| # | Use case | Log source | | | | ATT&CK |
|---|---|---|---|---|---|---|
| **1** | **🚦 Login & Access Patterns** | | | | | |
| 1.01 | Login from a highly-privileged account | Cloud Identity Logs (Google Workspace Login) | | ✅ | | T1078.004 |
| 1.02 | Suspicious login attempt flagged by Google Workspace | Cloud Identity Logs (Google Workspace Login) | | ✅ | | T1078.004 |
| 1.03 | Excessive login failures from any user identity | Cloud Identity Logs (Google Workspace Login) | | ✅ | | T1078.004, T1110 |
| 1.10 | Access attempts violating VPC Service Controls | Audit Logs - Policy | ✅ | ✅ | | |
| 1.20 | Access attempts violating IAP (i.e. BeyondCorp) access controls | HTTP(S) Load Balancer Logs | ✅ | ✅ | | |
| **2** | **🔑 IAM, Keys & Secrets Changes** | | | | | |
| 2.01 | Super admin or Admin permissions granted | Audit Logs - Admin Activity (Google Workspace Admin) | ✅ | ✅ | | T1484.001 |
| 2.10 | Organization admin permissions granted | Audit Logs - Admin Activity | ✅ | ✅ | | T1484.002 |
| 2.11 | Permissions granted to a user from a non-allowed domain | Audit Logs - Admin Activity | ✅ | ✅ | | T1484.002 |
| 2.20 | Permissions granted over a Service Account | Audit Logs - Admin Activity | ✅ | ✅ | | T1484.002 |
| 2.21 | Permissions granted to impersonate a Service Account | Audit Logs - Admin Activity | ✅ | ✅ | | T1484.002 |
| 2.22 | Permissions granted to create or manage Service Account keys | Audit Logs - Admin Activity | ✅ | ✅ | | T1484.002 |
| 2.30 | Service accounts or keys created by a non-approved identity | Audit Logs - Admin Activity | ✅ | ✅ | | T1136.003 |
| 2.40 | User access added to (or removed from) IAP-protected HTTPS services | Audit Logs - Admin Activity | ✅ | ✅ | | T1484.002 |
| **3** | **🏗️ Cloud Provisioning Activity** | | | | | |
| 3.01 | Changes made to logging settings | Audit Logs - Admin Activity | ✅ | ✅ | | T1562.008 |
| 3.10 | Unusual admin activity by user & country in the last 7 days | Audit Logs - Admin Activity | | ✅ | | |
| 3.11 | Unusual number of firewall rules modified in the last 7 days | Audit Logs - Admin Activity | | ✅ | | T1562.007 |
| 3.12 | Firewall rules modified or deleted in the last 24 hours | Audit Logs - Admin Activity | ✅ | ✅ | | T1562.007 |
| 3.13 | VPN tunnels created or deleted | Audit Logs - Admin Activity | ✅ | ✅ | | T1133 |
| 3.14 | DNS zones modified or deleted | Audit Logs - Admin Activity | ✅ | ✅ | | T1578 |
| 3.15 | Cloud Storage buckets modified or deleted by unfamiliar user identities | Audit Logs - Admin Activity | ✅ | ✅ | | T1578 |
| 3.20 | VMs deleted in the last 7 days | Audit Logs - Admin Activity | ✅ | | | T1578 |
| 3.21 | Cloud SQL databases created, modified or deleted | Audit Logs - Admin Activity | ✅ | | | T1578 |
| **4** | **☁️ Cloud Workload Usage** | | | | | |
| 4.01 | Unusually high API usage by any user identity | Audit Logs | ✅ | ✅ | | T1106 |
| 4.10 | Autoscaling usage in the past month | Audit Logs - Admin Activity | ✅ | | | T1496 |
| 4.11 | Autoscaling usage per day in the past month | Audit Logs - Admin Activity | ✅ | | | T1496 |
| **5** | **💧 Data Usage** | | | | | |
| 5.01 | Which users most frequently accessed data in the past week? | Audit Logs - Data Access | ✅ | | | T1530 |
| 5.02 | Which users accessed the most data in the past week? | Audit Logs - Data Access | ✅ | | | T1530 |
| 5.03 | How much data was accessed by each user per day in the past week? | Audit Logs - Data Access | ✅ | | | T1530 |
| 5.04 | Which users accessed data in a given table in the past month? | Audit Logs - Data Access | ✅ | | ✅ | T1078.004 |
| 5.05 | Which tables are most frequently accessed, and by whom? | Audit Logs - Data Access | ✅ | | | T1530 |
| 5.06 | Top 10 queries against BigQuery in the past week | Audit Logs - Data Access | ✅ | | | T1530 |
| 5.07 | Any queries doing very large scans? | Audit Logs - Data Access | ✅ | ✅ | | T1530 |
| 5.08 | Any destructive queries or jobs (i.e. update or delete)? | Audit Logs | ✅ | ✅ | | T1565.001 |
| 5.09 | Any exfiltration queries or jobs (i.e. copy or export)? | Audit Logs - Data Access | ✅ | ✅ | | T1530 |
| 5.20 | Most common data (and metadata) access actions in the past month | Audit Logs - Data Access | ✅ | ✅ | | T1530 |
| 5.30 | Cloud Storage buckets enumerated by unfamiliar user identities | Audit Logs - Data Access | ✅ | ✅ | | T1530 |
| 5.31 | Cloud Storage objects accessed from a new IP | Audit Logs - Data Access | ✅ | ✅ | | T1530 |
| **6** | **⚡ Network Activity** | | | | | |
| 6.01 | Hosts reaching out to many other hosts or ports per hour | VPC Flow Logs | ✅ | ✅ | | T1046 |
| 6.10 | Connections from a new IP to an in-scope network | VPC Flow Logs | ✅ | ✅ | ✅ | T1018 |
| 6.11 | Connections to a malicious IP | VPC Flow Logs | | ✅ | ✅ | T1071 |
| 6.20 | Connections blocked by Cloud Armor | HTTP(S) LB Logs | ✅ | ✅ | | T1071 |
| 6.21 | Log4j 2 vulnerability exploit attempts | HTTP(S) LB Logs | | ✅ | | T1190 |
| 6.22 | Any remote IP addresses attempting to exploit the Log4j 2 vulnerability? | HTTP(S) LB Logs | | ✅ | | T1190 |
| 6.30 | Virus or malware detected by Cloud IDS | Cloud IDS Threat Logs | | ✅ | | T1059 |
| 6.31 | Traffic sessions of high-severity threats detected by Cloud IDS | Cloud IDS Threat Logs, Cloud IDS Traffic Logs | | ✅ | | T1071 |
| 6.40 | Top 10 DNS queried domains | Cloud DNS Logs | ✅ | ✅ | | T1071.004 |