
Hello Team,

Greetings,

I am currently working on a detection rule that triggers when a feed is deleted. The challenge I am facing is that the event only provides the feed ID, and not the feed name.

I attempted to create a data table that populates when a feed is created, but I am unable to reference that data table field inside the rule. I also tried running a stat search; however, if I move this to a SOAR playbook, I am not sure how to handle the time correlation, since the feed could have been created at any point in time.

Could you please advise if there is a way to fetch the feed name rather than a feed_id in the same alert when a feed is deleted?


Thanks & regards,

nasef

Can you share the rule? And also, if the feed ID does come through, why not use that? Seems like something that would happen very rarely.


Hello dnehoda, thanks for the reply. I have resolved the issue.


Would you like to share the resolution for the community? That would be helpful.


In my logs for feed deletion events, the GCP audit logs only contained the feed ID. To address this, I created an additional rule that populates a data table with both the feed ID and feed name at the time of feed creation. Later, during feed deletion events, I use this stored data to retrieve the corresponding feed name. This was necessary because my clients required both the feed name and the log type of the deleted feed, since if it was only the feed ID they needed to manually check it again.


rule secops_create_feeds {

  meta:
    author = " [removed by moderator] "
    description = "Detect SecOps Feed created"
    severity = "High"
    environment = "Lab Admin"

  events:
    // Cloud Audit record written when a feed is created through the Feeds API
    $e2.metadata.log_type = "GCP_CLOUDAUDIT"
    $e2.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e2.metadata.product_event_type = /google\.cloud\.chronicle\.v1alpha\.FeedsService\.CreateFeed/

    // Pull the feed ID out of the full resource path (instance segment redacted)
    $feedid = re.capture($e2.target.resource.attribute.labels["res_name"], "locations/##/instances/###########/feeds/(.*)")

    // The human-readable feed name is only present in the creation event
    $e2.security_result.associations.name = $feed_names

  match:
    $feed_names, $feedid over 1h

  outcome:
    $target_resource = array_distinct($e2.target.resource.name)
    $user_wif = array_distinct($e2.principal.user.userid)
    $user_display_name = array_distinct($e2.principal.user.user_display_name)
    $user_email_pwc = array_distinct($e2.principal.user.title)
    $user_email_cloudsecurity = array_distinct($e2.principal.user.email_addresses)
    $feed_name = array_distinct($e2.security_result.associations.name)
    $feed_ids = array_distinct($feedid)

  condition:
    $e2

  export:
    // Persist the ID-to-name mapping so the deletion rule can look it up later
    %feed_id_vs_feed_name.write_row(
      feed_id: $feedid,
      feed_names: $feed_names,
      //time: $event_time
    )
}




rule secops_delete_feeds {

  meta:
    author = " [removed by moderator] & Mohamed Fazil"
    description = "Detect for SecOps Feed deleted"
    severity = "High"
    environment = "Lab Admin"

  events:
    // Cloud Audit record written when a feed is deleted through the Feeds API
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = /google\.cloud\.chronicle\.v1alpha\.FeedsService\.DeleteFeed/
    $e.security_result.action = "ALLOW"
    $e.target.resource.name = $feedid

    // Extract the feed ID from the resource path (instance segment redacted)
    $feed_id = re.capture($e.target.resource.name, "locations/##/instances/######/feeds/(.*)")

    // Join against the data table populated by secops_create_feeds
    $feed_id = %feed_id_vs_feed_name.feed_id

  match:
    $feedid over 1h

  outcome:
    $target_resource = array_distinct($e.target.resource.name)
    $user_wif = array_distinct($e.principal.user.userid)
    $user_display_name = array_distinct($e.principal.user.user_display_name)
    $user_email_pwc = array_distinct($e.principal.user.title)
    $user_email_cloudsecurity = array_distinct($e.principal.user.email_addresses)
    $log_type = array_distinct($e.metadata.log_type)
    $feed_ids = array_distinct($feed_id)
    // Feed name comes from the stored row, not from the deletion event itself
    $feed_name = array_distinct(%feed_id_vs_feed_name.feed_names)

  condition:
    $e
}
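To make the two-rule pattern above concrete outside the SIEM, here is an added Python model of the same logic (not code from the original post and not a YARA-L interpreter). It treats a list of constructed audit events as the event stream, fills a lookup table on CreateFeed the way the export section does, and joins it on DeleteFeed to enrich the alert. The field names (`resource_name`, `feed_name`, `actor`, `action`) and the wildcarded path regex are assumptions chosen to stand in for the UDM fields the rules read; the one case the YARA-L join silently drops, a feed deleted with no creation row in the table, is surfaced here as an explicitly unknown name so the alert still fires.

```python
import re
from typing import Dict, List, Optional

# Mirrors the re.capture() in both rules, but wildcards the location and
# instance segments instead of hard-coding them (assumed path layout).
FEED_PATH_RE = re.compile(r"locations/[^/]+/instances/[^/]+/feeds/([^/]+)$")

CREATE_EVENT = "google.cloud.chronicle.v1alpha.FeedsService.CreateFeed"
DELETE_EVENT = "google.cloud.chronicle.v1alpha.FeedsService.DeleteFeed"


def feed_id_from_resource(resource_name: str) -> Optional[str]:
    """Extract the feed ID from a full feed resource path, or None."""
    m = FEED_PATH_RE.search(resource_name)
    return m.group(1) if m else None


class FeedDataTable:
    """Stand-in for the %feed_id_vs_feed_name data table."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    def write_row(self, feed_id: str, feed_name: str) -> None:
        self.rows[feed_id] = feed_name

    def lookup(self, feed_id: str) -> Optional[str]:
        return self.rows.get(feed_id)


def handle_event(event: dict, table: FeedDataTable) -> Optional[dict]:
    """Apply the create rule (populate table) or the delete rule (alert)."""
    if event.get("log_type") != "GCP_CLOUDAUDIT":
        return None
    feed_id = feed_id_from_resource(event.get("resource_name", ""))
    if feed_id is None:
        return None
    etype = event.get("product_event_type", "")
    if etype == CREATE_EVENT:
        # Only the creation event carries the human-readable feed name.
        table.write_row(feed_id, event["feed_name"])
        return None
    if etype == DELETE_EVENT and event.get("action") == "ALLOW":
        name = table.lookup(feed_id)
        return {
            "feed_id": feed_id,
            # A feed created before the table existed has no row; report that
            # explicitly rather than losing the alert in a failed join.
            "feed_name": name if name is not None else "UNKNOWN (no creation record)",
            "actor": event.get("actor"),
        }
    return None


def run(events: List[dict]) -> List[dict]:
    """Replay events in order and return the enriched deletion alerts."""
    table = FeedDataTable()
    alerts = []
    for ev in events:
        alert = handle_event(ev, table)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real audit data); values are placeholders.
SAMPLE_EVENTS = [
    {"log_type": "GCP_CLOUDAUDIT", "product_event_type": CREATE_EVENT,
     "resource_name": "projects/example/locations/us/instances/inst-1/feeds/feed-aaa",
     "feed_name": "Windows DC syslog", "actor": "alice@example.com", "action": "ALLOW"},
    {"log_type": "GCP_CLOUDAUDIT", "product_event_type": DELETE_EVENT,
     "resource_name": "projects/example/locations/us/instances/inst-1/feeds/feed-aaa",
     "actor": "bob@example.com", "action": "ALLOW"},
    {"log_type": "GCP_CLOUDAUDIT", "product_event_type": DELETE_EVENT,
     "resource_name": "projects/example/locations/us/instances/inst-1/feeds/feed-old",
     "actor": "bob@example.com", "action": "ALLOW"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Two points carry over to the real rules: the table only helps for feeds created after `secops_create_feeds` started writing rows, so a one-off backfill of existing feeds is worth doing when the rule is deployed; and the `$log_type` outcome in the delete rule reports the audit record's own log type (`GCP_CLOUDAUDIT`), so if the deleted feed's ingestion log type is needed it has to be captured at creation time in the same table.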

