Add references to rules (gcp_audit_rules)

panther-labs · Dec 11, 2023 · cb2653b · cb2653b
1 parent 02ce284
commit cb2653b
Show file tree

Hide file tree

Showing 18 changed files with 21 additions and 3 deletions.
diff --git a/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml b/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml
@@ -3,6 +3,7 @@ Description: An access attempt violating VPC service controls (such as Perimeter
 DisplayName: "GCP Access Attempts Violating VPC Service Controls"
 Enabled: true
 Filename: gcp_access_attempts_violating_vpc_service_controls.py
+Reference: https://cloud.google.com/vpc-service-controls/docs/troubleshooting#debugging
 Severity: Medium
 Tests:
     - ExpectedResult: false

diff --git a/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml b/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml
@@ -3,8 +3,9 @@ Description: Detect any BigQuery query that is doing a very large scan (> 1 GB).
 DisplayName: "GCP BigQuery Large Scan"
 Enabled: true
 Filename: gcp_bigquery_large_scan.py
+Reference:
 Severity: Info
-Tests:
+Tests: https://cloud.google.com/bigquery/docs/running-queries
     - ExpectedResult: false
       Log:
         insertid: ABCDEFGHIJKL

diff --git a/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml b/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml
@@ -3,6 +3,7 @@ Description: Detects GCP cloud storage bucket updates and deletes.
 DisplayName: "GCP Cloud Storage Buckets Modified Or Deleted"
 Enabled: true
 Filename: gcp_cloud_storage_buckets_modified_or_deleted.py
+Reference: https://cloud.google.com/storage/docs/buckets
 Severity: Low
 Tests:
     - ExpectedResult: false

diff --git a/rules/gcp_audit_rules/gcp_destructive_queries.yml b/rules/gcp_audit_rules/gcp_destructive_queries.yml
@@ -3,6 +3,7 @@ Description: Detect any destructive BigQuery queries or jobs such as update, del
 DisplayName: "'GCP Destructive Queries '"
 Enabled: true
 Filename: gcp_destructive_queries.py
+Reference: https://cloud.google.com/bigquery/docs/managing-tables
 Severity: Info
 Tests:
     - ExpectedResult: true

diff --git a/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml b/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml
@@ -4,6 +4,7 @@ DisplayName: "GCP DNS Zone Modified or Deleted"
 Enabled: true
 Filename: gcp_dns_zone_modified_or_deleted.py
 Runbook: Verify that this modification or deletion was expected. These operations are high-impact events and can result in downtimes or total outages.
+Reference: https://cloud.google.com/dns/docs/zones
 Severity: Low
 Tests:
     - ExpectedResult: true

diff --git a/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml b/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml
@@ -19,6 +19,7 @@ Severity: Low
 Description: >
   Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket.
 Runbook: Validate the GCS bucket change was safe.
+Reference: https://cloud.google.com/storage/docs/access-control/iam-permissions
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_gcs_public.yml b/rules/gcp_audit_rules/gcp_gcs_public.yml
@@ -16,6 +16,7 @@ Reports:
 Severity: High
 Description: Adversaries may access data objects from improperly secured cloud storage.
 Runbook: Validate the GCS bucket change was safe.
+Reference: https://cloud.google.com/storage/docs/access-control/making-data-public
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml b/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml
@@ -13,8 +13,9 @@ Reports:
   MITRE ATT&CK:
     - TA0004:T1078
 Severity: Medium
-Description: Attaching an audit role manually could be a sign of privilege escalation
+Description: Attaching an admin role manually could be a sign of privilege escalation
 Runbook: Verify with the user who attached the role or add to a allowlist
+Reference: https://cloud.google.com/looker/docs/admin-panel-users-roles
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_iam_corp_email.yml b/rules/gcp_audit_rules/gcp_iam_corp_email.yml
@@ -18,6 +18,7 @@ Reports:
 Severity: Low
 Description: A Gmail account is being used instead of a corporate email
 Runbook: Remove the user
+Reference: https://cloud.google.com/iam/docs/service-account-overview
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml b/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml
@@ -18,6 +18,7 @@ Reports:
 Severity: Info
 Description: A custom role has been created, deleted, or updated.
 Runbook: No action needed, informational
+Reference: https://cloud.google.com/iam/docs/creating-custom-roles
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml b/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml
@@ -24,6 +24,7 @@ Runbook: >
   Direct them to make the change in Terraform to avoid automated rollback.
   Grep for google_org and google_folder in terraform repos for places to 
   put your new policy bindings. 
+Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_logging_settings_modified.yml b/rules/gcp_audit_rules/gcp_logging_settings_modified.yml
@@ -3,6 +3,7 @@ Description: Detects any changes made to logging settings
 DisplayName: "GCP Logging Settings Modified"
 Enabled: true
 Filename: gcp_logging_settings_modified.py
+Reference: https://cloud.google.com/logging/docs/default-settings
 Severity: Low
 Tests:
     - ExpectedResult: false

diff --git a/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml b/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml
@@ -3,6 +3,7 @@ Description: Permissions granted to impersonate a service account. This includes
 DisplayName: GCP Permissions Granted to Create or Manage Service Account Key
 Enabled: true
 Filename: gcp_permissions_granted_to_create_or_manage_service_account_key.py
+Reference: https://cloud.google.com/iam/docs/keys-create-delete
 Severity: Low
 Tests:
     - ExpectedResult: false

diff --git a/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml b/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml
@@ -3,6 +3,7 @@ Description: Detects when a service account or key is created manually by a user
 DisplayName: "GCP Service Account or Keys Created "
 Enabled: true
 Filename: gcp_service_account_or_keys_created.py
+Reference: https://cloud.google.com/iam/docs/keys-create-delete
 Severity: Low
 Tests:
     - ExpectedResult: true

diff --git a/rules/gcp_audit_rules/gcp_sql_config_changes.yml b/rules/gcp_audit_rules/gcp_sql_config_changes.yml
@@ -14,8 +14,9 @@ Reports:
     - 2.11
 Severity: Low
 Description: >
-  Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server.
+  Monitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server.
 Runbook: Validate the Sql Instance configuration change was safe
+Reference: https://cloud.google.com/sql/docs/mysql/instance-settings
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_unused_regions.yml b/rules/gcp_audit_rules/gcp_unused_regions.yml
@@ -18,6 +18,7 @@ Severity: Medium
 Description: >
   Adversaries may create cloud instances in unused geographic service regions in order to evade detection.
 Runbook: Validate the user making the request and the resource created.
+Reference: https://attack.mitre.org/techniques/T1535/
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

diff --git a/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml b/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml
@@ -4,6 +4,7 @@ DisplayName: "GCP User Added to IAP Protected Service"
 Enabled: true
 Filename: gcp_user_added_to_iap_protected_service.py
 Runbook: 'Note: GCP logs all bindings everytime this event occurs, not just changes. Bindings should be reviewed to ensure no unintended users have been added. '
+Reference: https://cloud.google.com/iap/docs/managing-access
 Severity: Low
 Tests:
     - ExpectedResult: false

diff --git a/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml b/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml
@@ -3,6 +3,7 @@ Description: VPC flow logs were disabled for a subnet.
 DisplayName: "GCP VPC Flow Logs Disabled"
 Enabled: true
 Filename: gcp_vpc_flow_logs_disabled.py
+Reference: https://cloud.google.com/vpc/docs/using-flow-logs
 Severity: Medium
 Tests:
     - ExpectedResult: true