From 4d5d0404d69213fefe67ccb11e84503ab590d8e1 Mon Sep 17 00:00:00 2001 From: sumgang45 <102499046+sumgang45@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:12:38 +0530 Subject: [PATCH] Create gcp_auditlog_rules.yaml additional rules for auditing GCP envs with Falco --- gcp_auditlog_rules.yaml | 583 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 583 insertions(+) create mode 100644 gcp_auditlog_rules.yaml diff --git a/gcp_auditlog_rules.yaml b/gcp_auditlog_rules.yaml new file mode 100644 index 0000000..281b76d --- /dev/null +++ b/gcp_auditlog_rules.yaml @@ -0,0 +1,583 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# Copyright (C) 2023 The Falco Authors. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +- required_engine_version: 11 + +- required_plugin_versions: + - name: gcpaudit + version: 0.3.0 + - name: json + version: 0.7.0 + +- macro: is_binded_delta_to_public + condition: > + gcp.policyDelta contains "ADD" and (gcp.policyDelta contains "allAuthenticatedUsers" + or gcp.policyDelta contains "allUsers") + +- macro: is_bigquery_service + condition: gcp.serviceName="bigquery.googleapis.com" + +- macro: is_crm_service + condition: gcp.serviceName="cloudresourcemanager.googleapis.com" + +- macro: is_gcs_service + condition: gcp.serviceName="storage.googleapis.com" + +- macro: is_cloudfunctions_service + condition: gcp.serviceName="cloudfunctions.googleapis.com" + +- macro: is_kms_service + condition: gcp.serviceName="cloudkms.googleapis.com" + +- macro: is_pubsub_service + condition: gcp.serviceName="pubsub.googleapis.com" + +- macro: is_compute_service + condition: gcp.serviceName="compute.googleapis.com" + +- macro: is_iam_service + condition: gcp.serviceName="iam.googleapis.com" + +- macro: is_logging_service + condition: gcp.serviceName="logging.googleapis.com" + +- macro: is_cloudsql_service + condition: gcp.serviceName="cloudsql.googleapis.com" + +- rule: GCP Cloud SQL database user modified or deleted + desc: Detect when a Cloud SQL DB user has been modified or deleted. + condition: > + is_cloudsql_service and (gcp.methodName="cloudsql.users.update" + or gcp.methodName="cloudsql.users.delete") + output: > + project=%gcp.projectId + A CloudSQL DB user has been updated by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + databaseName=%gcp.cloudsql.databaseId + priority: NOTICE + source: gcp_auditlog + tags: [GCP, cloudsql, compliance] + +- rule: GCP Cloud SQL database backup deleted + desc: Detect when a Cloud SQL DB backup has been deleted. + condition: is_cloudsql_service and gcp.methodName="cloudsql.backupRuns.delete" + output: > + project=%gcp.projectId + A Cloud SQL DB backup has been deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + databaseName=%gcp.cloudsql.databaseId + priority: NOTICE + source: gcp_auditlog + tags: [GCP, cloudsql, impact, T1490-inhibit-system-recovery] + + +- rule: GCP Cloud SQL database instance data exported + desc: Detect when a Cloud SQL DB instance data has been exported to cloud storage bucket. + condition: is_cloudsql_service and gcp.methodName="cloudsql.instances.export" + output: > + project=%gcp.projectId + A Cloud SQL DB instance data has been exported to a cloud storage bucket by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + databaseName=%gcp.cloudsql.databaseId + priority: NOTICE + source: gcp_auditlog + tags: [GCP, cloudsql, data-exfiltration, T1567-exfiltration-to-Cloud-Storage] + +- rule: GCP Cloud SQL database instance deleted + desc: Detect when a Cloud SQL DB instance has been deleted. + condition: is_cloudsql_service and gcp.methodName="cloudsql.instances.delete" + output: > + project=%gcp.projectId + A Cloud SQL DB instance has been deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + databaseName=%gcp.cloudsql.databaseId + priority: NOTICE + source: gcp_auditlog + tags: [GCP, cloudsql, impact, T1485-data-destruction] + +- rule: GCP Cloud SQL database instance modified or created + desc: Detect when a Cloud SQL DB instance has been modified or created. + condition: > + is_cloudsql_service and (gcp.methodName="cloudsql.instances.update" + or gcp.methodName="cloudsql.instances.create" + or gcp.methodName="cloudsql.instances.patch") + output: > + project=%gcp.projectId + A Cloud SQL DB instance has been modified or created by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + databaseName=%gcp.cloudsql.databaseId + priority: NOTICE + source: gcp_auditlog + tags: [GCP, cloudsql, compliance] + +- rule: GCP Bucket configured to be public + desc: Detect when access on a GCP Bucket is granted to the public internet. + condition: is_gcs_service and gcp.methodName="storage.setIamPermissions" and is_binded_delta_to_public + output: > + project=%gcp.projectId + A GCP bucket has been granted public access by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent bindedDelta=%gcp.policyDelta + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + bucketName=%gcp.storage.bucket + priority: CRITICAL + source: gcp_auditlog + tags: [GCP, buckets, compliance] + +- rule: GCP Bucket objects configured to be public + desc: Detect when access on a GCP Bucket objects has been granted to the public internet. + condition: > + is_gcs_service + and gcp.methodName="storage.objects.update" + and is_binded_delta_to_public + output: > + project=%gcp.projectId + Access to a A GCP bucket object has been granted public access by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + bucketName=%gcp.storage.bucket + priority: CRITICAL + source: gcp_auditlog + tags: [GCP, buckets, objects, compliance] + +- rule: GCP Bucket enumerated + desc: Detect deletion of a GCS bucket. + condition: is_gcs_service and gcp.methodName="storage.buckets.list" + output: > + project=%gcp.projectId + A GCS bucket's content has been listed to user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + bucketName=%gcp.storage.bucket + priority: NOTICE + source: gcp_auditlog + tags: [GCP, buckets, TA0007-discovery, T1083-file-and-directory-discovery] + +- rule: GCP Bucket deleted + desc: Detect deletion of a GCS bucket. + condition: is_gcs_service and gcp.methodName="storage.buckets.delete" + output: > + project=%gcp.projectId + A GCS bucket has been deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + bucketName=%gcp.storage.bucket + priority: NOTICE + source: gcp_auditlog + tags: [GCP, buckets, mitre_data_destruction] + +- rule: GCP Bucket updated + desc: Detect when an administrative change to a GCS Bucket has been made. + condition: is_gcs_service and gcp.methodName="storage.buckets.update" + output: > + project=%gcp.projectId + A GCS bucket has been updated by user=%gcp.user callerip=%gcp.callerIP useragent=%gcp.userAgent service=%gcp.serviceName method=%gcp.methodName zones= + bucketName=%gcp.storage.bucket rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, buckets, compliance] + +- rule: GCP Bucket permissions modified + desc: Detect when permissions have changed on a GCS Bucket. + condition: is_gcs_service and gcp.methodName="storage.setIamPermissions" + output: > + project=%gcp.projectId + A GCS bucket Iam policy has been changed by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + bucketName=%gcp.storage.bucket + priority: NOTICE + source: gcp_auditlog + tags: [GCP, buckets, compliance] + +- rule: GCP BigQuery Dataset access configured to be public + desc: Detect when access on a BigQuery Dataset has been set to public. + condition: > + is_bigquery_service + and gcp.methodName="google.iam.v1.IAMPolicy.SetIamPolicy" + and is_binded_delta_to_public + output: > + project=%gcp.projectId + Access to a GCP Bigquery has been set to public by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + datasetName=%json.value[/resource/labels/dataset_id] + priority: CRITICAL + source: gcp_auditlog + tags: [GCP, bigquery, datasets, compliance] + +- rule: GCP VM modified + desc: Detect when a virtual machine is modified or created. + condition: > + is_compute_service and (gcp.methodName contains "compute.instances.insert" + or gcp.methodName contains "compute.instances.update" + or gcp.methodName contains "compute.instances.setServiceAccount" + or gcp.methodName contains "compute.instances.setIamPolicy" + or gcp.methodName contains "compute.instances.updateAccessConfig" + or gcp.methodName contains "compute.instances.updateNetworkInterface") + output: > + project=%gcp.projectId + A GCP VM has been created or modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, VM, TA0005-defense-evasion, T1562-impair-defenses] + + +- rule: GCP VM stopped + desc: Detect when a virtual machine is stopped. + condition: is_compute_service and (gcp.methodName contains "compute.instances.stop") + output: > + project=%gcp.projectId + A GCP VM has been stopped by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, VM, TA0005-defense-evasion, T1562-impair-defenses] + + +- rule: GCP GCE Firewall rule modified + desc: Detect when a firewall rule is created, modified or deleted. + condition: > + is_compute_service and (gcp.methodName contains "compute.firewalls.delete" + or gcp.methodName contains "compute.firewalls.patch" + or gcp.methodName contains "compute.firewalls.insert") + output: > + project=%gcp.projectId + A GCP GCE Firewall rule was modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, Firewall, TA0005-defense-evasion, T1562-impair-defenses] + + +- rule: GCP WAF Network policy modified + desc: Detect when a WAF Network policy is created, modified or deleted. + condition: > + is_compute_service and (gcp.methodName contains "compute.securityPolicies.delete" + or gcp.methodName contains "compute.securityPolicies.insert" + or gcp.methodName contains "compute.securityPolicies.patch") + output: > + project=%gcp.projectId + A GCP WAF network policy or waf rule was modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.methodName rawRequest=%gcp.request + policyName=%json.value[/resource/labels/policy_name] + priority: NOTICE + source: gcp_auditlog + tags: [GCP, WAF, CloudArmor, TA0005-defense-evasion, T1562-impair-defenses] + + +- rule: GCP WAF rule modified or deleted + desc: Detect when a WAF rule is created, modified or deleted. + condition: > + is_compute_service and (gcp.methodName contains "compute.securityPolicies.removeRule" + or gcp.methodName contains "compute.securityPolicies.addRule" + or gcp.methodName contains "compute.securityPolicies.patchRule") + output: > + project=%gcp.projectId + A GCP WAF network policy or waf rule was modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo rawRequest=%gcp.request + policyName=%json.value[/resource/labels/policy_name] + priority: NOTICE + source: gcp_auditlog + tags: [GCP, WAF, CloudArmor, TA0005-defense-evasion, T1562-impair-defenses] + + +- rule: GCP CloudArmor edge security service modified + desc: Detect when a CloudArmor edge security service was created, modified or deleted. + condition: > + is_compute_service and (gcp.methodName contains "compute.networkEdgeSecurityServices.delete" + or gcp.methodName contains "compute.networkEdgeSecurityServices.create" + or gcp.methodName contains "compute.networkEdgeSecurityServices.update") + output: > + project=%gcp.projectId + A GCP CloudArmor edge security service was modified by user=%gcp.user user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + policyName=%json.value[/resource/labels/policy_name] + priority: NOTICE + source: gcp_auditlog + tags: [GCP, WAF, CloudArmor, TA0005-defense-evasion, T1562-impair-defenses] + + +- rule: GCP backend service deleted + desc: Detect when a backend service is deleted. + condition: is_compute_service and (gcp.methodName contains "compute.backendServices.delete") + output: > + project=%gcp.projectId + A GCP backend service was deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, backendService, T1498-DOS] + + +- rule: GCP IAM service account created + desc: Detect when a serviceAccount is created. + condition: is_iam_service and (gcp.methodName="google.iam.admin.v1.CreateServiceAccount") + output: > + project=%gcp.projectId + A GCP service account was created by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + + +- rule: GCP IAM service account deleted + desc: Detect when a service account deleted. + condition: is_iam_service and (gcp.methodName="google.iam.admin.v1.DeleteServiceAccount") + output: > + project=%gcp.projectId + A GCP service account was deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + +- rule: GCP IAM service account modified + desc: Detect when a service account is modified. + condition: is_iam_service and (gcp.methodName="google.iam.admin.v1.UpdateServiceAccount") + output: > + project=%gcp.projectId + A GCP service account was modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + + +- rule: GCP IAM service account key created + desc: Detect when a serviceAccount key is created. + condition: is_iam_service and (gcp.methodName="google.iam.admin.v1.CreateServiceAccountKey") + output: > + project=%gcp.projectId + A GCP service account key was created by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + + +- rule: GCP IAM service account key deleted + desc: Detect when a service account key is deleted. + condition: is_iam_service and (gcp.methodName="google.iam.admin.v1.DeleteServiceAccountKey") + output: > + project=%gcp.projectId + A GCP service account key was deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + +- rule: GCP IAM custom role created + desc: Detect when an IAM custom role is created. + condition: is_iam_service and (gcp.methodName="google.iam.admin.v1.CreateRole") + output: > + project=%gcp.projectId + A GCP IAM custom role was created by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + +- rule: GCP IAM custom role modified + desc: Detect when an IAM custom role is modified. + condition: is_iam_service and (gcp.methodName="google.iam.admin.v1.UpdateRole") + output: > + project=%gcp.projectId + A GCP IAM custom role was modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + +- rule: GCP IAM policy modified + desc: Detect when an IAM policy is modified. + condition: is_crm_service and (gcp.methodName="SetIamPolicy") + output: > + project=%gcp.projectId + A GCP IAM policy was modified by user=%gcp.user bindingPolicy=%gcp.policyDelta userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, IAM, abuse-elevation-control-mechanism] + + +- rule: GCP cloud function created + desc: Detect when a cloud function is created. + condition: is_cloudfunctions_service and (gcp.methodName="google.cloud.functions.v1.CloudFunctionsService.CreateFunction") + output: > + project=%gcp.projectId + A GCP cloud function was created by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + functionName=%gcp.cloudfunctions.function + priority: NOTICE + source: gcp_auditlog + tags: [GCP, CloudFunction, abuse-elevation-control-mechanism] + +- rule: GCP cloud function deleted + desc: Detect when a cloud function is deleted. + condition: is_cloudfunctions_service and (gcp.methodName="google.cloud.functions.v1.CloudFunctionsService.DeleteFunction") + output: > + project=%gcp.projectId + A GCP cloud function was deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + functionName=%gcp.cloudfunctions.function + priority: NOTICE + source: gcp_auditlog + tags: [GCP, CloudFunction, abuse-elevation-control-mechanism] + +- rule: GCP cloud function modified + desc: Detect when a cloud function is modified. + condition: > + is_cloudfunctions_service and (gcp.methodName="google.cloud.functions.v1.CloudFunctionsService.UpdateFunction") + output: > + project=%gcp.projectId + A GCP cloud function was modiefied by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + functionName=%gcp.cloudfunctions.function + priority: NOTICE + source: gcp_auditlog + tags: [GCP, CloudFunction, abuse-elevation-control-mechanism] + +- rule: GCP KMS keyring created + desc: Detect when a KMS keyring is created. + condition: is_kms_service and gcp.methodName="CreateKeyRing" + output: > + project=%gcp.projectId + A GCP KMS key ring was created by by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + ringName=%json.value[/resource/labels/key_ring_id] + priority: NOTICE + source: gcp_auditlog + tags: [GCP, KMS, abuse-elevation-control-mechanism] + +- rule: GCP KMS created + desc: Detect when a KMS key is created. + condition: is_kms_service and gcp.methodName="CreateCryptoKey" + output: > + project=%gcp.projectId + A GCP KMS key was created by by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + keyName=%json.value[/resource/labels/crypto_key_id] + priority: NOTICE + source: gcp_auditlog + tags: [GCP, KMS, abuse-elevation-control-mechanism] + +- rule: GCP KMS updated + desc: Detect when a KMS key is updated + condition: > + is_kms_service and (gcp.methodName="UpdateCryptoKey") + output: > + project=%gcp.projectId + A GCP KMS key was updated by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + keyName=%json.value[/resource/labels/crypto_key_id] + priority: NOTICE + source: gcp_auditlog + tags: [GCP, KMS, abuse-elevation-control-mechanism] + +- rule: GCP KMS deleted + desc: Detect when a KMS key is deleted + condition: > + is_kms_service and (gcp.methodName="DestroyCryptoKeyVersion") + output: > + project=%gcp.projectId + A GCP KMS was deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + keyName=%json.value[/resource/labels/crypto_key_id] + priority: NOTICE + source: gcp_auditlog + tags: [GCP, KMS, abuse-elevation-control-mechanism] + +- rule: GCP Pub/Sub topic deleted + desc: Detect when a GCP Pub/Sub topic has been deleted. This could stop audit logs from being sent to the GCP Audit Log plugin. + condition: is_pubsub_service and gcp.methodName="google.pubsub.v1.Publisher.DeleteTopic" + output: > + project=%gcp.projectId + A GCP Pub/Sub topic has been deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, Pub/Sub, TA0005-defense-evasion, T1562-impair-defenses] + +- rule: GCP Pub/Sub subscription modified + desc: Detect when a GCP Pub/Sub subscription has been modified. This could stop audit logs from being sent to the GCP Audit Log plugin. + condition: > + is_pubsub_service and (gcp.methodName="google.pubsub.v1.Subscriber.UpdateSubscription") + output: > + project=%gcp.projectId + A GCP Pub/Sub subscription has been modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, Pub/Sub, TA0005-defense-evasion, T1562-impair-defenses] + +- rule: GCP Pub/Sub subscription deleted + desc: Detect when a GCP Pub/Sub subscription has been deleted. This could stop audit logs from being sent to the GCP Audit Log plugin. + condition: > + is_pubsub_service and (gcp.methodName="google.pubsub.v1.Subscriber.DeleteSubscription") + output: > + project=%gcp.projectId + A GCP Pub/Sub subscription has been deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, Pub/Sub, TA0005-defense-evasion, T1562-impair-defenses] + + +- rule: GCP logging sink modified + desc: Detect when a GCP logging sink has been modified. This could stop audit logs from being sent to the GCP Audit Log plugin. + condition: > + is_logging_service and (gcp.methodName="google.logging.v2.ConfigServiceV2.UpdateSink") + output: > + project=%gcp.projectId + A GCP Pub/Sub subscription has been modified by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, Sink, TA0005-defense-evasion, T1562-impair-defenses] + +- rule: GCP logging sink deleted + desc: Detect when a GCP logging sink has been deleted. This could stop audit logs from being sent to the GCP Audit Log plugin. + condition: > + is_logging_service and (gcp.methodName="google.logging.v2.ConfigServiceV2.DeleteSink") + output: > + project=%gcp.projectId + A GCP Pub/Sub subscription has been deleted by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent + authorizationInfo=%gcp.authorizationInfo + rawRequest=%gcp.request + priority: NOTICE + source: gcp_auditlog + tags: [GCP, Sink, TA0005-defense-evasion, T1562-impair-defenses]