As organizations go through the Autonomic Security modernization journey, this repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud. These may assist detection engineers, threat hunters and data governance analysts.
CSA is a set of foundational security analytics designed to provide organizations with a rich baseline of pre-built queries and rules that they can readily use to start analyzing their Google Cloud logs including Cloud Audit logs, VPC Flow logs, DNS logs, and more using cloud-native or third-party analytics tools. The source code is provided as is, without warranty. See Copyright & License below.
Current release include:
The security use cases below are grouped in 6 categories depending on underlying activity type and log sources:
- 🚦 Login & Access Patterns
- 🔑 IAM, Keys & Secrets Admin Activity
- 🏗️ Cloud Provisoning Activity
- ☁️ Cloud Workload Usage
- 💧 Data Usage
- ⚡ Network Activity
To learn more about the variety of Google Cloud logs, how to enable and natively export these logs to destinations like Chronicle or BigQuery for in-depth analytics, refer to Google Cloud Security and access analytics solution guide.
Caution: CSA is not meant to be a comprehensive set of threat detections, but a collection of community-contributed samples to get you started with detective controls. Use CSA in your threat detection and response capabilities (e.g. Security Command Center, Chronicle, BigQuery, Siemplify, or third-party SIEM) in conjunction with threat prevention capabilities (e.g. Security Command Center, Cloud Armor, BeyondCorp). To learn more about Google’s approach to modern Security Operations, check out the Autonomic Security Operations whitepaper.
Copyright 2022 Google LLC
Threat detection queries & rules under Threat Detections As Code are licensed under the Apache license, v2.0. Details can be found in LICENSE file.