Add references to rules (gcp_audit_rules) #1008

Merged
merged 2 commits into from
Dec 12, 2023
@@ -3,6 +3,7 @@ Description: An access attempt violating VPC service controls (such as Perimeter
DisplayName: "GCP Access Attempts Violating VPC Service Controls"
Enabled: true
Filename: gcp_access_attempts_violating_vpc_service_controls.py
Reference: https://cloud.google.com/vpc-service-controls/docs/troubleshooting#debugging
Severity: Medium
Tests:
- ExpectedResult: false
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_bigquery_large_scan.yml
@@ -3,6 +3,7 @@ Description: Detect any BigQuery query that is doing a very large scan (> 1 GB).
DisplayName: "GCP BigQuery Large Scan"
Enabled: true
Filename: gcp_bigquery_large_scan.py
Reference: https://cloud.google.com/bigquery/docs/running-queries
Severity: Info
Tests:
- ExpectedResult: false
@@ -3,6 +3,7 @@ Description: Detects GCP cloud storage bucket updates and deletes.
DisplayName: "GCP Cloud Storage Buckets Modified Or Deleted"
Enabled: true
Filename: gcp_cloud_storage_buckets_modified_or_deleted.py
Reference: https://cloud.google.com/storage/docs/buckets
Severity: Low
Tests:
- ExpectedResult: false
3 changes: 2 additions & 1 deletion rules/gcp_audit_rules/gcp_destructive_queries.yml
@@ -1,8 +1,9 @@
AnalysisType: rule
Description: Detect any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate.
DisplayName: "'GCP Destructive Queries '"
DisplayName: "GCP Destructive Queries"
Enabled: true
Filename: gcp_destructive_queries.py
Reference: https://cloud.google.com/bigquery/docs/managing-tables
Severity: Info
Tests:
- ExpectedResult: true
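Review bot: the DisplayName cleanup on the `-`/`+` pair (dropping the stray single quotes and the trailing space from `'GCP Destructive Queries '`) is a good fix, but it is unrelated to the PR title "Add references to rules"; call it out in the PR description so reviewers and the changelog do not miss a user-visible rename. The added `Reference: https://cloud.google.com/bigquery/docs/managing-tables` fits a rule about update, delete, drop, alter and truncate jobs.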
@@ -4,6 +4,7 @@ DisplayName: "GCP DNS Zone Modified or Deleted"
Enabled: true
Filename: gcp_dns_zone_modified_or_deleted.py
Runbook: Verify that this modification or deletion was expected. These operations are high-impact events and can result in downtimes or total outages.
Reference: https://cloud.google.com/dns/docs/zones
Severity: Low
Tests:
- ExpectedResult: true
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_gcs_iam_changes.yml
@@ -19,6 +19,7 @@ Severity: Low
Description: >
Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket.
Runbook: Validate the GCS bucket change was safe.
Reference: https://cloud.google.com/storage/docs/access-control/iam-permissions
SummaryAttributes:
- severity
- p_any_ip_addresses
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_gcs_public.yml
@@ -16,6 +16,7 @@ Reports:
Severity: High
Description: Adversaries may access data objects from improperly secured cloud storage.
Runbook: Validate the GCS bucket change was safe.
Reference: https://cloud.google.com/storage/docs/access-control/making-data-public
SummaryAttributes:
- severity
- p_any_ip_addresses
3 changes: 2 additions & 1 deletion rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml
@@ -13,8 +13,9 @@ Reports:
MITRE ATT&CK:
- TA0004:T1078
Severity: Medium
Description: Attaching an audit role manually could be a sign of privilege escalation
Description: Attaching an admin role manually could be a sign of privilege escalation
Runbook: Verify with the user who attached the role or add to a allowlist
Reference: https://cloud.google.com/looker/docs/admin-panel-users-roles
SummaryAttributes:
- severity
- p_any_ip_addresses
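Review bot: the Reference added on this hunk points at Looker documentation (`https://cloud.google.com/looker/docs/admin-panel-users-roles`), but the rule describes an admin role being attached manually in GCP IAM (mapped to TA0004:T1078); an analyst following the link lands on the Looker admin panel rather than on Cloud IAM roles. Use a Cloud IAM page instead, in the style of the `https://cloud.google.com/iam/docs/...` references the other IAM rules in this PR use. The Description fix from "audit role" to "admin role" is correct and now matches the rule's intent. Nit in the unchanged Runbook context line: "add to a allowlist" should read "add to an allowlist".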
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_iam_corp_email.yml
@@ -18,6 +18,7 @@ Reports:
Severity: Low
Description: A Gmail account is being used instead of a corporate email
Runbook: Remove the user
Reference: https://cloud.google.com/iam/docs/service-account-overview
SummaryAttributes:
- severity
- p_any_ip_addresses
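Review bot: the Reference added here (`https://cloud.google.com/iam/docs/service-account-overview`) covers service accounts, while the Description concerns a personal Gmail account being used in place of a corporate identity; the linked page does not help an analyst decide what to do with a gmail.com principal. Point it at IAM documentation on principals or on restricting identities by domain instead, so the Reference supports the "Remove the user" Runbook.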
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml
@@ -18,6 +18,7 @@ Reports:
Severity: Info
Description: A custom role has been created, deleted, or updated.
Runbook: No action needed, informational
Reference: https://cloud.google.com/iam/docs/creating-custom-roles
SummaryAttributes:
- severity
- p_any_ip_addresses
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml
@@ -24,6 +24,7 @@ Runbook: >
Direct them to make the change in Terraform to avoid automated rollback.
Grep for google_org and google_folder in terraform repos for places to
put your new policy bindings.
Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access
SummaryAttributes:
- severity
- p_any_ip_addresses
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_logging_settings_modified.yml
@@ -3,6 +3,7 @@ Description: Detects any changes made to logging settings
DisplayName: "GCP Logging Settings Modified"
Enabled: true
Filename: gcp_logging_settings_modified.py
Reference: https://cloud.google.com/logging/docs/default-settings
Severity: Low
Tests:
- ExpectedResult: false
@@ -3,6 +3,7 @@ Description: Permissions granted to impersonate a service account. This includes
DisplayName: GCP Permissions Granted to Create or Manage Service Account Key
Enabled: true
Filename: gcp_permissions_granted_to_create_or_manage_service_account_key.py
Reference: https://cloud.google.com/iam/docs/keys-create-delete
Severity: Low
Tests:
- ExpectedResult: false
@@ -3,6 +3,7 @@ Description: Detects when a service account or key is created manually by a user
DisplayName: "GCP Service Account or Keys Created "
Enabled: true
Filename: gcp_service_account_or_keys_created.py
Reference: https://cloud.google.com/iam/docs/keys-create-delete
Severity: Low
Tests:
- ExpectedResult: true
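Review bot: the `DisplayName: "GCP Service Account or Keys Created "` context line carries a trailing space inside the quotes, the same class of defect this PR fixes in gcp_destructive_queries.yml; trim it while the file is being touched. The added Reference (`https://cloud.google.com/iam/docs/keys-create-delete`) is the same URL used for gcp_permissions_granted_to_create_or_manage_service_account_key.py, which is reasonable since both rules concern service account keys.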
3 changes: 2 additions & 1 deletion rules/gcp_audit_rules/gcp_sql_config_changes.yml
@@ -14,8 +14,9 @@ Reports:
- 2.11
Severity: Low
Description: >
Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server.
Monitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server.
Runbook: Validate the Sql Instance configuration change was safe
Reference: https://cloud.google.com/sql/docs/mysql/instance-settings
SummaryAttributes:
- severity
- p_any_ip_addresses
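Review bot: the Description rewording correctly drops the duplicated "configuration changes ... changes"; since the line is being edited anyway, "Sql Instance" and "sql server" could become "Cloud SQL instance" to match the product name. Also, the added Reference (`https://cloud.google.com/sql/docs/mysql/instance-settings`) is the MySQL-specific settings page, while the Description covers SQL instance configuration generally; if the rule also fires for PostgreSQL or SQL Server instances, a page that is not tied to one engine would serve analysts better.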
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_unused_regions.yml
@@ -18,6 +18,7 @@ Severity: Medium
Description: >
Adversaries may create cloud instances in unused geographic service regions in order to evade detection.
Runbook: Validate the user making the request and the resource created.
Reference: https://cloud.google.com/docs/geography-and-regions
SummaryAttributes:
- severity
- p_any_ip_addresses
@@ -4,6 +4,7 @@ DisplayName: "GCP User Added to IAP Protected Service"
Enabled: true
Filename: gcp_user_added_to_iap_protected_service.py
Runbook: 'Note: GCP logs all bindings everytime this event occurs, not just changes. Bindings should be reviewed to ensure no unintended users have been added. '
Reference: https://cloud.google.com/iap/docs/managing-access
Severity: Low
Tests:
- ExpectedResult: false
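Review bot: nit in the unchanged Runbook context line: "everytime" should be "every time", and the quoted string ends with a trailing space before the closing quote; both are easy to fix in the same commit. The added Reference (`https://cloud.google.com/iap/docs/managing-access`) matches the DisplayName and the Runbook's advice to review bindings.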
1 change: 1 addition & 0 deletions rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml
@@ -3,6 +3,7 @@ Description: VPC flow logs were disabled for a subnet.
DisplayName: "GCP VPC Flow Logs Disabled"
Enabled: true
Filename: gcp_vpc_flow_logs_disabled.py
Reference: https://cloud.google.com/vpc/docs/using-flow-logs
Severity: Medium
Tests:
- ExpectedResult: true