|
| 1 | +# GCP audit logs Events Plugin, Rust version |
| 2 | + |
| 3 | +This is a Rust version fo the GCP Audit Logs Plugin and is designed to ingest GCP audit logs for several GCP services, including Compute Engine, KMS, Cloud Armor WAF, IAM, Firewall, Cloud Storage, BigQuery, CloudSQL, Pub/Sub, Cloud Logging, and Cloud Functions. |
| 4 | + |
| 5 | +The GCP Audit Logs Plugin's primary purpose is to detect security threats, vulnerabilities, and compliance risks by analyzing the ingested GCP audit logs. The default security detection rules were built with the MITRE & ATT&CK framework in mind, which provides a comprehensive and industry-standard way to identify and classify different types of security threats. |
| 6 | + |
| 7 | +The GCP Audit Logs Plugin can help security teams identify and respond to security incidents quickly, improve compliance posture, and reduce overall risk to the organization. It provides a comprehensive and centralized view of security events across multiple GCP services and can help detect and prevent unauthorized access, data exfiltration, and other types of malicious activity. |
| 8 | + |
| 9 | +By leveraging GCP audit logs, the GCP Audit Logs Plugin provides deep insights into the activities of different users, services, and resources in your GCP environment. The GCP Audit Logs Plugin's advanced ebpf capabilities enable it to identify anomalous activities and raise alerts when it detects suspicious or malicious behavior. |
| 10 | + |
| 11 | +The GCP Audit Logs Plugin also offers customizable detection rules that enable you to fine-tune the detection capabilities to suit your organization's specific needs. You can customize the rules to detect specific types of security threats, monitor specific users or services, and track specific resources or data types. |
| 12 | + |
| 13 | + |
| 14 | +For more details about what GCP Audit logs are, see the [GCP official documentation](https://cloud.google.com/logging/docs/audit/understanding-audit-logs). |
| 15 | + |
| 16 | +### Functionality |
| 17 | + |
| 18 | +The GCP Audit Logs Plugin comes with pre-built security detection rules designed to detect security threats based on the MITRE & ATT&CK framework. These rules are constantly updated to ensure that the security agent is always detecting the latest threats and vulnerabilities. |
| 19 | + |
| 20 | +The default security detection rules cover the following areas: |
| 21 | + |
| 22 | +* Identity and Access Management (IAM) |
| 23 | +* Network Security |
| 24 | +* Data Security |
| 25 | +* Compliance |
| 26 | +* Infrastructure Security |
| 27 | +* Cloud Service Providers |
| 28 | + |
| 29 | +The GCP Audit Logs Plugin's detection rules can identify threats such as: |
| 30 | + |
| 31 | +* Privilege escalation |
| 32 | +* Unauthorized access |
| 33 | +* Data exfiltration |
| 34 | +* Denial of Service (DoS) attacks |
| 35 | +* Insider threats |
| 36 | +* Suspicious network activity |
| 37 | + |
| 38 | +- [GCP Audit Logs Plugin](#GCP Audit Logs Plugin) |
| 39 | +- [Event Source](#event-source) |
| 40 | +- [Supported Fields](#supported-fields) |
| 41 | +- [Development](#development) |
| 42 | + - [Requirements](#requirements) |
| 43 | + - [Build](#build) |
| 44 | +- [Settings](#settings) |
| 45 | +- [Configurations](#configurations) |
| 46 | +- [Usage](#usage) |
| 47 | + - [Requirements](#requirements-1) |
| 48 | + - [Results](#results) |
| 49 | + |
| 50 | +# Event Source |
| 51 | + |
| 52 | +The event source for `GCP Audit Logs Plugin` events is `GCP Audit Logs`. |
| 53 | + |
| 54 | +This GCP Audit Logs Plugin is designed to ingest GCP audit logs from several GCP services, including: |
| 55 | +* Compute Engine |
| 56 | +* KMS |
| 57 | +* Cloud Armor WAF |
| 58 | +* IAM |
| 59 | +* Firewall |
| 60 | +* Cloud Storage |
| 61 | +* BigQuery |
| 62 | +* Cloud SQL |
| 63 | +* Pub/Sub |
| 64 | +* Cloud Logging |
| 65 | +* Cloud Functions |
| 66 | + |
| 67 | +The GCP Audit Logs Plugin subscribes to a Pub/Sub topic service and is backed by an optimized sink that exports the most important log entries. |
| 68 | + |
| 69 | +```sql |
| 70 | +log_name="projects/your-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity" AND |
| 71 | +(protoPayload.serviceName="cloudsql.googleapis.com" OR |
| 72 | +protoPayload.serviceName="logging.googleapis.com" OR |
| 73 | +protoPayload.serviceName="iam.googleapis.com" OR |
| 74 | +(protoPayload.serviceName="compute.googleapis.com" AND NOT protoPayload.authenticationInfo.principalEmail=~"^service-") OR |
| 75 | +protoPayload.serviceName="pubsub.googleapis.com" OR |
| 76 | +protoPayload.serviceName="cloudkms.googleapis.com" OR |
| 77 | +protoPayload.serviceName="cloudfunctions.googleapis.com" OR |
| 78 | +protoPayload.serviceName="storage.googleapis.com" OR |
| 79 | +protoPayload.serviceName="cloudresourcemanager.googleapis.com" OR |
| 80 | +protoPayload.serviceName="bigquery.googleapis.com") |
| 81 | +``` |
| 82 | + |
| 83 | +You can change the log query to fit your specific needs. |
| 84 | + |
| 85 | +For more details about what Cloud logging log queries, see the [GCP official documentation](https://cloud.google.com/logging/docs/view/logging-query-language). |
| 86 | + |
| 87 | +# Supported Fields |
| 88 | + |
| 89 | +<!-- README-PLUGIN-FIELDS --> |
| 90 | +| NAME | TYPE | ARG | DESCRIPTION | |
| 91 | +|-------------------------------|----------|------|------------------------------------------| |
| 92 | +| `gcp.user` | `string` | None | GCP principal, actor of the action | |
| 93 | +| `gcp.callerIP` | `string` | None | Actor's IP | |
| 94 | +| `gcp.userAgent` | `string` | None | Actor's User Agent | |
| 95 | +| `gcp.authorizationInfo` | `string` | None | GCP authorization (JSON) | |
| 96 | +| `gcp.serviceName` | `string` | None | GCP API service name | |
| 97 | +| `gcp.policyDelta` | `string` | None | GCP service resource access policy delta | |
| 98 | +| `gcp.request` | `string` | None | GCP API raw request (JSON) | |
| 99 | +| `gcp.methodName` | `string` | None | GCP API service method executed | |
| 100 | +| `gcp.cloudfunctions.function` | `string` | None | GCF name | |
| 101 | +| `gcp.cloudsql.databaseId` | `string` | None | GCP SQL database ID | |
| 102 | +| `gcp.compute.instanceId` | `string` | None | GCE instance ID | |
| 103 | +| `gcp.compute.networkId` | `string` | None | GCP network ID | |
| 104 | +| `gcp.compute.subnetwork` | `string` | None | GCP subnetwork name | |
| 105 | +| `gcp.compute.subnetworkId` | `string` | None | GCP subnetwork ID | |
| 106 | +| `gcp.dns.zone` | `string` | None | GCP DNS zone | |
| 107 | +| `gcp.iam.serviceAccount` | `string` | None | GCP service account | |
| 108 | +| `gcp.iam.serviceAccountId` | `string` | None | GCP IAM unique ID | |
| 109 | +| `gcp.location` | `string` | None | GCP region | |
| 110 | +| `gcp.logging.sink` | `string` | None | GCP logging sink | |
| 111 | +| `gcp.projectId` | `string` | None | GCP project ID | |
| 112 | +| `gcp.resourceName` | `string` | None | GCP resource name | |
| 113 | +| `gcp.resourceType` | `string` | None | GCP resource type | |
| 114 | +| `gcp.resourceLabels` | `string` | None | GCP resource labels (JSON) | |
| 115 | +| `gcp.storage.bucket` | `string` | None | GCP bucket name | |
| 116 | +| `gcp.time` | `string` | None | Timestamp of the event in RFC3339 format | |
| 117 | +<!-- /README-PLUGIN-FIELDS --> |
| 118 | + |
| 119 | +# Development |
| 120 | +## Requirements |
| 121 | + |
| 122 | +You need: |
| 123 | +* `Go` >= 1.17 |
| 124 | + |
| 125 | +## Build |
| 126 | + |
| 127 | +```shell |
| 128 | +make |
| 129 | +``` |
| 130 | + |
| 131 | +# Settings |
| 132 | + |
| 133 | +Only `init` accepts settings: |
| 134 | +* `project_id`: the name of your GCP project |
| 135 | +* `num_goroutines`: is the number of goroutines that each datastructure along the Receive path will spawn (default: 10) |
| 136 | +* `maxout_stand_messages`: is the maximum number of unprocessed messages (default: 1000) |
| 137 | +* `sub_id`: The subscriber name for your pub/sub topic |
| 138 | + |
| 139 | +# Configurations |
| 140 | + |
| 141 | +* `falco.yaml` |
| 142 | + |
| 143 | + ```yaml |
| 144 | + plugins: |
| 145 | + - name: json |
| 146 | + library_path: libjson.so |
| 147 | + |
| 148 | + - name: gcpaudit |
| 149 | + library_path: libgcpaudit.so |
| 150 | + open_params: "your-subscription-ID" |
| 151 | + init_config: |
| 152 | + project_id: "your-gcp-project-ID" |
| 153 | + load_plugins: [gcpaudit, json] |
| 154 | + ``` |
| 155 | +
|
| 156 | +* `rules.yaml` |
| 157 | + |
| 158 | +The `source` for rules must be `gcp_auditlog`. |
| 159 | + |
| 160 | +See example: |
| 161 | +```yaml |
| 162 | +- rule: GCP Bucket configured to be public |
| 163 | + desc: Detect when access on a GCP Bucket granted to the public internet. |
| 164 | + condition: is_gcs_service and gcp.methodName="storage.setIamPermissions" and is_binded_delta_to_public |
| 165 | + output: > |
| 166 | + project=%gcp.projectId |
| 167 | + A GCP bucket access granted to be public by user=%gcp.user userIP=%gcp.callerIP userAgent=%gcp.userAgent bindedDelta=%gcp.policyDelta |
| 168 | + authorizationInfo=%gcp.authorizationInfo |
| 169 | + rawRequest=%gcp.request |
| 170 | + bucketName=%gcp.storage.bucket |
| 171 | + priority: CRITICAL |
| 172 | + source: auditlogs |
| 173 | + tags: [GCP, buckets, compliance] |
| 174 | +``` |
| 175 | + |
| 176 | +# Usage |
| 177 | + |
| 178 | +```shell |
| 179 | +falco -c falco.yaml -r auditlogs_rules.yaml |
| 180 | +``` |
| 181 | + |
| 182 | +## Requirements |
| 183 | + |
| 184 | +* `Falco` >= 0.35 |
| 185 | + |
| 186 | +## Results |
| 187 | + |
| 188 | +```shell |
| 189 | +{"hostname":"sherlock","output":"01:43:54.476694000: Notice project=********** A GCP WAF network policy or waf rule modified by user=ahmed.amin@test.com userIP=41.45.115.69 userAgent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) authorizationInfo=[{\"granted\":true,\"permission\":\"compute.securityPolicies.update\",\"resourceAttributes\":{\"name\":\"projects/=**********/global/securityPolicies/**********\",\"service\":\"compute\",\"type\":\"compute.securityPolicies\"}}] rawRequest={\"@type\":\"type.googleapis.com/compute.securityPolicies.addRule\",\"action\":\"deny(403)\",\"description\":\"\",\"match\":{\"config\":{\"srcIpRanges\":[\"1.1.1.1\"]},\"versionedExpr\":\"SRC_IPS_V1\"},\"preview\":false,\"priority\":\"0\"} policyName=**********","priority":"Notice","rule":"GCP WAF rule modified or deleted","source":"gcp_auditlog","tags":["CloudArmor","GCP","T1562-impair-defenses","TA0005-defense-evasion","WAF"],"time":"2023-07-06T22:43:54.476694000Z", "output_fields": {"evt.time":1688683434476694000,"gcp.authorizationInfo":"[{\"granted\":true,\"permission\":\"compute.securityPolicies.update\",\"resourceAttributes\":{\"name\":\"projects/=**********/global/securityPolicies/**********\",\"service\":\"compute\",\"type\":\"compute.securityPolicies\"}}]","gcp.callerIP":"41.45.115.69","gcp.request":"{\"@type\":\"type.googleapis.com/compute.securityPolicies.addRule\",\"action\":\"deny(403)\",\"description\":\"\",\"match\":{\"config\":{\"srcIpRanges\":[\"1.1.1.1\"]},\"versionedExpr\":\"SRC_IPS_V1\"},\"preview\":false,\"priority\":\"0\"}","gcp.user":"ahmed.amin@test.com","gcp.userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","json.value[/resource/labels/policy_name]":"**********","gcp.projectId":"****"}} |
| 190 | +
|
| 191 | +{"hostname":"sherlock","output":"03:36:21.780289000: Critical project=********** A GCP bucket access granted to be public by user=ahmed.amin@test.com userIP=156.204.230.94 userAgent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) bindedDelta=[{\"action\":\"ADD\",\"member\":\"allUsers\",\"role\":\"roles/storage.objectViewer\"}] authorizationInfo=[{\"granted\":true,\"permission\":\"storage.buckets.setIamPolicy\",\"resource\":\"projects/_/buckets/amin-test\",\"resourceAttributes\":{}}] bucketName=ahmed-test","priority":"Critical","rule":"GCP Bucket configured to be public","source":"gcp_auditlog","tags":["GCP","buckets","compliance"],"time":"2023-06-30T00:36:21.780289000Z", "output_fields": {"evt.time":1688085381780289000,"gcp.authorizationInfo":"[{\"granted\":true,\"permission\":\"storage.buckets.setIamPolicy\",\"resource\":\"projects/_/buckets/ahmed-test\",\"resourceAttributes\":{}}]","gcp.callerIP":"156.204.230.94","gcp.policyDelta":"[{\"action\":\"ADD\",\"member\":\"allUsers\",\"role\":\"roles/storage.objectViewer\"}]","gcp.user":"ahmed.amin@test.com","gcp.userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","gcp.storage.bucket":"ahmed-test","gcp.projectId":"**********"}} |
| 192 | +
|
| 193 | +{"hostname":"sherlock","output":"01:36:49.223570000: Notice project=-***-**-*** A GCP WAF network policy or waf rule modified by user=ahmed.amin@test.com userIP=x.x.x.x userAgent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) authorizationInfo=[{\"granted\":true,\"permission\":\"compute.securityPolicies.update\",\"resourceAttributes\":{\"name\":\"projects/-***-**-***/global/securityPolicies/xxx-xxxx-xxxx\",\"service\":\"compute\",\"type\":\"compute.securityPolicies\"}}] policyName=xxx-xxxx-xxxx","priority":"Notice","rule":"GCP WAF rule modified or deleted","source":"auditlogs","tags":["CloudArmor","GCP","T1562-impair-defenses","TA0005-defense-evasion","WAF"],"time":"2023-04-22T23:36:49.223570000Z", "output_fields": {"gcp.authorizationInfo ":"[{\"granted\":true,\"permission\":\"compute.securityPolicies.update\",\"resourceAttributes\":{\"name\":\"projects/-***-**-***/global/securityPolicies/xxx-xxxx-xxxx\",\"service\":\"compute\",\"type\":\"compute.securityPolicies\"}}]","gcp.user":"ahmed.amin@test.com","al.principal.ip":"x.x.x.x","gcp.userAgent ":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","evt.time":1682206609223570000,"json.value[/resource/labels/policy_name]":"xxx-xxxx-xxxx","gcp.projectId":"-***-**-***"}} |
| 194 | +
|
| 195 | +{"hostname":"sherlock-ThinkBook-15-G2-ITL","output":"02:48:23.599777000: Notice project=xxx-xxxx-xxxx A GCP serviceAccount delete by user=ahmed.amin@test.com userIP=156.204.230.94 userAgent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36,gzip(gfe) authorizationInfo=[{\"granted\":true,\"permission\":\"iam.serviceAccounts.delete\",\"resource\":\"projects/-/serviceAccounts/101363364166838521279\",\"resourceAttributes\":{\"name\":\"projects/-/serviceAccounts/101363364166838521279\"}}]","priority":"Notice","rule":"GCP IAM serviceAccount deleted","source":"gcp_auditlog","tags":["GCP","IAM","abuse-elevation-control-mechanism"],"time":"2023-06-29T23:48:23.599777000Z", "output_fields": {"evt.time":1688082503599777000,"gcp.authorizationInfo":"[{\"granted\":true,\"permission\":\"iam.serviceAccounts.delete\",\"resource\":\"projects/-/serviceAccounts/101363364166838521279\",\"resourceAttributes\":{\"name\":\"projects/-/serviceAccounts/101363364166838521279\"}}]","gcp.callerIP":"156.204.230.94","gcp.user":"ahmed.amin@test.com","gcp.userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36,gzip(gfe)","gcp.projectId":"xxx-xxxx-xxxx"}} |
| 196 | +
|
| 197 | +
|
| 198 | +``` |
0 commit comments