Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
'Detects bulk deletion of Google Cloud VM snapshots within a short time period, which may indicate data destruction or defense evasion activities. VM snapshots are critical for backup and disaster recovery. Bulk deletion of snapshots can prevent recovery from incidents and may indicate malicious activity such as ransomware, data destruction, or an attempt to cover tracks after a security breach. Adversaries may delete snapshots to maximize damage, prevent forensic investigation, or hinder recove
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Google Cloud Platform Audit Logs |
| ID | dfdffdc7-929f-4c7e-8f48-30e5ffddb067 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | Impact, DefenseEvasion |
| Techniques | T1485, T1490, T1562.001 |
| Required Connectors | GCPAuditLogsDefinition |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
GCPAuditLogs |
GCPResourceType == "gce_snapshot"MethodName has "compute.snapshots.delete"ServiceName == "compute.googleapis.com"Severity == "NOTICE" |
✓ | ✓ | ✓ |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Analytic Rules · Back to Google Cloud Platform Audit Logs