GCP Threat Detection
About
Detects some of the most common container attacks, including suspicious binary execution, suspicious library loading, and reverse shells.
Product Details
Vendor URL: Overview of Event Threat Detection
Product Type: Cloud Security
Product Tier: Tier II
Integration Method: API
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: GCP_THREAT_DETECTION
UDM Fields (list of all UDM fields leveraged in the Parser; log fields are read from `message.incident` in the log sample below, and values marked "constant" are set on every event rather than read from the log):
Log File Field | UDM Field |
---|---|
GENERIC_EVENT (constant) | metadata.event_type |
GCP Threat Detection (constant) | metadata.vendor_name |
incident.resource.type | principal.resource.type |
incident.resource.labels.project_id | principal.resource.product_object_id |
incident.incident_id | security_result.rule_id |
incident.policy_name | security_result.summary |
incident.documentation.content | security_result.description |
incident.state | security_result.action_details |
incident.url | security_result.url_back_to_product |
GOOGLE_CLOUD_PLATFORM (constant) | target.cloud.environment |
Product Event Types
Event | UDM Event Classification |
---|---|
All | GENERIC_EVENT |
Log Sample
{
  "attributes": {},
  "message": {
    "incident": {
      "condition": {
        "conditionMonitoringQueryLanguage": {
          "duration": "0s",
          "query": "query",
          "trigger": {
            "count": 1
          }
        },
        "displayName": "Elapsed time",
        "name": "projects/ob-00000-000000/alertPolicies/63712346788181111/conditions/"
      },
      "condition_name": "Elapsed time",
      "documentation": {
        "content": "**Environment: A Dataflow Job has been running for an exceptionally long time. Review dataflow job runbook documentation: www.domain.com",
        "mime_type": "text/markdown"
      },
      "ended_at": 1647063085,
      "incident_id": "0.aaaabbbb1111",
      "metadata": {
        "system_labels": {},
        "user_labels": {}
      },
      "metric": {
        "displayName": "",
        "labels": {
          "job_id": "job_id"
        },
        "type": ""
      },
      "policy_name": "Dataflow Job Elapsed Policy",
      "policy_user_labels": {
        "alertgroup": "gcp",
        "apm_id": "ad00006000",
        "incaction": "0",
        "inctarget": "production_support",
        "manager": "gcp-cloud-operations",
        "pageaction": "0",
        "pagetarget": "production_support",
        "severity": "2"
      },
      "resource": {
        "labels": {
          "job_name": "job_name",
          "project_id": "ob-00000-000000",
          "region": "us-central"
        },
        "type": "timeseries_query"
      },
      "resource_id": "",
      "resource_name": "ob-00000-000000 labels {project_id=ob-00000-000000, region=us-central, job_name=jobname}",
      "resource_type_display_name": "",
      "scoping_project_id": "ob-00000-000000",
      "scoping_project_number": 111122223333,
      "started_at": 1646458074,
      "state": "closed",
      "summary": "Dataflow Job Elapsed Policy Elapsed time alert for cs-asdd-ad00006880-prd4104 labels {project_id=cs-asdd-ad00006880-prd4104, region=us-central, job_name=jobname} with metric labels {job_id=job_id} resolved.",
      "url": "www.domain.com"
    },
    "version": "1.2"
  },
  "product": "alerts.gcp",
  "rt": "1647063087052",
  "topic": "gcp.alert.prod",
  "vendor": "GCP"
}
Sample Parsing
metadata.event_timestamp = "2022-04-01T06:56:52.192872Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "GCP Threat Detection"
principal.asset.attribute.creation_time = 1646458074
principal.asset.attribute.last_update_time = 1646458074
resource.type = "timeseries_query"
resource.product_object_id = "ob-00000-000000"
security_result.rule_id = "0.aaaabbbb1111"
security_result.summary = "Dataflow Job Elapsed Policy"
security_result.description = "**Environment: A Dataflow Job has been running for an exceptionally long time. Review dataflow job runbook documentation: www.domain.com"
security_result.action_details = "closed"
security_result.url_back_to_product = "www.domain.com"
target.cloud.environment = "GOOGLE_CLOUD_PLATFORM"
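The following is an added reference model of the field mapping documented in the UDM Fields table and illustrated by the sample parsing above; it is not the vendor's parser code. It reads the log fields from `message.incident`, sets the three constant UDM values, and runs over a trimmed copy of the page's log sample (constructed inline, with the stray missing quote on `job_name` fixed). The UDM field names follow the table, so the resource fields land under `principal.resource` rather than the bare `resource` shown in the sample parsing. Deriving `metadata.event_timestamp` from the envelope's `rt` field and `creation_time` from `started_at` are assumptions, since the page does not state where those values come from. The `normalization_rate` helper is a practical check on the stated 100% normalization rate: feed it a batch of raw events and it reports what fraction actually parse.

```python
"""Reference model of the GCP_THREAT_DETECTION -> UDM mapping (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample: trimmed from the page's log sample, missing quote fixed.
SAMPLE = json.dumps({
    "attributes": {},
    "message": {
        "incident": {
            "condition_name": "Elapsed time",
            "documentation": {
                "content": "**Environment: A Dataflow Job has been running for an "
                           "exceptionally long time. Review dataflow job runbook "
                           "documentation: www.domain.com",
                "mime_type": "text/markdown",
            },
            "ended_at": 1647063085,
            "incident_id": "0.aaaabbbb1111",
            "policy_name": "Dataflow Job Elapsed Policy",
            "resource": {
                "labels": {"job_name": "job_name",
                           "project_id": "ob-00000-000000",
                           "region": "us-central"},
                "type": "timeseries_query",
            },
            "started_at": 1646458074,
            "state": "closed",
            "url": "www.domain.com",
        },
        "version": "1.2",
    },
    "product": "alerts.gcp",
    "rt": "1647063087052",
    "topic": "gcp.alert.prod",
    "vendor": "GCP",
})

# Static values the documented parser sets on every event.
CONSTANTS = {
    "metadata.event_type": "GENERIC_EVENT",
    "metadata.vendor_name": "GCP Threat Detection",
    "target.cloud.environment": "GOOGLE_CLOUD_PLATFORM",
}

# Log field (relative to message.incident) -> UDM field, from the table above.
INCIDENT_MAPPING = {
    "resource.type": "principal.resource.type",
    "resource.labels.project_id": "principal.resource.product_object_id",
    "incident_id": "security_result.rule_id",
    "policy_name": "security_result.summary",
    "documentation.content": "security_result.description",
    "state": "security_result.action_details",
    "url": "security_result.url_back_to_product",
}


def _get(obj, dotted, default=None):
    """Walk a dotted path through nested dicts; any missing key yields default."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _epoch_ms_to_iso(ms):
    """Format an epoch-milliseconds string as an ISO 8601 UTC timestamp."""
    ms = int(ms)
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.replace(microsecond=(ms % 1000) * 1000).isoformat()


def parse_gcp_threat_detection(raw):
    """Return the UDM dict for one raw event, or None if it cannot be normalized."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return None  # malformed JSON (e.g. the unbalanced quote in the raw sample)
    incident = _get(event, "message.incident")
    if not isinstance(incident, dict) or "incident_id" not in incident:
        return None  # no incident body: nothing to map, event is dropped
    udm = dict(CONSTANTS)
    for src, dst in INCIDENT_MAPPING.items():
        value = _get(incident, src)
        if value not in (None, ""):  # empty strings are not emitted as UDM values
            udm[dst] = value
    # Assumption (not stated on the page): event time comes from the envelope's
    # "rt" field (epoch milliseconds) and creation_time from started_at.
    if "rt" in event:
        udm["metadata.event_timestamp"] = _epoch_ms_to_iso(event["rt"])
    if "started_at" in incident:
        udm["principal.asset.attribute.creation_time"] = int(incident["started_at"])
    return udm


def normalization_rate(raw_events):
    """Fraction of raw events that normalize; compare against the documented 100%."""
    if not raw_events:
        return 0.0
    ok = sum(1 for raw in raw_events if parse_gcp_threat_detection(raw) is not None)
    return ok / len(raw_events)


if __name__ == "__main__":
    for field, value in sorted(parse_gcp_threat_detection(SAMPLE).items()):
        print(f"{field} = {value!r}")
```

Events without a `message.incident` body, or that are not valid JSON, return `None` rather than a half-filled UDM record, which is the behaviour you want from a normalization check: a parser that silently emits the three constants for garbage input would report 100% while carrying no signal.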
Parser Alerting
This product currently does not have any parser-based alerting.