GCP Auditlog Falco rules

Rule categories: APIKEYS (1 rule), CLOUDFUNCTIONS (3 rules), CLOUDKMS (2 rules), CLOUDRESOURCEMANAGER (1 rule), CLOUDRUN (2 rules), DNS (1 rule), GCE (1 rule), GKE (4 rules), IAM (5 rules), LOGGING (1 rule), MONITORING (2 rules), SQL (3 rules), STORAGE BUCKETS (7 rules), VM (5 rules), VPC (2 rules), VPC NETWORKS (2 rules), OTHER (2 rules).

Total 44 rules.

APIKEYS

GCP Create API Keys for a Project

Detect creation of API keys for a project.

cloud gcp gcp_apikeys cis_controls_16 cis_gcp_1.12

CLOUDFUNCTIONS

GCP Create Cloud Function Not Using Latest Runtime

Detect creation of a Cloud Function using an old or deprecated runtime.

cloud gcp gcp_cloudfunctions soc2 soc2_CC7.1 mitre_T1190-exploit-public-facing-application

GCP Create Cloud Function

Detect creation of a Cloud Function.

cloud gcp gcp_cloudfunctions mitre_TA0003-persistence

GCP Update Cloud Function

Detect updates to a Cloud Function.

cloud gcp gcp_cloudfunctions mitre_TA0003-persistence mitre_T1496-resource-hijacking

CLOUDKMS

GCP Create KMS Key Without Rotation

Detect creation of a new KMS key with automatic rotation disabled.

cloud gcp gcp_cloudkms soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2

GCP Remove KMS Key Rotation

Detect removal of KMS key rotation.

cloud gcp gcp_cloudkms soc2 soc2_CC6.1 soc2_CC8.1 ISO_27001 ISO_27001_A.10.1.2 ISO_27001_A.18.1.5 GDPR GDPR_32.1 GDPR_32.2
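
The two CLOUDKMS rules above both come down to inspecting the request body of a Cloud KMS audit-log entry. The script below is an added example, not Falco's or the rule library's code: it evaluates constructed Cloud Audit Log lines and flags a symmetric key created without a rotation period, and an update whose field mask names the rotation period but supplies none. The field names under protoPayload.request (cryptoKey, purpose, rotationPeriod, updateMask) are assumptions taken from the Cloud KMS CreateCryptoKey/UpdateCryptoKey API, and the log entries are constructed for illustration.

```python
"""KMS rotation checks over GCP Cloud Audit Log entries.

Added example, not Falco's or the rule library's code. Request field names
(cryptoKey, purpose, rotationPeriod, updateMask) are assumptions from the
Cloud KMS API; the log lines below are constructed.
"""
import json

# Constructed audit-log lines (one JSON LogEntry per line, trimmed to the fields used).
SAMPLE_LOG = [
    # 1. symmetric key created with a 90-day rotation period: compliant
    '{"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "CreateCryptoKey", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, '
    '"resourceName": "projects/demo/locations/global/keyRings/app/cryptoKeys/db", '
    '"request": {"cryptoKeyId": "db", "cryptoKey": {"purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s"}}}}',
    # 2. symmetric key created with no rotation period
    '{"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "CreateCryptoKey", '
    '"authenticationInfo": {"principalEmail": "bob@example.com"}, '
    '"resourceName": "projects/demo/locations/global/keyRings/app/cryptoKeys/cache", '
    '"request": {"cryptoKeyId": "cache", "cryptoKey": {"purpose": "ENCRYPT_DECRYPT"}}}}',
    # 3. asymmetric signing key: Cloud KMS does not rotate these automatically, so no finding
    '{"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "CreateCryptoKey", '
    '"authenticationInfo": {"principalEmail": "bob@example.com"}, '
    '"resourceName": "projects/demo/locations/global/keyRings/app/cryptoKeys/signer", '
    '"request": {"cryptoKeyId": "signer", "cryptoKey": {"purpose": "ASYMMETRIC_SIGN"}}}}',
    # 4. update that names rotationPeriod in the mask but supplies none: rotation removed
    '{"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "UpdateCryptoKey", '
    '"authenticationInfo": {"principalEmail": "carol@example.com"}, '
    '"resourceName": "projects/demo/locations/global/keyRings/app/cryptoKeys/db", '
    '"request": {"updateMask": "rotationPeriod,nextRotationTime", "cryptoKey": {"labels": {"env": "prod"}}}}}',
    # 5. update touching only labels: rotation untouched
    '{"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "UpdateCryptoKey", '
    '"authenticationInfo": {"principalEmail": "carol@example.com"}, '
    '"resourceName": "projects/demo/locations/global/keyRings/app/cryptoKeys/db", '
    '"request": {"updateMask": "labels", "cryptoKey": {"labels": {"env": "prod"}}}}}',
]


def field(entry, path, default=None):
    """Walk a dotted path through nested dicts; any missing key yields the default."""
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def check_kms_rotation(entry):
    """Return the matching rule name for one audit-log entry, or None."""
    if field(entry, "protoPayload.serviceName") != "cloudkms.googleapis.com":
        return None
    method = field(entry, "protoPayload.methodName", "") or ""
    key = field(entry, "protoPayload.request.cryptoKey", {}) or {}
    # Only symmetric (ENCRYPT_DECRYPT) keys support automatic rotation, so a
    # missing rotationPeriod on an asymmetric key is not a finding.
    if key.get("purpose", "ENCRYPT_DECRYPT") != "ENCRYPT_DECRYPT":
        return None
    has_rotation = bool(key.get("rotationPeriod"))
    if method.endswith("CreateCryptoKey") and not has_rotation:
        return "GCP Create KMS Key Without Rotation"
    if method.endswith("UpdateCryptoKey"):
        # The FieldMask says which fields the caller meant to change; its JSON
        # form may spell the field rotationPeriod or rotation_period.
        mask = (field(entry, "protoPayload.request.updateMask", "") or "").replace("_", "").lower()
        if "rotationperiod" in mask and not has_rotation:
            return "GCP Remove KMS Key Rotation"
    return None


def run(lines):
    """Evaluate every log line; return (rule, principal, resource) for each hit."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        rule = check_kms_rotation(entry)
        if rule:
            hits.append((rule,
                         field(entry, "protoPayload.authenticationInfo.principalEmail"),
                         field(entry, "protoPayload.resourceName")))
    return hits


if __name__ == "__main__":
    for hit in run(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Running the script reports entries 2 and 4 and stays silent on the compliant create, the asymmetric key and the label-only update. The purpose check is the caveat worth keeping in a production rule: alerting on every key without a rotation period would page on every asymmetric key, which can never have one.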

CLOUDRESOURCEMANAGER

GCP Invitation Sent to Non-corporate Account

Detect invitations sent to accounts that are not in the allowed corporate domains.

cloud gcp gcp_cloudresourcemanager HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1 mitre_T1136-create-account

CLOUDRUN

CloudRun Create Service

Detect creation of a CloudRun Service.

cloud gcp gcp_cloudrun

CloudRun Replace Service

Detect the replacement of a CloudRun Service.

cloud gcp gcp_cloudrun

DNS

GCP Create or Patch DNS Zone without DNSSEC

Detect creation of a DNS zone with DNSSEC disabled or a modification of a DNS zone to disable DNSSEC.

cloud gcp gcp_dns cis_controls_11.1 cis_gcp_3.3

GCE

GCP Describe Instance

Detect a request to describe (retrieve the details of) a specific GCE instance.

cloud gcp gcp_gce

GKE

GCP Delete DNS Zone

Detect the deletion of a DNS zone.

cloud gcp gcp_gke

GCP Delete GKE Cluster

Detect the deletion of a GKE cluster.

cloud gcp gcp_gke

GCP Delete GKE Node Pool

Detect the deletion of a GKE node pool.

cloud gcp gcp_gke

GCP Delete Router

Detect the deletion of a router.

cloud gcp gcp_gke

IAM

GCP Create GCP-managed Service Account Key

Detect creating an access key for a GCP-managed service account.

cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 mitre_T1550-use-alternate-authentication-material

GCP Create User-managed Service Account Key

Detect creating an access key for a user-managed service account.

cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 cis_gcp_1.4 mitre_T1550-use-alternate-authentication-material

GCP Delete IAM Role

Detect the deletion of an IAM role.

cloud gcp gcp_iam

GCP Operation by a Non-corporate Account

Detect an operation executed by a non-corporate account.

cloud gcp gcp_iam HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1

GCP Super Admin Executing Command

Detect a super admin executing a GCP command.

cloud gcp gcp_iam soc2 soc2_CC6.2 soc2_CC6.6 FedRAMP FedRAMP_AC-2(12) ISO_27001 ISO_27001_A.6.1.2 ISO_27001_A.9.2.3 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_09.aa GDPR GDPR_25.1 GDPR_25.2 GDPR_25.3
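
The CLOUDRESOURCEMANAGER invitation rule and the two IAM rules that key on who is acting (non-corporate account, super admin) share one mechanism: compare the calling principal, or the principal being granted a role, against an allowlist. The script below is an added example and not Falco's or the rule library's code. CORP_DOMAINS and SUPER_ADMINS stand in for the allowlists such rules are configured with; the protoPayload.serviceData.policyDelta.bindingDeltas shape used for the invitation check is an assumption based on the audit data IAM attaches to SetIamPolicy calls, and the log lines are constructed.

```python
"""Identity-centric checks over GCP Cloud Audit Log entries.

Added example, not Falco's or the rule library's code. CORP_DOMAINS and
SUPER_ADMINS are assumed configuration; the bindingDeltas shape is an
assumption from IAM's SetIamPolicy audit data; the log lines are constructed.
"""
import json

CORP_DOMAINS = {"example.com"}            # assumed: domains that count as corporate
SUPER_ADMINS = {"admin@example.com"}      # assumed: identities treated as super admins

SAMPLE_LOG = [
    # 1. corporate user doing routine work: no finding
    '{"protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.list", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/demo/zones/us-central1-a/instances"}}',
    # 2. consumer account operating in the project
    '{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", '
    '"authenticationInfo": {"principalEmail": "bob@gmail.com"}, "resourceName": "projects/_/buckets"}}',
    # 3. super admin granting a corporate colleague a role
    '{"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", '
    '"authenticationInfo": {"principalEmail": "admin@example.com"}, "resourceName": "projects/demo", '
    '"serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}}',
    # 4. corporate user inviting an outside account into the project
    '{"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/demo", '
    '"serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/editor", "member": "user:dave@gmail.com"}, '
    '{"action": "REMOVE", "role": "roles/viewer", "member": "user:erin@hotmail.com"}]}}}}',
    # 5. service account from the project itself: covered by the key rules, not flagged here
    '{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", '
    '"authenticationInfo": {"principalEmail": "ci@demo.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/artifacts/objects/app.tgz"}}',
]


def field(entry, path, default=None):
    """Walk a dotted path through nested dicts; any missing key yields the default."""
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def is_corporate(identity):
    """Corporate means the account's domain is in CORP_DOMAINS. Service accounts
    (*.gserviceaccount.com) are treated as corporate here; their key creation is
    what the service-account-key rules watch, so this rule leaves them alone."""
    domain = identity.rpartition("@")[2].lower()
    return domain in CORP_DOMAINS or domain.endswith("gserviceaccount.com")


def check_identity(entry):
    """Return the rule names this entry matches, in a fixed order."""
    hits = []
    who = field(entry, "protoPayload.authenticationInfo.principalEmail", "") or ""
    if who in SUPER_ADMINS:
        hits.append("GCP Super Admin Executing Command")
    if who and not is_corporate(who):
        hits.append("GCP Operation by a Non-corporate Account")
    if (field(entry, "protoPayload.serviceName") == "cloudresourcemanager.googleapis.com"
            and (field(entry, "protoPayload.methodName", "") or "").endswith("SetIamPolicy")):
        deltas = field(entry, "protoPayload.serviceData.policyDelta.bindingDeltas", []) or []
        for delta in deltas:
            kind, _, member = delta.get("member", "").partition(":")
            # Only additions of user/group principals are invitations; removals
            # and serviceAccount/allUsers grants are outside this rule's scope.
            if delta.get("action") == "ADD" and kind in ("user", "group") and not is_corporate(member):
                hits.append("GCP Invitation Sent to Non-corporate Account")
                break
    return hits


def run(lines):
    """Evaluate every log line; return (rule, principal) for each hit."""
    results = []
    for line in lines:
        entry = json.loads(line)
        who = field(entry, "protoPayload.authenticationInfo.principalEmail")
        results.extend((rule, who) for rule in check_identity(entry))
    return results


if __name__ == "__main__":
    for hit in run(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Note that entry 4 fires the invitation rule while the caller herself is corporate: the invitation rule looks at the member being added, the non-corporate-account rule at the caller. Keeping the two separate is what lets the first catch an insider inviting an outside account and the second catch the outside account once it starts acting.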

LOGGING

GCP Update, Disable or Delete Sink

Detect the updating, disabling or deletion of a sink.

cloud gcp gcp_logging FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_6.4 cis_gcp_2.2

MONITORING

GCP Monitoring Alert Deleted

Detect deletion of an alert.

cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools mitre_T1562-impair-defenses mitre_T1562.008-disable-cloud-logs

GCP Monitoring Alert Updated

Detect updating of an alert.

cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools

SQL

GCP Disable Automatic Backups for a Cloud SQL Instance

Detect that automatic backups have been disabled for a Cloud SQL instance.

cloud gcp gcp_sql cis_controls_10.1 cis_gcp_6.7

GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance

Detect that the requirement for all incoming connections to use SSL for a Cloud SQL instance has been disabled.

cloud gcp gcp_sql FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s HITRUST_CSF_10.k cis_controls_13 cis_controls_14.4 cis_controls_16.5 cis_gcp_6.4

GCP Set a Public IP for a Cloud SQL Instance

Detect that a public IP address has been set for a Cloud SQL instance.

cloud gcp gcp_sql FedRAMP FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_09.m cis_controls_13 cis_gcp_6.6

STORAGE BUCKETS

GCP Create Bucket

Detect creation of a bucket.

cloud gcp gcp_storage_buckets mitre_T1074-data-staged

GCP Delete Bucket

Detect deletion of a bucket.

cloud gcp gcp_storage_buckets

GCP List Buckets

Detect listing of all storage buckets.

cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery

GCP List Bucket Objects

Detect listing of all objects in a bucket.

cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery

GCP Put Bucket ACL

Detect setting the permissions on an existing bucket using access control lists.

cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host mitre_T1530-data-from-cloud-storage-object

GCP Set Bucket IAM Policy

Detect setting the permissions on an existing bucket using IAM policies.

cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_T1530-data-from-cloud-storage-object

GCP Update Bucket

Detect the update of a bucket.

cloud gcp gcp_storage_buckets

VM

GCP Enable Connecting to Serial Ports for a VM Instance

Detect enabling of connection to serial ports for a VM instance.

cloud gcp gcp_vm FedRAMP FedRAMP_CM-3(1) HITRUST_CSF HITRUST_CSF_10.k cis_controls_9.2 cis_gcp_4.5

GCP Creation of a VM Instance with IP Forwarding Enabled

Detect creating a VM instance with IP forwarding enabled.

cloud gcp gcp_vm cis_controls_11.1 cis_controls_11.2 cis_gcp_4.6

GCP Suspected Disable of OS Login in a VM Instance

Detect modification of the enable-oslogin metadata in an instance.

cloud gcp gcp_vm cis_controls_16 cis_gcp_4.4

GCP Enable Project-wide SSH keys for a VM Instance

Detect enabling of project-wide SSH keys for a VM instance.

cloud gcp gcp_vm HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s cis_controls_16 cis_gcp_4.3

GCP Shield Disabled for a VM Instance

Detect disabling of the Shielded VM parameter(s) of a VM instance.

cloud gcp gcp_vm cis_controls_13 cis_gcp_4.8
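
Three of the five VM rules above (serial ports, OS Login, project-wide SSH keys) are driven by instance metadata keys, the other two by fields of the instance insert and shielded-instance-config requests. The script below is an added example and not Falco's or the rule library's code: it expresses all five as checks over constructed Cloud Audit Log lines. The request shapes (a top-level items list on setMetadata, request.metadata.items and request.canIpForward on instances.insert, the enableSecureBoot/enableVtpm/enableIntegrityMonitoring fields on updateShieldedInstanceConfig) are assumptions based on the Compute Engine API, and it narrows the catalog's OS Login rule, which fires on any write to enable-oslogin, to writes that set a value other than true.

```python
"""VM-hardening checks over GCP Cloud Audit Log entries.

Added example, not Falco's or the rule library's code. Request shapes are
assumptions from the Compute Engine API; the log lines are constructed.
"""
import json

SAMPLE_LOG = [
    # 1. instance metadata rewritten to turn OS Login off and the serial console on
    '{"protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.setMetadata", '
    '"resourceName": "projects/demo/zones/us-central1-a/instances/web-1", '
    '"request": {"items": [{"key": "enable-oslogin", "value": "FALSE"}, {"key": "serial-port-enable", "value": "1"}]}}}',
    # 2. new instance with IP forwarding on and project-wide SSH keys allowed
    '{"protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert", '
    '"resourceName": "projects/demo/zones/us-central1-a/instances/router-1", '
    '"request": {"name": "router-1", "canIpForward": true, "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}}}}',
    # 3. Secure Boot switched off on a Shielded VM
    '{"protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.updateShieldedInstanceConfig", '
    '"resourceName": "projects/demo/zones/us-central1-a/instances/web-1", '
    '"request": {"enableSecureBoot": false, "enableVtpm": true, "enableIntegrityMonitoring": true}}}',
    # 4. OS Login explicitly enabled: no finding
    '{"protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.setMetadata", '
    '"resourceName": "projects/demo/zones/us-central1-a/instances/web-2", '
    '"request": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}}',
]


def field(entry, path, default=None):
    """Walk a dotted path through nested dicts; any missing key yields the default."""
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def metadata_items(request):
    """GCE metadata is a list of {key, value} strings. On setMetadata it is the
    request itself, on instances.insert it sits under request.metadata (assumed).
    Values are normalised because GCE accepts TRUE, true and 1 interchangeably."""
    items = request.get("items") or (request.get("metadata") or {}).get("items") or []
    return {i.get("key", ""): str(i.get("value", "")).strip().lower() for i in items}


def check_vm(entry):
    """Return the rule names this entry matches, in a fixed order."""
    hits = []
    if field(entry, "protoPayload.serviceName") != "compute.googleapis.com":
        return hits
    method = field(entry, "protoPayload.methodName", "") or ""
    request = field(entry, "protoPayload.request", {}) or {}
    meta = metadata_items(request)
    if "enable-oslogin" in meta and meta["enable-oslogin"] not in ("true", "1"):
        hits.append("GCP Suspected Disable of OS Login in a VM Instance")
    if meta.get("serial-port-enable") in ("true", "1"):
        hits.append("GCP Enable Connecting to Serial Ports for a VM Instance")
    # block-project-ssh-keys=false is what re-enables project-wide keys (CIS GCP 4.3).
    if meta.get("block-project-ssh-keys") in ("false", "0"):
        hits.append("GCP Enable Project-wide SSH keys for a VM Instance")
    if method.endswith("compute.instances.insert") and request.get("canIpForward") is True:
        hits.append("GCP Creation of a VM Instance with IP Forwarding Enabled")
    if method.endswith("compute.instances.updateShieldedInstanceConfig"):
        if any(request.get(f) is False
               for f in ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")):
            hits.append("GCP Shield Disabled for a VM Instance")
    return hits


def run(lines):
    """Evaluate every log line; return (rule, resource) for each hit."""
    results = []
    for line in lines:
        entry = json.loads(line)
        resource = field(entry, "protoPayload.resourceName")
        results.extend((rule, resource) for rule in check_vm(entry))
    return results


if __name__ == "__main__":
    for hit in run(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

One caveat when porting this to a real rule: setMetadata replaces the instance's whole metadata set, so an attacker can also disable OS Login by omitting the key rather than setting it to FALSE. Catching that requires comparing against the previous metadata, which a single audit-log entry does not carry.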

VPC

GCP Delete VPC Network

Detect the deletion of a VPC network.

cloud gcp gcp_vpc

GCP Delete VPC Subnetwork

Detect the deletion of a VPC subnetwork.

cloud gcp gcp_vpc

VPC NETWORKS

GCP Create a Default VPC Network

Detect creation of a default network in a project.

cloud gcp gcp_vpc_networks FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_10.k cis_controls_11.1 cis_gcp_3.1

GCP Disable Subnet Flow Logs

Detect disabling the flow logs of a subnet.

cloud gcp gcp_vpc_networks soc2 soc2_CC6.6 FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_12.8 cis_gcp_3.8

OTHER

GCP Delete Resources from the PCI Blueprint Environment

Detect the deletion of resources from the blueprint environment.

cloud gcp

GCP Command Executed on Unused Region

Detect GCP command execution on unused regions.

cloud gcp FedRAMP FedRAMP_AC-2(12) HIPAA HIPAA_164.308(a) HIPAA_164.312(a) mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions