| # | Use Case | Log Source | SQL | YARA-L | MITRE ATT&CK |
|---|----------|------------|:---:|:------:|--------------|
| **1** | **🚦 Login & Access Patterns** | | | | |
| 1.01 | Login from a highly-privileged account | Workspace Login Audit (Cloud Identity Logs) | | ✅ | T1078.004 |
| 1.02 | Suspicious login attempt flagged by Google Workspace | Workspace Login Audit (Cloud Identity Logs) | | ✅ | T1078.004 |
| 1.03 | Excessive login failures from any user identity | Workspace Login Audit (Cloud Identity Logs) | | ✅ | T1078.004, T1110 |
| 1.10 | Access attempts violating VPC Service Controls | Audit Logs - Policy | ✅ | ✅ | T1078.004, T1537 |
| 1.20 | Access attempts violating IAP (BeyondCorp) access controls | HTTP(S) LB Logs | ✅ | ✅ | |
| 1.30 | Cloud Console accesses | Audit Logs - Data Access | ✅ | | T1078.004 |
| **2** | **🔑 IAM, Keys & Secrets Changes** | | | | |
| 2.02 | User added to a highly-privileged Google Group | Workspace Admin Audit | ✅ | ✅ | T1078.004, T1484.001 |
| 2.20 | Permissions granted over a Service Account | Audit Logs - Admin Activity | ✅ | ✅ | T1484.002 |
| 2.21 | Permissions granted to impersonate a Service Account | Audit Logs - Admin Activity | ✅ | ✅ | T1484.002 |
| 2.22 | Permissions granted to create or manage Service Account keys | Audit Logs - Admin Activity | ✅ | ✅ | T1484.002 |
| 2.30 | Service accounts or keys created by a non-approved identity | Audit Logs - Admin Activity | ✅ | ✅ | T1136.003 |
| 2.40 | User access added to (or removed from) IAP-protected HTTPS services | Audit Logs - Admin Activity | ✅ | ✅ | T1484.002 |
| **3** | **🏗️ Cloud Provisioning Activity** | | | | |
| 3.01 | Changes made to logging settings | Audit Logs - Admin Activity | ✅ | ✅ | T1562.008 |
| 3.02 | VPC Flow Logs disabled | Audit Logs - Admin Activity | | ✅ | T1562.008 |
| 3.11 | Unusual number of firewall rules modified in the last 7 days | Audit Logs - Admin Activity | | ✅ | T1562.007 |
| 3.12 | Firewall rules modified or deleted in the last 24 hours | Audit Logs - Admin Activity | ✅ | ✅ | T1562.007 |
| 3.13 | VPN tunnels created or deleted | Audit Logs - Admin Activity | ✅ | ✅ | T1133 |
| 3.14 | DNS zones modified or deleted | Audit Logs - Admin Activity | ✅ | ✅ | T1578 |
| 3.15 | Cloud Storage buckets modified or deleted by unfamiliar user identities | Audit Logs - Admin Activity | ✅ | ✅ | T1578 |
| 3.20 | VMs deleted in the last 7 days | Audit Logs - Admin Activity | ✅ | | T1578 |
| 3.21 | Cloud SQL databases created, modified or deleted | Audit Logs - Admin Activity | ✅ | | T1578 |
| **4** | **☁️ Cloud Workload Usage** | | | | |
| 4.01 | Unusually high API usage by any user identity | Audit Logs | ✅ | ✅ | T1106 |
| 4.10 | Autoscaling usage in the past month | Audit Logs - Admin Activity | ✅ | | T1496 |
| 4.11 | Autoscaling usage per day in the past month | Audit Logs - Admin Activity | ✅ | | T1496 |
| 4.20 | Resource access by certain user identities in the past month | Audit Logs | ✅ | | T1106 |
| 4.21 | Resource access by certain user identities in the past month (aggregated by day) | Audit Logs | ✅ | | T1106 |
| 4.30 | Which users most frequently used LLM models? | Audit Logs - Data Access | ✅ | ✅ | T1496, AML.T0051, AML.T0057 |
| 4.31 | Usage of LLM models over time | Audit Logs - Data Access | ✅ | ✅ | T1496, AML.T0051, AML.T0057 |
| **5** | **💧 Data Usage** | | | | |
| 5.01 | Which users most frequently accessed data in the past week? | Audit Logs - Data Access | ✅ | | T1530 |
| 5.02 | Which users accessed the most data in the past week? | Audit Logs - Data Access | ✅ | | T1530 |
| 5.03 | How much data was accessed by each user per day in the past week? | Audit Logs - Data Access | ✅ | | T1530 |
| 5.04 | Which users accessed data in a given table in the past month? | Audit Logs - Data Access | ✅ | | T1078.004 |
| 5.05 | Which tables are most frequently accessed, and by whom? | Audit Logs - Data Access | ✅ | | T1530 |
| 5.06 | Top 10 queries against BigQuery in the past week | Audit Logs - Data Access | ✅ | | T1530 |
| 5.07 | Any queries doing very large scans? | Audit Logs - Data Access | ✅ | ✅ | T1530 |
| 5.08 | Any destructive queries or jobs (e.g., UPDATE or DELETE)? | Audit Logs | ✅ | ✅ | T1565.001 |
| 5.10 | Recent data reads with granular access and permission details | Audit Logs - Data Access | ✅ | | T1074, T1213 |
| 5.11 | Recent dataset activity with granular permission details | Audit Logs - Admin Activity | ✅ | | T1074, T1213 |
| 5.20 | Most common data (and metadata) access actions in the past month | Audit Logs - Data Access | ✅ | ✅ | T1530 |
| 5.30 | Cloud Storage buckets enumerated by unfamiliar user identities | Audit Logs - Data Access | ✅ | ✅ | T1530 |
| 5.31 | Cloud Storage objects accessed from a new IP | Audit Logs - Data Access | ✅ | ✅ | T1530 |
| **6** | **⚡ Network Activity** | | | | |
| 6.01 | Hosts reaching out to many other hosts or ports per hour | VPC Flow Logs | ✅ | ✅ | T1046 |
| 6.10 | Connections from a new IP to an in-scope network | VPC Flow Logs | ✅ | ✅ | T1018 |
| 6.15 | List all IP addresses with any associated entities | VPC Flow Logs | ✅ | | T1018, T1046 |
| 6.20 | Connections blocked by Cloud Armor | HTTP(S) LB Logs | ✅ | ✅ | T1071 |
| 6.21 | Log4j 2 vulnerability exploit attempts (CVE-2021-44228) | HTTP(S) LB Logs | | ✅ | T1190 |
| 6.22 | Any remote IP addresses attempting to exploit the Log4j 2 vulnerability? | HTTP(S) LB Logs | | ✅ | T1190 |
| 6.23 | Spring4Shell vulnerability exploit attempts (CVE-2022-22965) | HTTP(S) LB Logs | | ✅ | T1190 |
| 6.30 | Virus or malware detected by Cloud IDS | Cloud IDS Threat Logs | | ✅ | T1059 |
| 6.31 | Traffic sessions of high-severity threats detected by Cloud IDS | Cloud IDS Threat Logs, Cloud IDS Traffic Logs | | ✅ | T1071 |
| 6.40 | Top 10 DNS queried domains | Cloud DNS Logs | ✅ | ✅ | T1071.004 |
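The catalogue above names each detection but not the logic behind it. As an added example that is not part of the original page or of the project's own SQL/YARA-L queries, the Python below runs three of the use cases over newline-delimited Cloud Logging `LogEntry` JSON: 1.03 (excessive login failures, T1110), 2.20–2.22 (risky role grants on a service account, read from the `SetIamPolicy` binding deltas) and 5.07 (very large BigQuery scans, read from `BigQueryAuditMetadata.jobChange`). The field paths follow the public Cloud Audit Log, Workspace login audit and BigQuery audit metadata shapes; the sample entries, principals, project names, the 5-failures-in-10-minutes threshold and the 1 TiB scan threshold are constructed assumptions for the demo.

```python
"""Three CSA-style detections over constructed Cloud Logging JSON (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Roles whose ADD lets a principal mint keys for, impersonate or act as a service account
# (covers use cases 2.20, 2.21 and 2.22). Assumed watch-list; tune to your org.
RISKY_SA_ROLES = {
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountAdmin",
    "roles/owner",
}


def load_entries(jsonl):
    """Parse newline-delimited LogEntry JSON as written by a Cloud Logging sink."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ts(entry):
    # Cloud Logging timestamps are RFC 3339 with a trailing Z (fractional seconds optional).
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def _principal(entry):
    return entry["protoPayload"]["authenticationInfo"]["principalEmail"]


def excessive_login_failures(entries, threshold=5, window=timedelta(minutes=10)):
    """1.03: principals with >= threshold login_failure events inside a sliding window.
    Returns {principal: max failures seen in any one window}."""
    failures = defaultdict(list)
    for e in entries:
        events = e["protoPayload"].get("metadata", {}).get("event", [])
        if any(ev.get("eventName") == "login_failure" for ev in events):
            failures[_principal(e)].append(_ts(e))
    hits = {}
    for principal, times in failures.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # slide the window start forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[principal] = max(hits.get(principal, 0), count)
    return hits


def risky_iam_grants(entries):
    """2.20-2.22: SetIamPolicy calls whose policy delta ADDs a role from RISKY_SA_ROLES.
    The IAM admin API spells it 'SetIAMPolicy', Resource Manager 'SetIamPolicy'."""
    findings = []
    for e in entries:
        pp = e["protoPayload"]
        if not pp.get("methodName", "").lower().endswith("setiampolicy"):
            continue
        deltas = pp.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") == "ADD" and d.get("role") in RISKY_SA_ROLES:
                findings.append({"actor": _principal(e), "member": d.get("member"),
                                 "role": d["role"], "resource": pp.get("resourceName")})
    return findings


def large_bigquery_scans(entries, min_bytes=1 << 40):
    """5.07: completed BigQuery jobs billed at least min_bytes (default 1 TiB)."""
    findings = []
    for e in entries:
        job = e["protoPayload"].get("metadata", {}).get("jobChange", {}).get("job")
        if not job or job.get("jobStatus", {}).get("jobState") != "DONE":
            continue
        billed = int(job.get("jobStats", {}).get("queryStats", {}).get("totalBilledBytes", 0))
        if billed >= min_bytes:
            findings.append({"principal": _principal(e), "billed_bytes": billed,
                             "query": job.get("jobConfig", {}).get("queryConfig", {}).get("query")})
    return findings


# ---- constructed sample log (not real data) -------------------------------------------
def _login_failure(who, ts):
    return {"timestamp": ts, "protoPayload": {
        "methodName": "google.login.LoginService.loginFailure",
        "authenticationInfo": {"principalEmail": who},
        "metadata": {"event": [{"eventName": "login_failure"}]}}}


def _bq_job(who, ts, query, billed):
    return {"timestamp": ts, "protoPayload": {
        "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
        "authenticationInfo": {"principalEmail": who},
        "metadata": {"jobChange": {"after": "DONE", "job": {
            "jobConfig": {"queryConfig": {"query": query}},
            "jobStatus": {"jobState": "DONE"},
            "jobStats": {"queryStats": {"totalBilledBytes": str(billed)}}}}}}}


SAMPLE_JSONL = "\n".join(json.dumps(e) for e in (
    [_login_failure("alice@example.com", f"2024-05-01T10:00:{s:02d}Z") for s in (5, 17, 29, 41, 53, 59)]
    + [_login_failure("bob@example.com", "2024-05-01T09:00:00Z"),      # two failures, hours apart
       _login_failure("bob@example.com", "2024-05-01T11:00:00Z")]
    + [{"timestamp": "2024-05-01T12:00:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.SetIAMPolicy",
        "resourceName": "projects/-/serviceAccounts/deploy@example-proj.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "mallory@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/iam.serviceAccountKeyAdmin", "member": "user:mallory@example.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}},
       _bq_job("dave@example.com", "2024-05-01T13:00:00Z", "SELECT * FROM `example-proj.pii.customers`", 2 << 40),
       _bq_job("erin@example.com", "2024-05-01T13:05:00Z", "SELECT COUNT(*) FROM `example-proj.app.events`", 10_000_000)]
))

if __name__ == "__main__":
    entries = load_entries(SAMPLE_JSONL)
    print("1.03 excessive login failures:", excessive_login_failures(entries))
    print("2.2x risky SA grants:", risky_iam_grants(entries))
    print("5.07 large scans:", large_bigquery_scans(entries))
```

The three functions mirror what the SQL and YARA-L versions do with `GROUP BY`/sliding windows, `UNNEST(bindingDeltas)` and `totalBilledBytes`: the point worth carrying over is that the IAM check keys on the policy delta (what was added) rather than on the method name alone, and that the scan check reads the billed-bytes figure from the completed-job event, not from the job insert.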