security-analytics by GoogleCloudPlatform

Security analytics for Google Cloud environments

Created 3 years ago
345 stars

Top 80.2% on SourcePulse

Project Summary

This repository provides a community-driven collection of security analytics queries and rules for Google Cloud. It aims to assist detection engineers, threat hunters, and data governance analysts by offering a baseline of pre-built queries for auditing cloud usage and detecting threats across various Google Cloud log sources.

How It Works

The project offers analytics in two primary formats: YARA-L rules for Google Security Operations and SQL queries for BigQuery and Log Analytics. These are categorized by security use case, including Login & Access Patterns, IAM/Keys/Secrets Admin Activity, Cloud Provisioning, Workload Usage, Data Usage, and Network Activity. The goal is to provide readily usable, foundational analytics that can be integrated into existing security workflows and tools.

Quick Start & Requirements

  • BigQuery: Use the Dataform repository within the project to automate deployment of the CSA (Community Security Analytics) queries, with materialized results for better query performance and lower cost.
  • Google Security Operations: The cicd folder contains scripts for testing and deploying YARA-L rules via CI/CD pipelines (GitHub Actions, Google Cloud Build, Azure DevOps).
  • Prerequisites: Access to Google Cloud logs (Cloud Audit logs, VPC Flow logs, DNS logs, etc.) and a compatible analytics tool (BigQuery, Google Security Operations, or third-party SIEM).

Highlighted Details

  • Comprehensive coverage of security use cases mapped to MITRE ATT&CK® techniques.
  • Includes YARA-L rules for Google Security Operations and SQL queries for BigQuery.
  • Dataform integration for automated deployment and management of BigQuery analytics.
  • CI/CD scripts for managing and deploying YARA-L rules to Google Security Operations.

Maintenance & Community

This is a community-supported project, not an officially supported Google product. Contributions and issues are managed via GitHub.

Licensing & Compatibility

Licensed under the Apache License, Version 2.0. This license is permissive and generally compatible with commercial use and closed-source linking.

Limitations & Caveats

The project explicitly states it is not a comprehensive set of threat detections but rather a collection of community-contributed samples to get users started with detective controls.

Health Check

  • Last commit: 1 year ago
  • Responsiveness: 1 week
  • Pull requests (30d): 0
  • Issues (30d): 0
  • Star history: 3 stars in the last 30 days
