Google Cloud Platform – Rules by Use Case
Advanced Analytics versions that support GCP rules:

- Legacy Data Structure Versions: not yet supported
- Common Information Model Versions: i63.5 (supports all the rules listed in each use case)

Note: All model-based rules have rule names that end with "-F" or "-A". Rules without these rule name endings are fact-based rules.
Use Case | Rule ID | Rule Name
---|---|---
Abnormal Authentication & Access | GCP-Region-User-F | First time region for user
 | GCP-Region-Org-F | First time region for org
 | GCP-Operation-User-F | First time operation for user
 | GCP-DistinctOperationCount-User-A | Abnormal amount of distinct operations
 | GCP-UnauthorizedOperationCount-User-A | Abnormal amount of unauthorized operations
 | GCP-Service-User-F | First time cloud service for user
 | GCP-UserAgent-Org-F | First time user agent for org
 | GCP-Country-User-F | First time country for user
 | GCP-Time-User-A | Abnormal time for user activity in GCP
 | GCP-UserAgent-User-F | First time user agent seen for user
Privilege Escalation | GCP-SetIAMPublic | A cloud resource in GCP was set to public
 | GCP-IAMPublicFound | A public IAM policy was found on a cloud resource in GCP
 | GCP-SetIAMAdmin | A cloud resource policy in GCP was modified with high permissions
 | GCP-UserRoleList-Org-F | First time role enumeration for user
 | GCP-UserRoleWrite-Org-F | First time role creation or modification for user
 | GCP-UserSetPolicy-Org-F | First time IAM policy modification for user
 | GCP-UserSetPolicyCritical-Org-F | First time critical IAM policy modification for user
 | GCP-ResourceSetPolicy-Org-F | First time IAM policy modification for resource
 | GCP-ResourceSetPolicyCritical-Org-F | First time critical IAM policy modification for resource
 | GCP-UserSetPolicy-Resource-F | First time IAM policy modification for user on this resource
 | GCP-DomainSetPolicy-Org-F | First time domain seen in IAM policy modification
 | GCP-MemberTypeSetPolicy-Org-F | First time user type seen in IAM policy modification
 | GCP-UserCreateServiceAccountCreds-Org-F | First time service account key/token creation for user
 | GCP-UserAddInstanceSSH-Org-F | First time instance SSH key modification for user
Cloud Data Protection | GCP-SetObjectPublic | An object in GCP storage was set to public
 | GCP-UserStorageList-Org-F | First time enumeration of storage buckets or objects for user
 | GCP-StorageListCount-User-A | Abnormal amount of enumeration operations of storage buckets or objects for this user
 | GCP-UserSetObjectACL-Org-F | First time modification of storage object ACL for user
 | GCP-UserSetObjectACL-Bucket-F | First time modification of storage object ACL for user in this bucket
 | GCP-UserSetObjectPublic-Org-F | First time public modification of storage object ACL for user
 | GCP-UserSetObjectPublic-Bucket-F | First time public modification of storage object ACL for user in this bucket
 | GCP-UserCreateBucket-Org-F | First time storage bucket creation for user
 | GCP-StorageGetCount-User-A | Abnormal amount of storage object Get operations for this user
 | GCP-UserComputeList-Org-F | First time enumeration of compute resources for user
 | GCP-UserGetScreenshot-Org-F | First time instance screenshot for user
 | GCP-UserCreateSnapshot-Org-F | First time snapshot creation for user
 | GCP-UserCreateFromSnapshot-Org-F | First time instance/disk creation from a snapshot for user
 | GCP-UserAttachDisks-Org-F | First time disk attachment for user
 | B-GCP-StorageGetCount-User-A | Abnormal amount of storage object Get operations for this user
 | B-GCP-UserSetObjectACL-Org-F | First time modification of storage object ACL for user
 | B-GCP-UserSetObjectACL-Bucket-F | First time modification of storage object ACL for user in this bucket
 | B-GCP-UserSetObjectPublic-Org-F | First time public modification of storage object ACL for user
 | B-GCP-UserSetObjectPublic-Bucket-F | First time public modification of storage object ACL for user in this bucket
 | B-GCP-User-Bucket-F | First time this user has accessed this bucket
 | B-GCP-UserAgent-Bucket-F | First time this user agent was used to access this bucket
 | B-GCP-Operation-Bucket-F | First time this operation was used on this bucket
Malware | GCP-InstanceAutomatedScript | A startup/shutdown script was added to an instance in GCP
 | GCP-UserCreateObject-Org-F | First time storage object creation for user
 | GCP-UserCreateObjectCritical-Org-F | First time critical storage object creation for user
 | GCP-UserCreateImage-Org-F | First time image creation for user
 | B-GCP-UserCreateObject-Org-F | First time storage object creation for user
 | B-GCP-UserCreateObjectCritical-Org-F | First time critical storage object creation for user
Account Manipulation | GCP-UserCreateServiceAccount-Org-F | First time service account creation for user
Cryptomining | GCP-UserCreateInstance-Org-F | First time instance creation for user