities that may enable unwanted network access and increase the risk of further attacks.

Mitigation
Limit these permissions and require approval before granting access to a new user. Assign appropriate permissions based on business requirements. Analyze the logs to assess the deleted service, determine its criticality, and understand its impact. Contact the user for justification and engage the engineering team to reconfigure the service or revert changes if feasible.

MITRE Tactic: TA0005
MITRE Technique: T1562

Correlation Alert - GCP - GKE - Suspicious Secrets Deletion Observed

This alert gets triggered when a user successfully deletes Secrets after multiple failed attempts. Note: This correlation alert threshold is set to 2 hours. Feel free to modify the timelines as per your requirements.

Impact
This event indicates that a user either lacked the necessary permissions or encountered misconfigurations, resulting in multiple failed attempts before ultimately succeeding in deleting the Secrets. This could have been perpetrated by an unauthorized user or an attacker who exploited other vulnerabilities to achieve success. Moreover, such indicators may point to compromised accounts, leaked secrets, privilege escalation, misconfigurations, and other security concerns.

Mitigation
Examine the alert logs to identify the deleted Secrets. If these Secrets appear critical or are related to production, reach out to the user for an explanation. Concurrently, coordinate with the engineering team to determine whether the deleted Secrets can be recovered. If recovery is not feasible, recreate the Secrets and update the affected service with new credentials. If needed, suspend the user account while the investigation proceeds. For future prevention, consider using a secret manager to securely store sensitive information such as passwords, credentials, tokens, and API keys.

MITRE Tactic: TA0040
MITRE Technique: T1565

Correlation Alert - GCP - Persistent Disk, Snapshot - Unusual Snapshot Development By Non-Corporate Account

This alert gets triggered when a user is granted additional permissions on a disk and immediately creates a snapshot. Note: In this alert, the correlation threshold is set to 3 hours. Feel free to change the duration as per your requirements and whitelist the corporate domains in the building blocks.

Impact
This is a significant scenario: a non-corporate account gains extra privileges on a disk, and the user promptly generates a snapshot of that disk. A user with added permissions on a disk can execute a range of actions such as creating, modifying, deleting, escalating privileges, copying, and so on. Moreover, creating a snapshot of a crucial disk poses an additional risk to internal data security, since it could lead to data copying, exfiltration, or similar unauthorized activities by the user.

Mitigation
This occurrence is out of the ordinary, as the user has recently acquired supplementary permissions and promptly proceeded to create a disk snapshot, which typically is not part of standard business operations. Scrutinize the logs, reach out to the individual who granted the additional permissions to the non-corporate user, and request justification for the action. Subsequently, examine the disk and the data it contains, particularly the data used to generate the snapshot. Engage with the user, and if there is no valid business rationale, promptly remove the snapshot. Additionally, review other audit logs to ensure the user has not transferred or cloned the snapshot to unauthorized locations, and confirm that no abnormal activity related to the disk or snapshot has occurred.

MITRE Tactic: TA0010
MITRE Technique: T1537

Building Block - GCP - GKE - Secrets Was Deleted

This alert gets triggered when a Secret is deleted by a user. A Secret is an object that stores sensitive information, such as passwords, OAuth tokens, and SSH keys.

Impact
Secrets are specifically crafted for safeguarding sensitive data such as passwords, API keys, or TLS certificates. Should vital Secrets be intentionally or inadvertently deleted by the user, this could result in the shutdown or cessation of the affected service, since the essential passwords, tokens, and API keys are no longer available. Consequently, the user would be unable to access these credentials in the future.

Mitigation
Make sure that crucial permissions are restricted solely to authorized and administrative users. Moreover, contact the user based on the service type and request justification. If the user presents valid reasoning, the alert can be addressed; if not, liaise with the engineering team to establish new configuration maps, update the connected service, and confirm that the connection is successfully established.

MITRE Tactic: TA0040
MITRE Technique: T1489

Correlation Alert - GCP - GKE - Suspicious ConfigMaps Deletion Detected

This alert gets triggered when a user successfully deletes ConfigMaps after multiple failed attempts. Note: This correlation alert threshold is set to 2 hours. Feel free to modify the timelines as per your requirements.

Impact
This alert signifies that a user lacked the necessary permissions or encountered misconfigurations, resulting in multiple failed attempts before ultimately succeeding in deleting the ConfigMaps. This could be the result of unauthorized access or an attacker exploiting other vulnerabilities. Such indicators may suggest compromised accounts, leaked secrets, privilege escalation, misconfigurations, and similar security risks.

Mitigation
Review the alert logs to identify the deleted ConfigMaps. If these ConfigMaps are deemed critical or production-related, reach out to the user for justification. Concurrently, engage the engineering team to assess whether the deleted ConfigMaps can be recovered or reconfigured based on the original settings. If necessary, temporarily block the user account pending completion of the investigation.

MITRE Tactic: TA0040
MITRE Technique: T1489

Correlation Alert - GCP - Audit - Possible Defense Evasion Attempts By Newly Added User

This alert gets triggered when a new user added to the Google Cloud Platform attempts to delete monitoring alerts and disable logs monitoring. Note: Feel free to add or remove activities as needed to improve the monitoring capabilities. The threshold is set to 3 hours, but feel free to adjust it as per your requirements.

Impact
The occurrence of these critical events right after granting new permissions raises suspicion and could suggest various security threats, including account compromise, account takeover, insider threats, and privilege escalation. If a user deletes monitoring alerts, the InfoSec team loses visibility and the ability to monitor suspicious activity. Likewise, disabling Data Access logs prevents logging and forwarding to the designated SIEM/security solution for monitoring and alerting. In these scenarios, unusual events may go undetected, allowing attackers to carry out critical activities successfully.

Mitigation
Firstly, implement an approval process before adding a new user to GCP and assign specific permissions based on the user's role and intended activities. Upon alert activation, identify the user account and review the logged activities. Promptly reach out to the user for a business justification if any activity seems suspicious. If warranted, block the user account and revert the activity if feasible. Additionally, engage with the engineering team to confirm that no critical events occurred during the user's access period.

MITRE Tactic: TA0005
MITRE Technique: T1562
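The correlation alerts above share one shape: a trigger event names an identity (a newly added IAM member, or a principal who exported data), and that identity then performs destructive calls within a window. The following is an added example, not part of the Coralogix extension, showing how such a two-stage correlation can be run over Cloud Audit Log entries. It implements the Persistent Disk rule (new member, then more than 5 snapshot or disk deletions in 20 minutes) and the Cloud SQL export-then-delete rule (same principal, 2 hours) as two instances of one generic correlator. All log entries are constructed; the method names follow Cloud Audit Log naming as I know it (SetIamPolicy with a serviceData.policyDelta, v1.compute.snapshots.delete, cloudsql.instances.export) and should be verified against your own logs before use.

```python
"""Two-stage correlation over Cloud Audit Log entries (added example).

Generic rule: an "A" event names an identity, then that identity performs at
least `min_b` "B" events within `window`.  Two instances are shown: an IAM
binding is ADDED for a member who then issues destructive calls, and a
principal exports a Cloud SQL instance and then deletes one.
Entries are constructed; method names are assumptions to verify in real logs.
"""
from datetime import datetime, timedelta


def parse_ts(value):
    """Cloud Audit Log timestamps are RFC 3339 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def method(event):
    return event["protoPayload"]["methodName"]


def principal(event):
    return event["protoPayload"]["authenticationInfo"]["principalEmail"]


def added_members(event):
    """Members whose binding was ADDED, read from the SetIamPolicy policyDelta."""
    delta = event["protoPayload"].get("serviceData", {}).get("policyDelta", {})
    return [d["member"].split(":", 1)[-1]          # "user:x@y" -> "x@y"
            for d in delta.get("bindingDeltas", []) if d.get("action") == "ADD"]


def correlate(events, is_a, key_a, is_b, key_b, window, min_b=1):
    """For each A event and each identity key_a(A) yields, collect B events whose
    key_b equals that identity and that occur within `window` after A.
    A finding is emitted when at least min_b such B events exist."""
    events = sorted(events, key=lambda e: parse_ts(e["timestamp"]))
    findings = []
    for i, a in enumerate(events):
        if not is_a(a):
            continue
        t_a = parse_ts(a["timestamp"])
        for ident in key_a(a):
            hits = [b for b in events[i + 1:]
                    if is_b(b) and key_b(b) == ident
                    and parse_ts(b["timestamp"]) - t_a <= window]
            if len(hits) >= min_b:
                findings.append({"identity": ident, "trigger": method(a),
                                 "trigger_time": a["timestamp"],
                                 "actions": [method(b) for b in hits]})
    return findings


def new_member_then_deletes(events, window=timedelta(minutes=20), min_b=5):
    """Newly added member deletes >= min_b snapshots/disks within the window."""
    destructive = {"v1.compute.snapshots.delete", "v1.compute.disks.delete"}
    return correlate(events,
                     is_a=lambda e: method(e) == "SetIamPolicy",
                     key_a=added_members,
                     is_b=lambda e: method(e) in destructive,
                     key_b=principal, window=window, min_b=min_b)


def export_then_delete(events, window=timedelta(hours=2)):
    """Same principal exports a Cloud SQL instance and deletes one within 2 hours."""
    return correlate(events,
                     is_a=lambda e: method(e) == "cloudsql.instances.export",
                     key_a=lambda e: [principal(e)],
                     is_b=lambda e: method(e) == "cloudsql.instances.delete",
                     key_b=principal, window=window)


def _entry(ts, method_name, who, delta=None):
    """Build a minimal constructed audit entry."""
    payload = {"methodName": method_name,
               "authenticationInfo": {"principalEmail": who}}
    if delta:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": delta}}
    return {"timestamp": ts, "protoPayload": payload}


# Constructed sample log: one burst by a fresh member, one quiet new member,
# one export-then-delete inside the window and one outside it.
SAMPLE = [
    _entry("2024-05-01T10:00:00Z", "SetIamPolicy", "admin@example.com",
           [{"action": "ADD", "role": "roles/compute.storageAdmin", "member": "user:newbie@example.com"}]),
    *[_entry(f"2024-05-01T10:{m:02d}:00Z", "v1.compute.snapshots.delete", "newbie@example.com")
      for m in (5, 7, 9, 11, 13)],
    _entry("2024-05-01T10:30:00Z", "SetIamPolicy", "admin@example.com",
           [{"action": "ADD", "role": "roles/compute.storageAdmin", "member": "user:quiet@example.com"}]),
    _entry("2024-05-01T10:40:00Z", "v1.compute.disks.delete", "quiet@example.com"),
    _entry("2024-05-01T11:00:00Z", "cloudsql.instances.export", "dba@example.com"),
    _entry("2024-05-01T12:30:00Z", "cloudsql.instances.delete", "dba@example.com"),
    _entry("2024-05-01T13:00:00Z", "cloudsql.instances.export", "ops@example.com"),
    _entry("2024-05-01T16:00:00Z", "cloudsql.instances.delete", "ops@example.com"),
]

if __name__ == "__main__":
    for finding in new_member_then_deletes(SAMPLE) + export_then_delete(SAMPLE):
        print(finding)
```

On the sample, only newbie@example.com (five deletions in 13 minutes) and dba@example.com (delete 90 minutes after the export) produce findings; the quiet member stays below the count threshold and the ops principal is outside the 2-hour window. The same `correlate` call serves the BigQuery, Spanner and defense-evasion variants by swapping the method sets and the window.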

Building Block - GCP - Cloud Storage - Unknown File Types Uploaded

This alert gets triggered when an unusual file type is uploaded to a bucket. Cloud Storage is a service for storing your objects in Google Cloud. An object is an immutable piece of data consisting of a file of any format. You store objects in containers called buckets. Note: Add the genuine file formats to the query whitelist as per your corporate requirements.

Impact
This suggests that abnormal files have been uploaded to a bucket, posing a potential risk of malicious activities such as bots, malware, trojans, credential harvesting, and command-and-control (C2) operations.

Mitigation
Examine the file types uploaded to the bucket, remove any unusual files, and limit access to authorized users only.

MITRE Tactic: TA0010
MITRE Technique: T1537

Building Block - GCP - Cloud Storage - User Was Added to a Bucket

This alert gets triggered when a user is added to a bucket or granted access. Cloud Storage is a service for storing your objects in Google Cloud. An object is an immutable piece of data consisting of a file of any format. You store objects in containers called buckets.

Impact
A threat actor might manipulate the permissions of a storage bucket to compromise the security controls of their target. Alternatively, an administrator could unintentionally alter the permissions, potentially resulting in the exposure or loss of data.

Mitigation
System administrators can adjust permissions for storage buckets. Confirm that any modifications to permissions align with anticipated changes. If unexpected permission changes are identified, remove the user from the bucket access.

MITRE Tactic: TA0005
MITRE Technique: T1222

Building Block - GCP - Compute Engine - VM Instance Launched with Enabled IP Forwarding

This alert gets triggered when IP forwarding is enabled for a dedicated VM instance.

Impact
The IP forwarding feature allows the virtual machine (VM) linked to the network interface to accept network traffic not intended for any of the IP addresses specified in the attached IP configurations. It also enables the VM to transmit network traffic with a source IP address different from the one assigned to any of the IP configurations of the network interface.

Mitigation
Regularly review all NICs with active IP forwarding for security and compliance purposes. IP forwarding should be used exclusively by virtual machines that require traffic forwarding, commonly referred to as network virtual appliances. Promptly communicate with the user, examine the IP forwarding routes, and assess the business use case for this occurrence. Ensure that the VM is properly logged and monitored to detect any unusual activities.

MITRE Tactic: TA0042
MITRE Technique: T1585

Building Block - GCP - Compute Engine - External Public IP Was Configured

This alert gets triggered when an external IP is configured on a VM instance. Note: Add more queries to the field to get fine-tuned results.

Impact
Setting up an external public IP address can expand the attack surface of a resource, heightening its susceptibility to internet-based attacks. This configuration may lead to compliance violations if the resource holds sensitive data meant to remain inaccessible from the internet.

Mitigation
To alleviate the potential adverse effects of configuring an external public IP address, it is crucial to adhere to security best practices. These include implementing firewalls to limit access to the resource, consistently monitoring for suspicious activity, and applying timely security patches and updates. Furthermore, give thoughtful consideration to whether an external public IP address is necessary at all, exploring alternative access methods such as VPNs or private networks where applicable.

MITRE Tactic: TA0001
MITRE Technique: T1190
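The two Compute Engine building blocks above both key off settings in the instance creation request. As an added example (not code from the Coralogix extension), the check below inspects the request body of a v1.compute.instances.insert audit entry and flags IP forwarding and external NAT addresses. The field names canIpForward, networkInterfaces[].accessConfigs[].natIP and the ONE_TO_ONE_NAT type are the Compute Engine API's; that the insert body appears under protoPayload.request is an assumption to verify against your logs, and all sample entries are constructed.

```python
"""Flag VM instances created with IP forwarding or an external IP (added example).

Runs over constructed v1.compute.instances.insert audit entries; the request
body location (protoPayload.request) is an assumption to verify.
"""


def external_ips(instance):
    """External addresses attached through NAT access configs.  An access
    config without natIP still means an ephemeral external IP will be assigned,
    so it is reported as "ephemeral" rather than ignored."""
    found = []
    for nic in instance.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            if ac.get("type", "ONE_TO_ONE_NAT") == "ONE_TO_ONE_NAT":
                found.append(ac.get("natIP", "ephemeral"))
    return found


def check_instance_insert(event):
    """Return the list of findings for one instances.insert audit entry."""
    payload = event["protoPayload"]
    if payload["methodName"] != "v1.compute.instances.insert":
        return []
    body = payload.get("request", {})
    findings = []
    if body.get("canIpForward"):
        findings.append("ip_forwarding_enabled")
    ips = external_ips(body)
    if ips:
        findings.append("external_ip:" + ",".join(ips))
    return findings


def audit(events):
    """Map resourceName -> findings for every entry that produced at least one."""
    result = {}
    for e in events:
        findings = check_instance_insert(e)
        if findings:
            result[e["protoPayload"]["resourceName"]] = findings
    return result


def _insert(name, body):
    """Constructed instances.insert audit entry."""
    return {"timestamp": "2024-05-01T08:00:00Z",
            "protoPayload": {"methodName": "v1.compute.instances.insert",
                             "authenticationInfo": {"principalEmail": "ops@example.com"},
                             "resourceName": f"projects/demo/zones/us-central1-a/instances/{name}",
                             "request": body}}


# Constructed sample: a network appliance with forwarding and a static external
# IP, a private-only VM, a VM with an ephemeral external IP, and an unrelated call.
SAMPLE = [
    _insert("nva-1", {"canIpForward": True, "networkInterfaces": [
        {"network": "global/networks/default",
         "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]}),
    _insert("db-1", {"canIpForward": False, "networkInterfaces": [
        {"network": "global/networks/default"}]}),
    _insert("web-1", {"networkInterfaces": [
        {"network": "global/networks/default", "accessConfigs": [{"type": "ONE_TO_ONE_NAT"}]}]}),
    {"timestamp": "2024-05-01T08:05:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.setLabels",
                      "authenticationInfo": {"principalEmail": "ops@example.com"},
                      "resourceName": "projects/demo/zones/us-central1-a/instances/db-1"}},
]

if __name__ == "__main__":
    for resource, findings in audit(SAMPLE).items():
        print(resource, findings)
```

The private-only VM and the setLabels call produce nothing; nva-1 is reported for both settings and web-1 for an ephemeral external address, which is the case a natIP-only match would miss.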

Building Block - GCP - Cloud DNS - DNS Zone Was Deleted

This alert gets triggered when a DNS zone is deleted. Note: If this alert triggers very frequently, feel free to add a threshold for multiple deletions by a single user.

Impact
Services or applications relying on DNS records from the deleted zone would lose the ability to resolve DNS queries. This may result in users being unable to access the services or applications, or it could lead to additional issues if these services or applications depend on DNS records for other functionality.

Mitigation
Regularly check your DNS zones for any signs of unauthorized or malicious deletion. This proactive monitoring approach enables early detection of and response to potential DNS zone attacks, minimizing the risk of significant damage. Implement access controls and authentication measures to restrict the creation of DNS zones in GCP to authorized users.

MITRE Tactic: TA0003
MITRE Technique: T1098

Building Block - GCP - Persistent Disk - Snapshot Admin Permission Assigned to a User

This alert gets triggered when a snapshot admin-level access permission is assigned to a user. A snapshot captures the contents of a disk whether or not the disk is attached to a running virtual machine (VM) instance. This includes instant, archive, and other types of snapshots.

Impact
A snapshot holds vital data such as VM and disk images, instance data, databases, and more. Hence, it is crucial to scrutinize the permissions given to a user and anticipate potential abuse of the assigned privileges, whether intentional or unintentional. Some actions to be mindful of include granting someone else admin privileges, privilege escalation, copying the snapshot, editing, deleting, viewing its data and databases, and downloading metadata.

Mitigation
Limit such elevated access exclusively to administrators and technical leads. Monitor each access grant request meticulously and verify that it has been properly requested and approved by the manager. If the request is valid, take appropriate action; otherwise, promptly remove the user. Additionally, ensure that the user has not engaged in any critical activities, and if necessary, review the audit logs.

MITRE Tactic: TA0004
MITRE Technique: T1098

Building Block - GCP - Persistent Disk - Snapshot Permissions Assigned to a User

This alert gets triggered when a snapshot access permission is assigned to a user. A snapshot captures the contents of a disk whether or not the disk is attached to a running virtual machine (VM) instance. This includes instant, archive, and other types of snapshots. Note: Feel free to add the specific non-admin permissions you are most concerned about.

Impact
A snapshot holds essential information such as VM and disk images, instance data, databases, and more. Therefore, it is crucial to examine the permissions assigned to a user and the extent to which they could potentially misuse the granted privileges, whether intentionally or unintentionally. Some actions include copying the snapshot, editing, deleting, viewing its data and databases, and downloading metadata.

Mitigation
Limit such elevated access solely to administrators and technical leads. Monitor each access request closely and ensure that any granted access is valid and approved by the manager. If the request is valid, proceed accordingly; otherwise, promptly remove the user. Additionally, verify that no critical activities were undertaken by the user, and if necessary, review the audit logs.

MITRE Tactic: TA0004
MITRE Technique: T1098

Building Block - GCP - Persistent Disk - Unusual Snapshot Creation Using Non-Corp. Account

This alert gets triggered when a snapshot is created from a non-corporate account. Note: Adjust the domain whitelisting as per your corporate domains.

Impact
A snapshot contains crucial data such as VM and disk images, instance data, databases, and more. Therefore, it is essential to examine snapshots created with non-corporate email addresses. This could suggest various issues such as compromised accounts or projects, unauthorized access, newly granted domains, misconfigurations, and more.

Mitigation
Limit such elevated access exclusively to administrators and technical leads. Monitor every request and verify the email used for creating the service. Consult with IT or infrastructure engineering to confirm the account status. Close the case accordingly if validated; otherwise, promptly remove the user. Ensure that no critical activity was conducted by the user, and if necessary, review the audit logs.

MITRE Tactic: TA0003
MITRE Technique: T1098

Building Block - GCP - IAM - Access Discovery Was Performed

This alert gets triggered when a user checks whether a specific user or service account has permission to perform a particular action on a resource. Note: In this alert, the condition is set to more than 5 attempts in 10 minutes. Please feel free to adjust the conditions as per your requirements.

Impact
This is a significant event if conducted by an unknown user, as it involves repeatedly checking the level of permissions assigned to a user through multiple 'check access' attempts. If additional permissions are discovered, an attacker could exploit these privileges to manipulate production services, potentially leading to actions such as editing, deleting, privilege escalation, copying, or shutdown.

Mitigation
Review the user and the targeted account involved in the repeated 'check access' event. Contact the user to inquire about the reason for performing multiple 'check access' attempts on the individual account. If the activity appears to be a legitimate test to verify permissions, close the case. However, if it involves an unrelated user engaging in this behavior, issue a warning or, if necessary, temporarily block the user's permissions and inform the appropriate manager about these unusual events.

MITRE Tactic: TA0007
MITRE Technique: T1087

Building Block - GCP - GKE - Multiple Failed Attempts to Delete the ConfigMaps

This alert gets triggered when a user attempts to delete multiple ConfigMaps and fails due to some restriction. Note: In this alert, the threshold is set to more than 3 attempts per user within a 10-minute timeframe. Please feel free to change it as per your requirements.

Impact
These repeated failed attempts may arise from various issues such as connection problems, restricted permissions, access denial, or malicious attempts by attackers to delete data. Deleting such data could lead to the loss of future connections, rendering the configured cluster and services useless due to the absence of necessary credentials or tokens.

Mitigation
Examine the logs to ascertain the user's identity, reach out to the user, and verify the validity of the reasons documented in the logs. Prompt the user to obtain the necessary permissions if needed; otherwise, notify the administrator to delete the specified data with appropriate approval, or address integration issues based on the findings of the root cause analysis.

MITRE Tactic: TA0040
MITRE Technique: T1489

Building Block - GCP - GKE - Multiple Failed Attempts to Delete the Secrets

This alert gets triggered when a user attempts to delete multiple Secrets and fails due to some restrictions.

Note: In this alert, the threshold is established for over 3 attempts per user within a 10-minute timeframe.

Impact
Secrets serve the purpose of storing sensitive data such as passwords, API keys, or TLS certificates. Multiple unsuccessful attempts may stem from diverse issues including connection difficulties, limited permissions, access denial, or malicious endeavors by attackers aiming to delete data.

Mitigation
Examine the logs to ascertain the user's identity, reach out to the user, and verify the validity of the reasons documented in the logs. Prompt the user to obtain the necessary permissions if needed; otherwise, notify the administrator to delete the specified data with appropriate approval, or address integration issues based on the findings of the root cause analysis.

MITRE Tactic: TA0040
MITRE Technique: T1489

Building Block - GCP - Cloud SQL - Delete Protection Disabled for Existing Database

This alert gets triggered when delete protection is disabled for an existing database where the protection was enabled earlier and has now been turned off.

Note: For further fine-tuning, add labels for production and critical databases so that events from QA and sandbox databases can be ignored.

Impact
This occurrence could endanger your critical and production databases, as they then lack an additional layer of confirmation for database deletion. Consequently, such instances could lead to data loss, disruptions in business operations, loss of client data, damage to reputation, and potential regulatory consequences.

Mitigation
Delete protection enhances the security of critical databases by requiring confirmation even if a user unintentionally or intentionally attempts to delete them. Therefore, when this protection is disabled, it is essential to reach out to the user for verification and ensure that the database is not in use before proceeding with the change.

MITRE Tactic: TA0005
MITRE Technique: T1578

Building Block - GCP - Datastore - Data Exported From Datastore

This alert gets triggered when a user downloads files/data from the datastore. Data from a Datastore mode database can be exported and seamlessly imported into another Datastore mode database, even across different projects.

Impact
Exporting data to offline storage, another project, or a different datastore can potentially jeopardize data security, leading to risks such as exposure, unauthorized access, and leakage. Additionally, such actions could result in compliance violations and substantial penalties for the organization.

Mitigation
Ensure that crucial operations like data export are limited to administrator users possessing monitoring capabilities, adhering to the Zero Trust framework for robust data security. Verify the destination of the data export in collaboration with the user and assess its business justification; if none exists, promptly remove the exported data.

MITRE Tactic: TA0010
MITRE Technique: T1567

Building Block - GCP - Cloud Spanner - Database Export Job Was Created

This alert gets triggered when a database export job is created. The Dataflow connector for Spanner lets you read data from and write data to Spanner in a Dataflow pipeline, optionally transforming or modifying the data.

Impact
Detecting and preventing unauthorized database exports is vital to safeguarding sensitive data. Misconfigurations in Dataflow can inadvertently expose data to unauthorized users, leading to data modifications and potential public disclosure online.

Mitigation
Access to these settings should be granted solely to administrators and authorized users. Additionally, when such an event is triggered, gather pertinent details such as database type, name, and destination. Subsequently, reach out to the user for confirmation and a business justification. If deemed necessary, halt the database export and delete any data transmitted during this period from the destination.

MITRE Tactic: TA0010
MITRE Technique: T1029

Building Block - GCP - GKE - Restore Plan Was Deleted

This alert gets triggered when a user deletes a restore plan. After a backup is created, administrators can create a restore for that backup, which initiates the restoration of some portion of the contents of that backup into a target cluster.

Note: Please feel free to set the count threshold to receive an alert only for bulk deletions.

Impact
In GKE, the restore plan houses multiple restoration points, each linked to a backup for data recovery in the event of loss. Deleting the restore plan eliminates the last resort for data retrieval, potentially leading to irreversible data loss. This could significantly impact database availability, operational continuity, and service delivery due to the absence of critical data when needed.

Mitigation
Ensure that crucial permissions are limited exclusively to administrators and diligently monitor all activities to prevent the deletion of any restore plans without a valid business justification or plan expiration. Reach out to the user for clarification and details, and conclude the investigation accordingly. If necessary, reinitiate the backup process to ensure that the ability to restore from backup is re-established.

MITRE Tactic: TA0040
MITRE Technique: T1485

Building Block - GCP - GKE - Backup Plan Was Deleted

This alert gets triggered when a user deletes a backup plan. Backup for GKE consists of two main components: a service that runs in Google Cloud and supports a resource-based REST API, which serves as the control plane for Backup for GKE, and Google Cloud console UI elements that interact with this API.

Note: Please feel free to set the count threshold to receive an alert only for bulk deletions.

Impact
In GKE, a backup plan encompasses multiple backups, each tailored with its own set of configured files, applications, and data. Deleting a backup plan could result in the removal of numerous backups, leaving your data vulnerable without additional copies to rely on in case of modifications, erasures, or compromises to the original data. Such an action could have significant repercussions on your business operations, infrastructure, and the integrity of data crucial for integrations.

Mitigation
Ensure that critical permissions are limited exclusively to administrators, and diligently monitor each activity to prevent unauthorized deletion of backups unless a valid business justification or data expiry is provided. Reach out to the user for clarification and details; once the investigation is satisfactorily concluded, proceed with closure. Alternatively, if necessary, promptly restore the backup to its previous state, ensuring it is configured as expected.

MITRE Tactic: TA0040
MITRE Technique: T1485

Building Block - GCP - Cloud Domains - Backend Service Was Deleted

This alert gets triggered when a backend service is deleted. A backend service determines the distribution of traffic in Cloud Load Balancing. The configuration of the backend service includes a set of parameters, such as the protocol for connecting to backends, diverse distribution and session settings, health checks, and timeouts.

Impact
If such an event occurs in a production account, it can have a significant impact on operational services, including integration issues, network disruptions, and service downtime.

Mitigation
Examine the service to determine if it was part of scheduled testing as indicated by the tags. If it was, consider the case closed. Otherwise, promptly reach out to the user, seek justification, and if it was an error, take immediate action to either restore from a backup or reconfigure the service.

MITRE Tactic: TA0040
MITRE Technique: T1565

Building Block - GCP - BigQuery - Dataset Was Deleted

This alert gets triggered when a user deletes a targeted dataset. Datasets are top-level containers that are used to organize and control access to your tables and views. A table or view must belong to a dataset, so you need to create at least one dataset before loading data into BigQuery.

Note: If this alert fires frequently given the nature of your organization, feel free to increase the threshold so that only unusual deletes are reported.

Impact
A dataset serves as the initial gateway for accessing and viewing tables. It is crucial to regularly review dataset configurations and user access permissions to mitigate unauthorized data access and potential exposure. Additionally, unauthorized users may also pose a risk of data deletion, potentially resulting in significant data loss.

Mitigation
Regularly assess dataset configurations and user permissions to ensure secure data access. Limit deletion capabilities to authorized users exclusively. In the event of an unauthorized deletion, examine production environment logs and contact the user for a business justification. If none is provided, restore the tables from backup and reconfigure affected services accordingly.

MITRE Tactic: TA0005
MITRE Technique: T1578

Building Block - GCP - BigQuery - Table Was Deleted

This alert gets triggered when a table from a dataset is deleted. A BigQuery table contains individual records organized in rows. Each record is composed of columns (also called fields).

Note: If this alert fires frequently given the nature of your organization, feel free to increase the threshold so that only unusual deletes are reported.

Impact
A table serves as the designated repository for storing records or values within the BigQuery database. Deletion of such tables can have significant ramifications for your business operations, ranging from service disruptions and database errors to data loss, ultimately affecting customer experience and potentially tarnishing your business reputation.

Mitigation
Prohibit regular users from initiating such activities and maintain vigilant oversight over such occurrences. Ensure clear segregation between production and QA environments. As a proactive measure, enable daily data backups for critical tables. In the event of such a critical event, promptly engage the user for a business justification. If none is provided, reconfigure the table or restore it from backup, conducting a thorough impact analysis to verify the seamless functionality of business services.

MITRE Tactic: TA0005
MITRE Technique: T1578

Building Block - GCP - Compute Engine - New User Added to a VM Instance As Admin

This alert gets triggered when a new user has been added to an existing VM instance as an owner with full access.

Impact
Verifying the authorization of the user added to a VM instance is crucial. The inclusion of an unauthorized user in a VM could result in potential risks, including data exfiltration, configuration alterations, and a significant impact on business operations.

Mitigation
Reach out to the individual who added the user, request an approval ticket for the same user, and proceed with subsequent actions based on the provided approval.

MITRE Tactic: TA0004
MITRE Technique: T1098

Building Block - GCP - Compute Engine - New User Added to a VM Instance

This alert gets triggered when a new user has been added to an existing VM instance. The permission could be anything: editor, reader, service-specific, etc.

Note: Feel free to edit the required permission settings only.

Impact
It is crucial to verify the user added to a VM instance and confirm their access authorization. The addition of an unauthorized user to a VM can result in potential risks such as data exfiltration, configuration changes, and significant business impact.

Mitigation
Reach out to the owner who added the user, request an approval ticket for the same user, and proceed with appropriate actions based on the provided approval.

MITRE Tactic: TA0004
MITRE Technique: T1098

Building Block - GCP - IAM - User Was Added to an IAM Role

This alert gets triggered when a user is added to an IAM role.

Impact
A change in a user's role affects the user's ability to access the services within the project. An attacker can manipulate user roles to grant themselves more privileges or revoke access from other users.

Mitigation
Examine and confirm the action, ensuring that the user linked to the role possesses exactly the permissions that should be assigned. If not, remove the user, review the modifications, and mandate that such actions only take place following the appropriate approvals from authorized individuals with valid tickets/emails.

MITRE Tactic: TA0003
MITRE Technique: T1098

Building Block - GCP - Datastore - Database Was Deleted

This alert gets triggered when a user deletes a database. The database houses a collection of entities, datasets, and values, enabling the processing and presentation of results to the connected application.

Note: Kindly feel free to add a count threshold in the query to trigger an alert only for bulk deletions.

Impact
The deletion of a database can significantly disrupt business operations, leading to data loss, damage to brand reputation, and potential compliance penalties. Data loss may also erode trust among existing and potential users, as they may question the organization's commitment to protecting their data through robust security measures.

Mitigation
Implement stringent access controls and establish an approval process for critical events. Ensure daily database backups are enabled to meet compliance requirements. Upon reviewing logs, if the deletion pertains to staging or sandbox environments, you may close the alert. Otherwise, contact the user to request a business justification. In the event of accidental deletion, restore the database from backup and investigate the associated business impact.

MITRE Tactic: TA0040
MITRE Technique: T1485

Building Block - GCP - Audit - Monitoring Alert Was Deleted

This alert gets triggered when a monitoring alert/policy has been deleted by a user. Usually, such events do not occur unless testing is in progress or someone is intentionally trying to hide unusual activity.

Impact
Such deletions are usually performed either by an attacker to clear traces and alarms so that they can carry out further unusual activity without anyone being notified, or by the operations team during testing. Deleting a policy stops notifications for that individual policy; after that, an attacker can perform unusual activities and no one will come to know about it.

Mitigation
Restrict such permissions to the admin or security team only. Also, reach out to the concerned team/user for a business justification, and take the next step accordingly.

MITRE Tactic: TA0040
MITRE Technique: T1485

Building Block - GCP - Compute Engine - Multiple VM Instances Deleted

This alert gets triggered when multiple VM instances are deleted within a specific interval of time.

Note: For this alert, the set condition is more than 10 VM deletions in 15 minutes. Please fine-tune the condition as per your requirements.

Impact
Monitoring VM deletions in the production account is crucial. Typically, deletion activity of this nature should not occur in production or critical accounts. However, if it does, it could have a significant impact on business operations, leading to data loss, service downtime, and other critical consequences.

Mitigation
Verify that the VM deletion protection setting is activated for critical and production accounts. If a deletion event occurs in a critical account, promptly contact the user to obtain business approval and proceed with the necessary actions.

MITRE Tactic: TA0040
MITRE Technique: T1489

Building Block - GCP - Compute Engine - Multiple VM Instances Suspended OR Stopped

This alert gets triggered when multiple VM instances are suspended or stopped within a specific interval of time.

Note: For this alert, the set condition is more than 10 VMs suspended or stopped in 15 minutes. Please fine-tune the condition as per your requirements.

Impact
Suspended instances preserve the guest OS memory, device, and application state. Google charges for the storage necessary to save instance memory. You can only suspend an instance for up to 60 days; after 60 days, the instance is automatically moved to the TERMINATED state. It is important to check that unnecessary VMs are not running, as they may have a high cost implication depending on the configuration set by the user. Conversely, if a critical instance has been suspended or stopped by an unauthorized user or by mistake, this may impact your business operations and integrations and cause service downtime.

Mitigation
Check with the user whether the VM is no longer needed and, if so, have it deleted so that the cost can be saved, then close the case. If a critical instance has been suspended/stopped by mistake, get it resumed/started immediately.

MITRE Tactic: TA0040
MITRE Technique: T1529

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Correlation Extension in our documentation.
