GithubHelp home page GithubHelp logo

isabella232 / security-analytics Goto Github PK

View Code? Open in Web Editor NEW

This project forked from googlecloudplatform/security-analytics

0.0 0.0 0.0 473 KB

Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud

License: Apache License 2.0

Ruby 67.97% HTML 32.03%

security-analytics's Introduction

Community Security Analytics (CSA)

As organizations go through the Autonomic Security modernization journey, this repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud. These may assist detection engineers, threat hunters and data governance analysts.

Security Monitoring

CSA is a set of foundational security analytics designed to provide organizations with a rich baseline of pre-built queries and rules that they can readily use to start analyzing their Google Cloud logs including Cloud Audit logs, VPC Flow logs, DNS logs, and more using cloud-native or third-party analytics tools. The source code is provided as is, without warranty. See Copyright & License below.

Current release include:

The security use cases below are grouped in 6 categories depending on underlying activity type and log sources:

  1. ๐Ÿšฆ Login & Access Patterns
  2. ๐Ÿ”‘ IAM, Keys & Secrets Admin Activity
  3. ๐Ÿ—๏ธ Cloud Provisoning Activity
  4. โ˜๏ธ Cloud Workload Usage
  5. ๐Ÿ’ง Data Usage
  6. โšก Network Activity

To learn more about the variety of Google Cloud logs, how to enable and natively export these logs to destinations like Chronicle or BigQuery for in-depth analytics, refer to Google Cloud Security and access analytics solution guide.

Caution: CSA is not meant to be a comprehensive set of threat detections, but a collection of community-contributed samples to get you started with detective controls. Use CSA in your threat detection and response capabilities (e.g. Security Command Center, Chronicle, BigQuery, Siemplify, or third-party SIEM) in conjunction with threat prevention capabilities (e.g. Security Command Center, Cloud Armor, BeyondCorp). To learn more about Googleโ€™s approach to modern Security Operations, check out the Autonomic Security Operations whitepaper.

Security Analytics Use Cases

# Cloud Security Threat Log Source Audit Detect ATT&CKยฎ Techniques
1
 ๐Ÿšฆ Login & Access Patterns
1.01 Login from a highly-privileged account Workspace Login Audit (Cloud Identity Logs) โœ… T1078.004
1.02 Suspicious login attempt flagged by Google Workspace Workspace Login Audit (Cloud Identity Logs) โœ… T1078.004
1.03 Excessive login failures from any user identity Workspace Login Audit (Cloud Identity Logs) โœ… T1078.004, T1110
1.10 Access attempts violating VPC Service Controls Audit Logs - Policy โœ… โœ… T1078.004, T1537
1.20 Access attempts violating IAP (i.e. BeyondCorp) access controls HTTP(S) LB Logs โœ… โœ…
2
 ๐Ÿ”‘ IAM, Keys & Secrets Changes
2.02 User added to highly-privileged Google Group Workspace Admin Audit โœ… โœ… T1078.004, T1484.001
2.20 Permissions granted over a Service Account Audit Logs - Admin Activity โœ… โœ… T1484.002
2.21 Permissions granted to impersonate Service Account Audit Logs - Admin Activity โœ… โœ… T1484.002
2.22 Permissions granted to create or manage Service Account keys Audit Logs - Admin Activity โœ… โœ… T1484.002
2.30 Service accounts or keys created by non-approved identity Audit Logs - Admin Activity โœ… โœ… T1136.003
2.40 User access added (or removed) from IAP-protected HTTPS services Audit Logs - Admin Activity โœ… โœ… T1484.002
3
 ๐Ÿ—๏ธ Cloud Provisioning Activity
3.01 Changes made to logging settings Audit Logs - Admin Activity โœ… โœ… T1562.008
3.11 Unusual number of firewall rules modified in the last 7 days Audit Logs - Admin Activity โœ… T1562.007
3.12 Firewall rules modified or deleted in the last 24 hrs Audit Logs - Admin Activity โœ… โœ… T1562.007
3.13 VPN tunnels created or deleted Audit Logs - Admin Activity โœ… โœ… T1133
3.14 DNS zones modified or deleted Audit Logs - Admin Activity โœ… โœ… T1578
3.15 Cloud Storage buckets modified or deleted by unfamiliar user identities Audit Logs - Admin Activity โœ… โœ… T1578
3.20 VMs deleted in the last 7 days Audit Logs - Admin Activity โœ… T1578
3.21 Cloud SQL databases created, modified or deleted Audit Logs - Admin Activity โœ… T1578
4
 โ˜๏ธ Cloud Workload Usage
4.01 Unusually high API usage by any user identity Audit Logs โœ… โœ… T1106
4.10 Autoscaling usage in the past month Audit Logs - Admin Activity โœ… T1496
4.11 Autoscaling usage per day in the past month Audit Logs - Admin Activity โœ… T1496
5
 ๐Ÿ’ง Data Usage
5.01 Which users most frequently accessed data in the past week? Audit Logs - Data Access โœ… T1530
5.02 Which users accessed most amount of data in the past week? Audit Logs - Data Access โœ… T1530
5.03 How much data was accessed by each user per day in the past week? Audit Logs - Data Access โœ… T1530
5.04 Which users accessed data in a given table in the past month? Audit Logs - Data Access โœ… T1078.004
5.05 What tables are most frequently accessed and by whom? Audit Logs - Data Access โœ… T1530
5.06 Top 10 queries against BigQuery in the past week Audit Logs - Data Access โœ… T1530
5.07 Any queries doing very large scans? Audit Logs - Data Access โœ… โœ… T1530
5.08 Any destructive queries or jobs (i.e. update or delete)? Audit Logs โœ… โœ… T1565.001
5.20 Most common data (and metadata) access actions in the past month Audit Logs - Data Access โœ… โœ… T1530
5.30 Cloud Storage buckets enumerated by unfamiliar user identities Audit Logs - Data Access โœ… โœ… T1530
5.31 Cloud Storage objects accessed from a new IP Audit Logs - Data Access โœ… โœ… T1530
6
 โšก Network Activity
6.01 Hosts reaching out to many other hosts or ports per hour VPC Flow Logs โœ… โœ… T1046
6.10 Connections from a new IP to an in-scope network VPC Flow Logs โœ… โœ… T1018
6.20 Connections blocked by Cloud Armor HTTP(S) LB Logs โœ… โœ… T1071
6.21 Log4j 2 vulnerability exploit attempts HTTP(S) LB Logs โœ… T1190
6.22 Any remote IP addresses attemting to exploit Log4j 2 vulnerability? HTTP(S) LB Logs โœ… T1190
6.23 Spring4Shell vulnerability exploit attempts (CVE-2022-22965) HTTP(S) LB Logs โœ… T1190
6.30 Virus or malware detected by Cloud IDS Cloud IDS Threat Logs โœ… T1059
6.31 Traffic sessions of high severity threats detected by Cloud IDS Cloud IDS Threat Logs, Cloud IDS Traffic Logs โœ… T1071
6.40 Top 10 DNS queried domains Cloud DNS Logs โœ… โœ… T1071.004

Support

This is not an officially supported Google product. Queries, rules and other assets in Community Security Analytics (CSA) are community-supported. Please don't hesitate to open a GitHub issue if you have any question or a feature request.

Contributions are also welcome via Github pull requests if you have fixes or enhancements to source code or docs. Please refer to our Contributing guidelines.

Copyright & License

Copyright 2022 Google LLC

Queries, rules and other assets under Community Security Analytics (CSA) are licensed under the Apache license, v2.0. Details can be found in LICENSE file.

security-analytics's People

Contributors

m3mike avatar olivierba avatar r1shal1n avatar rarsan avatar sailingd avatar shapor avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.