Secops detection rules on Spanner and Bigtable

  • January 20, 2025
  • 2 replies
  • 13 views

I have noticed that there are no detection rules available for Spanner and Bigtable in the SecOps community rules and curated detections. I would like to explore the opportunity to enhance threat visibility around Bigtable and Spanner. Does anyone have any recommendations or suggestions for creating detection rules that would help improve monitoring and security of these services?

I am particularly interested in ideas or best practices to address potential risks and ensure robust threat detection. I would greatly appreciate any input or feedback from your experience or perspective.

2 replies

rajukg11
Staff
  • Staff
  • January 21, 2025

I am not familiar with the logs from Bigtable and Spanner. But what I have in mind is that if you are using Security Command Center (SCC) it may already be receiving these logs and there could be alerts generated from SCC. If so, those will be ingested into Chronicle. In that scenario you can write rules similar to this:

$alert.metadata.product_name = "Security Command Center"
$alert.metadata.product_event_type = "Exfiltration: BigQuery Data Extraction"

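As an added illustration (not part of the reply above), the two conditions can be wrapped into a complete YARA-L 2.0 rule so they form a deployable detection rather than a fragment; the rule name, description and severity are assumed values chosen for the example.

```yara-l
rule scc_bigquery_exfiltration_finding {
  meta:
    // Assumed metadata values; adjust to your naming convention.
    author = "example"
    description = "Surfaces Security Command Center exfiltration findings for BigQuery ingested into Chronicle"
    severity = "HIGH"

  events:
    // Only consider events that SCC produced (the product_name of the UDM event).
    $alert.metadata.product_name = "Security Command Center"
    // Match the specific SCC finding category quoted in the reply above.
    $alert.metadata.product_event_type = "Exfiltration: BigQuery Data Extraction"

  condition:
    $alert
}
```

Once SCC starts emitting findings for other services, the same structure can be reused by changing only the product_event_type string.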
  • Author
  • New Member
  • January 21, 2025

Hello @rajukg11, the finding you mentioned is around BigQuery. We don't see any rules around Bigtable and Spanner from SCC.