Cross-Cloud Suspicious user activity observed in GCP Envourment

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

'This detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectiv

Attribute	Value
Type	Analytic Rule
Solution	Multi Cloud Attack Coverage Essentials - Resource Abuse
ID	58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7
Severity	Medium
Kind	Scheduled
Tactics	InitialAccess, Execution, Persistence, PrivilegeEscalation, CredentialAccess, Discovery
Techniques	T1566, T1059, T1078, T1046, T1547, T1548, T1069, T1552
Required Connectors	GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
GCPAuditLogs	✓	✓	?
SecurityAlert	✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Multi Cloud Attack Coverage Essentials - Resource Abuse