
GCP Threat Detection

GCP Threat Detection

About

Detect some of the most common container attacks, including suspicious binary, suspicious library, and reverse shell.

Product Details

Vendor URL: Overview of Event Threat Detection

Product Type: Cloud Security

Product Tier: Tier II

Integration Method: API

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: GCP_THREAT_DETECTION

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
GENERIC_EVENT metadata.event_type
GCP Threat Detection metadata.vendor_name
incident.resource.type principal.resource.type
incident.resource.labels.project_id principal.resource.product_object_id
incident.incident_id security_result.rule_id
incident.policy_name security_result.summary
incident.documentation.content security_result.description
incident.state security_result.action_details
incident.url security_result.url_back_to_product
GOOGLE_CLOUD_PLATFORM target.cloud.environment

Product Event Types

Event UDM Event Classification
All GENERIC_EVENT

Log Sample

{
    "attributes": {},
    "message": {
        "incident": {
            "condition": {
                "conditionMonitoringQueryLanguage": {
                    "duration": "0s",
                    "query": "query",
                    "trigger": {
                        "count": 1
                    }
                },
                "displayName": "Elapsed time",
                "name": "projects/ob-00000-000000/alertPolicies/63712346788181111/conditions/"
            },
            "condition_name": "Elapsed time",
            "documentation": {
                "content": "**Environment: A Dataflow Job has been running for an exceptionally long time. Review dataflow job runbook documentation: www.domain.com",
                "mime_type": "text/markdown"
            },
            "ended_at": 1647063085,
            "incident_id": "0.aaaabbbb1111",
            "metadata": {
                "system_labels": {},
                "user_labels": {}
            },
            "metric": {
                "displayName": "",
                "labels": {
                    "job_id": "job_id"
                },
                "type": ""
            },
            "policy_name": "Dataflow Job Elapsed Policy",
            "policy_user_labels": {
                "alertgroup": "gcp",
                "apm_id": "ad00006000",
                "incaction": "0",
                "inctarget": "production_support",
                "manager": "gcp-cloud-operations",
                "pageaction": "0",
                "pagetarget": "production_support",
                "severity": "2"
            },
            "resource": {
                "labels": {
                    "job_name": "job_name",
                    "project_id": "ob-00000-000000",
                    "region": "us-central"
                },
                "type": "timeseries_query"
            },
            "resource_id": "",
            "resource_name": "ob-00000-000000 labels {project_id=ob-00000-000000, region=us-central, job_name=jobname}",
            "resource_type_display_name": "",
            "scoping_project_id": "ob-00000-000000",
            "scoping_project_number": 111122223333,
            "started_at": 1646458074,
            "state": "closed",
            "summary": "Dataflow Job Elapsed Policy Elapsed time alert for cs-asdd-ad00006880-prd4104 labels {project_id=cs-asdd-ad00006880-prd4104, region=us-central, job_name=jobname} with metric labels {job_id=job_id} resolved.",
            "url": "www.domain.com"
        },
        "version": "1.2"
    },
    "product": "alerts.gcp",
    "rt": "1647063087052",
    "topic": "gcp.alert.prod",
    "vendor": "GCP"
}

Sample Parsing

metadata.event_timestamp = "2022-04-01T06:56:52.192872Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "GCP Threat Detection"
principal.asset.attribute.creation_time:1646458074
principal.asset.attribute.last_update_time:1646458074
resource.type: "timeseries_query"
resource.product_object_id: "ob-00000-000000"
security_result.rule_id: "0.aaaabbbb1111"
security_result.summary: "Dataflow Job Elapsed Policy"
security_result.description: "**Environment: A Dataflow Job has been running for an exceptionally long time. Review dataflow job runbook documentation: www.domain.com"
security_result.action_details: "closed"        
security_result.url_back_to_product: www.domain1.com
target.cloud.environment = "GOOGLE_CLOUD_PLATFORM"

Parser Alerting

This product currently does not have any parser-based alerting.