Vendor: Google

June 14, 2023 · View on GitHub

Product: Cloud Platform

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
277	124	39	22	22

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	app-activity ↳googlecloud-app-activity cloud-admin-activity ↳googlecloud-iam-activity ↳googlecloud-cloudresourcemanager-activity cloud-admin-activity-failed ↳googlecloud-iam-activity ↳googlecloud-cloudresourcemanager-activity storage-access ↳googlecloud-storage-activity storage-activity ↳googlecloud-storage-activity storage-activity-failed ↳googlecloud-storage-activity web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1133 - External Remote Services T1136.003 - Create Account: Create: Cloud Account T1530 - Data from Cloud Storage Object	36 Rules 19 Models
Account Manipulation	app-activity ↳googlecloud-app-activity cloud-admin-activity ↳googlecloud-iam-activity ↳googlecloud-cloudresourcemanager-activity cloud-admin-activity-failed ↳googlecloud-iam-activity ↳googlecloud-cloudresourcemanager-activity storage-access ↳googlecloud-storage-activity storage-activity ↳googlecloud-storage-activity storage-activity-failed ↳googlecloud-storage-activity	T1078.004 - Valid Accounts: Cloud Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136.003 - Create Account: Create: Cloud Account T1530 - Data from Cloud Storage Object	13 Rules 6 Models
Cloud Data Protection	gcp-disk-attach ↳gcp-instancesattachdisk-json gcp-disk-create ↳gcp-disksinsert-json gcp-instance-create ↳gcp-instancesinsert-json gcp-snapshot-create ↳gcp-diskscreatesnapshot-json gcp-storageobject-acl ↳gcp-objectsupdate-json	T1530 - Data from Cloud Storage Object TA0004 - TA0004 TA0009 - TA0009	8 Rules 7 Models
Cryptomining	gcp-instance-create ↳gcp-instancesinsert-json web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1074 - Data Staged T1496 - Resource Hijacking	3 Rules 1 Models
Data Access	app-activity ↳googlecloud-app-activity	T1078 - Valid Accounts	19 Rules 11 Models
Data Exfiltration	netflow-connection ↳gcpvpc-netflow-connection web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1041 - Exfiltration Over C2 Channel T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1071.002 - Application Layer Protocol: File Transfer Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms	9 Rules 2 Models
Data Leak	app-activity ↳googlecloud-app-activity web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1041 - Exfiltration Over C2 Channel T1071.001 - Application Layer Protocol: Web Protocols T1114.003 - Email Collection: Email Forwarding Rule T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage	9 Rules 2 Models
Lateral Movement	app-activity ↳googlecloud-app-activity netflow-connection ↳gcpvpc-netflow-connection web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1018 - Remote System Discovery T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1046 - Network Service Scanning T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1210 - Exploitation of Remote Services TA0008 - TA0008 TA0010 - TA0010 TA0011 - TA0011	60 Rules 21 Models
Phishing	web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1189 - Drive-by Compromise T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566.002 - Phishing: Spearphishing Link T1598.003 - T1598.003	4 Rules
Privileged Activity	app-activity ↳googlecloud-app-activity web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service	4 Rules 1 Models
Ransomware	app-activity ↳googlecloud-app-activity web-activity-allowed ↳googlecloud-web-activity web-activity-denied ↳googlecloud-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	2 Rules
Workforce Protection	web-activity-allowed ↳googlecloud-web-activity	T1071.001 - Application Layer Protocol: Web Protocols	4 Rules 2 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Valid Accounts: Cloud Accounts Exploit Public Fasing Application Phishing	User Execution	Boot or Logon Initialization Scripts Create Account External Remote Services Valid Accounts Account Manipulation Create Account: Create: Cloud Account Account Manipulation: Exchange Email Delegate Permissions	Boot or Logon Initialization Scripts Valid Accounts	Obfuscated Files or Information: Indicator Removal from Tools Valid Accounts Obfuscated Files or Information Unused/Unsupported Cloud Regions		Network Service Scanning Remote System Discovery	Exploitation of Remote Services Remote Services Remote Services: Remote Desktop Protocol Internal Spearphishing	Email Collection Data from Cloud Storage Object Data Staged Email Collection: Email Forwarding Rule	Web Service Application Layer Protocol: File Transfer Protocols Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration Over C2 Channel Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Resource Hijacking