From cb2653bddce5bb15e4c1250d8680f9b738f37f9f Mon Sep 17 00:00:00 2001
From: akozlovets098
Date: Mon, 11 Dec 2023 15:14:55 +0200
Subject: [PATCH] Add references to rules (gcp_audit_rules)
---
 .../gcp_access_attempts_violating_vpc_service_controls.yml | 1 +
 rules/gcp_audit_rules/gcp_bigquery_large_scan.yml | 3 ++-
 .../gcp_cloud_storage_buckets_modified_or_deleted.yml | 1 +
 rules/gcp_audit_rules/gcp_destructive_queries.yml | 1 +
 rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml | 1 +
 rules/gcp_audit_rules/gcp_gcs_iam_changes.yml | 1 +
 rules/gcp_audit_rules/gcp_gcs_public.yml | 1 +
 rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml | 3 ++-
 rules/gcp_audit_rules/gcp_iam_corp_email.yml | 1 +
 rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml | 1 +
 rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml | 1 +
 rules/gcp_audit_rules/gcp_logging_settings_modified.yml | 1 +
 ...issions_granted_to_create_or_manage_service_account_key.yml | 1 +
 rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml | 1 +
 rules/gcp_audit_rules/gcp_sql_config_changes.yml | 3 ++-
 rules/gcp_audit_rules/gcp_unused_regions.yml | 1 +
 .../gcp_user_added_to_iap_protected_service.yml | 1 +
 rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml | 1 +
 18 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml b/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml
index 92f25b2b7..3643fa046 100644
--- a/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml
+++ b/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml
@@ -3,6 +3,7 @@ Description: An access attempt violating VPC service controls (such as Perimeter
 DisplayName: "GCP Access Attempts Violating VPC Service Controls"
 Enabled: true
 Filename: gcp_access_attempts_violating_vpc_service_controls.py
+Reference: https://cloud.google.com/vpc-service-controls/docs/troubleshooting#debugging
 Severity: Medium
 Tests:
 - ExpectedResult: false
diff --git a/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml b/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml
index 6d958742f..1734ebdd9 100644
--- a/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml
+++ b/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml
@@ -3,8 +3,9 @@ Description: Detect any BigQuery query that is doing a very large scan (> 1 GB).
 DisplayName: "GCP BigQuery Large Scan"
 Enabled: true
 Filename: gcp_bigquery_large_scan.py
+Reference:
 Severity: Info
-Tests:
+Tests: https://cloud.google.com/bigquery/docs/running-queries
 - ExpectedResult: false
 Log:
 insertid: ABCDEFGHIJKL
diff --git a/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml b/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml
index d99e225b9..92662a5b4 100644
--- a/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml
+++ b/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml
@@ -3,6 +3,7 @@ Description: Detects GCP cloud storage bucket updates and deletes.
 DisplayName: "GCP Cloud Storage Buckets Modified Or Deleted"
 Enabled: true
 Filename: gcp_cloud_storage_buckets_modified_or_deleted.py
+Reference: https://cloud.google.com/storage/docs/buckets
 Severity: Low
 Tests:
 - ExpectedResult: false
diff --git a/rules/gcp_audit_rules/gcp_destructive_queries.yml b/rules/gcp_audit_rules/gcp_destructive_queries.yml
index 2d79a2ef0..aea28a201 100644
--- a/rules/gcp_audit_rules/gcp_destructive_queries.yml
+++ b/rules/gcp_audit_rules/gcp_destructive_queries.yml
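Review bot: In the gcp_bigquery_large_scan.yml hunk the URL landed on the wrong key: the commit adds an empty `Reference:` and rewrites the `Tests:` key as `Tests: https://cloud.google.com/bigquery/docs/running-queries`, which makes `Tests` a string value with an indented `- ExpectedResult:` sequence underneath it, so the file will most likely fail to parse and the rule's unit tests will not run. The intended change is `Reference: https://cloud.google.com/bigquery/docs/running-queries` with `Tests:` left untouched, i.e. drop the `-Tests:`/`+Tests:` pair. Running the repository's rule-schema validation over rules/gcp_audit_rules before merge would catch this kind of key mix-up.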
@@ -3,6 +3,7 @@ Description: Detect any destructive BigQuery queries or jobs such as update, del
 DisplayName: "'GCP Destructive Queries '"
 Enabled: true
 Filename: gcp_destructive_queries.py
+Reference: https://cloud.google.com/bigquery/docs/managing-tables
 Severity: Info
 Tests:
 - ExpectedResult: true
diff --git a/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml b/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml
index fbca2d1ff..033000dd6 100644
--- a/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml
+++ b/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml
@@ -4,6 +4,7 @@ DisplayName: "GCP DNS Zone Modified or Deleted"
 Enabled: true
 Filename: gcp_dns_zone_modified_or_deleted.py
 Runbook: Verify that this modification or deletion was expected. These operations are high-impact events and can result in downtimes or total outages.
+Reference: https://cloud.google.com/dns/docs/zones
 Severity: Low
 Tests:
 - ExpectedResult: true
diff --git a/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml b/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml
index 9919a83d7..9fe1a32e1 100644
--- a/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml
+++ b/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml
@@ -19,6 +19,7 @@ Severity: Low
 Description: >
 Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket.
 Runbook: Validate the GCS bucket change was safe.
+Reference: https://cloud.google.com/storage/docs/access-control/iam-permissions
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_gcs_public.yml b/rules/gcp_audit_rules/gcp_gcs_public.yml
index c6ef9584c..97ea5a66b 100644
--- a/rules/gcp_audit_rules/gcp_gcs_public.yml
+++ b/rules/gcp_audit_rules/gcp_gcs_public.yml
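Review bot: The context line `DisplayName: "'GCP Destructive Queries '"` in the gcp_destructive_queries.yml hunk carries literal single quotes and a trailing space inside the double-quoted string, so the rule's name renders with a stray quote and whitespace in alerts and dashboards. Since this commit already tidies wording in sibling rule files, it would be a good moment to change it to `DisplayName: "GCP Destructive Queries"`, and likewise `DisplayName: "GCP Service Account or Keys Created"` in the gcp_service_account_or_keys_created.yml hunk, whose value has the same trailing space.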
@@ -16,6 +16,7 @@ Reports:
 Severity: High
 Description: Adversaries may access data objects from improperly secured cloud storage.
 Runbook: Validate the GCS bucket change was safe.
+Reference: https://cloud.google.com/storage/docs/access-control/making-data-public
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml b/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml
index 723ee126a..7cfcb7e17 100644
--- a/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml
+++ b/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml
@@ -13,8 +13,9 @@ Reports:
 MITRE ATT&CK:
 - TA0004:T1078
 Severity: Medium
-Description: Attaching an audit role manually could be a sign of privilege escalation
+Description: Attaching an admin role manually could be a sign of privilege escalation
 Runbook: Verify with the user who attached the role or add to a allowlist
+Reference: https://cloud.google.com/looker/docs/admin-panel-users-roles
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_iam_corp_email.yml b/rules/gcp_audit_rules/gcp_iam_corp_email.yml
index b10cfc183..96a295c5a 100644
--- a/rules/gcp_audit_rules/gcp_iam_corp_email.yml
+++ b/rules/gcp_audit_rules/gcp_iam_corp_email.yml
@@ -18,6 +18,7 @@ Reports:
 Severity: Low
 Description: A Gmail account is being used instead of a corporate email
 Runbook: Remove the user
+Reference: https://cloud.google.com/iam/docs/service-account-overview
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml b/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml
index 93cc4f8e4..46314380a 100644
--- a/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml
+++ b/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml
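Review bot: The `Reference:` added in the gcp_iam_admin_role_assigned.yml hunk points at a Looker admin-panel page (https://cloud.google.com/looker/docs/admin-panel-users-roles), while the rule is about an admin role being bound on a GCP resource (TA0004:T1078, "Attaching an admin role manually"), so the link appears to have been taken from the wrong product and will not help an analyst triaging the alert. A page that matches the detection, such as the IAM access-management document this same commit uses in the gcp_iam_org_folder_changes.yml hunk, `Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access`, would be the better choice. The Description fix from "audit role" to "admin role" reads correctly.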
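Review bot: The `Reference:` added in the gcp_iam_corp_email.yml hunk links the service-account overview, but the rule fires on a consumer Gmail identity being used where a corporate account is expected, which concerns user principals rather than service accounts, so the link seems unrelated to the detection. A document on the organization policy that restricts IAM grants to approved identity domains would fit better, and it would also give the `Remove the user` runbook a preventive control to point to instead of only a reactive step. If no suitable page is at hand, leaving `Reference` out is preferable to a misleading one.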
@@ -18,6 +18,7 @@ Reports:
 Severity: Info
 Description: A custom role has been created, deleted, or updated.
 Runbook: No action needed, informational
+Reference: https://cloud.google.com/iam/docs/creating-custom-roles
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml b/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml
index 2f10997da..cbd5dd7cf 100644
--- a/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml
+++ b/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml
@@ -24,6 +24,7 @@ Runbook: >
 Direct them to make the change in Terraform to avoid automated rollback. Grep for google_org and google_folder in terraform repos for places to put your new policy bindings.
+Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_logging_settings_modified.yml b/rules/gcp_audit_rules/gcp_logging_settings_modified.yml
index d3f3829c7..c5fcc1867 100644
--- a/rules/gcp_audit_rules/gcp_logging_settings_modified.yml
+++ b/rules/gcp_audit_rules/gcp_logging_settings_modified.yml
@@ -3,6 +3,7 @@ Description: Detects any changes made to logging settings
 DisplayName: "GCP Logging Settings Modified"
 Enabled: true
 Filename: gcp_logging_settings_modified.py
+Reference: https://cloud.google.com/logging/docs/default-settings
 Severity: Low
 Tests:
 - ExpectedResult: false
diff --git a/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml b/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml
index 46b233e43..bbdf443b5 100644
--- a/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml
+++ b/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml
@@ -3,6 +3,7 @@ Description: Permissions granted to impersonate a service account. This includes
 DisplayName: GCP Permissions Granted to Create or Manage Service Account Key
 Enabled: true
 Filename: gcp_permissions_granted_to_create_or_manage_service_account_key.py
+Reference: https://cloud.google.com/iam/docs/keys-create-delete
 Severity: Low
 Tests:
 - ExpectedResult: false
diff --git a/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml b/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml
index 0d0cf7536..84d6d800b 100644
--- a/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml
+++ b/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml
@@ -3,6 +3,7 @@ Description: Detects when a service account or key is created manually by a user
 DisplayName: "GCP Service Account or Keys Created "
 Enabled: true
 Filename: gcp_service_account_or_keys_created.py
+Reference: https://cloud.google.com/iam/docs/keys-create-delete
 Severity: Low
 Tests:
 - ExpectedResult: true
diff --git a/rules/gcp_audit_rules/gcp_sql_config_changes.yml b/rules/gcp_audit_rules/gcp_sql_config_changes.yml
index 40c900d5d..9869d37f1 100644
--- a/rules/gcp_audit_rules/gcp_sql_config_changes.yml
+++ b/rules/gcp_audit_rules/gcp_sql_config_changes.yml
@@ -14,8 +14,9 @@ Reports:
 - 2.11
 Severity: Low
 Description: >
- Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server.
+ Monitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server.
 Runbook: Validate the Sql Instance configuration change was safe
+Reference: https://cloud.google.com/sql/docs/mysql/instance-settings
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_unused_regions.yml b/rules/gcp_audit_rules/gcp_unused_regions.yml
index 985f17741..654747d25 100644
--- a/rules/gcp_audit_rules/gcp_unused_regions.yml
+++ b/rules/gcp_audit_rules/gcp_unused_regions.yml
@@ -18,6 +18,7 @@ Severity: Medium
 Description: >
 Adversaries may create cloud instances in unused geographic service regions in order to evade detection.
 Runbook: Validate the user making the request and the resource created.
+Reference: https://attack.mitre.org/techniques/T1535/
 SummaryAttributes:
 - severity
 - p_any_ip_addresses
diff --git a/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml b/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml
index ee4c30639..ac54512f6 100644
--- a/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml
+++ b/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml
@@ -4,6 +4,7 @@ DisplayName: "GCP User Added to IAP Protected Service"
 Enabled: true
 Filename: gcp_user_added_to_iap_protected_service.py
 Runbook: 'Note: GCP logs all bindings everytime this event occurs, not just changes. Bindings should be reviewed to ensure no unintended users have been added. '
+Reference: https://cloud.google.com/iap/docs/managing-access
 Severity: Low
 Tests:
 - ExpectedResult: false
diff --git a/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml b/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml
index 508880fd5..1686bcedc 100644
--- a/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml
+++ b/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml
@@ -3,6 +3,7 @@ Description: VPC flow logs were disabled for a subnet.
 DisplayName: "GCP VPC Flow Logs Disabled"
 Enabled: true
 Filename: gcp_vpc_flow_logs_disabled.py
+Reference: https://cloud.google.com/vpc/docs/using-flow-logs
 Severity: Medium
 Tests:
 - ExpectedResult: true