Detectionmediumtest
Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Google Cloudgcp.audit
ProductGoogle Cloud← raw: gcp
Servicegcp.audit← raw: gcp.audit
Detection Logic
Detection Logic1 selector
detection:
selection:
gcp.audit.method_name:
- v*.Compute.PacketMirrorings.Get
- v*.Compute.PacketMirrorings.Delete
- v*.Compute.PacketMirrorings.Insert
- v*.Compute.PacketMirrorings.Patch
- v*.Compute.PacketMirrorings.List
- v*.Compute.PacketMirrorings.aggregatedList
condition: selectionFalse Positives
Full Network Packet Capture may be done by a system or network administrator.
If known behavior is causing false positives, it can be exempted from the rule.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
980a7598-1e7f-4962-9372-2d754c930d0e
Status
test
Level
medium
Type
Detection
Created
Fri Aug 13
Modified
Sun Oct 09
Author
Path
rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml
Raw Tags
attack.collectionattack.t1074