Community Security Analytics (CSA)

<p align="center"> <img src="./assets/csa_logo.png" alt="Community Security Analytics Logo"> </p>

As organizations go through the Autonomic Security modernization journey, this repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud. These may assist detection engineers, threat hunters and data governance analysts.

CSA is a set of foundational security analytics designed to provide organizations with a rich baseline of pre-built queries and rules that they can readily use to start analyzing their Google Cloud logs, including Cloud Audit logs, VPC Flow logs, DNS logs, and more, using cloud-native or third-party analytics tools. The source code is provided as is, without warranty. See Copyright & License below.

The current release includes:

The security use cases below are grouped in 6 categories depending on underlying activity type and log sources:

  1. :vertical_traffic_light: Login & Access Patterns
  2. :key: IAM, Keys & Secrets Admin Activity
  3. :building_construction: Cloud Provisioning Activity
  4. :cloud: Cloud Workload Usage
  5. :droplet: Data Usage
  6. :zap: Network Activity

To learn more about the variety of Google Cloud logs, and how to enable and natively export these logs to destinations like BigQuery or Google Security Operations for in-depth analytics, refer to the Google Cloud Security and access analytics solution guide.

Caution: CSA is not meant to be a comprehensive set of threat detections, but a collection of community-contributed samples to get you started with detective controls. Use CSA in your threat detection and response capabilities (e.g. Security Command Center, Google Security Operations, BigQuery, or third-party SIEM) in conjunction with threat prevention capabilities (e.g. Security Command Center, Cloud Armor, Identity-Aware Proxy and Chrome Enterprise Premium). To learn more about Google’s approach to modern Security Operations, check out the Autonomic Security Operations whitepaper.

Security Analytics Use Cases

Security Monitoring

| # | Cloud Security Threat | Log Source | Audit / Detect | ATT&CK® Techniques |
|---|---|---|---|---|
| <div id="login-access-patterns">1</div> | :vertical_traffic_light: Login & Access Patterns | | | |
| 1.01 | Login from a highly-privileged account | Workspace Login Audit (Cloud Identity Logs) | :white_check_mark: | T1078.004 |
| 1.02 | Suspicious login attempt flagged by Google Workspace | Workspace Login Audit (Cloud Identity Logs) | :white_check_mark: | T1078.004 |
| 1.03 | Excessive login failures from any user identity | Workspace Login Audit (Cloud Identity Logs) | :white_check_mark: | T1078.004, T1110 |
| 1.10 | Access attempts violating VPC Service Controls | Audit Logs - Policy | :white_check_mark: :white_check_mark: | T1078.004, T1537 |
| 1.20 | Access attempts violating IAP (i.e. BeyondCorp) access controls | HTTP(S) LB Logs | :white_check_mark: :white_check_mark: | |
| 1.30 | Cloud Console accesses | Audit Logs - Data Access | :white_check_mark: | T1078.004 |
| <div id="iam-keys-secrets-changes">2</div> | :key: IAM, Keys & Secrets Changes | | | |
| 2.02 | User added to highly-privileged Google Group | Workspace Admin Audit | :white_check_mark: :white_check_mark: | T1078.004, T1484.001 |
| 2.20 | Permissions granted over a Service Account | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1484.002 |
| 2.21 | Permissions granted to impersonate Service Account | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1484.002 |
| 2.22 | Permissions granted to create or manage Service Account keys | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1484.002 |
| 2.30 | Service accounts or keys created by non-approved identity | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1136.003 |
| 2.40 | User access added (or removed) from IAP-protected HTTPS services | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1484.002 |
| <div id="cloud-provisioning-activity">3</div> | :building_construction: Cloud Provisioning Activity | | | |
| 3.01 | Changes made to logging settings | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1562.008 |
| 3.02 | Disabling VPC Flows logging | Audit Logs - Admin Activity | :white_check_mark: | T1562.008 |
| 3.11 | Unusual number of firewall rules modified in the last 7 days | Audit Logs - Admin Activity | :white_check_mark: | T1562.007 |
| 3.12 | Firewall rules modified or deleted in the last 24 hrs | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1562.007 |
| 3.13 | VPN tunnels created or deleted | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1133 |
| 3.14 | DNS zones modified or deleted | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1578 |
| 3.15 | Cloud Storage buckets modified or deleted by unfamiliar user identities | Audit Logs - Admin Activity | :white_check_mark: :white_check_mark: | T1578 |
| 3.20 | VMs deleted in the last 7 days | Audit Logs - Admin Activity | :white_check_mark: | T1578 |
| 3.21 | Cloud SQL databases created, modified or deleted | Audit Logs - Admin Activity | :white_check_mark: | T1578 |
| <div id="cloud-workload-usage">4</div> | :cloud: Cloud Workload Usage | | | |
| 4.01 | Unusually high API usage by any user identity | Audit Logs | :white_check_mark: :white_check_mark: | T1106 |
| 4.10 | Autoscaling usage in the past month | Audit Logs - Admin Activity | :white_check_mark: | T1496 |
| 4.11 | Autoscaling usage per day in the past month | Audit Logs - Admin Activity | :white_check_mark: | T1496 |
| 4.20 | Resource access by certain user identities in the past month | Audit Logs | :white_check_mark: | T1106 |
| 4.21 | Resource access by certain user identities in the past month (aggregated by day) | Audit Logs | :white_check_mark: | T1106 |
| 4.30 | Which users most frequently used LLM models? | Audit Logs - Data Access | :white_check_mark: :white_check_mark: | T1496, AML.T0051, AML.T0057 |
| 4.31 | Usage of LLM models over time | Audit Logs - Data Access | :white_check_mark: :white_check_mark: | T1496, AML.T0051, AML.T0057 |
| <div id="data-usage">5</div> | :droplet: Data Usage | | | |
| 5.01 | Which users most frequently accessed data in the past week? | Audit Logs - Data Access | :white_check_mark: | T1530 |
| 5.02 | Which users accessed the most data in the past week? | Audit Logs - Data Access | :white_check_mark: | T1530 |
| 5.03 | How much data was accessed by each user per day in the past week? | Audit Logs - Data Access | :white_check_mark: | T1530 |
| 5.04 | Which users accessed data in a given table in the past month? | Audit Logs - Data Access | :white_check_mark: | T1078.004 |
| 5.05 | What tables are most frequently accessed and by whom? | Audit Logs - Data Access | :white_check_mark: | T1530 |
| 5.06 | Top 10 queries against BigQuery in the past week | Audit Logs - Data Access | :white_check_mark: | T1530 |
| 5.07 | Any queries doing very large scans? | Audit Logs - Data Access | :white_check_mark: :white_check_mark: | T1530 |
| 5.08 | Any destructive queries or jobs (i.e. update or delete)? | Audit Logs | :white_check_mark: :white_check_mark: | T1565.001 |
| 5.10 | Recent data read with granular access and permissions details | Audit Logs - Data Access | :white_check_mark: | T1074, T1213 |
| 5.11 | Recent dataset activity with granular permissions details | Audit Logs - Admin Activity | :white_check_mark: | T1074, T1213 |
| 5.20 | Most common data (and metadata) access actions in the past month | Audit Logs - Data Access | :white_check_mark: :white_check_mark: | T1530 |
| 5.30 | Cloud Storage buckets enumerated by unfamiliar user identities | Audit Logs - Data Access | :white_check_mark: :white_check_mark: | T1530 |
| 5.31 | Cloud Storage objects accessed from a new IP | Audit Logs - Data Access | :white_check_mark: :white_check_mark: | T1530 |
| <div id="network-activity">6</div> | :zap: Network Activity | | | |
| 6.01 | Hosts reaching out to many other hosts or ports per hour | VPC Flow Logs | :white_check_mark: :white_check_mark: | T1046 |
| 6.10 | Connections from a new IP to an in-scope network | VPC Flow Logs | :white_check_mark: :white_check_mark: | T1018 |
| 6.15 | List all IP addresses with any associated entities | VPC Flow Logs | :white_check_mark: | T1018, T1046 |
| 6.20 | Connections blocked by Cloud Armor | HTTP(S) LB Logs | :white_check_mark: :white_check_mark: | T1071 |
| 6.21 | Log4j 2 vulnerability exploit attempts | HTTP(S) LB Logs | :white_check_mark: | T1190 |
| 6.22 | Any remote IP addresses attempting to exploit Log4j 2 vulnerability? | HTTP(S) LB Logs | :white_check_mark: | T1190 |
| 6.23 | Spring4Shell vulnerability exploit attempts (CVE-2022-22965) | HTTP(S) LB Logs | :white_check_mark: | T1190 |
| 6.30 | Virus or malware detected by Cloud IDS | Cloud IDS Threat Logs | :white_check_mark: | T1059 |
| 6.31 | Traffic sessions of high severity threats detected by Cloud IDS | Cloud IDS Threat Logs, Cloud IDS Traffic Logs | :white_check_mark: | T1071 |
| 6.40 | Top 10 DNS queried domains | Cloud DNS Logs | :white_check_mark: :white_check_mark: | T1071.004 |

Dataform for CSA on BigQuery

The dataform folder contains the Dataform repo to automate deployment of CSA queries in BigQuery for optimized performance and cost. Use this Dataform repo to operationalize CSA use cases as reports and alerts powered by BigQuery. This Dataform project deploys and orchestrates pre-built ELT pipelines that filter, normalize and model log data, leveraging incremental summary tables, lookup tables and views for fast, cost-effective and simpler querying. See the underlying README for more details.
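To show what a CSA-style audit query over a BigQuery log sink looks like in practice, here is an added example for use case 3.12 (firewall rules modified or deleted in the last 24 hours). It is not a query from the CSA repository or its Dataform pipelines; it is written against the standard Cloud Audit Logs export schema (the `cloudaudit_googleapis_com_activity` table that a Logging sink creates in BigQuery). The dataset path `my_project.my_log_dataset` is a placeholder, and the method-name pattern is an assumption chosen for this illustration.

```sql
-- Added example (not CSA's own query): Admin Activity audit events that
-- changed or removed a VPC firewall rule in the last 24 hours.
-- Replace `my_project.my_log_dataset` with your own sink dataset.
SELECT
  timestamp,
  protopayload_auditlog.authenticationInfo.principalEmail AS principal,
  protopayload_auditlog.requestMetadata.callerIp          AS caller_ip,
  protopayload_auditlog.methodName                        AS method,
  protopayload_auditlog.resourceName                      AS firewall_rule,
  resource.labels.project_id                              AS project_id
FROM `my_project.my_log_dataset.cloudaudit_googleapis_com_activity`
WHERE
  -- Restrict the scan window first; on a timestamp-partitioned sink table
  -- this also prunes partitions and keeps the query cheap.
  timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 DAY)
  AND resource.type = 'gce_firewall_rule'
  -- Assumed pattern: match patch/update/delete calls on any Compute API
  -- surface (e.g. v1.compute.firewalls.patch, beta.compute.firewalls.delete).
  AND REGEXP_CONTAINS(
        protopayload_auditlog.methodName,
        r'compute\.firewalls\.(patch|update|delete)$')
ORDER BY timestamp DESC;
```

Reviewing the result set, a defender would look at `principal` and `caller_ip` for changes made by identities or networks not expected to manage firewall rules; the Dataform approach described above takes the same logic and materializes it incrementally rather than re-scanning raw log tables on every run.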

CI/CD for CSA on Google Security Operations

The cicd folder contains a set of scripts to help you store CSA YARA-L detection rules as code and test and deploy the updates you and your team make in an automated fashion. Whether you use GitHub Actions, Google Cloud Build or Azure DevOps, you can use the corresponding scripts to automatically test and deploy new or modified rules into your Google Security Operations instance. See the underlying README for more details.

Support

This is not an officially supported Google product. Queries, rules and other assets in Community Security Analytics (CSA) are community-supported. Please don't hesitate to open a GitHub issue if you have a question or a feature request.

Contributions are also welcome via GitHub pull requests if you have fixes or enhancements to source code or docs. Please refer to our Contributing guidelines.

Copyright & License

Copyright 2022 Google LLC

Queries, rules and other assets under Community Security Analytics (CSA) are licensed under the Apache License, v2.0. Details can be found in the LICENSE file.