Threat Hunting Primer - Section 4: GCP Primer - Threat Hunting w/ Google SecOps Integration
GCP Cloud Threat Hunting
Google Cloud Platform (GCP) offers high-fidelity logging and native security tooling through services such as Security Command Center (SCC) and Google Security Operations (formerly Chronicle). Combined with network telemetry from VPC Flow Logs and the IAM audit trail in Cloud Audit Logs, these services give a threat hunter a solid foundation for both scheduled hunts and automated detection.
Key Security and Observability Tools
| Service | Description | Threat Hunting Use Cases |
|---|---|---|
| Cloud Audit Logs | Captures administrative and API activity | Detect unauthorized policy changes, privilege escalations |
| VPC Flow Logs | Records network traffic to/from instances | Identify beaconing, lateral movement, data exfiltration |
| Security Command Center (SCC) | Unified view of misconfigurations, vulnerabilities, and threats | Monitor for public buckets, overly permissive IAM, exposed APIs |
| Google Security Operations (SecOps) | SIEM and threat intelligence platform | Correlate indicators across time and assets |
| Cloud Functions | Serverless, event-driven functions | Execute detection logic at scale, integrate alerting pipelines |
MITRE ATT&CK Mapping (GCP)
| Tactic | Technique | GCP Source | Detection Strategy |
|---|---|---|---|
| Privilege Escalation | T1078 - Valid Accounts | Cloud Audit Logs | Detect `SetIamPolicy` calls that add high-privilege roles (e.g., `roles/owner`) |
| Defense Evasion | T1070 - Indicator Removal | Cloud Logging | Logging sinks disabled or deleted, or expected events missing |
| Command & Control | T1071 - Application Layer Protocol | VPC Flow Logs | Traffic to uncommon destinations or rare geographies |
Example: Detect GCP IAM Policy Escalation
The following Cloud Logging query surfaces project-level `SetIamPolicy` calls that add a `roles/owner` binding. Project IAM changes are recorded with `resource.type="project"` (an instance-scoped filter such as `gce_instance` would not match them); replace `your-project` with the project ID:
```text
resource.type="project"
logName="projects/your-project/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="SetIamPolicy"
protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"
```
Elastic AI Integration (GCP)
Elastic Agent can subscribe to Pub/Sub topics that export logs from:
- Cloud Audit Logs
- VPC Flow Logs
- SCC Findings
These logs are normalized to the Elastic Common Schema (ECS) and then available to Kibana dashboards and automated detection rules.
Suggested GCP Hunting Indicators
| Behavior | Service | Query Example |
|---|---|---|
| Excessive privilege grants | Cloud Audit Logs | `methodName="SetIamPolicy" role="roles/owner"` |
| Unusual outbound DNS | VPC Flow Logs | `dest.port=53 AND dest.domain NOT IN known_domains` |
| Public GCS bucket creation | Cloud Audit Logs | `storage.setIamPolicy` with member `allUsers` |
Serverless Threat Detection with Cloud Functions
Use GCP Cloud Functions to automate alerts and remediation. The function below is written for a Pub/Sub trigger fed by a Cloud Logging sink: the audit LogEntry arrives base64-encoded in the message's `data` field, and every binding delta is checked, not just the first one.
```python
import base64
import json
import logging


def detect_policy_change(event, context):
    # Pub/Sub-triggered Cloud Function: decode the LogEntry carried in event['data']
    entry = json.loads(base64.b64decode(event["data"]))
    payload = entry.get("protoPayload", {})
    if "SetIamPolicy" in payload.get("methodName", ""):
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            # Only an added owner binding is an escalation; a removal is not
            if delta.get("action") == "ADD" and delta.get("role") == "roles/owner":
                logging.error("Privilege escalation detected in GCP: %s granted roles/owner",
                              delta.get("member"))
```
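As an added, self-contained example (not code from the original primer), the script below applies the hunting indicators from the table above (owner grant, public bucket exposure, logging sink removal) to audit LogEntry objects delivered through a Pub/Sub sink, the same input shape the Cloud Function above consumes. The sample entries are constructed; their field layout follows Cloud Audit Log entries, but the method names, principals, project and bucket names are illustrative assumptions. The matcher checks method-name substrings so it also matches the page's `storage.setIamPolicy` spelling.

```python
import base64
import json

# Roles whose grant the hunting table treats as privilege escalation (T1078).
HIGH_PRIVILEGE_ROLES = {"roles/owner"}
# Members that expose a resource to everyone (public GCS bucket indicator).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Logging config methods whose audit entries point at sink removal/modification (T1070).
LOG_TAMPER_METHODS = ("ConfigServiceV2.DeleteSink", "ConfigServiceV2.UpdateSink")


def decode_pubsub_message(message):
    """Return the LogEntry carried in a Pub/Sub message ('data' is base64-encoded JSON)."""
    return json.loads(base64.b64decode(message["data"]))


def binding_deltas(entry):
    """IAM binding changes recorded by a SetIamPolicy-style call (empty for other methods)."""
    payload = entry.get("protoPayload", {})
    return payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])


def evaluate_entry(entry):
    """Apply the hunting indicators to one audit LogEntry and return a list of findings."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    labels = entry.get("resource", {}).get("labels", {})
    findings = []

    if "setiampolicy" in method.lower() or "setiampermissions" in method.lower():
        for delta in binding_deltas(entry):
            if delta.get("action") != "ADD":
                continue  # removals reduce privilege; not an escalation or exposure signal
            if delta.get("role") in HIGH_PRIVILEGE_ROLES:
                findings.append({"rule": "high_privilege_grant", "actor": actor,
                                 "role": delta["role"], "member": delta.get("member")})
            if delta.get("member") in PUBLIC_MEMBERS:
                findings.append({"rule": "public_exposure", "actor": actor,
                                 "role": delta.get("role"),
                                 "resource": labels.get("bucket_name")})

    if any(method.endswith(m) for m in LOG_TAMPER_METHODS):
        findings.append({"rule": "logging_sink_tampering", "actor": actor, "method": method})

    return findings


def hunt(messages):
    """Decode a batch of Pub/Sub messages and collect every finding in order."""
    findings = []
    for message in messages:
        findings.extend(evaluate_entry(decode_pubsub_message(message)))
    return findings


def _encode(entry):
    """Wrap a LogEntry the way a Pub/Sub sink delivers it (helper for the samples below)."""
    return {"data": base64.b64encode(json.dumps(entry).encode()).decode()}


def _audit(method, actor, resource, deltas=None):
    """Build a constructed audit LogEntry with the fields the detector reads (hypothetical data)."""
    payload = {"methodName": method, "authenticationInfo": {"principalEmail": actor}}
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"resource": resource, "protoPayload": payload}


# Constructed sample messages (not real audit data).
SAMPLE_MESSAGES = [
    _encode(_audit("SetIamPolicy", "attacker@example.com",
                   {"type": "project", "labels": {"project_id": "example-project"}},
                   [{"action": "ADD", "role": "roles/owner", "member": "user:new-admin@example.com"}])),
    _encode(_audit("storage.setIamPermissions", "dev@example.com",
                   {"type": "gcs_bucket", "labels": {"bucket_name": "example-data"}},
                   [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}])),
    _encode(_audit("google.logging.v2.ConfigServiceV2.DeleteSink", "attacker@example.com",
                   {"type": "logging_sink", "labels": {"name": "audit-export"}})),
    _encode(_audit("SetIamPolicy", "admin@example.com",  # benign: a viewer role removed
                   {"type": "project", "labels": {"project_id": "example-project"}},
                   [{"action": "REMOVE", "role": "roles/viewer", "member": "user:contractor@example.com"}])),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_MESSAGES):
        print(finding)
```

Run as a script it prints three findings and nothing for the benign removal. In a deployed function the same `evaluate_entry` would sit behind the Pub/Sub handler and forward its findings to SecOps or Elastic rather than printing them.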