diff --git a/CHANGELOG.md b/CHANGELOG.md index a926fef..29ca4c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +## v0.3.0 [2025-03-03] + +_Enhancements_ + +- Added `title`, `description`, and `folder = "Project"` tag to `Activity Dashboard` queries for improved organization and clarity. ([#7](https://github.com/turbot/tailpipe-mod-gcp-audit-log-detections/pull/7)) +- Added `folder = ""` tag to `service common tag locals` for better query categorization. ([#7](https://github.com/turbot/tailpipe-mod-gcp-audit-log-detections/pull/7)) +- Standardized all queries to use `service common tags`, ensuring consistency across detection queries. ([#7](https://github.com/turbot/tailpipe-mod-gcp-audit-log-detections/pull/7)) + ## v0.3.0 [2025-02-14] _Enhancements_ diff --git a/dashboards/activity_dashboard.pp b/dashboards/activity_dashboard.pp index c2848ea..1dd8e66 100644 --- a/dashboards/activity_dashboard.pp +++ b/dashboards/activity_dashboard.pp @@ -68,7 +68,8 @@ # ----------------------------- query "activity_dashboard_total_logs" { - title = "Log Count" + title = "Log Count" + description = "Count the total log entries." sql = <<-EOQ select @@ -76,10 +77,15 @@ from gcp_audit_log; EOQ + + tags = { + folder = "Project" + } } query "activity_dashboard_logs_by_project" { - title = "Logs by Project" + title = "Logs by Project" + description = "Count the total log entries grouped by project." sql = <<-EOQ select 
@@ -95,29 +101,39 @@ count(*) desc limit 10; EOQ + + tags = { + folder = "Project" + } } query "activity_dashboard_logs_by_type" { - title = "Logs by Type" + title = "Logs by Type" + description = "Count the total log entries grouped by type." sql = <<-EOQ select - split_part(log_name, '%2F', 2) as "Type", + split_part(replace(log_name, '%2F', '/'),'/', 5) as "Type", count(*) as "Logs" from gcp_audit_log where - split_part(log_name, '%2F', 2) is not null + split_part(replace(log_name, '%2F', '/'),'/', 5) is not null group by - split_part(log_name, '%2F', 2) + split_part(replace(log_name, '%2F', '/'),'/', 5) order by count(*) desc limit 10; EOQ + + tags = { + folder = "Project" + } } query "activity_dashboard_logs_by_service" { - title = "Logs by Service" + title = "Top 10 Services" + description = "List the top 10 services by frequency." sql = <<-EOQ select @@ -133,10 +149,15 @@ count(*) desc limit 10; EOQ + + tags = { + folder = "Project" + } } query "activity_dashboard_logs_by_event" { - title = "Top 10 Events" + title = "Top 10 Events" + description = "List the 10 most frequently called events." sql = <<-EOQ select @@ -152,10 +173,15 @@ count(*) desc limit 10; EOQ + + tags = { + folder = "Project" + } } query "activity_dashboard_logs_by_actor" { - title = "Top 10 Actors" + title = "Top 10 Actors" + description = "List the 10 most active actors." sql = <<-EOQ select @@ -171,10 +197,15 @@ count(*) desc limit 10; EOQ + + tags = { + folder = "Project" + } } query "activity_dashboard_logs_by_source_ip" { - title = "Top 10 Source IPs" + title = "Top 10 Source IPs (Excluding GCP Internal)" + description = "List the 10 most active source IPs, excluding events from GCP internal." sql = <<-EOQ select @@ -191,4 +222,8 @@ count(*) desc limit 10; EOQ + + tags = { + folder = "Project" + } } diff --git a/detections/access_context_manager.pp b/detections/access_context_manager.pp index 1752891..a89d240 100644 --- a/detections/access_context_manager.pp 
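Review bot: The `is not null` guard in the `where` clause of `activity_dashboard_logs_by_type` still filters nothing after the rewrite, because `split_part` returns an empty string rather than NULL when the requested piece does not exist (both DuckDB and PostgreSQL behave this way), so any `log_name` with fewer than five `/`-separated parts ends up in a blank "Type" row; `split_part(replace(log_name, '%2F', '/'), '/', 5) <> ''` expresses the intended filter. The expression is now written out three times (select, where, group by), and computing it once in a subquery and filtering/grouping on the alias would stop the copies from drifting, which the mismatch between the old `'%2F', 2` form and the new `'/', 5` form shows is a real risk. The new index assumes `log_name` always has the shape `projects/<id>/logs/<service>%2F<type>`; that holds for standard audit log names but deserves a one-line comment in the query. The CHANGELOG hunk at the top of this diff does not mention the parsing change, and its new heading repeats `v0.3.0`, which the entry directly below it already uses.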
+++ b/detections/access_context_manager.pp @@ -1,5 +1,6 @@ locals { access_context_manager_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Access Context Manager" service = "GCP/AccessContextManager" }) @@ -27,7 +28,9 @@ query = query.access_context_manager_policy_deleted display_columns = local.detection_display_columns - tags = local.access_context_manager_common_tags + tags = merge(local.access_context_manager_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "access_context_manager_access_level_deleted" { @@ -38,7 +41,9 @@ query = query.access_context_manager_access_level_deleted display_columns = local.detection_display_columns - tags = local.access_context_manager_common_tags + tags = merge(local.access_context_manager_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } query "access_context_manager_policy_deleted" { @@ -53,6 +58,8 @@ order by timestamp desc; EOQ + + tags = local.access_context_manager_common_tags } query "access_context_manager_access_level_deleted" { @@ -67,4 +74,6 @@ order by timestamp desc; EOQ + + tags = local.access_context_manager_common_tags } \ No newline at end of file diff --git a/detections/apigee.pp b/detections/apigee.pp index 93b16e6..ef8c880 100644 --- a/detections/apigee.pp +++ b/detections/apigee.pp @@ -1,5 +1,6 @@ locals { apigee_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Apigee" service = "GCP/Apigee" }) } @@ -25,7 +26,9 @@ query = query.apigee_security_action_disabled display_columns = local.detection_display_columns - tags = local.apigee_common_tags + tags = merge(local.apigee_common_tags, { + mitre_attack_ids = "TA0005:T1562.001" + }) } query "apigee_security_action_disabled" { @@ -40,4 +43,6 @@ order by timestamp desc; EOQ + + tags = local.apigee_common_tags } \ No newline at end of file diff --git a/detections/app_engine.pp b/detections/app_engine.pp index 15fc300..9a15707 100644 --- a/detections/app_engine.pp 
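Review bot: `mitre_attack_ids = "TA0005:T1578.005"` maps the deletion of an Access Context Manager policy and access level to Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations, a technique about compute instances, whereas removing an access policy sits closer to the Impair Defenses family (TA0005:T1562), which this commit already uses for `apigee_security_action_disabled` in apigee.pp. The same T1578.005 id is applied to non-compute resources in later hunks, including the monitoring.pp alert-policy and metric-descriptor deletions and the storage.pp `storage_bucket_iam_permission_set` detection, so it reads as a default rather than a per-detection choice. A short `# MITRE: <rationale>` comment on each detection, or one mapping table in the mod docs, would make the choices reviewable.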
+++ b/detections/app_engine.pp @@ -1,5 +1,6 @@ locals { app_engine_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "App Engine" service = "GCP/AppEngine" }) } @@ -27,7 +28,9 @@ query = query.app_engine_firewall_ingress_rule_created display_columns = local.detection_display_columns - tags = local.app_engine_common_tags + tags = merge(local.app_engine_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "app_engine_firewall_ingress_rule_updated" { @@ -38,7 +41,9 @@ query = query.app_engine_firewall_ingress_rule_updated display_columns = local.detection_display_columns - tags = local.app_engine_common_tags + tags = merge(local.app_engine_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "app_engine_firewall_ingress_rule_deleted" { @@ -49,7 +54,9 @@ query = query.app_engine_firewall_ingress_rule_deleted display_columns = local.detection_display_columns - tags = local.app_engine_common_tags + tags = merge(local.app_engine_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } query "app_engine_firewall_ingress_rule_created" { @@ -64,6 +71,8 @@ order by timestamp desc; EOQ + + tags = local.app_engine_common_tags } query "app_engine_firewall_ingress_rule_updated" { @@ -78,6 +87,8 @@ order by timestamp desc; EOQ + + tags = local.app_engine_common_tags } query "app_engine_firewall_ingress_rule_deleted" { @@ -92,4 +103,6 @@ order by timestamp desc; EOQ + + tags = local.app_engine_common_tags } \ No newline at end of file diff --git a/detections/artifact_registry.pp b/detections/artifact_registry.pp index 9bb72ef..766dc14 100644 --- a/detections/artifact_registry.pp +++ b/detections/artifact_registry.pp @@ -1,5 +1,6 @@ locals { artifact_registry_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Artifact Registry" service = "GCP/ArtifactRegistry" }) } 
@@ -26,7 +27,9 @@ query = query.artifact_registry_repository_deleted display_columns = local.detection_display_columns - tags = local.artifact_registry_common_tags + tags = merge(local.artifact_registry_common_tags, { + mitre_attack_ids = "TA0005:T1578.003" + }) } detection "artifact_registry_package_deleted" { @@ -36,7 +39,9 @@ severity = "low" query = query.artifact_registry_package_deleted - tags = local.artifact_registry_common_tags + tags = merge(local.app_engine_common_tags, { + mitre_attack_ids = "TA0005:T1578.003" + }) } query "artifact_registry_package_deleted" { @@ -51,6 +56,8 @@ order by timestamp desc; EOQ + + tags = local.artifact_registry_common_tags } query "artifact_registry_repository_deleted" { @@ -65,4 +72,6 @@ order by timestamp desc; EOQ + + tags = local.artifact_registry_common_tags } \ No newline at end of file diff --git a/detections/cloud_run.pp b/detections/cloud_run.pp index b0f8832..c94c411 100644 --- a/detections/cloud_run.pp +++ b/detections/cloud_run.pp @@ -1,5 +1,6 @@ locals { cloud_run_function_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Cloud Run Function" service = "GCP/CloudRunFunction" }) } @@ -25,7 +26,9 @@ query = query.cloud_run_function_deleted display_columns = local.detection_display_columns - tags = local.cloud_run_function_common_tags + tags = merge(local.cloud_run_function_common_tags, { + mitre_attack_ids = "TA0005:T1578.004" + }) } query "cloud_run_function_deleted" { @@ -40,4 +43,6 @@ order by timestamp desc; EOQ + + tags = local.cloud_run_function_common_tags } \ No newline at end of file diff --git a/detections/compute.pp b/detections/compute.pp index 6cf41f5..1cf78cb 100644 --- a/detections/compute.pp +++ b/detections/compute.pp @@ -1,5 +1,6 @@ locals { compute_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Compute" service = "GCP/Compute" }) 
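Review bot: The `artifact_registry_package_deleted` detection (hunk `@@ -36,7 +39,9 @@`) now merges `local.app_engine_common_tags` instead of `local.artifact_registry_common_tags`, so it inherits `service = "GCP/AppEngine"` and `folder = "App Engine"` and will be filed under App Engine while its query, tagged `local.artifact_registry_common_tags` in the next hunk, stays under Artifact Registry. The line should read `tags = merge(local.artifact_registry_common_tags, {`. The same context also shows this detection has no `display_columns = local.detection_display_columns` line, unlike `artifact_registry_repository_deleted` just above it; that predates the commit but is worth adding while the block is being edited.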
@@ -32,7 +33,9 @@ query = query.compute_vpn_tunnel_deleted display_columns = local.detection_display_columns - tags = local.compute_common_tags + tags = merge(local.compute_common_tags, { + mitre_attack_ids = " TA0005:T1578.003" + }) } detection "compute_firewall_rule_deleted" { @@ -43,7 +46,9 @@ query = query.compute_firewall_rule_deleted display_columns = local.detection_display_columns - tags = local.compute_common_tags + tags = merge(local.compute_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "compute_image_iam_policy_set" { @@ -54,7 +59,9 @@ query = query.compute_image_iam_policy_set display_columns = local.detection_display_columns - tags = local.compute_common_tags + tags = merge(local.compute_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "compute_disk_iam_policy_set" { @@ -65,7 +72,9 @@ query = query.compute_disk_iam_policy_set display_columns = local.detection_display_columns - tags = local.compute_common_tags + tags = merge(local.compute_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "compute_snapshot_iam_policy_set" { @@ -76,7 +85,9 @@ query = query.compute_snapshot_iam_policy_set display_columns = local.detection_display_columns - tags = local.compute_common_tags + tags = merge(local.compute_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "compute_instance_with_public_network_interface" { @@ -87,7 +98,9 @@ query = query.compute_instance_with_public_network_interface display_columns = local.detection_display_columns - tags = local.compute_common_tags + tags = merge(local.compute_common_tags, { + mitre_attack_ids = "TA0001:T1133" + }) } detection "compute_subnetwork_flow_logs_disabled" { 
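Review bot: The new `mitre_attack_ids = " TA0005:T1578.003"` on `compute_vpn_tunnel_deleted` has a leading space inside the string, and `"TA0005:T1550, TA0002:T1651"` on `iam_service_account_access_token_generated` in iam.pp (later hunk) has a space after the comma, while every other id list in this commit is unpadded (for example `"TA0001:T1078.004,TA0003:T1098,TA0003:T1136"`). If the consumer splits the value on `,` and matches ids verbatim, the padded entries will not match; the values should be `"TA0005:T1578.003"` and `"TA0005:T1550,TA0002:T1651"`. T1578.003 (Delete Cloud Instance) is also a loose fit for a deleted VPN tunnel next to the T1578.005 tags used for the firewall and IAM detections in this file.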
@@ -98,7 +111,9 @@ query = query.compute_subnetwork_flow_logs_disabled display_columns = local.detection_display_columns - tags = local.compute_common_tags + tags = merge(local.compute_common_tags, { + mitre_attack_ids = "TA0005:T1562.001" + }) } query "compute_firewall_rule_deleted" { @@ -113,6 +128,8 @@ order by timestamp desc; EOQ + + tags = local.compute_common_tags } query "compute_vpn_tunnel_deleted" { @@ -127,6 +144,8 @@ order by timestamp desc; EOQ + + tags = local.compute_common_tags } query "compute_image_iam_policy_set" { @@ -141,6 +160,8 @@ order by timestamp desc; EOQ + + tags = local.compute_common_tags } query "compute_disk_iam_policy_set" { @@ -155,6 +176,8 @@ order by timestamp desc; EOQ + + tags = local.compute_common_tags } query "compute_snapshot_iam_policy_set" { @@ -169,6 +192,8 @@ order by timestamp desc; EOQ + + tags = local.compute_common_tags } query "compute_instance_with_public_network_interface" { @@ -205,6 +230,8 @@ order by timestamp desc; EOQ + + tags = local.compute_common_tags } query "compute_subnetwork_flow_logs_disabled" { @@ -220,4 +247,6 @@ order by timestamp desc; EOQ + + tags = local.compute_common_tags } \ No newline at end of file diff --git a/detections/dlp.pp b/detections/dlp.pp index c425ae9..8566a46 100644 --- a/detections/dlp.pp +++ b/detections/dlp.pp @@ -1,5 +1,6 @@ locals { dlp_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "DLP" service = "GCP/DLP" }) } @@ -25,7 +26,9 @@ query = query.dlp_reidentify_content display_columns = local.detection_display_columns - tags = local.dlp_common_tags + tags = merge(local.dlp_common_tags, { + mitre_attack_ids = "TA0005:T1140" + }) } query "dlp_reidentify_content" { @@ -40,4 +43,6 @@ order by timestamp desc; EOQ + + tags = local.dlp_common_tags } \ No newline at end of file diff --git a/detections/dns.pp b/detections/dns.pp index 4edb9ae..d57a070 100644 --- a/detections/dns.pp +++ b/detections/dns.pp 
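Review bot: `compute_subnetwork_flow_logs_disabled` is tagged `TA0005:T1562.001` (Disable or Modify Tools), but turning off flow logs is log tampering, for which MITRE has the dedicated sub-technique T1562.008 (Disable or Modify Cloud Logs); the same applies to `logging_sink_deleted` (tagged `TA0005:T1562`) and `logging_bucket_deleted` (tagged `TA0040:T1485`) in logging.pp later in this diff. Using `mitre_attack_ids = "TA0005:T1562.008"` for all three keeps the log-evasion detections under one id, which is what the folder/tag standardization in this commit is meant to enable.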
@@ -1,5 +1,6 @@ locals { dns_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "DNS" service = "GCP/DNS" }) @@ -29,7 +30,9 @@ query = query.dns_managed_zone_deleted display_columns = local.detection_display_columns - tags = local.dns_common_tags + tags = merge(local.dns_common_tags, { + mitre_attack_ids = "TA0040:T1565.001" + }) } detection "dns_managed_zone_updated" { @@ -40,7 +43,9 @@ query = query.dns_managed_zone_updated display_columns = local.detection_display_columns - tags = local.dns_common_tags + tags = merge(local.dns_common_tags, { + mitre_attack_ids = "TA0040:T1565.001" + }) } detection "dns_record_set_updated" { @@ -51,7 +56,9 @@ query = query.dns_record_set_updated display_columns = local.detection_display_columns - tags = local.dns_common_tags + tags = merge(local.dns_common_tags, { + mitre_attack_ids = "TA0040:T1565.001" + }) } detection "dns_record_set_deleted" { @@ -62,7 +69,9 @@ query = query.dns_record_set_deleted display_columns = local.detection_display_columns - tags = local.dns_common_tags + tags = merge(local.dns_common_tags, { + mitre_attack_ids = "TA0040:T1565.001" + }) } query "dns_managed_zone_deleted" { @@ -78,6 +87,8 @@ order by timestamp desc; EOQ + + tags = local.dns_common_tags } query "dns_managed_zone_updated" { @@ -92,6 +103,8 @@ order by timestamp desc; EOQ + + tags = local.dns_common_tags } query "dns_record_set_updated" { @@ -106,6 +119,8 @@ order by timestamp desc; EOQ + + tags = local.dns_common_tags } query "dns_record_set_deleted" { @@ -120,4 +135,6 @@ order by timestamp desc; EOQ + + tags = local.dns_common_tags } \ No newline at end of file diff --git a/detections/iam.pp b/detections/iam.pp index 8458ac4..32be6ee 100644 --- a/detections/iam.pp +++ b/detections/iam.pp @@ -1,5 +1,6 @@ locals { iam_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "IAM" service = "GCP/IAM" }) } 
@@ -47,7 +48,7 @@ display_columns = local.detection_display_columns tags = merge(local.iam_common_tags, { - mitre_attack_ids = "TA0001:T1078,TA0003:T1098,TA0003:T1136" + mitre_attack_ids = "TA0001:T1078.004,TA0003:T1098,TA0003:T1136" }) } @@ -60,7 +61,7 @@ display_columns = local.detection_display_columns tags = merge(local.iam_common_tags, { - mitre_attack_ids = "TA0001:T1078,TA0003:T1098" + mitre_attack_ids = "TA0001:T1078.004,TA0003:T1098" }) } @@ -72,7 +73,9 @@ query = query.iam_service_account_disabled display_columns = local.detection_display_columns - tags = local.iam_common_tags + tags = merge(local.iam_common_tags, { + mitre_attack_ids = "TA0040:T1490" + }) } detection "iam_service_account_token_creator_role_assigned" { @@ -83,7 +86,9 @@ query = query.iam_service_account_token_creator_role_assigned display_columns = local.detection_display_columns - tags = local.iam_common_tags + tags = merge(local.iam_common_tags, { + mitre_attack_ids = "TA0003:T1136,TA0005:T1548" + }) } detection "iam_organization_policy_updated" { @@ -94,7 +99,9 @@ query = query.iam_organization_policy_updated display_columns = local.detection_display_columns - tags = local.iam_common_tags + tags = merge(local.iam_common_tags, { + mitre_attack_ids = "TA0005:T1562" + }) } detection "iam_service_account_access_token_generated" { @@ -105,7 +112,9 @@ query = query.iam_service_account_access_token_generated display_columns = local.detection_display_columns - tags = local.iam_common_tags + tags = merge(local.iam_common_tags, { + mitre_attack_ids = "TA0005:T1550, TA0002:T1651" + }) } detection "iam_service_account_key_deleted" { @@ -127,7 +136,9 @@ query = query.iam_owner_role_policy_set display_columns = local.detection_display_columns - tags = local.resourcemanager_common_tags + tags = merge(local.resourcemanager_common_tags, { + mitre_attack_ids = "TA0003:T1098" + }) } query "iam_service_account_created" { 
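Review bot: The detection whose `query = query.iam_owner_role_policy_set` (hunk `@@ -127,7 +136,9 @@`) still merges `local.resourcemanager_common_tags`, so it is filed under the Resource Manager folder and service, while its query `iam_owner_role_policy_set` is tagged `local.iam_common_tags` in the following hunk; the detection and its query end up in different folders. Since the line is rewritten anyway, `tags = merge(local.iam_common_tags, {` keeps the pair together, or both should move to resource_manager.pp if that is the intended home. The mismatch predates this commit, but the commit's stated goal in the CHANGELOG is tag consistency across detections.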
@@ -142,6 +153,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_service_account_key_created" { @@ -156,6 +169,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_service_account_deleted" { @@ -170,6 +185,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_service_account_disabled" { @@ -184,6 +201,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_service_account_token_creator_role_assigned" { @@ -207,6 +226,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_organization_policy_updated" { @@ -221,6 +242,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_service_account_access_token_generated" { @@ -236,6 +259,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_service_account_key_deleted" { @@ -250,6 +275,8 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } query "iam_owner_role_policy_set" { @@ -273,4 +300,7 @@ order by timestamp desc; EOQ + + tags = local.iam_common_tags } + diff --git a/detections/logging.pp b/detections/logging.pp index 72bc9b5..031f13b 100644 --- a/detections/logging.pp +++ b/detections/logging.pp @@ -1,5 +1,6 @@ locals { logging_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Logging" service = "GCP/Logging" }) } @@ -26,7 +27,9 @@ query = query.logging_sink_deleted display_columns = local.detection_display_columns - tags = local.logging_common_tags + tags = merge(local.logging_common_tags, { + mitre_attack_ids = "TA0005:T1562" + }) } detection "logging_bucket_deleted" { @@ -37,7 +40,9 @@ query = query.logging_bucket_deleted display_columns = local.detection_display_columns - tags = local.logging_common_tags + tags = merge(local.logging_common_tags, { + mitre_attack_ids = "TA0040:T1485" + }) } query "logging_sink_deleted" { 
@@ -52,6 +57,8 @@ order by timestamp desc; EOQ + + tags = local.logging_common_tags } query "logging_bucket_deleted" { @@ -66,4 +73,6 @@ order by timestamp desc; EOQ + + tags = local.logging_common_tags } \ No newline at end of file diff --git a/detections/monitoring.pp b/detections/monitoring.pp index 258e915..4a8d430 100644 --- a/detections/monitoring.pp +++ b/detections/monitoring.pp @@ -1,8 +1,8 @@ locals { monitoring_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Monitoring" service = "GCP/Monitoring" }) - } benchmark "monitoring_detections" { @@ -25,7 +25,9 @@ query = query.monitoring_metric_descriptor_deleted display_columns = local.detection_display_columns - tags = local.monitoring_common_tags + tags = merge(local.monitoring_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "monitoring_alert_policy_deleted" { @@ -36,7 +38,9 @@ query = query.monitoring_alert_policy_deleted display_columns = local.detection_display_columns - tags = local.monitoring_common_tags + tags = merge(local.monitoring_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } query "monitoring_metric_descriptor_deleted" { @@ -51,6 +55,8 @@ order by timestamp desc; EOQ + + tags = local.monitoring_common_tags } query "monitoring_alert_policy_deleted" { @@ -65,4 +71,6 @@ order by timestamp desc; EOQ + + tags = local.monitoring_common_tags } \ No newline at end of file diff --git a/detections/resource_manager.pp b/detections/resource_manager.pp index 3e51118..0661951 100644 --- a/detections/resource_manager.pp +++ b/detections/resource_manager.pp @@ -1,5 +1,6 @@ locals { resourcemanager_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Resource Manager" service = "GCP/ResourceManager" }) 
@@ -24,7 +25,10 @@ query = query.resource_manager_iam_policy_set display_columns = local.detection_display_columns - tags = local.resourcemanager_common_tags + + tags = merge(local.resourcemanager_common_tags, { + mitre_attack_ids = "TA0005:T1211" + }) } query "resource_manager_iam_policy_set" { @@ -39,4 +43,6 @@ order by timestamp desc; EOQ + + tags = local.resourcemanager_common_tags } diff --git a/detections/security_command_center.pp b/detections/security_command_center.pp index b523d59..7d8e4fc 100644 --- a/detections/security_command_center.pp +++ b/detections/security_command_center.pp @@ -1,5 +1,6 @@ locals { security_command_center_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Security Command Center" service = "GCP/SecurityCommandCenter" }) } @@ -25,7 +26,9 @@ query = query.security_command_center_notification_config_deleted display_columns = local.detection_display_columns - tags = local.security_command_center_common_tags + tags = merge(local.security_command_center_common_tags, { + mitre_attack_ids = "TA0005:T1211" + }) } query "security_command_center_notification_config_deleted" { @@ -40,4 +43,6 @@ order by timestamp desc; EOQ + + tags = local.security_command_center_common_tags } diff --git a/detections/sql.pp b/detections/sql.pp index 2c7fcab..63632ad 100644 --- a/detections/sql.pp +++ b/detections/sql.pp @@ -1,5 +1,6 @@ locals { sql_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "SQL" service = "GCP/SQL" }) @@ -27,7 +28,9 @@ query = query.sql_ssl_certificate_deleted display_columns = local.detection_display_columns - tags = local.sql_common_tags + tags = merge(local.sql_common_tags, { + mitre_attack_ids = "TA0003:T1098" + }) } detection "sql_user_deleted" { 
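Review bot: `resource_manager_iam_policy_set` is tagged `TA0005:T1211` (Exploitation for Defense Evasion), an exploitation technique, but setting a project IAM policy is an ordinary API call that maps to Account Manipulation (TA0003:T1098), the id this commit already uses for `iam_owner_role_policy_set` in iam.pp. The same T1211 is given to `security_command_center_notification_config_deleted` in the next hunk, where removing a finding notification is a defense-impairment action (TA0005:T1562, as used for `logging_sink_deleted`), and `storage_bucket_iam_permission_granted_public_access` in storage.pp gets `TA0001:T1190` (Exploit Public-Facing Application) for what is a permission change, not an exploit; T1530 (Data from Cloud Storage) or T1098 would fit better, though that is a judgment call. The extra blank line inserted before `tags` in this detection also differs from every other detection block in the diff.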
@@ -38,7 +41,9 @@ query = query.sql_user_deleted display_columns = local.detection_display_columns - tags = local.sql_common_tags + tags = merge(local.sql_common_tags, { + mitre_attack_ids = "TA0003:T1098" + }) } query "sql_ssl_certificate_deleted" { @@ -53,6 +58,8 @@ order by timestamp desc; EOQ + + tags = local.sql_common_tags } query "sql_user_deleted" { @@ -67,4 +74,6 @@ order by timestamp desc; EOQ + + tags = local.sql_common_tags } \ No newline at end of file diff --git a/detections/storage.pp b/detections/storage.pp index cf80b1a..582af52 100644 --- a/detections/storage.pp +++ b/detections/storage.pp @@ -1,5 +1,6 @@ locals { storage_common_tags = merge(local.gcp_audit_log_detections_common_tags, { + folder = "Storage" service = "GCP/Storage" }) } @@ -26,7 +27,9 @@ query = query.storage_bucket_iam_permission_set display_columns = local.detection_display_columns - tags = local.storage_common_tags + tags = merge(local.storage_common_tags, { + mitre_attack_ids = "TA0005:T1578.005" + }) } detection "storage_bucket_iam_permission_granted_public_access" { @@ -37,7 +40,9 @@ query = query.storage_bucket_iam_permission_granted_public_access display_columns = local.detection_display_columns - tags = local.storage_common_tags + tags = merge(local.storage_common_tags, { + mitre_attack_ids = "TA0001:T1190" + }) } query "storage_bucket_iam_permission_set" { @@ -52,6 +57,8 @@ order by timestamp desc; EOQ + + tags = local.storage_common_tags } query "storage_bucket_iam_permission_granted_public_access" { @@ -75,4 +82,6 @@ order by timestamp desc; EOQ + + tags = local.storage_common_tags } \ No newline at end of file diff --git a/locals.pp b/locals.pp index 0c18594..a046011 100644 --- a/locals.pp +++ b/locals.pp 
@@ -25,10 +25,10 @@ exclude operation, resource EOQ + # TODO: Do we need to check operation? + # and (operation_src is null or operation_src.last = true) detection_sql_where_conditions = <<-EOQ and severity != 'Error' - -- TODO: Do we need to check operation? - -- and (operation_src is null or operation_src.last = true) EOQ // Keep same order as SQL statement for easier readability