
Quick Start Security for GCP Persistent Disk

GCP Persistent Disk

Out-of-the-Box Security For GCP Persistent Disk Includes:

Alerts - 7

Stay on top of GCP Persistent Disk key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Multiple Disks Deleted by a Single User

This alert is triggered when a single user deletes multiple disks within the set timeframe.

Note: the default threshold is more than 5 disks deleted within a 15-minute window. Tune it to your environment.

Impact: In a production environment, or where the deleted disks back critical services, this can cause service downtime, loss of any data that was not captured in a snapshot, and loss of recovery points.

Mitigation: Examine the labels on the deleted disks, identify the user, and ask for the business justification before deciding on the next step. If the deletion was not justified, recreate the disks with the same configuration (from the latest snapshot, where one exists) and attach them to the affected services. Additionally, protect critical disks against deletion and grant the compute.disks.delete permission only to power or admin users.

MITRE Tactic: TA0040 MITRE Technique: T1485

Multiple Disks Created by a Single User

This alert is triggered when a single user creates multiple disks within the set timeframe.

Note: the default threshold is more than 5 disks created within a 15-minute window. Tune it to your environment.

Impact: Disk configuration (disk type, allocated size, access mode and encryption settings) should be monitored to ensure that only authorized, policy-conformant storage is attached to a service. Bulk disk creation by one user is not routine activity; it can indicate an attacker staging resources, driving up cost, or provisioning storage in which to hide malicious content.

Mitigation: Review the configuration of the new disks and the business need for them. If anything deviates from corporate policy and there is no valid business justification, contact the user to address it, and delete any disks that serve no purpose. Additionally, consider restricting the compute.disks.create permission to power or admin users.

MITRE Tactic: TA0042 MITRE Technique: T1585

A New Disk was Created with High Volume Capacity

This alert is triggered when a new disk is created with a very large capacity.

Note: the default condition is a disk size greater than 40000 GB, up to 65536 GB (64 TB, the largest persistent disk GCP allows). Adjust the threshold to your business policy.

Impact: Disk configuration (disk type, allocated size, access mode and encryption settings) should be monitored to ensure that only authorized, policy-conformant storage is attached to a service. Creating an exceptionally large disk is rare; it can consume quota, disrupt operations, and cause a substantial unexpected cost, often for data that does not need to be stored at all.

Mitigation: Examine the configuration and the business purpose for a disk of this size: what data will be stored on it and what its lifecycle is. If the size is not justified or does not align with corporate policy, recreate the disk at the required size and delete the oversized one (a persistent disk can be grown but not shrunk), unless there is a valid business justification.

MITRE Tactic: TA0042 MITRE Technique: T1585

Disk Image File was Created

This alert is triggered when a disk image is created.

Impact: An image captures the full contents of a disk and can be shared across projects or exported. An unnecessary or misconfigured image can therefore lead to unauthorized access, data exfiltration, downloading of data, and discovery of internal configuration.

Mitigation: Reach out to the user, confirm the activity, and make sure corporate best practices were followed along with a business justification; otherwise have the image deleted if it is not in use.

MITRE Tactic: TA0042 MITRE Technique: T1585

Disk Image File was Deleted

This alert is triggered when a disk image is deleted.

Impact: This event can lead to data loss, disrupted business operations, and service downtime if instances or instance templates depend on the deleted image.

Mitigation: Reach out to the user and confirm the activity. If it has a genuine business justification, close the case; otherwise recreate the image from the source disk or a snapshot with the same configuration and update the impacted services.

MITRE Tactic: TA0040 MITRE Technique: T1489

A New Clone Disk was Created from an Existing Disk

This alert is triggered when a new disk is created by cloning an existing disk.

Impact: If the clone was not authorized, it suggests the account has been compromised: a clone gives the actor a complete copy of the data, which can be attached elsewhere, manipulated, or exfiltrated.

Mitigation: Verify with the user, request the business justification, and review the configuration settings of the cloned disk to ensure it adheres to best practices.

MITRE Tactic: TA0009 MITRE Technique: T1530

Snapshot was Deleted

This alert is triggered when a snapshot is deleted.

Impact: Snapshot deletion is normally routine (for example, by a retention policy). However, if it is initiated by an unexpected user or involves snapshots of critical disks, it can destroy recovery points and result in data loss that impacts operations.

Mitigation: Reach out to the user to confirm the activity if it involves a critical disk or snapshot; otherwise close the alert. Additionally, consider restricting snapshot deletion to power and admin users only.

MITRE Tactic: TA0040 MITRE Technique: T1489
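The seven alert conditions above, replayed over constructed Cloud Audit Logs entries in a stand-alone Python script. This is an added example, not Coralogix's alert definition and not code from this page: the audit-log methodName values, the disks.insert request-body field names (sizeGb, sourceDisk), the principalEmail/resourceName/timestamp layout, and every sample log line are assumptions made for illustration. The count alerts use the page's defaults (more than 5 events by one user in 15 minutes) and the size alert the page's 40000 GB to 65536 GB band.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
COUNT_THRESHOLD = 5        # "more than 5" events by one user inside the window
MIN_LARGE_GB = 40000       # lower bound of the high-capacity condition
MAX_PD_GB = 65536          # 64 TB, the largest persistent disk GCP allows

# Alerts that fire on a single audit-log methodName, no counting needed.
SINGLE_EVENT_ALERTS = {
    "v1.compute.images.insert": "Disk Image File was Created",
    "v1.compute.images.delete": "Disk Image File was Deleted",
    "v1.compute.snapshots.delete": "Snapshot was Deleted",
}

def parse_entry(raw_line):
    """Extract the fields the alerts need from one JSON audit-log line."""
    entry = json.loads(raw_line)
    payload = entry["protoPayload"]
    return {
        "ts": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        "user": payload["authenticationInfo"]["principalEmail"],
        "method": payload["methodName"],
        "resource": payload.get("resourceName", ""),
        "request": payload.get("request", {}),
    }

class DiskAlerter:
    """Stateful evaluator with one sliding 15-minute window per (user, method)."""

    def __init__(self):
        self._windows = defaultdict(deque)

    def _crosses_threshold(self, user, method, ts):
        # Expire events older than the window, then fire exactly once: on the
        # event that takes the count from 5 to 6, not on every later event.
        window = self._windows[(user, method)]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        return len(window) == COUNT_THRESHOLD + 1

    def evaluate(self, e):
        """Return the (alert name, user, resource) tuples one entry triggers."""
        fired = []
        method, user, resource, request = e["method"], e["user"], e["resource"], e["request"]
        if method in SINGLE_EVENT_ALERTS:
            fired.append((SINGLE_EVENT_ALERTS[method], user, resource))
        elif method == "v1.compute.disks.delete":
            if self._crosses_threshold(user, method, e["ts"]):
                fired.append(("Multiple Disks Deleted by a Single User", user, resource))
        elif method == "v1.compute.disks.insert":
            if self._crosses_threshold(user, method, e["ts"]):
                fired.append(("Multiple Disks Created by a Single User", user, resource))
            # sizeGb / sourceDisk are assumed to match the disks.insert request
            # body as logged; verify against your own log schema.
            size_gb = int(request.get("sizeGb", 0))
            if MIN_LARGE_GB < size_gb <= MAX_PD_GB:
                fired.append(("A New Disk was Created with High Volume Capacity", user, resource))
            if request.get("sourceDisk"):
                fired.append(("A New Clone Disk was Created from an Existing Disk", user, resource))
        return fired

def run_alerts(raw_lines):
    """Evaluate lines in timestamp order; log delivery order is not guaranteed."""
    alerter = DiskAlerter()
    fired = []
    for e in sorted((parse_entry(line) for line in raw_lines), key=lambda e: e["ts"]):
        fired.extend(alerter.evaluate(e))
    return fired

def _log(ts, user, method, resource, request=None):
    """Build a constructed audit-log line carrying only the fields used above."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "authenticationInfo": {"principalEmail": user}, "methodName": method,
        "resourceName": resource, "request": request or {}}})

ZONE = "projects/demo-project/zones/us-central1-a"
# Constructed sample: alice deletes six disks in ten minutes, bob creates a
# 50000 GB disk, carol clones prod-db, dave deletes a snapshot, eve creates
# three small disks (below the threshold, so nothing fires for her).
SAMPLE_LOGS = (
    [_log(f"2024-05-01T10:{2 * i:02d}:00Z", "alice@example.com",
          "v1.compute.disks.delete", f"{ZONE}/disks/old-{i}") for i in range(6)]
    + [_log("2024-05-01T10:20:00Z", "bob@example.com", "v1.compute.disks.insert",
            f"{ZONE}/disks/archive", {"name": "archive", "sizeGb": "50000"}),
       _log("2024-05-01T10:21:00Z", "carol@example.com", "v1.compute.disks.insert",
            f"{ZONE}/disks/prod-db-copy", {"name": "prod-db-copy", "sizeGb": "500",
                                            "sourceDisk": f"{ZONE}/disks/prod-db"}),
       _log("2024-05-01T10:22:00Z", "dave@example.com", "v1.compute.snapshots.delete",
            "projects/demo-project/global/snapshots/prod-db-2024-04-30")]
    + [_log(f"2024-05-01T10:{30 + i:02d}:00Z", "eve@example.com", "v1.compute.disks.insert",
            f"{ZONE}/disks/scratch-{i}", {"name": f"scratch-{i}", "sizeGb": "10"}) for i in range(3)]
)

if __name__ == "__main__":
    for name, user, resource in run_alerts(SAMPLE_LOGS):
        print(f"{name}: {user} on {resource}")
```

Running the script prints four alerts, one each for alice's sixth deletion, bob's 50000 GB disk, carol's clone and dave's snapshot deletion. The sliding window fires once when the count crosses the threshold rather than on every later event, which is the behaviour you want before the alert is routed to Slack or PagerDuty; the sort in run_alerts matters because a single late-arriving log line would otherwise be counted against the wrong window.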

Documentation

Learn more about Coralogix's out-of-the-box integration with GCP Persistent Disk in our documentation.
