diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 907d6723b..f0013f13a 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
+event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index 23dc89f56..ff837ff85 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
+event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 0565cb14b..a51020e37 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
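Review bot: Narrowing `event.dataset` to `gcp.audit` in the `Subscriber.CreateSubscription` query silently stops matching audit events still indexed under the legacy `googlecloud.audit` dataset, so any environment that has not migrated off the older Filebeat module loses this detection without an error or a tuning alert. Nothing in the hunk records why the legacy dataset is being retired or from which stack version it is unsupported; a short sentence in the rule's description or `note`, along the lines of "Requires the GCP integration (`gcp.audit`); the legacy `googlecloud.audit` dataset is no longer matched", would let operators recognise the coverage gap. The same consideration applies to every query hunk in this commit. Whether the rule already carries such a note is outside the hunk.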
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
+event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 403b6875e..70fc658a0 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
+event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 59fb75af4..ff35c6f6f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
+event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 7ccc2b98c..4c2a2a55c 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
+event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index eb990a8be..470bc1356 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -32,6 +32,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.update" and event.outcome:success
+event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 4da1427f9..89f6be253 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.setIamPermissions" and event.outcome:success
+event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 0777913e5..152c0713a 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
+event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 4ffde449b..f98d8bdd6 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
+event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 7885762c1..9234a204d 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
+event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 00ffcb31d..51a3b4136 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
+event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 8c6af845f..92d22e0f5 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.delete"
+event.dataset:gcp.audit and event.action:"storage.buckets.delete"
 '''
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index b11570fac..5257a1e7d 100644
--- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
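Review bot: The rewritten query in `impact_gcp_storage_bucket_deleted.toml` carries no `event.outcome:success` clause, unlike the `DisableServiceAccount` rule immediately above it and the other query hunks in this commit, so a denied or failed `storage.buckets.delete` call also fires this alert. That may be deliberate (an attempted bucket deletion by an unauthorised principal is itself worth seeing), but the inconsistency is undocumented and the commit touches the line anyway. If the intent is to alert on attempts, a sentence in the rule's description saying so would prevent the next maintainer from "fixing" it; if not, `event.dataset:gcp.audit and event.action:"storage.buckets.delete" and event.outcome:success` brings it in line with its siblings. The rule's description is outside the hunk, so I cannot tell which is intended.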
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,6 +34,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success
+event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index da80efa4a..ecf56e798 100644
--- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,6 +34,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
+event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
 '''
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index 4cb8b5edb..e415bfed0 100644
--- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
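Review bot: The `impact_gcp_virtual_private_cloud_route_created.toml` query, `event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")`, is the only VPC rule in this line without an `event.outcome:success` filter; the `compute.networks.delete` hunk just before it and the `compute.routes.delete` hunk that follows both require success. Without it, rejected route insertions (for example a principal lacking `compute.routes.create`) also alert, which inflates noise in accounts where IAM denies are common. If that is the intended behaviour the rule's description should say so; otherwise appending ` and event.outcome:success` makes the three VPC rules consistent. Whether the description already explains the difference is outside the hunk.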
@@ -34,6 +34,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success
+event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index c2298cbf4..3659d02c7 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
+event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 48a8f04e9..131af16bd 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
+event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index b2abb298b..085fa6c50 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
+event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index af19e82b9..18a6408d6 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
+event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
index 7af1baa49..7a9209e16 100644
--- a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
+++ b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2022/01/24"
+updated_date = "2022/07/15"
 integration = "gcp"
 [rule]