removed googlecloud.audit from event datasets (#2105)

(cherry picked from commit 9cefd88b90)
Terrance DeJesus
2022-07-21 12:11:15 -04:00
committed by github-actions[bot]
parent dd5501d167
commit fc26e83bfb
21 changed files with 41 additions and 41 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
'''
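Review bot: Events that still carry `event.dataset:googlecloud.audit` stop matching once the query is narrowed to `gcp.audit`, and nothing visible in this hunk records that; the same applies to every other query hunk in this commit. If any deployment still ingests GCP audit logs through a shipper that writes the older dataset name (an assumption, since the index patterns and supported versions are outside the hunk), these rules would go silent for that data without any error. I would add a TOML comment on the line above `query` (not inside the `'''` string, where it would become part of the query), for example `# Matches gcp.audit only; data still labelled googlecloud.audit is not covered.`. It is also worth confirming that the rules' minimum supported stack version excludes the older dataset name. The `[rule]` table starts before this hunk and continues after it.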
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/18"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/18"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -32,6 +32,6 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.update" and event.outcome:success
event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.setIamPermissions" and event.outcome:success
event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.delete"
event.dataset:gcp.audit and event.action:"storage.buckets.delete"
'''
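Review bot: The new query `event.dataset:gcp.audit and event.action:"storage.buckets.delete"` has no `event.outcome:success` clause, while the other storage, IAM, logging and Pub/Sub queries in this commit all filter on it; the `routes.insert` query in a later hunk is in the same state. As written, the rule matches denied or failed bucket deletions as well as successful ones. That may be intentional, since attempts are also worth seeing, but it is not stated anywhere in the hunk. If it is deliberate, a comment above `query` such as `# No event.outcome filter: failed attempts are intentionally included.` would record it; if not, append `and event.outcome:success` to match the sibling rules.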
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,6 +34,6 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success
event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2022/02/16"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,6 +34,6 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,6 +34,6 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success
event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/07/15"
integration = "gcp"
[rule]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/06/06"
maturity = "production"
updated_date = "2022/01/24"
updated_date = "2022/07/15"
integration = "gcp"
[rule]