LoFP
/
gcp
gcp rule
Title
Tags
application being removed may be performed by a system administrator.
gcp
sigma
custom role creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. role creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1078
gcp
elastic
exceptions can be added to this rule to filter expected behavior.
t1562
gcp
sigma
firewall rules being modified or deleted may be performed by a system administrator. verify that the firewall configuration change was expected.
t1562
gcp
sigma
firewall rules may be created by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
gcp
elastic
firewall rules may be deleted by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
gcp
elastic
firewall rules may be modified by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
gcp
elastic
google cloud kubernetes admission controller may be done by a system administrator.
t1078
t1552
t1552.007
gcp
sigma
google cloud kubernetes cronjob/job may be done by a system administrator.
gcp
sigma
google workspace admin role privileges, may be modified by system administrators.
t1098
gcp
sigma
if known behavior is causing false positives, it can be exempted from the rule.
t1053
t1053.003
t1074
t1078
t1552
t1552.007
azure
aws
gcp
sigma
legitimate administrative activities
t1082
t1098
t1497
t1497.001
t1562
t1562.001
t1562.003
gcp
macos
linux
sigma
legitimate administrative activities changing the access levels for an application
t1098
t1098.003
gcp
sigma
legitimate use case may require for users to disable mfa. filter as needed.
t1556
t1556.006
t1586
t1586.003
gcp
azure active directory
splunk
logging bucket deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1562
gcp
elastic
logging sink deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging sink deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1562
gcp
elastic
logging sink modifications may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. sink modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1537
gcp
elastic
mfa may be disabled and performed by a system administrator.
gcp
sigma
role deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. role deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1531
gcp
elastic
rolebindings and clusterrolebinding being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
gcp
sigma
rolebindings and clusterrolebinding modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
gcp
sigma
secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1552
t1552.001
azure
gcp
sigma
service account being disabled or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
t1531
gcp
sigma
service account being modified may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
gcp
sigma
service account disabled or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1531
gcp
sigma
service account key deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. key deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1098
gcp
elastic
service account keys may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1098
gcp
elastic
service account modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
gcp
sigma
service accounts can be created by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
t1136
gcp
elastic
service accounts may be deleted by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
t1531
gcp
elastic
service accounts may be disabled by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
t1531
gcp
elastic
sql database being modified or deleted may be performed by a system administrator.
gcp
sigma
sql database modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
gcp
sigma
storage bucket configuration may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1578
gcp
elastic
storage bucket permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1222
gcp
elastic
storage buckets being enumerated may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
gcp
sigma
storage buckets being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
gcp
sigma
storage buckets enumerated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
gcp
sigma
storage buckets may be deleted by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1485
gcp
elastic
storage buckets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
gcp
sigma
subscription creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
gcp
elastic
subscription deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1562
gcp
elastic
topic creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
gcp
elastic
topic deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1562
gcp
elastic
virtual private cloud networks may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
gcp
elastic
virtual private cloud routes may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
gcp
elastic
virtual private cloud routes may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
gcp
elastic
vpn tunnel being modified or deleted may be performed by a system administrator.
gcp
sigma
vpn tunnel modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
gcp
sigma
LoFP
/
gcp