Cross-Cloud Suspicious user activity observed in GCP Envourment

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

'This detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectiv

Attribute	Value
Type	Analytic Rule
Solution	Multi Cloud Attack Coverage Essentials - Resource Abuse
ID	58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7
Severity	Medium
Kind	Scheduled
Tactics	InitialAccess, Execution, Persistence, PrivilegeEscalation, CredentialAccess, Discovery
Techniques	T1566, T1059, T1078, T1046, T1547, T1548, T1069, T1552
Required Connectors	GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
GCPAuditLogs	AuthenticationInfo !has "system:" PrincipalEmail !endswith "gserviceaccount.com"	✓	✓	✓
SecurityAlert	ProductName !in "Azure Sentinel"	✓	✗	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Multi Cloud Attack Coverage Essentials - Resource Abuse