Sysdig Secure for cloud
Sysdig Secure for cloud is the software that connects Sysdig Secure features to your cloud environments to provide unified threat detection, compliance, forensics, and analysis.
Because modern cloud applications are no longer just virtualized compute
resources, but a superset of cloud services on which businesses depend,
controlling the security of your cloud accounts is essential. Errors can
expose an organization to risks that could bring resources down,
infiltrate workloads, exfiltrate secrets, create unseen assets, or
otherwise compromise the business or reputation. As the number of cloud
services and configurations available grows exponentially, using a cloud
security platform protects against having an unseen misconfiguration
turn into a serious security issue.
Supported Clouds
Features
Installation
Setup options, details, troubleshooting, and validation steps for the various cloud vendors under Installations
1 - AWS
This section describes the Sysdig Secure for cloud offering for AWS.
Setup options, details, troubleshooting, and validation steps are under Installations - Cloud - AWS.
Available Features
- Threat detection based on auditing CloudTrail events
- Cloud Security Posture Management (CSPM), including CIS AWS Benchmark compliance assessments
- Container registry scanning for ECR
- Image scanning for Fargate on ECS
- Permissions and Entitlements management (CIEM)

Threat Detection Based on CloudTrail
Threat Detection leverages audit logs from AWS CloudTrail plus Falco
rules to detect threats as soon as they occur, and brings governance,
compliance, and risk auditing to your cloud accounts.
A rich set of Falco rules, an AWS Best Practices default policy, and
an AWS CloudTrail policy type for creating customized policies are
included. These correspond to security standards and benchmarks such as
NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, CIS AWS, and AWS
Foundational Security Best Practices.
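The paragraph above describes CloudTrail records being evaluated against Falco rules. The following is an added example (not Sysdig's or Falco's own code) of how three rules from the catalog further down this page could be expressed as conditions over CloudTrail fields and run over a handful of events. The rule names and tags are taken from the catalog; the field conditions, the priority levels and the sample records are this example's own assumptions, and the account id is AWS's documentation example id.

```python
"""Falco-style detection over CloudTrail events (added example, not Sysdig's rule code).

The rule names and tags follow entries from the rule catalog on this page; the
field conditions are this example's own assumptions about how such rules could be
expressed, and the sample events are constructed, not real captures."""
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    priority: str            # priority levels are this example's choice
    tags: list = field(default_factory=list)


def get(event: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'userIdentity.type' through a CloudTrail record."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def succeeded(event: dict) -> bool:
    """CloudTrail records a failed API call with an errorCode field."""
    return get(event, "errorCode") is None


RULES = [
    Rule("CloudTrail Logging Disabled",
         lambda e: get(e, "eventSource") == "cloudtrail.amazonaws.com"
         and get(e, "eventName") == "StopLogging" and succeeded(e),
         "WARNING",
         ["cloud", "aws", "aws_cloudtrail", "mitre_TA0005-defense-evasion",
          "mitre_T1089-disabling-security-tools"]),
    Rule("Console Login Without MFA",
         lambda e: get(e, "eventSource") == "signin.amazonaws.com"
         and get(e, "eventName") == "ConsoleLogin"
         and get(e, "responseElements.ConsoleLogin") == "Success"
         and get(e, "additionalEventData.MFAUsed") != "Yes",
         "WARNING",
         ["cloud", "aws", "aws_console", "aws_iam"]),
    Rule("Create Access Key for Root User",
         lambda e: get(e, "eventSource") == "iam.amazonaws.com"
         and get(e, "eventName") == "CreateAccessKey"
         and get(e, "userIdentity.type") == "Root" and succeeded(e),
         "CRITICAL",
         ["cloud", "aws", "aws_iam", "mitre_TA0001-initial-access",
          "mitre_T1078-valid-accounts"]),
]


def evaluate(event: dict, rules=RULES) -> list:
    """Return one finding per rule whose condition matches the event."""
    return [
        {"rule": r.name, "priority": r.priority, "tags": r.tags,
         "user": get(event, "userIdentity.arn"), "region": get(event, "awsRegion"),
         "source_ip": get(event, "sourceIPAddress")}
        for r in rules if r.condition(event)
    ]


def scan(events) -> list:
    """Evaluate every rule against every event, in order."""
    return [f for e in events for f in evaluate(e)]


# Constructed sample records (123456789012 is AWS's documentation account id).
USER = "arn:aws:iam::123456789012:user/example-user"
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": USER}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "arn": USER},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "arn": USER},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    # A denied StopLogging attempt: errorCode is set, so the rule above does not fire.
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "errorCode": "AccessDenied", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": USER}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["priority"], finding["rule"], finding["user"], finding["source_ip"])
```

The rules here require the call to have succeeded, so the last sample record (a StopLogging attempt that was denied) produces no finding; a denied attempt to disable logging is itself a useful signal and would be written as its own rule rather than folded into this one.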

CSPM/Compliance with CIS AWS Benchmarks
A new cloud compliance standard, CIS AWS Benchmark, has been added to
the Sysdig compliance feature. This assessment is based on the
open-source engine Cloud Custodian and is the initial release of the
Sysdig Cloud Security Posture Management (CSPM) engine. This first
Sysdig cloud compliance standard will be followed by additional security,
compliance, and regulatory standards for GCP, IBM Cloud, and Azure.
The CIS AWS Benchmark assessment evaluates your AWS services against
the benchmark requirements and returns the results and the remediation
activities you need to fix misconfigurations in your cloud environment.
We’ve also included several UI improvements that provide additional
details such as control descriptions, affected resources, failing
assets, and guided remediation steps, both manual and CLI-based when
available.

ECR Registry Scanning
ECR Registry Scanning automatically scans all container images pushed to
all your Elastic Container Registries, so you have a vulnerability
report available in your Sysdig Secure dashboard at all times, without
having to set up any additional pipeline.
An ephemeral CodeBuild pipeline is created each time a new image is
pushed, which executes an inline scan based on your defined scan
policies. Default policies cover vulnerabilities and Dockerfile best
practices, and you can define advanced rules yourself.
Fargate Image Scanning on ECS
Fargate Image Scanning automatically scans any container image deployed
on a serverless Fargate task that runs on Elastic Container Service. This
includes public images that live in registries other than ECR, as well
as private ones for which you set the credentials.
An ephemeral CodeBuild pipeline is automatically created when a
container is deployed on ECS Fargate to execute the inline scan.
Identity and Access Management
As cloud accounts proliferate, excessive permissions become a security risk and a management headache. Sysdig Secure for cloud provides a Permissions and Entitlements module under Posture that allows you to:
- Gain visibility into all cloud identities and their privileges: get a comprehensive view into access permissions across all AWS users and services
- Enforce least privilege: eliminate excessive permissions by applying least-privilege policies to users and services with automatically generated IAM policies. Sysdig proposes policies based on analyzing which entitlements are granted versus which are actually used.
- Simplify audit of access controls to meet compliance requirements: use reports for regular access reviews to evaluate active and inactive user permissions and activity.
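The second bullet above describes proposing least-privilege policies by comparing which entitlements are granted with which are actually used. The following is an added example, not Sysdig's implementation, of that comparison: it flattens the Allow statements of an identity policy, counts the successful API calls CloudTrail shows for that identity, and proposes a policy whose actions are narrowed to the ones observed while the original resource scope is kept. The policy, the events and the eventSource-to-prefix override table are constructed for the example.

```python
"""Granted-versus-used IAM entitlement analysis (added example, not Sysdig's implementation).

It compares the Allow statements of an identity policy with the actions that
CloudTrail shows the identity actually calling, then proposes a narrowed policy.
The policy and the events below are constructed for the example."""
import fnmatch
from collections import Counter

# CloudTrail eventSource host label -> IAM action prefix. Most services match the first
# label of the hostname; the overrides cover the ones that do not (assumption: only the
# CloudWatch metrics API is needed for the sample data below).
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


def action_from_event(event: dict) -> str:
    """Map a CloudTrail record to the IAM action it exercised, e.g. s3:GetObject."""
    service = event["eventSource"].split(".")[0]
    return f"{PREFIX_OVERRIDES.get(service, service)}:{event['eventName']}"


def matches(action: str, pattern: str) -> bool:
    """IAM action names are case-insensitive and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def used_actions(events: list) -> Counter:
    """Count successful calls only; a denied call proves nothing about what is needed."""
    return Counter(action_from_event(e) for e in events if "errorCode" not in e)


def analyze(policy: dict, events: list) -> dict:
    used = used_actions(events)
    proposed, unused = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        exercised = sorted({a for a in used if any(matches(a, p) for p in patterns)})
        unused.extend(p for p in patterns if not any(matches(a, p) for a in used))
        if exercised:
            # keep the statement's resource scope, narrow the actions to those observed
            proposed.append({"Effect": "Allow", "Action": exercised, "Resource": stmt["Resource"]})
    covered = {a for s in proposed for a in s["Action"]}
    return {
        "used": dict(used),
        "unused_grants": unused,                    # candidates for removal
        "uncovered": sorted(set(used) - covered),   # must be granted by some other policy
        "proposed_policy": {"Version": "2012-10-17", "Statement": proposed},
    }


# Constructed input: a deliberately broad policy and a sample of observed calls.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:ListUsers"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricData"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(POLICY, EVENTS), indent=2))
```

Two caveats matter when reading the output. An action that appears under "uncovered" was called successfully but is not in this policy, so another attached policy grants it and needs the same review. And the observation window decides what counts as unused: an action exercised only by a quarterly job will look unused in a one-week sample, which is why the page describes this as proposed policies rather than automatic enforcement.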

1.1 - CloudTrail Falco rules
Rule counts by service:
APPRUNNER: 4 rules
AUTOSCALING: 2 rules
CLOUDSHELL: 1 rule
CLOUDTRAIL: 7 rules
CLOUDWATCH: 3 rules
CONFIG: 19 rules
CONSOLE: 3 rules
DMS: 1 rule
EBS: 1 rule
EC2: 20 rules
ECR: 1 rule
ECS: 8 rules
ECS EXEC: 3 rules
EFS: 1 rule
ELASTICSEARCH: 2 rules
ELB: 4 rules
FARGATE: 8 rules
GUARDDUTY: 6 rules
IAM: 39 rules
KMS: 5 rules
LAMBDA: 6 rules
RDS: 13 rules
ROUTE53: 3 rules
S3: 14 rules
SAGEMAKER: 1 rule
SECRETSMANAGER: 1 rule
SECURITYHUB: 9 rules
VPC: 14 rules
WAF: 2 rules
OTHER: 2 rules
Total: 189 rules.
APPRUNNER
Create App Runner Service from Code Repository
Detect the building and deployment of an App Runner service from a code repository.
Tags: cloud aws aws_apprunner
Create App Runner Service from Image Repository
Detect the deployment of an App Runner service from an image repository.
Tags: cloud aws aws_apprunner
Delete App Runner Service
Detect the deletion of an App Runner service.
Tags: cloud aws aws_apprunner
Deploy App Runner Service
Detect the deployment of an App Runner service.
Tags: cloud aws aws_apprunner

AUTOSCALING
Create Autoscaling Group without ELB Health Checks
Detect the creation of an autoscaling group associated with a load balancer which is not using health checks.
Tags: cloud aws aws_autoscaling
Update Autoscaling Group without ELB Health Checks
Detect the update of an autoscaling group associated with a load balancer which is not using health checks.
Tags: cloud aws aws_autoscaling

CLOUDSHELL
CloudShell Environment Created
Detect creation of a new Cloud Shell environment.
Tags: cloud aws aws_cloudshell

CLOUDTRAIL
CloudTrail Trail Created
Detect creation of a new trail.
Tags: cloud aws aws_cloudtrail mitre_TA0009-collection mitre_T1530-data-from-cloud-storage-object
CloudTrail Trail Deleted
Detect deletion of an existing trail.
Tags: cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
CloudTrail Logfile Encryption Disabled
Detect disabling the CloudTrail logfile encryption.
Tags: cloud aws aws_cloudtrail
CloudTrail Logfile Validation Disabled
Detect disabling the CloudTrail logfile validation.
Tags: cloud aws aws_cloudtrail
CloudTrail Logging Disabled
CloudTrail logging has been disabled; this could be potentially malicious.
Tags: cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
CloudTrail Multi-region Disabled
Detect disabling CloudTrail multi-region.
Tags: cloud aws aws_cloudtrail
CloudTrail Trail Updated
Detect update of an existing trail.
Tags: cloud aws aws_cloudtrail mitre_TA0009-collection mitre_TA0040-impact mitre_T1492-store-data-manipulation mitre_T1530-data-from-cloud-storage-object

CLOUDWATCH
CloudWatch Delete Alarms
Detect deletion of an alarm.
Tags: cloud aws aws_cloudwatch mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
CloudWatch Delete Log Group
Detect deletion of a CloudWatch log group.
Tags: cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction
CloudWatch Delete Log Stream
Detect deletion of a CloudWatch log stream.
Tags: cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction

CONFIG
Delete Config Rule
Detect deletion of a configuration rule.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Configuration Aggregator
Detect deletion of the configuration aggregator.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Configuration Recorder
Detect deletion of the configuration recorder.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Conformance Pack
Detect deletion of a conformance pack.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Delivery Channel
Detect deletion of the delivery channel.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Organization Config Rule
Detect deletion of an organization config rule.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Organization Conformance Pack
Detect deletion of an organization conformance pack.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Remediation Configuration
Detect deletion of a remediation configuration.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Retention Configuration
Detect deletion of the retention configuration, which sets the retention period (number of days) for which AWS Config stores historical information.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Config Rule
Detect addition or update of an AWS Config rule.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Configuration Aggregator
Detect creation or update of the configuration aggregator with the selected source accounts and regions.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Conformance Pack
Detect creation or update of a conformance pack.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Delivery Channel
Detect creation of a delivery channel.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Organization Config Rule
Detect addition or update of an AWS Organization Config rule.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Organization Conformance Pack
Detect deployment of conformance packs across member accounts in an AWS Organization.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Remediation Configurations
Detect addition or update of the remediation configuration for a specific AWS Config rule with the selected target or action.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Remediation Exceptions
Detect addition of a new exception, or update of an existing exception, for a specific resource with a specific AWS Config rule.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Retention Configuration
Detect creation or update of the retention configuration, which sets the retention period (number of days) for which AWS Config stores historical information.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Stop Configuration Recorder
Detect stopping the configuration recorder.
Tags: cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

CONSOLE
Console Login Through Assume Role
Detect a console login through Assume Role.
Tags: cloud aws aws_console aws_iam
Console Login Without MFA
Detect a console login without MFA.
Tags: cloud aws aws_console aws_iam
Console Root Login Without MFA
Detect root console login without MFA.
Tags: cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal

DMS
Create Public DMS Replication Instance
Detect creation of a public DMS replication instance.
Tags: cloud aws aws_dms

EBS
EBS Volume Creation without Encryption at Rest
Detect creation of an EBS volume without encryption at rest enabled.
Tags: cloud aws aws_ebs

EC2
Allocate New Elastic IP Address to AWS Account
Detect that a public IP address has been allocated to the account.
Tags: cloud aws aws_ec2
Associate Elastic IP Address to AWS Network Interface
Detect that a public IP address has been associated with a network interface.
Tags: cloud aws aws_ec2
Authorize Security Group Egress
Detect addition of the specified egress rules to a security group.
Tags: cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Authorize Security Group Ingress
Detect addition of the specified ingress rules to a security group.
Tags: cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create Snapshot
Detect creation of an EBS volume snapshot, which is stored in Amazon S3.
Tags: cloud aws aws_ec2
Delete Subnet
Detect deletion of the specified subnet.
Tags: cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction
Describe Instances
Detect description of the specified EC2 instances or all EC2 instances.
Tags: cloud aws aws_ec2
Disable EBS Encryption by Default
Detect disabling EBS encryption by default for an account in the current region.
Tags: cloud aws aws_ec2 mitre_TA0040-impact mitre_T1492-store-data-manipulation
Make EBS Snapshot Public
Detect making an EBS snapshot public.
Tags: cloud aws aws_ec2
EC2 Serial Console Access Enabled
Detect EC2 serial console access enabled in the account for a specific region.
Tags: cloud aws aws_ec2
Get Password Data
Detect retrieval of the encrypted administrator password for a running Windows instance.
Tags: cloud aws aws_ec2 mitre_TA0003-persistence mitre_T1108-redundant-access
Modify Image Attribute
Detect modification of the specified attribute of the specified AMI.
Tags: cloud aws aws_ec2 mitre_TA0010-exfiltration
Modify Snapshot Attribute
Detect addition or removal of permission settings for the specified EC2 snapshot.
Tags: cloud aws aws_ec2 mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account
Replace Route
Detect replacing an existing route within a route table in a VPC.
Tags: cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Revoke Security Group Egress
Detect removal of the specified egress rules from a security group.
Tags: cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Revoke Security Group Ingress
Detect removal of the specified ingress rules from a security group.
Tags: cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Run Instances in Non-approved Region
Detect launching of a specified number of instances in a non-approved region.
Tags: cloud aws aws_ec2
Run Instances with Non-standard Image
Detect launching of a specified number of instances with a non-standard image.
Tags: cloud aws aws_ec2
Run Instances
Detect launching of a specified number of instances.
Tags: cloud aws aws_ec2
Delete Cluster
Detect deletion of the specified cluster.
Tags: cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction

ECR
ECR Image Pushed
Detect that a new image has been pushed to an ECR registry.
Tags: cloud aws aws_ecr

ECS
ECS Service Created
Detect that a new service is created in ECS.
Tags: cloud aws aws_ecs aws_fargate
ECS Service Deleted
Detect that a service is deleted in ECS.
Tags: cloud aws aws_ecs aws_fargate
Execute Interactive Command inside an ECS Container
Detect execution of an interactive command inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
Execute Command inside an ECS Container
Detect execution of a command inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
ECS Task Run or Started
Detect that a new task is started in ECS.
Tags: cloud aws aws_ecs aws_fargate
ECS Task Stopped
Detect that a task is stopped in ECS.
Tags: cloud aws aws_ecs aws_fargate
Terminal Shell in ECS Container
A terminal shell has been executed inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
ECS Service Task Definition Updated
Detect that a service task definition is updated in ECS.
Tags: cloud aws aws_ecs aws_fargate

ECS EXEC
Execute Interactive Command inside an ECS Container
Detect execution of an interactive command inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
Execute Command inside an ECS Container
Detect execution of a command inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
Terminal Shell in ECS Container
A terminal shell has been executed inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

EFS
Create Unencrypted EFS
Detect creation of an unencrypted elastic file system.
Tags: cloud aws aws_efs

ELASTICSEARCH
Elasticsearch Domain Creation without Encryption at Rest
Detect creation of an Elasticsearch domain without encryption at rest enabled.
Tags: cloud aws aws_elasticsearch
Elasticsearch Domain Creation without VPC
Detect creation of an Elasticsearch domain without a VPC.
Tags: cloud aws aws_elasticsearch

ELB
Create HTTP Target Group without SSL
Detect creation of an HTTP target group not using SSL.
Tags: cloud aws aws_elb
Create Internet-facing AWS Public Facing Load Balancer
Detect creation of an AWS internet-facing load balancer.
Tags: cloud aws aws_elb
Delete Listener
Detect deletion of the specified listener.
Tags: cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application
Modify Listener
Detect replacing the specified properties of the specified listener.
Tags: cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application

FARGATE
ECS Service Created
Detect that a new service is created in ECS.
Tags: cloud aws aws_ecs aws_fargate
ECS Service Deleted
Detect that a service is deleted in ECS.
Tags: cloud aws aws_ecs aws_fargate
Execute Interactive Command inside an ECS Container
Detect execution of an interactive command inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
Execute Command inside an ECS Container
Detect execution of a command inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
ECS Task Run or Started
Detect that a new task is started in ECS.
Tags: cloud aws aws_ecs aws_fargate
ECS Task Stopped
Detect that a task is stopped in ECS.
Tags: cloud aws aws_ecs aws_fargate
Terminal Shell in ECS Container
A terminal shell has been executed inside an ECS container.
Tags: cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
ECS Service Task Definition Updated
Detect that a service task definition is updated in ECS.
Tags: cloud aws aws_ecs aws_fargate

GUARDDUTY
Delete Detector
Detect deletion of an Amazon GuardDuty detector.
Tags: cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Guard Duty Delete Members
Detect deletion of GuardDuty member accounts (from the current GuardDuty administrator account) specified by the account IDs.
Tags: cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable GuardDuty
Detect disabling of GuardDuty.
Tags: cloud aws aws_guardduty
Guard Duty Disassociate from Master Account
Detect disassociation of the current GuardDuty member account from its administrator account.
Tags: cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Guard Duty Disassociate Members
Detect disassociation of GuardDuty member accounts (from the current GuardDuty administrator account) specified by the account IDs.
Tags: cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Stop Monitoring Members
Detect stopping GuardDuty monitoring for the specified member accounts.
Tags: cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

IAM
Console Login Failure
Detect a console login failure.
Tags: cloud aws aws_iam
Console Login Success From Untrusted IP
Detect a successful console login from an untrusted IP address.
Tags: cloud aws aws_iam
Console Login Success
Detect a successful console login.
Tags: cloud aws aws_iam
Console Login Through Assume Role
Detect a console login through Assume Role.
Tags: cloud aws aws_console aws_iam
Console Login Without MFA
Detect a console login without MFA.
Tags: cloud aws aws_console aws_iam
Console Root Login Without MFA
Detect root console login without MFA.
Tags: cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
Logged in without Using MFA
(DEPRECATED) Detect user login without using MFA (multi-factor authentication). Use "Console Login Without MFA" instead.
Tags: cloud aws aws_iam
Password Recovery Requested
Detect AWS IAM password recovery requests.
Tags: cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
Put Inline Policy in Group to Allow Access to All Resources
Detect putting an inline policy in a group that allows access to all resources.
Tags: cloud aws aws_iam
Create Access Key for Root User
Detect creation of an access key for root.
Tags: cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
Deactivate Hardware MFA for Root User
Detect deactivating hardware MFA configuration for root.
Tags: cloud aws aws_iam
Deactivate MFA for Root User
Detect deactivating MFA configuration for root.
Tags: cloud aws aws_iam
Deactivate Virtual MFA for Root User
Detect deactivating virtual MFA configuration for root.
Tags: cloud aws aws_iam
Delete Virtual MFA for Root User
Detect deleting MFA configuration for root.
Tags: cloud aws aws_iam pcs_dss_iam.5
Root User Executing AWS Command
Detect the root user executing an AWS command.
Tags: cloud aws aws_iam
Add AWS User to Group
Detect adding a user to a group.
Tags: cloud aws aws_iam
Attach Administrator Policy
Detect attaching an administrator policy to a user.
Tags: cloud aws aws_iam
Attach IAM Policy to User
Detect attaching an IAM policy to a user.
Tags: cloud aws aws_iam
Create Group
Detect creation of a new user group.
Tags: cloud aws aws_iam mitre_TA0003-persistence mitre_T1108-redundant-access
Create Security Group Rule Allowing SSH Ingress
Detect creation of a security group rule allowing SSH ingress.
Tags: cloud aws aws_iam
Create Security Group Rule Allowing Ingress Open to the World
Detect creation of a security group rule allowing ingress open to the world.
Tags: cloud aws aws_iam
Create AWS user
Detect creation of a new AWS user.
Tags: cloud aws aws_iam mitre_TA0003-persistence mitre_T1136-create-account
Create IAM Policy that Allows All
Detect creation of an IAM policy that allows all.
Tags: cloud aws aws_iam
Deactivate MFA for User Access
Detect deactivating MFA configuration for user access.
Tags: cloud aws aws_iam
Delete Group
Detect deletion of a user group.
Tags: cloud aws aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
Delete AWS user
Detect deletion of an AWS user.
Tags: cloud aws aws_iam
Put IAM Inline Policy to User
Detect putting an IAM inline policy on a user.
Tags: cloud aws aws_iam
Remove AWS User from Group
Detect removing a user from a group.
Tags: cloud aws aws_iam
Update Account Password Policy Not Expiring
Detect updating the password policy so that passwords never expire.
Tags: cloud aws aws_iam
Update Account Password Policy Expiring in More Than 90 Days
Detect updating the password policy so that passwords expire in more than 90 days.
Tags: cloud aws aws_iam
Update Account Password Policy Not Preventing Reuse of Last 24 Passwords
Detect updating the password policy so that it does not prevent reuse of the last 24 passwords.
Tags: cloud aws aws_iam
Update Account Password Policy Not Preventing Reuse of Last 4 Passwords
Detect updating the password policy so that it does not prevent reuse of the last 4 passwords.
Tags: cloud aws aws_iam
Update Account Password Policy Not Requiring 14 Characters
Detect updating the password policy so that it does not require a minimum length of 14 characters.
Tags: cloud aws aws_iam
Update Account Password Policy Not Requiring 7 Characters
Detect updating the password policy so that it does not require a minimum length of 7 characters.
Tags: cloud aws aws_iam
Update Account Password Policy Not Requiring Lowercase
Detect updating the password policy so that it does not require a lowercase letter.
Tags: cloud aws aws_iam
Update Account Password Policy Not Requiring Number
Detect updating the password policy so that it does not require a number.
Tags: cloud aws aws_iam
Update Account Password Policy Not Requiring Symbol
Detect updating the password policy so that it does not require a symbol.
Tags: cloud aws aws_iam
Update Account Password Policy Not Requiring Uppercase
Detect updating the password policy so that it does not require an uppercase letter.
Tags: cloud aws aws_iam
Update Assume Role Policy
Detect modifying a role.
Tags: cloud aws aws_iam mitre_TA0006-credential-access mitre_T1110-brute-force

KMS
Create Customer Master Key
Detect creation of a new CMK (with rotation disabled).
Tags: cloud aws aws_kms
Disable CMK Rotation
Detect disabling of a customer master key's rotation.
Tags: cloud aws aws_kms
Disable Key
Detect disabling a customer master key (CMK), thereby preventing its use for cryptographic operations.
Tags: cloud aws aws_kms
Remove KMS Key Rotation
Detect removal of KMS key rotation.
Tags: cloud aws aws_kms
Schedule Key Deletion
Detect scheduling of the deletion of a customer master key.
Tags: cloud aws aws_kms

LAMBDA
Create Lambda Function Not Using Latest Runtime
Detect creation of a Lambda function not using the latest runtime.
Tags: cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
Create Lambda Function Using Unsupported Runtime
Detect creation of a Lambda function using an unsupported runtime.
Tags: cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
Create Lambda Function
Detect creation of a Lambda function.
Tags: cloud aws aws_lambda mitre_TA0003-persistence
Dissociate Lambda Function from VPC
Detect dissociation of a Lambda function from a VPC.
Tags: cloud aws aws_lambda
Update Lambda Function Code
Detect updates to a Lambda function's code.
Tags: cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking
Update Lambda Function Configuration
Detect updates to a Lambda function's configuration.
Tags: cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking

RDS
Authorize DB Security Group Ingress
Detect enabling ingress to a DBSecurityGroup using one of two forms of authorization.
Tags: cloud aws aws_rds
Create DB Cluster
Detect creation of a database cluster.
Tags: cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
Create DB Security Group
Detect creation of a database security group.
Tags: cloud aws aws_rds
Create Global Cluster
Detect creation of a global cluster.
Tags: cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
Delete DB Cluster
Detect deletion of a database cluster.
Tags: cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
Delete DB Security Group
Detect deletion of a database security group.
Tags: cloud aws aws_rds
Delete DB Snapshot
Detect deletion of a database snapshot.
Tags: cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
Make RDS DB Instance Public
Detect making an RDS DB instance public.
Tags: cloud aws aws_rds
Make RDS Snapshot Public
Detect making an RDS snapshot public.
Tags: cloud aws aws_rds
Modify RDS Snapshot Attribute
Detect modification of an RDS snapshot attribute.
Tags: cloud aws aws_rds mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account
Revoke DB Security Group Ingress
Detect revocation of ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC security groups.
Tags: cloud aws aws_rds
Stop DB Cluster
Detect stopping of a database cluster.
Tags: cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop
Stop DB Instance
Detect stopping of a database instance.
Tags: cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop

ROUTE53
Associate VPC with Hosted Zone
Detect association of an Amazon VPC with a private hosted zone.
Tags: cloud aws aws_route53
Change Resource Record Sets
Detect creation, changes, or deletion of a resource record set.
Tags: cloud aws aws_route53
Register Domain
Detect registration of a new domain.
Tags: cloud aws aws_route53

S3
Delete Bucket CORS
Detect deletion of the CORS configuration for a bucket.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Encryption
Detect deletion of the configuration that enables encryption for bucket storage.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Lifecycle
Detect deletion of the lifecycle configuration from the specified bucket.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Policy
Detect deletion of the policy of a specified bucket.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Public Access Block
Detect deletion of the block-public-access configuration for a bucket.
Tags: cloud aws aws_s3
Delete Bucket Replication
Detect deletion of the replication configuration from the bucket.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Read Object in Watched Bucket
Detect a Read operation on objects in watched buckets.
Tags: cloud aws aws_s3
List Buckets
Detect listing of all S3 buckets.
Tags: cloud aws aws_s3 mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
Put Bucket ACL
Detect setting the permissions on an existing bucket using access control lists.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket CORS
Detect setting the CORS configuration for a bucket.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Lifecycle
Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED: use `Put Bucket Lifecycle Configuration` instead].
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Policy
Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Replication
Detect creation of a replication configuration or the replacement of an existing one.
Tags: cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Object in Watched Bucket
Detect a Put operation on objects in watched buckets.
Tags: cloud aws aws_s3

SAGEMAKER
Create SageMaker Notebook Instance with Direct Internet Access
Detect creation of a SageMaker notebook instance with direct internet access.
Tags: cloud aws aws_sagemaker

SECRETSMANAGER
Get Secret Value
Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.
Tags: cloud aws aws_secretsmanager mitre_TA0006-credential-access mitre_T1528-steal-application-access-token

SECURITYHUB
Batch Disable Standards
Detect disabling of the standards specified by the provided StandardsSubscriptionArns.
Tags: cloud aws aws_securityhub
Delete Action Target
Detect deletion of a custom action target from Security Hub.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Delete Members
Detect deletion of the specified member accounts from Security Hub.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable Import Findings for Product
Detect disabling of the integration of the specified product with Security Hub.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable Security Hub
Detect disabling Security Hub in the current region.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Disassociate From Master Account
Detect disassociation of the current Security Hub member account from the associated master account.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Disassociate Members
Detect disassociation of the current Security Hub member account from the associated master account.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Update Action Target
Detect updating the name and description of a custom action target in Security Hub.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Update Standards Control
Detect enabling or disabling of a standard control.
Tags: cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

VPC
Accept VPC Peering Connection
Detect accepting a VPC peering connection.
Tags: cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Attach Internet Gateway
Detect attaching an internet gateway.
Tags: cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL Entry Allowing Ingress Open to the World
Detect creation of an access control list entry allowing ingress open to the world.
Tags: cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL Entry
Detect creating a network ACL entry.
Tags: cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL
Detect creating a network ACL.
Tags: cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC Route
Detect creating a VPC route.
Tags: cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC Peering Connection
Detect creating a VPC peering connection.
Tags: cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC with Default Security Group
Detect creation of a new VPC with the default security group.
Tags: cloud aws aws_vpc
Create VPC with No Flow Log
Detect creation of a new VPC with no flow log.
cloud aws aws_vpcDelete VPC Flow Log
Detect deleting VPC flow log.
cloud aws aws_vpc mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-toolsDelete a Network ACL Entry
Detect deletion of a network ACL entry.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-toolsDelete a Network ACL
Detect deleting a network ACL.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-toolsReplace a Network ACL Association
Detect replacement of a network ACL association.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-toolsReplace a Network ACL Entry
Detect replacement of a network ACL entry.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-toolsWAF
Delete WAF Rule Group
Detect deleting a WAF rule group.
cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-toolsDelete Web ACL
Detect deleting a web ACL.
cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-toolsOTHER
AWS Command Executed by Untrusted User
Detect AWS command execution by an untrusted user.
cloud awsAWS Command Executed on Unused Region
Detect AWS command execution on unused regions.
cloud aws mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions2 - GCP
This section describes the GCP offering.
Check setup options, details, troubleshooting, and validation steps under Installations - Cloud - GCP
Available Features
- Threat detection based on GCP Cloud Audit Logs integration
- Compliance Security Posture Management (CSPM), including CIS GCP and CIS GKE
Benchmark compliance assessments
- GCP Cloud Container scanning
- Image scanning on GCP
Threat Detection Based on GCP Cloud Audit Logs
Threat Detection leverages GCP Cloud Audit Logs plus Falco
rules to detect threats as soon as they occur and bring governance,
compliance, and risk auditing to your cloud accounts.
A rich set of Falco rules, a GCP Best Practices default policy, and
a GCP policy type for creating customized policies are
included. These correspond to security standards and benchmarks such as:
NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, and Google Cloud Security best practices.
CSPM/Compliance with CIS GKE and CIS GCP Benchmarks
A new cloud compliance standard has been added to the Sysdig compliance
feature - CIS GCP benchmarks. These assessments are based on an
open-source engine - Cloud Custodian - in Sysdig’s Cloud Security Posture Management (CSPM) engine.
The assessments evaluate your Google Cloud services against
the benchmark requirements and return the results and the remediation
activities you need to fix misconfigurations in your cloud environment.
GCP Cloud Container Scanning
GCP Cloud Container Scanning uses a PubSub topic to automatically detect any container image pushed to registries on Google Container Registry or Google Artifact Registry, as well as images deployed to Google Cloud Run. An ephemeral Google Cloud Build pipeline is then created to scan that image so a vulnerability report is available in your Sysdig backend.
2.1 - Auditlog Falco rules
APIKEYS: 1 rule
CLOUDFUNCTIONS: 3 rules
CLOUDKMS: 2 rules
CLOUDRESOURCEMANAGER: 1 rule
CLOUDRUN: 2 rules
DNS: 1 rule
GCE: 1 rule
GKE: 4 rules
IAM: 5 rules
LOGGING: 1 rule
MONITORING: 2 rules
SQL: 3 rules
STORAGE BUCKETS: 7 rules
VM: 5 rules
VPC: 2 rules
VPC NETWORKS: 2 rules
OTHER: 2 rules
Total: 44 rules.
APIKEYS
GCP Create API Keys for a Project
Detect creation of API keys for a project.
cloud gcp gcp_apikeys cis_controls_16 cis_gcp_1.12
CLOUDFUNCTIONS
GCP Create Cloud Function Not Using Latest Runtime
Detect creation of a Cloud Function using an old or deprecated runtime.
cloud gcp gcp_cloudfunctions soc2 soc2_CC7.1 mitre_T1190-exploit-public-facing-application
GCP Create Cloud Function
Detect creation of a Cloud Function.
cloud gcp gcp_cloudfunctions mitre_TA0003-persistence
GCP Update Cloud Function
Detect updates to a Cloud Function.
cloud gcp gcp_cloudfunctions mitre_TA0003-persistence mitre_T1496-resource-hijacking
CLOUDKMS
GCP Create KMS Key Without Rotation
Detect creation of a new KMS key with rotation disabled.
cloud gcp gcp_cloudkms soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2
GCP Remove KMS Key Rotation
Detect removal of KMS key rotation.
cloud gcp gcp_cloudkms soc2 soc2_CC6.1 soc2_CC8.1 ISO_27001 ISO_27001_A.10.1.2 ISO_27001_A.18.1.5 GDPR GDPR_32.1 GDPR_32.2
CLOUDRESOURCEMANAGER
GCP Invitation Sent to Non-corporate Account
Detect an invitation sent to a non-corporate (not allowed) account.
cloud gcp gcp_cloudresourcemanager HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1 mitre_T1136-create-account
CLOUDRUN
CloudRun Create Service
Detect creation of a CloudRun Service.
cloud gcp gcp_cloudrun
CloudRun Replace Service
Detect the replacement of a CloudRun Service.
cloud gcp gcp_cloudrun
DNS
GCP Create or Patch DNS Zone without DNSSEC
Detect creation of a DNS zone with DNSSEC disabled or a modification of a DNS zone to disable DNSSEC.
cloud gcp gcp_dns cis_controls_11.1 cis_gcp_3.3
GCE
GCP Describe Instance
Detect description of the specified GCE instance.
cloud gcp gcp_gce
GKE
GCP Delete DNS Zone
Detect the deletion of a DNS zone.
cloud gcp gcp_gke
GCP Delete GKE Cluster
Detect the deletion of a GKE cluster.
cloud gcp gcp_gke
GCP Delete GKE Node Pool
Detect the deletion of a GKE node pool.
cloud gcp gcp_gke
GCP Delete Router
Detect the deletion of a router.
cloud gcp gcp_gke
IAM
GCP Create GCP-managed Service Account Key
Detect creation of an access key for a GCP-managed service account.
cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 mitre_T1550-use-alternate-authentication-material
GCP Create User-managed Service Account Key
Detect creation of an access key for a user-managed service account.
cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 cis_gcp_1.4 mitre_T1550-use-alternate-authentication-material
GCP Delete IAM Role
Detect the deletion of an IAM role.
cloud gcp gcp_iam
GCP Operation by a Non-corporate Account
Detect execution of an operation by a non-corporate account.
cloud gcp gcp_iam HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1
GCP Super Admin Executing Command
Detect a super admin executing a GCP command.
cloud gcp gcp_iam soc2 soc2_CC6.2 soc2_CC6.6 FedRAMP FedRAMP_AC-2(12) ISO_27001 ISO_27001_A.6.1.2 ISO_27001_A.9.2.3 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_09.aa GDPR GDPR_25.1 GDPR_25.2 GDPR_25.3
LOGGING
GCP Update, Disable or Delete Sink
Detect the updating, disabling or deletion of a sink.
cloud gcp gcp_logging FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_6.4 cis_gcp_2.2
MONITORING
GCP Monitoring Alert Deleted
Detect deletion of an alert.
cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools mitre_T1562-impair-defenses mitre_T1562.008-disable-cloud-logs
GCP Monitoring Alert Updated
Detect updating of an alert.
cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
SQL
GCP Disable Automatic Backups for a Cloud SQL Instance
Detect that automatic backups have been disabled for a Cloud SQL instance.
cloud gcp gcp_sql cis_controls_10.1 cis_gcp_6.7
GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance
Detect that the requirement for all incoming connections to use SSL for a Cloud SQL instance has been disabled.
cloud gcp gcp_sql FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s HITRUST_CSF_10.k cis_controls_13 cis_controls_14.4 cis_controls_16.5 cis_gcp_6.4
GCP Set a Public IP for a Cloud SQL Instance
Detect that a public IP address has been set for a Cloud SQL instance.
cloud gcp gcp_sql FedRAMP FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_09.m cis_controls_13 cis_gcp_6.6
STORAGE BUCKETS
GCP Create Bucket
Detect creation of a bucket.
cloud gcp gcp_storage_buckets mitre_T1074-data-staged
GCP Delete Bucket
Detect deletion of a bucket.
cloud gcp gcp_storage_buckets
GCP List Buckets
Detect listing of all storage buckets.
cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
GCP List Bucket Objects
Detect listing of all objects in a bucket.
cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
GCP Put Bucket ACL
Detect setting the permissions on an existing bucket using access control lists.
cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host mitre_T1530-data-from-cloud-storage-object
GCP Set Bucket IAM Policy
Detect setting the permissions on an existing bucket using IAM policies.
cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_T1530-data-from-cloud-storage-object
GCP Update Bucket
Detect the update of a bucket.
cloud gcp gcp_storage_buckets
VM
GCP Enable Connecting to Serial Ports for a VM Instance
Detect enabling of connection to serial ports for a VM instance.
cloud gcp gcp_vm FedRAMP FedRAMP_CM-3(1) HITRUST_CSF HITRUST_CSF_10.k cis_controls_9.2 cis_gcp_4.5
GCP Creation of a VM Instance with IP Forwarding Enabled
Detect creation of a VM instance with IP forwarding enabled.
cloud gcp gcp_vm cis_controls_11.1 cis_controls_11.2 cis_gcp_4.6
GCP Suspected Disable of OS Login in a VM Instance
Detect modification of the enable-oslogin metadata in an instance.
cloud gcp gcp_vm cis_controls_16 cis_gcp_4.4
GCP Enable Project-wide SSH keys for a VM Instance
Detect enabling of project-wide SSH keys for a VM instance.
cloud gcp gcp_vm HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s cis_controls_16 cis_gcp_4.3
GCP Shield Disabled for a VM Instance
Detect disabling of the Shielded VM parameter(s) of a VM instance.
cloud gcp gcp_vm cis_controls_13 cis_gcp_4.8
VPC
GCP Delete VPC Network
Detect the deletion of a VPC network.
cloud gcp gcp_vpc
GCP Delete VPC Subnetwork
Detect the deletion of a VPC subnetwork.
cloud gcp gcp_vpc
VPC NETWORKS
GCP Create a Default VPC Network
Detect creation of a default network in a project.
cloud gcp gcp_vpc_networks FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_10.k cis_controls_11.1 cis_gcp_3.1
GCP Disable Subnet Flow Logs
Detect disabling of the flow logs of a subnet.
cloud gcp gcp_vpc_networks soc2 soc2_CC6.6 FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_12.8 cis_gcp_3.8
OTHER
GCP Delete Resources from the PCI Blueprint Environment
Detect the deletion of resources from the blueprint environment.
cloud gcp
GCP Command Executed on Unused Region
Detect GCP command execution in unused regions.
cloud gcp FedRAMP FedRAMP_AC-2(12) HIPAA HIPAA_164.308(a) HIPAA_164.312(a) mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions
3 - Azure
This section describes the Azure offering.
Check setup options, details, troubleshooting, and validation steps under Installations - Cloud - Azure
Available Features
- Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets
- Cloud Threat Detection: Identify threats in your Azure environment using Falco rules for Azure
- Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Azure Container Registry and images executed on Azure Container Instances
3.1 - Platformlogs Falco rules
DATABASE SERVICES: 2 rules
FUNCTION APPS: 5 rules
LOGGING AND MONITORING: 1 rule
NETWORKING: 2 rules
SQL SERVER: 2 rules
STORAGE ACCOUNTS: 11 rules
Total: 21 rules.
DATABASE SERVICES
Azure Auditing on SQL Server Has Been Disabled
The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.
Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed
Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.
cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1
FUNCTION APPS
Azure Function App Deleted
A function app has been deleted.
cloud azure azure_function_apps
Azure Function App Deployment Slot Deleted
A function app deployment slot has been deleted.
cloud azure azure_function_apps
Azure Function App Host Key Deleted
A function app host key has been deleted.
cloud azure azure_function_apps
Azure Function App Host Master Key Modified
A function app host master key has been renewed.
cloud azure azure_function_apps
Azure Function Key Deleted
A function key has been deleted.
cloud azure azure_function_apps
LOGGING AND MONITORING
Azure Diagnostic Setting Has Been Disabled
A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.
cloud azure azure_logging_and_monitoring cis_azure_5.1.1 cis_controls_6.5
NETWORKING
Azure RDP Access Is Allowed from The Internet
The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.
cloud azure azure_networking cis_azure_6.1 cis_controls_9.2
Azure SSH Access Is Allowed from The Internet
The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.
cloud azure azure_networking cis_azure_6.2 cis_controls_9.2
SQL SERVER
Azure Auditing on SQL Server Has Been Disabled
The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.
Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed
Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.
cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1
STORAGE ACCOUNTS
Azure Access Level creation attempt for Blob Container Set to Public
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it's recommended to set allowBlobPublicAccess false.
cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Creation attempt Azure Secure Transfer Required Set to Disabled
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.
cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Creation attempt Azure Default Network Access Rule for Storage Account Set to Allow
Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.
cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Access Level for Blob Container Set to Public
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it's recommended to set allowBlobPublicAccess false.
cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Azure Default Network Access Rule for Storage Account Set to Allow
Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.
cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Secure Transfer Required Set to Disabled
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.
cloud azure azure_storage_accounts cis_azure_3.1 cis_controls_14.4
Azure Blob Created
A blob has been created in a storage container.
cloud azure azure_storage_accounts
Azure Blob Deleted
A blob has been deleted from a storage container.
cloud azure azure_storage_accounts
Azure Container Created
A container has been created.
cloud azure azure_storage_accounts
Azure Container Deleted
A container has been deleted.
cloud azure azure_storage_accounts
Azure Container ACL Modified
A container ACL has been modified.
cloud azure azure_storage_accounts
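The three storage-account rules above (secure transfer, public blob access, default network rule) each watch one property of the account. As an added example, not Sysdig's or Microsoft's code, the following Python evaluates an exported storage-account resource against those settings, so a reader can see what a compliant and a non-compliant account look like side by side; the property names supportsHttpsTrafficOnly and networkAcls.defaultAction are assumed from the Microsoft.Storage/storageAccounts resource schema, and both sample resources are constructed.

```python
"""Added example (not Sysdig's code): check an Azure storage account's exported
ARM properties against the settings behind cis_azure_3.1 (secure transfer),
cis_azure_3.5 (public blob access) and cis_azure_3.6 (default network rule).
Property names are assumed from the Microsoft.Storage/storageAccounts schema."""
import json
from typing import Dict, List

# Constructed sample: an account with all three weak settings present.
WEAK_ACCOUNT = json.dumps({
    "name": "examplestorage",
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "allowBlobPublicAccess": True,
        "supportsHttpsTrafficOnly": False,
        "networkAcls": {"defaultAction": "Allow", "ipRules": []},
    },
})

# Constructed sample: the same account with the values the rule text recommends.
HARDENED_ACCOUNT = json.dumps({
    "name": "examplestorage",
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "allowBlobPublicAccess": False,
        "supportsHttpsTrafficOnly": True,
        "networkAcls": {"defaultAction": "Deny", "ipRules": []},
    },
})


def evaluate_storage_account(resource_json: str) -> List[Dict[str, str]]:
    """Return one finding per failed check; an empty list means compliant.

    A missing property is treated as a failure, so an account whose export
    omits a setting is never silently reported as compliant.
    """
    props = json.loads(resource_json).get("properties", {})
    findings: List[Dict[str, str]] = []

    # cis_azure_3.1: 'secure transfer required' rejects plain-HTTP requests.
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append({
            "check": "cis_azure_3.1",
            "rule": "Azure Secure Transfer Required Set to Disabled",
            "remediation": "set supportsHttpsTrafficOnly to true",
        })

    # cis_azure_3.5: anonymous, public read access to containers must be off.
    if props.get("allowBlobPublicAccess") is not False:
        findings.append({
            "check": "cis_azure_3.5",
            "rule": "Azure Access Level for Blob Container Set to Public",
            "remediation": "set allowBlobPublicAccess to false",
        })

    # cis_azure_3.6: deny by default, then allow-list specific networks or IPs.
    if props.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append({
            "check": "cis_azure_3.6",
            "rule": "Azure Default Network Access Rule for Storage Account Set to Allow",
            "remediation": "set networkAcls.defaultAction to Deny",
        })
    return findings


if __name__ == "__main__":
    for label, account in (("weak", WEAK_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        found = evaluate_storage_account(account)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f['check']}: {f['rule']} -> {f['remediation']}")
```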