Community Security Analytics (CSA)

As organizations go through the Autonomic Security modernization journey, this repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud. These may assist detection engineers, threat hunters and data governance analysts.

CSA is a set of foundational security analytics designed to provide organizations with a rich baseline of pre-built queries and rules that they can readily use to start analyzing their Google Cloud logs including Cloud Audit logs, VPC Flow logs, DNS logs, and more using cloud-native or third-party analytics tools. The source code is provided as is, without warranty. See Copyright & License below.

Current release include:

• YARA-L rules for Chronicle
• SQL queries for BigQuery
• SQL queries for Log Analytics

The security use cases below are grouped in 6 categories depending on underlying activity type and log sources:

1. :vertical_traffic_light: Login & Access Patterns
2. :key: IAM, Keys & Secrets Admin Activity
3. :building_construction: Cloud Provisoning Activity
4. :cloud: Cloud Workload Usage
5. :droplet: Data Usage
6. :zap: Network Activity

To learn more about the variety of Google Cloud logs, how to enable and natively export these logs to destinations like Chronicle or BigQuery for in-depth analytics, refer to Google Cloud Security and access analytics solution guide.

Caution: CSA is not meant to be a comprehensive set of threat detections, but a collection of community-contributed samples to get you started with detective controls. Use CSA in your threat detection and response capabilities (e.g. Security Command Center, Chronicle, BigQuery, Siemplify, or third-party SIEM) in conjunction with threat prevention capabilities (e.g. Security Command Center, Cloud Armor, BeyondCorp). To learn more about Google’s approach to modern Security Operations, check out the Autonomic Security Operations whitepaper.

Security Analytics Use Cases

Dataform for CSA on BigQuery

The dataform folder contains the Dataform repo to automate deployment of CSA queries in BigQuery for optimized performance and cost. Use this Dataform repo to operationalize CSA use cases as reports and alerts powered by BigQuery. This Dataform project deploys and orchestrates pre-built ELT pipelines to filter, normalize and model log data leveraging incremental summary tables, lookup tables and views for fast, cost-effective and simpler querying. See underlying README for more details.

CI/CD for CSA on Chronicle

The cicd folder contains a set of scripts to help you with storing CSA YARA-L detection rules as code and testing/deploying updates you and your team make in an automated fashion. Whether you use GitHub Actions, Google Cloud Build or Azure DevOps, you can use the corresponding scripts to automatically test and deploy new or modified rules into your Chronicle instance. See underlying README for more details.

Support

This is not an officially supported Google product. Queries, rules and other assets in Community Security Analytics (CSA) are community-supported. Please don't hesitate to open a GitHub issue if you have any question or a feature request.

Contributions are also welcome via Github pull requests if you have fixes or enhancements to source code or docs. Please refer to our Contributing guidelines.

Copyright & License

Copyright 2022 Google LLC

Queries, rules and other assets under Community Security Analytics (CSA) are licensed under the Apache license, v2.0. Details can be found in LICENSE file.