Sigma Rules
23 rules found
GCP Access Policy Deleted
Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
GCP Break-glass Container Workload Deployed
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
Google Cloud Storage Buckets Enumeration
Detects when storage bucket is enumerated in Google Cloud.
Google Cloud Storage Buckets Modified or Deleted
Detects when storage bucket is modified or deleted in Google Cloud.
Google Cloud Re-identifies Sensitive Information
Identifies when sensitive information is re-identified in google Cloud.
Google Cloud DNS Zone Modified or Deleted
Identifies when a DNS Zone is modified or deleted in Google Cloud.
Google Cloud Firewall Modified or Deleted
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Google Cloud Kubernetes CronJob
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Google Cloud Kubernetes RoleBinding
Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
Google Cloud Service Account Disabled or Deleted
Identifies when a service account is disabled or deleted in Google Cloud.
Google Cloud Service Account Modified
Identifies when a service account is modified in Google Cloud.
Google Cloud SQL Database Modified or Deleted
Detect when a Cloud SQL DB has been modified or deleted.
Google Cloud VPN Tunnel Modified or Deleted
Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
Google Workspace Application Access Level Modified
Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.
Google Workspace Application Removed
Detects when an an application is removed from Google Workspace.
Google Workspace Granted Domain API Access
Detects when an API access service account is granted domain authority.
Google Workspace MFA Disabled
Detects when multi-factor authentication (MFA) is disabled.
Google Workspace Role Modified or Deleted
Detects when an a role is modified or deleted in Google Workspace.
Google Workspace Role Privilege Deleted
Detects when an a role privilege is deleted in Google Workspace.
Google Workspace User Granted Admin Privileges
Detects when an Google Workspace user is granted admin privileges.