Quick Start Security for GCP VM Manager
Thank you!
We got your information.
Coralogix Extension For GCP VM Manager Includes:
Alerts - 4
Stay on top of GCP VM Manager key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
API Keys Created By an Unknown User
This alert gets triggered when a new user creates an API key. Note: The user might be newly onboarded or unauthorized. Please feel free to change the domain whitelisting as per your corporate infrastructure. Impact An unauthorized or unfamiliar user poses a potential risk when generating API keys. These keys carry significant privileges to connect to or retrieve critical data from the designated application. In such scenarios, an unauthorized user could endanger the application and its data, leading to potential risks such as data exfiltration, misconfigurations, unauthorized access to high privileges, and more. Mitigation Firstly, examine the username and the type of keys that have been configured. Verify if there is an onboarding ticket for the user corresponding to this level of GCP access that aligns with the API permissions. If not, reach out to the user and request clarification and authorization for access. If any aspect seems suspicious, reach out to the engineering team to consider blocking the user or revoking their access. Finally, rotate or delete any unused keys generated by the unauthorized user. MITRE Tactic: TA0010 MITRE Technique: T1020
OAuth Application Configured By an Unknown User
This alert gets triggered when a new OAuth application was configured by an unknown user. This alert includes all the different types of applications- Web Applications, Android, Chrome Extension, IOS, Desktop, etc. Note: The user might be newly onboarded or unauthorized. Therefore, please conduct an investigation accordingly and consider whitelisting or selecting the critical application type "protoPayload.request.client.type" and the domain names as needed. Impact An unauthorized or recently added user poses a potential risk when creating OAuth applications. These applications contain vital information regarding the application, permissions, authorized users, packages, and more. In such instances, an unauthorized user could jeopardize the application and its data, potentially leading to data exfiltration, misconfigurations, unauthorized high-level access, deployment of the application without adequate testing and quality assurance, and other risks. Mitigation Begin by reviewing the username and OAuth configuration type. Verify if there is an onboarding ticket for the user with this level of GCP access that aligns with the OAuth configuration. If no such ticket exists, reach out to the user for justification and access permissions. If any aspect seems suspicious, contact the engineering team to consider blocking the user or revoking access. Finally, remove the OAuth application and any associated data created by the unauthorized user. MITRE Tactic: TA0010 MITRE Technique: T1020
Bulk API Keys Deleted By a User
This alert gets triggered when multiple API keys have been deleted by a user. Note: In this alert, the keys threshold is set to more than 3 keys in 10 minutes. Please feel free to adjust this threshold as per your requirements. Impact Removing API keys will sever or disrupt the integrations/automations established by administrators to access application-related data. This action could render the service inaccessible, result in data disconnection, affect user experience, and potentially damage business reputation, particularly if the API is associated with a production application. Mitigation Limit permissions for such critical events to authorized personnel and administrators exclusively. Examine the event logs, determine the user involved, and request clarification regarding the type and purpose of the API keys. If the event seems legitimate or a test, it can be closed; otherwise, configure new APIs and replace all older ones. Additionally, conduct a comprehensive investigation, as this could significantly affect business operations and clients. MITRE Tactic: TA0040 MITRE Technique: T1489
OAuth Application Was Deleted By a User
This alert gets triggered when an existing OAuth application was deleted by a user. This alert encompasses various application types, such as Web Applications, Android, Chrome Extension, iOS, Desktop, and others. Note: Kindly whitelist or designate the critical application type "protoPayload.request.client.type" as necessary. Impact Removing an OAuth application will sever or disrupt the SSO/SAML and access permissions for all users assigned by administrators to access the application. This action could render the service inaccessible, result in data disconnection, and impact the user experience, among other consequences. Mitigation Limit permissions for such critical events to authorized personnel and administrators exclusively. Review the event logs, identify the user involved, and request justification and details regarding the deleted OAuth application. If the event seems legitimate or a test, it can be closed; otherwise, configure a new OAuth application and rectify any affected services. Additionally, conduct a comprehensive investigation, as this could significantly impact business operations and clients. MITRE Tactic: TA0040 MITRE Technique: T1489
Integration
Learn more about Coralogix's out-of-the-box integration with GCP VM Manager in our documentation.