
I have noticed that there are no detection rules available for Spanner and Bigtable in the SecOps community rules and curated detections. I would like to explore opportunities to enhance threat visibility around Bigtable and Spanner. Does anyone have any recommendations or suggestions for creating detection rules that would help improve monitoring and security of these services?

I am particularly interested in ideas or best practices to address potential risks and ensure robust threat detection. I would greatly appreciate any input or feedback from your experience or perspective.

I am not familiar with the logs from BigTable and Spanner.  But what I have in mind is that if you are using Security Command Center (SCC) it may already be receiving these logs and there could be alerts generated from SCC.  If so, those will be ingested into Chronicle.  In that scenario you can write rules similar to this:


$alert.metadata.product_name = "Security Command Center"
$alert.metadata.product_event_type = "Exfiltration: BigQuery Data Extraction"
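
For readers who want to see where the two lines above sit in a full rule, here is a complete YARA-L 2.0 rule built around them. This is an added example, not code from the reply, the community rules, or Google; the rule name, the meta block, the one-hour match window on the principal user, and the risk score are my assumptions, and the principal user field is only populated if the SCC finding carries it.

```yaral
rule scc_bigquery_exfiltration_finding {
  meta:
    // Added example; rule name and metadata are assumptions, not a curated detection.
    author = "example"
    description = "Surface Security Command Center BigQuery exfiltration findings ingested into Chronicle"
    severity = "HIGH"

  events:
    // The two conditions quoted in the reply: select SCC findings of this one type.
    $alert.metadata.product_name = "Security Command Center"
    $alert.metadata.product_event_type = "Exfiltration: BigQuery Data Extraction"

    // Assumed: group findings by the principal user so repeats collapse into one detection.
    $alert.principal.user.userid = $user

  match:
    $user over 1h

  outcome:
    // Assumed scoring; adjust to the environment's triage conventions.
    $risk_score = max(80)
    $finding_count = count($alert.metadata.id)

  condition:
    $alert
}
```

The same skeleton applies to any other SCC finding type that arrives in Chronicle: only the `product_event_type` string changes, so the structure is reusable once SCC publishes findings for a service, as the thread notes it does not yet do for Bigtable and Spanner.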


 



Hello @rajukg11 , the finding you mentioned is around BigQuery. We don't see any rules around Bigtable and Spanner from SCC.

