GCP Auditlog Falco rules

Total 51 rules.

APIKEYS

GCP Create API Keys for a Project

Detect creation of API keys for a project.

cloud gcp gcp_apikeys cis_controls_16 cis_gcp_1.12

AUDITLOG

GCP Data Access Log Disabled

Detect disabling of a data access log.

cloud gcp gcp_auditlog mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1562-impair-defenses mitre_T1562.008-disable-cloud-logs

GCP Data Access Log Enabled

Detect enabling of a data access log.

cloud gcp gcp_auditlog mitre_TA0009-collection mitre_T1530-data-from-cloud-storage-object

CLOUDFUNCTIONS

GCP Create Cloud Function

Detect creation of a Cloud function.

cloud gcp gcp_cloudfunctions mitre_TA0003-persistence

GCP Create Cloud Function Not Using Latest Runtime

Detect creation of a Cloud Function using an old or deprecated runtime.

cloud gcp gcp_cloudfunctions mitre_T1190-exploit-public-facing-application

GCP Update Cloud Function

Detect updates to a Cloud Function.

cloud gcp gcp_cloudfunctions mitre_TA0003-persistence mitre_T1496-resource-hijacking

CLOUDRESOURCEMANAGER

GCP Invitation Sent to Non-corporate Account

Detect sending an invitation to an account that is not an allowed corporate account.

cloud gcp gcp_cloudresourcemanager cis_controls_16.2 cis_gcp_1.1 mitre_T1136-create-account

DNS

GCP Create or Patch DNS Zone without DNSSEC

Detect creation of a DNS zone with DNSSEC disabled or a modification of a DNS zone to disable DNSSEC.

cloud gcp gcp_dns cis_controls_11.1 cis_gcp_3.3

GCE

GCP Describe Instance

Detect a request that describes (retrieves the configuration of) the specified GCE instance.

cloud gcp gcp_gce

IAM

GCP Add Admin Privileges to Service Account

Detect addition of administrative privileges to a service account.

cloud gcp gcp_iam cis_controls_16 cis_gcp_1.5 mitre_T1098-account-manipulation mitre_T1098.001-additional-cloud-credentials

GCP Add Service Account Token Creator or Service Account User Roles to User

Detect adding the "Service Account Token Creator" or "Service Account User" role to a user.

cloud gcp gcp_iam cis_controls_14.6 cis_controls_16 cis_gcp_1.6

GCP Create GCP-managed Service Account Key

Detect creating an access key for a GCP-managed service account.

cloud gcp gcp_iam cis_controls_16 mitre_T1550-use-alternate-authentication-material

GCP Create User-managed Service Account Key

Detect creating an access key for a user-managed service account.

cloud gcp gcp_iam cis_controls_16 cis_gcp_1.4 mitre_T1550-use-alternate-authentication-material

GCP Operation by a Non-corporate Account

Detect execution of an operation by a non-corporate account.

cloud gcp gcp_iam cis_controls_16.2 cis_gcp_1.1

GCP Super Admin Executing Command

Detect a super admin executing a GCP command.

cloud gcp gcp_iam
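
The detection logic behind the IAM rules above and the Cloud Resource Manager invitation rule, written out in Python as an added example rather than in Falco's own YAML rule syntax (this is not Falco's or Sysdig's code). It walks the protoPayload of Cloud Audit Log entries: principalEmail for who acted, methodName for what was called, and serviceData.policyDelta.bindingDeltas for what a SetIamPolicy call granted. The corporate domain list, the super-admin list, the "role name ends in admin" heuristic and the sample entries are assumptions made for illustration.

```python
# Added example (not Falco's own rule code): checks behind the IAM rules and the
# "Invitation Sent to Non-corporate Account" rule, over constructed log entries.
ALLOWED_DOMAINS = {"example.com"}                 # assumption: corporate domains
SUPER_ADMINS = {"admin@example.com"}               # assumption: known super admins
ADMIN_ROLES = {"roles/owner", "roles/editor"}      # primitive roles counted as admin
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}


def binding_deltas(payload):
    """Role bindings added/removed by a SetIamPolicy call (serviceData.policyDelta)."""
    return payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])


def is_admin_role(role):
    """Owner/editor, or any predefined role whose name ends in 'admin' (heuristic)."""
    return role in ADMIN_ROLES or role.lower().endswith("admin")


def is_corporate(email):
    """Only human principals are checked against the corporate domains; service
    accounts are Google-managed identities and are left to the other rules."""
    if email.endswith(".gserviceaccount.com"):
        return True
    return email.rpartition("@")[2] in ALLOWED_DOMAINS


def evaluate_iam_entry(entry):
    """Return the IDs of the rules one audit-log entry triggers, in check order."""
    payload = entry.get("protoPayload", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    method = payload.get("methodName", "")
    hits = []

    if principal and not is_corporate(principal):
        hits.append("iam_operation_by_non_corporate_account")
    if principal in SUPER_ADMINS:
        hits.append("iam_super_admin_executing_command")
    if method == "google.iam.admin.v1.CreateServiceAccountKey":
        hits.append("iam_create_user_managed_sa_key")

    if method == "SetIamPolicy":
        for delta in binding_deltas(payload):
            if delta.get("action") != "ADD":
                continue
            role, member = delta.get("role", ""), delta.get("member", "")
            kind, _, email = member.partition(":")   # e.g. "user:bob@example.com"
            if kind == "serviceAccount" and is_admin_role(role):
                hits.append("iam_admin_privileges_to_service_account")
            if kind == "user" and role in IMPERSONATION_ROLES:
                hits.append("iam_token_creator_or_sa_user_to_user")
            if kind == "user" and not is_corporate(email):
                hits.append("crm_invitation_to_non_corporate_account")
    return hits


# Constructed sample entries (not real logs), trimmed to the fields used above.
IAM_SAMPLES = [
    {"protoPayload": {   # editor to a service account, SA User to a corporate user
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/editor",
             "member": "serviceAccount:ci@proj.iam.gserviceaccount.com"},
            {"action": "ADD", "role": "roles/iam.serviceAccountUser",
             "member": "user:bob@example.com"}]}}}},
    {"protoPayload": {   # a personal Gmail identity mints a service-account key
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "mallory@gmail.com"}}},
    {"protoPayload": {   # a super admin invites an external contractor as viewer
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer",
             "member": "user:contractor@gmail.com"}]}}}},
    {"protoPayload": {   # routine read by a service account: nothing to flag
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.list",
        "authenticationInfo": {
            "principalEmail": "runner@proj.iam.gserviceaccount.com"}}},
]

if __name__ == "__main__":
    for sample in IAM_SAMPLES:
        print(sample["protoPayload"]["methodName"], "->", evaluate_iam_entry(sample))
```

Two things to keep in mind when turning this into production rules: the "ends in admin" role heuristic catches `roles/compute.admin` but not roles such as `roles/iam.securityAdmin` spelled differently in your org's custom roles, so maintain an explicit list; and a SetIamPolicy entry records the whole delta, so one call can trigger several of these rules at once, as the first sample shows.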

LOGGING

GCP Update, Disable or Delete Sink

Detect the updating, disabling or deletion of a sink.

cloud gcp gcp_logging cis_controls_6.2 cis_controls_6.4 cis_gcp_2.2

MONITORING

GCP Monitoring Alert Deleted

Detect deletion of an alert.

cloud gcp gcp_monitoring mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools mitre_T1562-impair-defenses mitre_T1562.008-disable-cloud-logs

GCP Monitoring Alert Updated

Detect updating of an alert.

cloud gcp gcp_monitoring mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
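
The AUDITLOG, LOGGING and MONITORING rules above all watch for an attacker turning off the telemetry that the other rules depend on. As an added example (not Falco's own rule code), the following Python shows the signals those rules key on: Data Access logging is part of the project IAM policy's auditConfigs, so its removal surfaces as a SetIamPolicy whose policyDelta carries auditConfigDeltas; sinks and alert policies are changed through the Logging and Monitoring APIs whose method names appear in protoPayload.methodName. The auditConfigDeltas path, the sink `disabled` field location and the sample entries are assumptions about the logged request shape.

```python
# Added example (not Falco's own rule code): checks behind the AUDITLOG,
# LOGGING and MONITORING rules, run over constructed audit-log entries.
SINK_METHODS = {
    "google.logging.v2.ConfigServiceV2.UpdateSink",
    "google.logging.v2.ConfigServiceV2.DeleteSink",
}
ALERT_METHODS = {
    "google.monitoring.v3.AlertPolicyService.DeleteAlertPolicy": "monitoring_alert_deleted",
    "google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy": "monitoring_alert_updated",
}


def audit_config_deltas(payload):
    """Data Access audit-config changes carried by a SetIamPolicy call (assumed path)."""
    return payload.get("serviceData", {}).get("policyDelta", {}).get("auditConfigDeltas", [])


def evaluate_telemetry_entry(entry):
    """Return the IDs of the rules one audit-log entry triggers, in check order."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    hits = []

    # Data Access logs are toggled through the IAM policy's auditConfigs, so the
    # signal is a SetIamPolicy whose delta removes (or adds) a log type.
    if method == "SetIamPolicy":
        actions = {d.get("action") for d in audit_config_deltas(payload)}
        if "REMOVE" in actions:
            hits.append("auditlog_data_access_log_disabled")
        if "ADD" in actions:
            hits.append("auditlog_data_access_log_enabled")

    if method in SINK_METHODS:
        hits.append("logging_sink_updated_disabled_or_deleted")
        # An UpdateSink that flips 'disabled' silences export without deleting
        # the sink; it is worth its own ID when triaging.
        if payload.get("request", {}).get("sink", {}).get("disabled") is True:
            hits.append("logging_sink_disabled")

    if method in ALERT_METHODS:
        hits.append(ALERT_METHODS[method])
    return hits


# Constructed sample entries (not real logs).
TELEMETRY_SAMPLES = [
    {"protoPayload": {   # removes DATA_READ/DATA_WRITE logging for all services
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "serviceData": {"policyDelta": {"auditConfigDeltas": [
            {"action": "REMOVE", "service": "allServices", "logType": "DATA_READ"},
            {"action": "REMOVE", "service": "allServices", "logType": "DATA_WRITE"}]}}}},
    {"protoPayload": {   # disables the sink that forwards logs to the SIEM
        "serviceName": "logging.googleapis.com",
        "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
        "request": {"sinkName": "projects/p/sinks/to-siem",
                    "sink": {"name": "to-siem", "disabled": True},
                    "updateMask": "disabled"}}},
    {"protoPayload": {   # deletes an alert policy
        "serviceName": "monitoring.googleapis.com",
        "methodName": "google.monitoring.v3.AlertPolicyService.DeleteAlertPolicy",
        "request": {"name": "projects/p/alertPolicies/123"}}},
    {"protoPayload": {   # ordinary role grant: no audit-config change
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:x@example.com"}]}}}},
]

if __name__ == "__main__":
    for sample in TELEMETRY_SAMPLES:
        print(sample["protoPayload"]["methodName"], "->", evaluate_telemetry_entry(sample))
```

These are the entries an attacker will try to produce last and an analyst should read first: if a sink to the SIEM is disabled, everything that follows in the project may never reach the detection pipeline, so ship this family of alerts over a path (for example a second sink to a separate project) that the same principal cannot edit.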

SQL

GCP Disable Automatic Backups for a Cloud SQL Instance

Detect that automatic backups have been disabled for a Cloud SQL instance.

cloud gcp gcp_sql cis_controls_10.1 cis_gcp_6.7

GCP Accept Incoming Connections from the World to a Cloud SQL Instance

Detect that 0.0.0.0/0 has been added as an authorized network to access a Cloud SQL instance.

cloud gcp gcp_sql cis_controls_13 cis_controls_14.6 cis_gcp_6.5

GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance

Detect that the requirement for all incoming connections to use SSL for a Cloud SQL instance has been disabled.

cloud gcp gcp_sql cis_controls_13 cis_controls_14.4 cis_controls_16.5 cis_gcp_6.4

GCP Set a Public IP for a Cloud SQL Instance

Detect that a public IP address has been set for a Cloud SQL instance.

cloud gcp gcp_sql cis_controls_13 cis_gcp_6.6

GCP Set local_infile Database Flag to On for a Cloud SQL MySQL Instance

Detect that the local_infile database flag for a Cloud SQL MySQL instance is set to on.

cloud gcp gcp_sql cis_controls_13 cis_gcp_6.1.2

GCP Set log_checkpoints Database Flag to Off for a Cloud SQL PostgreSQL Instance

Detect that the log_checkpoints database flag for a Cloud SQL PostgreSQL instance is set to off.

cloud gcp gcp_sql cis_controls_6.3 cis_gcp_6.2.1

GCP Set log_connections Database Flag to Off for a Cloud SQL PostgreSQL Instance

Detect that the log_connections database flag for a Cloud SQL PostgreSQL instance is set to off.

cloud gcp gcp_sql cis_controls_6.3 cis_gcp_6.2.2

GCP Set log_disconnections Database Flag to Off for a Cloud SQL PostgreSQL Instance

Detect that the log_disconnections database flag for a Cloud SQL PostgreSQL instance is set to off.

cloud gcp gcp_sql cis_controls_6.3 cis_gcp_6.2.3

GCP Set log_lock_waits Database Flag to Off for a Cloud SQL PostgreSQL Instance

Detect that the log_lock_waits database flag for a Cloud SQL PostgreSQL instance is set to off.

cloud gcp gcp_sql cis_controls_6.3 cis_gcp_6.2.4

GCP Set log_min_duration_statement Database Flag to Other Than -1 for a Cloud SQL PostgreSQL Instance

Detect that the log_min_duration_statement database flag for a Cloud SQL PostgreSQL instance is set to other than -1.

cloud gcp gcp_sql cis_controls_6.3 cis_gcp_6.2.7

GCP Set log_min_error_statement Database Flag to an Inappropriate Value for a Cloud SQL PostgreSQL Instance

Detect that the log_min_error_statement database flag for a Cloud SQL PostgreSQL instance is set to an inappropriate value.

cloud gcp gcp_sql cis_controls_6.3 cis_gcp_6.2.5

GCP Set log_temp_files Database Flag to Other Than Zero for a Cloud SQL PostgreSQL Instance

Detect that the log_temp_files database flag for a Cloud SQL PostgreSQL instance is set to other than zero.

cloud gcp gcp_sql cis_controls_6.3 cis_gcp_6.2.6

GCP Set contained database authentication Database Flag to On for a Cloud SQL SQL Server Instance

Detect that the contained database authentication database flag for a Cloud SQL SQL Server instance is set to on.

cloud gcp gcp_sql cis_controls_14.6 cis_gcp_6.3.2

GCP Set cross db ownership chaining Database Flag to On for a Cloud SQL SQL Server Instance

Detect that the cross db ownership chaining database flag for a Cloud SQL SQL Server instance is set to on.

cloud gcp gcp_sql cis_controls_14.6 cis_gcp_6.3.1
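
All fourteen SQL rules above inspect the same thing: the `settings` object sent to the Cloud SQL Admin API when an instance is created, updated or patched. As an added example (not Falco's own rule code), the Python below evaluates those checks over constructed audit-log entries and returns the rule IDs each one triggers. It generalises the individual rules into one table of database-flag checks. The request path `protoPayload.request.body.settings` is an assumption about how Cloud SQL logs the request body, the rule IDs are invented for this example, and "ERROR or stricter" as the appropriate range for log_min_error_statement follows CIS GCP 6.2.5.

```python
# Added example (not Falco's own rule code): checks behind the Cloud SQL rules,
# run over constructed cloudsql.instances.create/update/patch audit-log entries.
SQL_METHODS = {"cloudsql.instances.create", "cloudsql.instances.update",
               "cloudsql.instances.patch"}

# Database-flag checks: (flag name, predicate on the lower-cased value, rule id).
FLAG_RULES = [
    ("local_infile", lambda v: v == "on", "sql_mysql_local_infile_on"),
    ("log_checkpoints", lambda v: v == "off", "sql_pg_log_checkpoints_off"),
    ("log_connections", lambda v: v == "off", "sql_pg_log_connections_off"),
    ("log_disconnections", lambda v: v == "off", "sql_pg_log_disconnections_off"),
    ("log_lock_waits", lambda v: v == "off", "sql_pg_log_lock_waits_off"),
    ("log_min_duration_statement", lambda v: v != "-1",
     "sql_pg_log_min_duration_statement_not_minus_one"),
    # CIS GCP 6.2.5: ERROR or stricter is appropriate; anything looser is flagged.
    ("log_min_error_statement", lambda v: v not in {"error", "log", "fatal", "panic"},
     "sql_pg_log_min_error_statement_inappropriate"),
    ("log_temp_files", lambda v: v != "0", "sql_pg_log_temp_files_not_zero"),
    ("contained database authentication", lambda v: v == "on",
     "sql_mssql_contained_db_auth_on"),
    ("cross db ownership chaining", lambda v: v == "on",
     "sql_mssql_cross_db_ownership_chaining_on"),
]


def evaluate_sql_entry(entry):
    """Return the IDs of the SQL rules one audit-log entry triggers, in check order."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "cloudsql.googleapis.com":
        return []
    if payload.get("methodName") not in SQL_METHODS:
        return []
    # Assumed location of the logged request body.
    settings = payload.get("request", {}).get("body", {}).get("settings", {})
    hits = []

    if settings.get("backupConfiguration", {}).get("enabled") is False:
        hits.append("sql_automatic_backups_disabled")

    ip_cfg = settings.get("ipConfiguration", {})
    networks = [n.get("value", "") for n in ip_cfg.get("authorizedNetworks", [])]
    if "0.0.0.0/0" in networks:
        hits.append("sql_accept_connections_from_world")
    if ip_cfg.get("requireSsl") is False:
        hits.append("sql_ssl_not_required")
    if ip_cfg.get("ipv4Enabled") is True:
        hits.append("sql_public_ip_set")

    # Flags arrive as a list of {"name": ..., "value": ...}; values are strings.
    flags = {f.get("name"): str(f.get("value", "")).lower()
             for f in settings.get("databaseFlags", [])}
    for name, is_bad, rule_id in FLAG_RULES:
        if name in flags and is_bad(flags[name]):
            hits.append(rule_id)
    return hits


# Constructed sample entries (not real logs).
SQL_SAMPLES = [
    {"protoPayload": {   # opens the instance to the world, drops SSL and backups
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.patch",
        "request": {"body": {"settings": {
            "backupConfiguration": {"enabled": False},
            "ipConfiguration": {
                "ipv4Enabled": True, "requireSsl": False,
                "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}]}}}}}},
    {"protoPayload": {   # new PostgreSQL instance with weak logging flags
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.create",
        "request": {"body": {"databaseVersion": "POSTGRES_14", "settings": {
            "databaseFlags": [
                {"name": "log_connections", "value": "off"},
                {"name": "log_min_duration_statement", "value": "500"},
                {"name": "log_min_error_statement", "value": "warning"},
                {"name": "log_temp_files", "value": "0"}]}}}}},
    {"protoPayload": {   # SQL Server: contained database authentication on
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.patch",
        "request": {"body": {"settings": {"databaseFlags": [
            {"name": "contained database authentication", "value": "on"}]}}}}},
    {"protoPayload": {   # hardened patch: private IP, SSL required, internal CIDR
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.patch",
        "request": {"body": {"settings": {
            "ipConfiguration": {"ipv4Enabled": False, "requireSsl": True,
                                "authorizedNetworks": [{"value": "10.0.0.0/8"}]},
            "databaseFlags": [{"name": "log_connections", "value": "on"}]}}}}},
]
```

One caveat when tuning: the checks see a single request, not the instance's previous state, so a patch that merely restates an existing `ipv4Enabled: true` fires exactly like one that introduces it. Either correlate with the prior configuration or accept that these rules report the setting, not the transition.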

STORAGE BUCKETS

GCP Create Bucket

Detect creation of a bucket.

cloud gcp gcp_storage_buckets mitre_T1074-data-staged

GCP Delete Bucket

Detect deletion of a bucket.

cloud gcp gcp_storage_buckets

GCP List Buckets

Detect listing of all storage buckets.

cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery

GCP List Bucket Objects

Detect listing of all objects in a bucket.

cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery

GCP Make Bucket Anonymously or Publicly Accessible

Detect making a bucket anonymously or publicly accessible.

cloud gcp gcp_storage_buckets cis_controls_12.4 cis_controls_16 cis_gcp_5.1

GCP Put Bucket ACL

Detect setting the permissions on an existing bucket using access control lists.

cloud gcp gcp_storage_buckets mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host mitre_T1530-data-from-cloud-storage-object

GCP Set Bucket IAM Policy

Detect setting the permissions on an existing bucket using IAM policies.

cloud gcp gcp_storage_buckets mitre_T1530-data-from-cloud-storage-object

GCP Update Bucket

Detect the update of a bucket.

cloud gcp gcp_storage_buckets
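
The storage-bucket rules above split into two kinds: most map one method name in protoPayload.methodName to one rule (create, delete, list, update, set IAM policy), while "Make Bucket Anonymously or Publicly Accessible" has to look inside the change for the two public principals, `allUsers` and `allAuthenticatedUsers`, whether they arrive through an IAM binding or a legacy ACL entry. As an added example (not Falco's own rule code), the Python below does both over constructed Cloud Storage audit-log entries. The method names are the ones Cloud Storage logs; the `serviceData.policyDelta.bindingDeltas` path, the `request.acl` location and the sample bucket are assumptions for illustration.

```python
# Added example (not Falco's own rule code): checks behind the storage-bucket
# rules, run over constructed Cloud Storage audit-log entries.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

METHOD_RULES = {
    "storage.buckets.create": "storage_create_bucket",
    "storage.buckets.delete": "storage_delete_bucket",
    "storage.buckets.list": "storage_list_buckets",
    "storage.objects.list": "storage_list_bucket_objects",
    "storage.setIamPermissions": "storage_set_bucket_iam_policy",
    "storage.buckets.update": "storage_update_bucket",
}


def bucket_name(payload):
    """Bucket from a resourceName such as 'projects/_/buckets/<name>[/objects/...]'."""
    parts = payload.get("resourceName", "").split("/")
    return parts[parts.index("buckets") + 1] if "buckets" in parts else ""


def public_members_added(payload):
    """IAM members granted by this call that open the bucket to everyone (assumed path)."""
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return sorted({d.get("member") for d in deltas
                   if d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS})


def public_acl_entities(payload):
    """Legacy ACL entries in the request body that name a public entity (assumed path)."""
    acl = payload.get("request", {}).get("acl", [])
    return sorted({a.get("entity") for a in acl if a.get("entity") in PUBLIC_MEMBERS})


def evaluate_storage_entry(entry):
    """Return (bucket, rule IDs) for one audit-log entry, rules in check order."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "storage.googleapis.com":
        return "", []
    method = payload.get("methodName", "")
    hits = []
    if method in METHOD_RULES:
        hits.append(METHOD_RULES[method])
    # A bucket update that carries an 'acl' field is an ACL write, not a plain update.
    if method == "storage.buckets.update" and "acl" in payload.get("request", {}):
        hits.append("storage_put_bucket_acl")
    if public_members_added(payload) or public_acl_entities(payload):
        hits.append("storage_bucket_made_public")
    return bucket_name(payload), hits


# Constructed sample entries (not real logs).
STORAGE_SAMPLES = [
    {"protoPayload": {   # IAM grant exposing every object to anonymous readers
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/backups-prod",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer",
             "member": "allUsers"}]}}}},
    {"protoPayload": {   # legacy ACL edit that adds a public entity
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.buckets.update",
        "resourceName": "projects/_/buckets/backups-prod",
        "request": {"acl": [{"entity": "allAuthenticatedUsers", "role": "READER"}]}}},
    {"protoPayload": {   # enumeration of the bucket's objects
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.list",
        "resourceName": "projects/_/buckets/backups-prod"}},
    {"protoPayload": {   # grant to a corporate group: policy change, not public
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/backups-prod",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer",
             "member": "group:devs@example.com"}]}}}},
]
```

Note that `storage.objects.list` and `storage.buckets.list` only appear in Cloud Audit Logs when Data Access logging is enabled for Cloud Storage, which is exactly what the "Data Access Log Disabled" rule in AUDITLOG guards; without it the two discovery rules never fire.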

VM

GCP Enable Connecting to Serial Ports for a VM Instance

Detect enabling of connection to serial ports for a VM instance.

cloud gcp gcp_vm cis_controls_9.2 cis_gcp_4.5

GCP Creation of a VM Instance with IP Forwarding Enabled

Detect creating a VM instance with IP forwarding enabled.

cloud gcp gcp_vm cis_controls_11.1 cis_controls_11.2 cis_gcp_4.6

GCP Attach External IP Address to a VM Instance

Detect attaching an external IP address to a VM instance.

cloud gcp gcp_vm cis_controls_13 cis_gcp_4.9

GCP Enable Project-wide SSH keys for a VM Instance

Detect enabling of project-wide SSH keys for a VM instance.

cloud gcp gcp_vm cis_controls_16 cis_gcp_4.3

GCP Set a VM Instance to use the Default Service Account

Detect creation of a VM instance using the default service account, or setting an existing VM instance to use the default service account.

cloud gcp gcp_vm cis_controls_4.7 cis_controls_16 cis_gcp_4.1

GCP Allow Full Access to All Cloud APIs to a VM Instance Using the Default Service Account

Detect granting a VM instance that uses the default service account full access to all Cloud APIs.

cloud gcp gcp_vm cis_controls_4.7 cis_controls_16 cis_gcp_4.2

GCP Shield Disabled for a VM Instance

Detect disabling of the Shielded VM parameter(s) of a VM instance.

cloud gcp gcp_vm cis_controls_13 cis_gcp_4.8
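
The seven VM rules above (and the OS Login rule listed under VPC NETWORKS) all read fields of the Compute Engine request body: `canIpForward`, `networkInterfaces[].accessConfigs`, `serviceAccounts[].email` and `.scopes`, `metadata.items` and `shieldedInstanceConfig`. As an added example (not Falco's own rule code), the Python below evaluates them over constructed Compute Engine audit-log entries, handling the three places the same fields can show up: an `instances.insert`, a per-instance `setMetadata` / `setServiceAccount` / `updateShieldedInstanceConfig`, and the project-wide `projects.setCommonInstanceMetadata`. The method names are Compute Engine's with the API version prefix stripped; the request field layout per method, the default service-account pattern `<project-number>-compute@developer.gserviceaccount.com`, the `cloud-platform` scope as "full access to all Cloud APIs", `block-project-ssh-keys=false` as "project-wide SSH keys enabled" (CIS GCP 4.3) and the samples are assumptions for illustration.

```python
# Added example (not Falco's own rule code): checks behind the VM rules and
# the OS Login rule, run over constructed Compute Engine audit-log entries.
import re

DEFAULT_SA = re.compile(r"\d+-compute@developer\.gserviceaccount\.com")  # assumed pattern
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
TRUE_VALUES = {"true", "1"}
SHIELDED_KEYS = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")


def compute_method(payload):
    """'v1.compute.instances.insert' -> 'compute.instances.insert' (drop the API version)."""
    method = payload.get("methodName", "")
    prefix, _, rest = method.partition(".")
    return rest if prefix in ("v1", "beta", "alpha") else method


def metadata_items(request):
    """Assumed layouts: insert nests items under 'metadata'; setMetadata and
    projects.setCommonInstanceMetadata carry 'items' at the top level."""
    items = request.get("items") or request.get("metadata", {}).get("items", [])
    return {i.get("key"): str(i.get("value", "")).lower() for i in items}


def evaluate_compute_entry(entry):
    """Return the IDs of the VM rules one audit-log entry triggers, in check order."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "compute.googleapis.com":
        return []
    method = compute_method(payload)
    request = payload.get("request", {})
    hits = []

    if method == "compute.instances.insert" and request.get("canIpForward") is True:
        hits.append("vm_created_with_ip_forwarding")

    # An accessConfig on a NIC is what gives the instance an external (NAT) address.
    if method == "compute.instances.addAccessConfig" or any(
            nic.get("accessConfigs") for nic in request.get("networkInterfaces", [])):
        hits.append("vm_external_ip_attached")

    # insert carries serviceAccounts[]; setServiceAccount sends {email, scopes} itself.
    accounts = request.get("serviceAccounts") or (
        [request] if method == "compute.instances.setServiceAccount" else [])
    for account in accounts:
        if DEFAULT_SA.fullmatch(account.get("email", "")):
            hits.append("vm_uses_default_service_account")
            if FULL_ACCESS_SCOPE in account.get("scopes", []):
                hits.append("vm_default_sa_full_access_to_all_apis")

    meta = metadata_items(request)
    if meta.get("serial-port-enable") in TRUE_VALUES:
        hits.append("vm_serial_port_enabled")
    if meta.get("block-project-ssh-keys") == "false":
        hits.append("vm_project_wide_ssh_keys_enabled")
    if "enable-oslogin" in meta and meta["enable-oslogin"] not in TRUE_VALUES:
        hits.append("vm_oslogin_suspected_disabled")

    if method == "compute.instances.updateShieldedInstanceConfig":
        shielded = request                       # the request is the config itself
    else:
        shielded = request.get("shieldedInstanceConfig", {})
    if any(shielded.get(key) is False for key in SHIELDED_KEYS):
        hits.append("vm_shielded_vm_disabled")
    return hits


# Constructed sample entries (not real logs).
VM_SAMPLES = [
    {"protoPayload": {   # a VM that violates most of the rules at once
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.insert",
        "request": {
            "canIpForward": True,
            "networkInterfaces": [{"accessConfigs": [{"type": "ONE_TO_ONE_NAT"}]}],
            "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                                 "scopes": [FULL_ACCESS_SCOPE]}],
            "metadata": {"items": [{"key": "serial-port-enable", "value": "true"},
                                   {"key": "block-project-ssh-keys", "value": "false"}]},
            "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                                       "enableIntegrityMonitoring": True}}}},
    {"protoPayload": {   # OS Login switched off on an existing instance
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.setMetadata",
        "request": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}}},
    {"protoPayload": {   # existing instance moved onto the default SA, narrow scope
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.setServiceAccount",
        "request": {"email": "123456789012-compute@developer.gserviceaccount.com",
                    "scopes": ["https://www.googleapis.com/auth/logging.write"]}}},
    {"protoPayload": {   # hardened VM: nothing to flag
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.insert",
        "request": {
            "canIpForward": False,
            "networkInterfaces": [{"network": "global/networks/prod"}],
            "serviceAccounts": [{"email": "app@proj.iam.gserviceaccount.com",
                                 "scopes": [FULL_ACCESS_SCOPE]}],
            "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"},
                                   {"key": "enable-oslogin", "value": "TRUE"}]},
            "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True,
                                       "enableIntegrityMonitoring": True}}}},
]
```

The fourth sample shows why the scope check is tied to the default service account: a purpose-built service account with `cloud-platform` scope is governed by its IAM roles, whereas the default account has editor on the project, so the scope is what turns it into full project access.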

VPC NETWORKS

GCP Create a Default VPC Network

Detect creation of a default network in a project.

cloud gcp gcp_vpc_networks cis_controls_11.1 cis_gcp_3.1

GCP Disable Subnet Flow Logs

Detect disabling the flow logs of a subnet.

cloud gcp gcp_vpc_networks cis_controls_6.2 cis_controls_12.8 cis_gcp_3.8

GCP Suspected Disable of OS Login in a VM Instance

Detect modification of the enable-oslogin metadata in an instance.

cloud gcp gcp_vpc_networks cis_controls_16 cis_gcp_4.4

OTHER

GCP Command Executed on Unused Region

Detect GCP command execution on unused regions.

cloud gcp mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions
