• Stars
    star
    315
  • Rank 132,951 (Top 3 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 3 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud

Community Security Analytics (CSA)

Community Security Analytics Logo

As organizations go through the Autonomic Security modernization journey, this repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud. These may assist detection engineers, threat hunters and data governance analysts.

CSA is a set of foundational security analytics designed to provide organizations with a rich baseline of pre-built queries and rules that they can readily use to start analyzing their Google Cloud logs including Cloud Audit logs, VPC Flow logs, DNS logs, and more using cloud-native or third-party analytics tools. The source code is provided as is, without warranty. See Copyright & License below.

Current release include:

The security use cases below are grouped in 6 categories depending on underlying activity type and log sources:

  1. ๐Ÿšฆ Login & Access Patterns
  2. ๐Ÿ”‘ IAM, Keys & Secrets Admin Activity
  3. ๐Ÿ—๏ธ Cloud Provisoning Activity
  4. โ˜๏ธ Cloud Workload Usage
  5. ๐Ÿ’ง Data Usage
  6. โšก Network Activity

To learn more about the variety of Google Cloud logs, how to enable and natively export these logs to destinations like Chronicle or BigQuery for in-depth analytics, refer to Google Cloud Security and access analytics solution guide.

Caution: CSA is not meant to be a comprehensive set of threat detections, but a collection of community-contributed samples to get you started with detective controls. Use CSA in your threat detection and response capabilities (e.g. Security Command Center, Chronicle, BigQuery, Siemplify, or third-party SIEM) in conjunction with threat prevention capabilities (e.g. Security Command Center, Cloud Armor, BeyondCorp). To learn more about Googleโ€™s approach to modern Security Operations, check out the Autonomic Security Operations whitepaper.

Security Analytics Use Cases

Security Monitoring

# Cloud Security Threat Log Source Audit Detect ATT&CKยฎ Techniques
1
๐Ÿšฆ Login & Access Patterns
1.01 Login from a highly-privileged account Workspace Login Audit (Cloud Identity Logs) โœ… T1078.004
1.02 Suspicious login attempt flagged by Google Workspace Workspace Login Audit (Cloud Identity Logs) โœ… T1078.004
1.03 Excessive login failures from any user identity Workspace Login Audit (Cloud Identity Logs) โœ… T1078.004, T1110
1.10 Access attempts violating VPC Service Controls Audit Logs - Policy โœ… โœ… T1078.004, T1537
1.20 Access attempts violating IAP (i.e. BeyondCorp) access controls HTTP(S) LB Logs โœ… โœ…
1.30 Cloud Console accesses Audit Logs - Data Access โœ… T1078.004
2
๐Ÿ”‘ IAM, Keys & Secrets Changes
2.02 User added to highly-privileged Google Group Workspace Admin Audit โœ… โœ… T1078.004, T1484.001
2.20 Permissions granted over a Service Account Audit Logs - Admin Activity โœ… โœ… T1484.002
2.21 Permissions granted to impersonate Service Account Audit Logs - Admin Activity โœ… โœ… T1484.002
2.22 Permissions granted to create or manage Service Account keys Audit Logs - Admin Activity โœ… โœ… T1484.002
2.30 Service accounts or keys created by non-approved identity Audit Logs - Admin Activity โœ… โœ… T1136.003
2.40 User access added (or removed) from IAP-protected HTTPS services Audit Logs - Admin Activity โœ… โœ… T1484.002
3
๐Ÿ—๏ธ Cloud Provisioning Activity
3.01 Changes made to logging settings Audit Logs - Admin Activity โœ… โœ… T1562.008
3.02 Disabling VPC Flows logging Audit Logs - Admin Activity โœ… T1562.008
3.11 Unusual number of firewall rules modified in the last 7 days Audit Logs - Admin Activity โœ… T1562.007
3.12 Firewall rules modified or deleted in the last 24 hrs Audit Logs - Admin Activity โœ… โœ… T1562.007
3.13 VPN tunnels created or deleted Audit Logs - Admin Activity โœ… โœ… T1133
3.14 DNS zones modified or deleted Audit Logs - Admin Activity โœ… โœ… T1578
3.15 Cloud Storage buckets modified or deleted by unfamiliar user identities Audit Logs - Admin Activity โœ… โœ… T1578
3.20 VMs deleted in the last 7 days Audit Logs - Admin Activity โœ… T1578
3.21 Cloud SQL databases created, modified or deleted Audit Logs - Admin Activity โœ… T1578
4
โ˜๏ธ Cloud Workload Usage
4.01 Unusually high API usage by any user identity Audit Logs โœ… โœ… T1106
4.10 Autoscaling usage in the past month Audit Logs - Admin Activity โœ… T1496
4.11 Autoscaling usage per day in the past month Audit Logs - Admin Activity โœ… T1496
4.20 Resource access by certain user identities in the past month Audit Logs โœ… T1106
4.21 Resource access by certain user identities in the past month (aggregated by day) Audit Logs โœ… T1106
5
๐Ÿ’ง Data Usage
5.01 Which users most frequently accessed data in the past week? Audit Logs - Data Access โœ… T1530
5.02 Which users accessed most amount of data in the past week? Audit Logs - Data Access โœ… T1530
5.03 How much data was accessed by each user per day in the past week? Audit Logs - Data Access โœ… T1530
5.04 Which users accessed data in a given table in the past month? Audit Logs - Data Access โœ… T1078.004
5.05 What tables are most frequently accessed and by whom? Audit Logs - Data Access โœ… T1530
5.06 Top 10 queries against BigQuery in the past week Audit Logs - Data Access โœ… T1530
5.07 Any queries doing very large scans? Audit Logs - Data Access โœ… โœ… T1530
5.08 Any destructive queries or jobs (i.e. update or delete)? Audit Logs โœ… โœ… T1565.001
5.10 Recent data read with granular access and permissions details Audit Logs - Data Access โœ… T1074, T1213
5.11 Recent dataset activity with granular permissions details Audit Logs - Admin Activity โœ… T1074, T1213
5.20 Most common data (and metadata) access actions in the past month Audit Logs - Data Access โœ… โœ… T1530
5.30 Cloud Storage buckets enumerated by unfamiliar user identities Audit Logs - Data Access โœ… โœ… T1530
5.31 Cloud Storage objects accessed from a new IP Audit Logs - Data Access โœ… โœ… T1530
6
โšก Network Activity
6.01 Hosts reaching out to many other hosts or ports per hour VPC Flow Logs โœ… โœ… T1046
6.10 Connections from a new IP to an in-scope network VPC Flow Logs โœ… โœ… T1018
6.15 List all IP addresses with any associated entities VPC Flow Logs โœ… T1018, T1046
6.20 Connections blocked by Cloud Armor HTTP(S) LB Logs โœ… โœ… T1071
6.21 Log4j 2 vulnerability exploit attempts HTTP(S) LB Logs โœ… T1190
6.22 Any remote IP addresses attemting to exploit Log4j 2 vulnerability? HTTP(S) LB Logs โœ… T1190
6.23 Spring4Shell vulnerability exploit attempts (CVE-2022-22965) HTTP(S) LB Logs โœ… T1190
6.30 Virus or malware detected by Cloud IDS Cloud IDS Threat Logs โœ… T1059
6.31 Traffic sessions of high severity threats detected by Cloud IDS Cloud IDS Threat Logs, Cloud IDS Traffic Logs โœ… T1071
6.40 Top 10 DNS queried domains Cloud DNS Logs โœ… โœ… T1071.004

Dataform for CSA on BigQuery

The dataform folder contains the Dataform repo to automate deployment of CSA queries in BigQuery for optimized performance and cost. Use this Dataform repo to operationalize CSA use cases as reports and alerts powered by BigQuery. This Dataform project deploys and orchestrates pre-built ELT pipelines to filter, normalize and model log data leveraging incremental summary tables, lookup tables and views for fast, cost-effective and simpler querying. See underlying README for more details.

CI/CD for CSA on Chronicle

The cicd folder contains a set of scripts to help you with storing CSA YARA-L detection rules as code and testing/deploying updates you and your team make in an automated fashion. Whether you use GitHub Actions, Google Cloud Build or Azure DevOps, you can use the corresponding scripts to automatically test and deploy new or modified rules into your Chronicle instance. See underlying README for more details.

Support

This is not an officially supported Google product. Queries, rules and other assets in Community Security Analytics (CSA) are community-supported. Please don't hesitate to open a GitHub issue if you have any question or a feature request.

Contributions are also welcome via Github pull requests if you have fixes or enhancements to source code or docs. Please refer to our Contributing guidelines.

Copyright & License

Copyright 2022 Google LLC

Queries, rules and other assets under Community Security Analytics (CSA) are licensed under the Apache license, v2.0. Details can be found in LICENSE file.

More Repositories

1

microservices-demo

Sample cloud-first application with 10 microservices showcasing Kubernetes, Istio, and gRPC.
Go
16,790
star
2

terraformer

CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code
Go
12,352
star
3

training-data-analyst

Labs and demos for courses for GCP Training (http://cloud.google.com/training).
Jupyter Notebook
7,867
star
4

python-docs-samples

Code samples used on cloud.google.com
Jupyter Notebook
7,432
star
5

generative-ai

Sample code and notebooks for Generative AI on Google Cloud, with Gemini on Vertex AI
Jupyter Notebook
6,517
star
6

golang-samples

Sample apps and code written for Google Cloud in the Go programming language.
Go
4,284
star
7

professional-services

Common solutions and tools developed by Google Cloud's Professional Services team. This repository and its contents are not an officially supported Google product.
Python
2,825
star
8

nodejs-docs-samples

Node.js samples for Google Cloud Platform products.
JavaScript
2,807
star
9

tensorflow-without-a-phd

A crash course in six episodes for software developers who want to become machine learning practitioners.
Jupyter Notebook
2,772
star
10

gcsfuse

A user-space file system for interacting with Google Cloud Storage
Go
2,046
star
11

community

Java
1,919
star
12

PerfKitBenchmarker

PerfKit Benchmarker (PKB) contains a set of benchmarks to measure and compare cloud offerings. The benchmarks use default settings to reflect what most users will see. PerfKit Benchmarker is licensed under the Apache 2 license terms. Please make sure to read, understand and agree to the terms of the LICENSE and CONTRIBUTING files before proceeding.
Python
1,885
star
13

asl-ml-immersion

This repos contains notebooks for the Advanced Solutions Lab: ML Immersion
Jupyter Notebook
1,799
star
14

vertex-ai-samples

Notebooks, code samples, sample apps, and other resources that demonstrate how to use, develop and manage machine learning and generative AI workflows using Google Cloud Vertex AI.
Jupyter Notebook
1,659
star
15

java-docs-samples

Java and Kotlin Code samples used on cloud.google.com
Java
1,610
star
16

ml-design-patterns

Source code accompanying O'Reilly book: Machine Learning Design Patterns
Jupyter Notebook
1,600
star
17

continuous-deployment-on-kubernetes

Get up and running with Jenkins on Google Kubernetes Engine
Shell
1,582
star
18

cloudml-samples

Cloud ML Engine repo. Please visit the new Vertex AI samples repo at https://github.com/GoogleCloudPlatform/vertex-ai-samples
Python
1,516
star
19

cloud-foundation-fabric

End-to-end modular samples and landing zones toolkit for Terraform on GCP.
HCL
1,509
star
20

localllm

Python
1,505
star
21

cloud-builders

Builder images and examples commonly used for Google Cloud Build
Go
1,374
star
22

cloud-sql-proxy

A utility for connecting securely to your Cloud SQL instances
Go
1,263
star
23

cloud-builders-community

Community-contributed images for Google Cloud Build
Go
1,258
star
24

berglas

A tool for managing secrets on Google Cloud
Go
1,236
star
25

data-science-on-gcp

Source code accompanying book: Data Science on the Google Cloud Platform, Valliappa Lakshmanan, O'Reilly 2017
Jupyter Notebook
1,230
star
26

kubernetes-engine-samples

Sample applications for Google Kubernetes Engine (GKE)
HCL
1,228
star
27

functions-framework-nodejs

FaaS (Function as a service) framework for writing portable Node.js functions
TypeScript
1,162
star
28

DataflowTemplates

Cloud Dataflow Google-provided templates for solving in-Cloud data tasks
Java
1,135
star
29

bigquery-utils

Useful scripts, udfs, views, and other utilities for migration and data warehouse operations in BigQuery.
Java
1,117
star
30

cloud-vision

Sample code for Google Cloud Vision
Python
1,097
star
31

bank-of-anthos

Retail banking sample application showcasing Kubernetes and Google Cloud
Java
994
star
32

buildpacks

Builders and buildpacks designed to run on Google Cloud's container platforms
Go
982
star
33

php-docs-samples

A collection of samples that demonstrate how to call Google Cloud services from PHP.
PHP
961
star
34

cloud-foundation-toolkit

The Cloud Foundation toolkit provides GCP best practices as code.
Go
958
star
35

deploymentmanager-samples

Deployment Manager samples and templates.
Jinja
938
star
36

flask-talisman

HTTP security headers for Flask
Python
896
star
37

k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
Go
891
star
38

gsutil

A command line tool for interacting with cloud storage services.
Python
874
star
39

DataflowJavaSDK

Google Cloud Dataflow provides a simple, powerful model for building both batch and streaming parallel data processing pipelines.
857
star
40

nodejs-getting-started

A tutorial for creating a complete application using Node.js on Google Cloud Platform
JavaScript
806
star
41

magic-modules

Add Google Cloud Platform support to Terraform
Go
804
star
42

gcr-cleaner

Delete untagged image refs in Google Container Registry or Artifact Registry
Go
802
star
43

keras-idiomatic-programmer

Books, Presentations, Workshops, Notebook Labs, and Model Zoo for Software Engineers and Data Scientists wanting to learn the TF.Keras Machine Learning framework
Jupyter Notebook
797
star
44

metacontroller

Lightweight Kubernetes controllers as a service
Go
790
star
45

awesome-google-cloud

A curated list of awesome stuff for Google Cloud.
777
star
46

mlops-on-gcp

Jupyter Notebook
773
star
47

getting-started-python

Code samples for using Python on Google Cloud Platform
Python
756
star
48

dotnet-docs-samples

.NET code samples used on https://cloud.google.com
C#
736
star
49

click-to-deploy

Source for Google Click to Deploy solutions listed on Google Cloud Marketplace.
Python
729
star
50

iap-desktop

IAP Desktop is a Windows application that provides zero-trust Remote Desktop and SSH access to Linux and Windows VMs on Google Cloud.
C#
708
star
51

cloud-sdk-docker

Google Cloud CLI Docker Image - Docker Image containing the gcloud CLI and its bundled components.
Dockerfile
697
star
52

tf-estimator-tutorials

This repository includes tutorials on how to use the TensorFlow estimator APIs to perform various ML tasks, in a systematic and standardised way
Jupyter Notebook
671
star
53

functions-framework-python

FaaS (Function as a service) framework for writing portable Python functions
Python
670
star
54

flink-on-k8s-operator

[DEPRECATED] Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
657
star
55

terraform-google-examples

Collection of examples for using Terraform with Google Cloud Platform.
HCL
573
star
56

functions-framework-dart

FaaS (Function as a service) framework for writing portable Dart functions
Dart
535
star
57

cloud-run-button

Let anyone deploy your GitHub repos to Google Cloud Run with a single click
Go
527
star
58

bigquery-oreilly-book

Source code accompanying: BigQuery: The Definitive Guide by Lakshmanan & Tigani to be published by O'Reilly Media
Jupyter Notebook
523
star
59

govanityurls

Use a custom domain in your Go import path
Go
518
star
60

ml-on-gcp

Machine Learning on Google Cloud Platform
Python
484
star
61

practical-ml-vision-book

Jupyter Notebook
482
star
62

getting-started-java

Java
478
star
63

ipython-soccer-predictions

Sample iPython notebook with soccer predictions
Jupyter Notebook
473
star
64

monitoring-dashboard-samples

Google Cloud Monitoring Dashboard Samples
TypeScript
471
star
65

covid-19-open-data

Datasets of daily time-series data related to COVID-19 for over 20,000 distinct locations around the world.
Python
471
star
66

ai-platform-samples

Official Repo for Google Cloud AI Platform. Find samples for Vertex AI, Google Cloud's new unified ML platform at: https://github.com/GoogleCloudPlatform/vertex-ai-samples
Jupyter Notebook
457
star
67

hackathon-toolkit

GCP Hackathon Toolkit
HTML
440
star
68

gradle-appengine-templates

Freemarker based templates that build with the gradle-appengine-plugin
439
star
69

distributed-load-testing-using-kubernetes

Distributed load testing using Kubernetes on Google Container Engine
Smarty
438
star
70

terraform-validator

Terraform Validator is not an officially supported Google product; it is a library for conversion of Terraform plan data to CAI Assets. If you have been using terraform-validator directly in the past, we recommend migrating to `gcloud beta terraform vet`.
Go
437
star
71

cloud-code-vscode

Cloud Code for Visual Studio Code: Issues, Documentation and more
416
star
72

nodejs-docker

The Node.js Docker image used by Google App Engine Flexible.
TypeScript
407
star
73

cloud-ops-sandbox

Cloud Operations Sandbox is an open source collection of tools that helps practitioners to learn O11y and R9y practices from Google and apply them using Cloud Operations suite of tools.
HCL
405
star
74

professional-services-data-validator

Utility to compare data between homogeneous or heterogeneous environments to ensure source and target tables match
Python
403
star
75

k8s-stackdriver

Go
390
star
76

cloud-code-samples

Code templates to make working with Kubernetes feel like editing and debugging local code.
Java
387
star
77

healthcare

Python
374
star
78

require-so-slow

`require`s taking too much time? Profile 'em.
TypeScript
373
star
79

functions-framework-go

FaaS (Function as a service) framework for writing portable Go functions
Go
373
star
80

k8s-multicluster-ingress

kubemci: Command line tool to configure L7 load balancers using multiple kubernetes clusters
Go
372
star
81

compute-image-packages

Packages for Google Compute Engine Linux images.
Python
370
star
82

android-docs-samples

Java
365
star
83

stackdriver-errors-js

Client-side JavaScript exception reporting library for Cloud Error Reporting
JavaScript
358
star
84

applied-ai-engineering-samples

This repository compiles code samples and notebooks demonstrating how to use Generative AI on Google Cloud Vertex AI.
Jupyter Notebook
344
star
85

mlops-with-vertex-ai

An end-to-end example of MLOps on Google Cloud using TensorFlow, TFX, and Vertex AI
Jupyter Notebook
343
star
86

google-cloud-iot-arduino

Google Cloud IOT Example on ESP8266
C++
340
star
87

istio-samples

Istio demos and sample applications for GCP
Shell
331
star
88

ios-docs-samples

iOS samples that demonstrate APIs and services of Google Cloud Platform.
Swift
325
star
89

cloud-code-intellij

Plugin to support the Google Cloud Platform in IntelliJ IDEA - Docs and Issues Repository
319
star
90

gke-networking-recipes

Shell
307
star
91

gcping

The source for the CLI and web app at gcping.com
Go
303
star
92

solutions-terraform-cloudbuild-gitops

HCL
301
star
93

spring-cloud-gcp

New home for Spring Cloud GCP development starting with version 2.0.
Java
299
star
94

airflow-operator

Kubernetes custom controller and CRDs to managing Airflow
Go
296
star
95

genai-for-marketing

Showcasing Google Cloud's generative AI for marketing scenarios via application frontend, backend, and detailed, step-by-step guidance for setting up and utilizing generative AI tools, including examples of their use in crafting marketing materials like blog posts and social media content, nl2sql analysis, and campaign personalization.
Jupyter Notebook
296
star
96

elixir-samples

A collection of samples on using Elixir with Google Cloud Platform.
Elixir
291
star
97

gcpdiag

gcpdiag is a command-line diagnostics tool for GCP customers.
Python
288
star
98

kotlin-samples

Kotlin
285
star
99

compute-archlinux-image-builder

A tool to build a Arch Linux Image for GCE
Shell
284
star
100

datalab-samples

Jupyter Notebook
281
star