From 2ffcc411f8f6fdff15d163bad25e585ea22206f8 Mon Sep 17 00:00:00 2001 From: akozlovets098 Date: Mon, 11 Dec 2023 15:26:53 +0200 Subject: [PATCH] Add references to rules (gcp_audit_rules) --- rules/gcp_audit_rules/gcp_bigquery_large_scan.yml | 4 ++-- rules/gcp_audit_rules/gcp_destructive_queries.yml | 2 +- rules/gcp_audit_rules/gcp_unused_regions.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml b/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml index 1734ebdd9..f29330f5f 100644 --- a/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml +++ b/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml @@ -3,9 +3,9 @@ Description: Detect any BigQuery query that is doing a very large scan (> 1 GB). DisplayName: "GCP BigQuery Large Scan" Enabled: true Filename: gcp_bigquery_large_scan.py -Reference: +Reference: https://cloud.google.com/bigquery/docs/running-queries Severity: Info -Tests: https://cloud.google.com/bigquery/docs/running-queries +Tests: - ExpectedResult: false Log: insertid: ABCDEFGHIJKL diff --git a/rules/gcp_audit_rules/gcp_destructive_queries.yml b/rules/gcp_audit_rules/gcp_destructive_queries.yml index aea28a201..811a45657 100644 --- a/rules/gcp_audit_rules/gcp_destructive_queries.yml +++ b/rules/gcp_audit_rules/gcp_destructive_queries.yml @@ -1,6 +1,6 @@ AnalysisType: rule Description: Detect any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate. -DisplayName: "'GCP Destructive Queries '" +DisplayName: "GCP Destructive Queries" Enabled: true Filename: gcp_destructive_queries.py Reference: https://cloud.google.com/bigquery/docs/managing-tables diff --git a/rules/gcp_audit_rules/gcp_unused_regions.yml b/rules/gcp_audit_rules/gcp_unused_regions.yml index 654747d25..7d8eff7af 100644 --- a/rules/gcp_audit_rules/gcp_unused_regions.yml +++ b/rules/gcp_audit_rules/gcp_unused_regions.yml 
@@ -18,7 +18,7 @@ Severity: Medium Description: > Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Runbook: Validate the user making the request and the resource created. -Reference: https://attack.mitre.org/techniques/T1535/ +Reference: https://cloud.google.com/docs/geography-and-regions SummaryAttributes: - severity - p_any_ip_addresses
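Review bot: in the gcp_bigquery_large_scan.yml hunk the real fix is moving the URL off the `Tests:` key, not just filling in `Reference:`; before this change `Tests: https://cloud.google.com/bigquery/docs/running-queries` was a scalar immediately followed by the `- ExpectedResult: false` sequence item, which is not valid YAML, so the rule's test cases were most likely never being loaded. Worth confirming in the PR description that the tests for this rule now parse and run in CI, since that is a behavioural change beyond "add a reference".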
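Review bot: the gcp_destructive_queries.yml hunk only normalises `DisplayName` (dropping the stray inner single quotes and trailing space that would otherwise appear verbatim in alert titles) and adds no reference, so the commit subject "Add references to rules" does not describe it; either mention the display-name cleanup in the commit message or split it into its own commit so the history stays accurate. The existing `Reference: https://cloud.google.com/bigquery/docs/managing-tables` on the unchanged context line already matches the update/delete/drop/alter/truncate scope in the description.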
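Review bot: the gcp_unused_regions.yml hunk replaces, rather than supplements, the ATT&CK link, and `https://attack.mitre.org/techniques/T1535/` was the rule's only technique mapping; the description text ("Adversaries may create cloud instances in unused geographic service regions in order to evade detection") is essentially the T1535 wording, so dropping the link loses the source and makes the rule harder to map in coverage reporting. Suggest keeping T1535 and adding the geography-and-regions URL alongside it; if `Reference` accepts only a single string, keep the technique ID in `Description` or in a dedicated reports field if this rule schema supports one.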