SQL database modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Sample rules

Google Cloud SQL Database Modified or Deleted

Description

Detect when a Cloud SQL DB has been modified or deleted.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - cloudsql.instances.create
  - cloudsql.instances.delete
  - cloudsql.users.update
  - cloudsql.users.delete
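
One way to apply the exemption described above to this rule's selection, as an added example that is not part of the original rule. The principal field name, the exempt accounts and the sample events are assumptions constructed for illustration; exemptions are scoped to a principal and method pair so a known account is only silenced for the behavior it is known for.

```python
# Added example, not the rule author's code. Only gcp.audit.method_name and the
# four method names come from the rule; everything else is an assumption.
METHOD_FIELD = "gcp.audit.method_name"
PRINCIPAL_FIELD = "gcp.audit.authentication_info.principal_email"  # assumed field name

# Method names from the rule's selection.
SELECTION = {
    "cloudsql.instances.create",
    "cloudsql.instances.delete",
    "cloudsql.users.update",
    "cloudsql.users.delete",
}

# Hypothetical exemptions: known principal -> the only methods it is expected to call.
EXEMPT = {
    "terraform@example-project.iam.gserviceaccount.com": {"cloudsql.instances.create"},
    "dba-oncall@example.com": {"cloudsql.users.update"},
}

def matches_selection(event):
    """True when the event's method name is one the rule selects."""
    return event.get(METHOD_FIELD) in SELECTION

def is_exempt(event, exempt=EXEMPT):
    """True only when this principal is exempted for this specific method."""
    principal = (event.get(PRINCIPAL_FIELD) or "").lower()
    return event.get(METHOD_FIELD) in exempt.get(principal, set())

def triage(events, exempt=EXEMPT):
    """Return (principal, method) for every selected event that is not exempted."""
    return [
        (e.get(PRINCIPAL_FIELD, "<unknown>"), e[METHOD_FIELD])
        for e in events
        if matches_selection(e) and not is_exempt(e, exempt)
    ]

TF = "terraform@example-project.iam.gserviceaccount.com"
# Constructed sample events (not real audit log data).
SAMPLE_EVENTS = [
    {METHOD_FIELD: "cloudsql.instances.create", PRINCIPAL_FIELD: TF},                 # exempt
    {METHOD_FIELD: "cloudsql.instances.delete", PRINCIPAL_FIELD: TF},                 # known account, unexpected method
    {METHOD_FIELD: "cloudsql.users.update", PRINCIPAL_FIELD: "dba-oncall@example.com"},    # exempt
    {METHOD_FIELD: "cloudsql.users.delete", PRINCIPAL_FIELD: "contractor@example.net"},    # unfamiliar user
    {METHOD_FIELD: "cloudsql.instances.delete"},                                      # no principal recorded
    {METHOD_FIELD: "cloudsql.instances.list", PRINCIPAL_FIELD: "contractor@example.net"},  # not selected
]

if __name__ == "__main__":
    for principal, method in triage(SAMPLE_EVENTS):
        print(f"investigate: {principal} called {method}")
```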