From 9d1493865fa096a8a6bff50693e3216c0e361312 Mon Sep 17 00:00:00 2001 From: David Iglesias Lopez Date: Wed, 17 Jun 2020 13:11:31 +0200 Subject: [PATCH 1/3] Add new rules for INFO --- rules/0690-gcp_rules.xml | 96 +++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 41 deletions(-) diff --git a/rules/0690-gcp_rules.xml b/rules/0690-gcp_rules.xml index dc7b76744..9f9bc625a 100644 --- a/rules/0690-gcp_rules.xml +++ b/rules/0690-gcp_rules.xml 
@@ -38,231 +38,245 @@ ID: 65000 - 65499 no_full_log - + + 65002 + ^INFO + GCP info event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) + no_full_log + + + 65002 ^WARNING$ GCP warning event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65002 ^NOTICE$ GCP notice event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65002 ^ERROR$ GCP error with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65002 ^CRITICAL$ GCP critical event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65002 ^ALERT$ GCP alert event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65002 ^EMERGENCY$ GCP emergency event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + + 65003 + ^INFO$ + GCP info event from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) + no_full_log + + + 65003 ^WARNING$ GCP warning event from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65003 ^NOTICE$ GCP notice event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65003 ^ERROR$ GCP error from VM 
$(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65003 ^CRITICAL$ GCP critical event from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65003 ^ALERT$ GCP alert event from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65003 ^EMERGENCY$ GCP emergency event from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log - + 65002,65003 ^ERROR$ GCP error with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^NXDOMAIN$ Unable to resolve domain name with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^SERVFAIL$ Unable to process query due to a problem with the name server with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^FORMERR$ Unable to interpret query with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^NOTIMP$ Unsupported requested query with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^REFUSED$ Refuse to perform the specified operation for policy reasons with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^YXDOMAIN$ Specified name already created, when it 
ought not to exist with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^YXRRSET$ The specified RR Set already exists with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^NXRRSET$ The specified RR Set does not exist, and should with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^NOTAUTH$ Server not authoritative for zone with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^NOTZONE$ Name not contained in zone with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^DSOTYPENI$ DSO-TYPE not implemented with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADVERS$ Bad OPT version with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADSIG$ TSIG Signature Failure with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADKEY$ Key not recognized with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADTIME$ Signature out of time window with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADMODE$ Bad TKEY Mode with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADNAME$ Duplicate key name with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) 
no_full_log - + 65002,65003 ^BADALG$ Algorithm not supported with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADTRUNC$ Bad Truncation with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) no_full_log - + 65002,65003 ^BADCOOKIE$ Bad/missing Server Cookie with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location), severity $(gcp.severity) @@ -270,56 +284,56 @@ ID: 65000 - 65499 - + 65000 ^DEFAULT$ A GCP event with no severity information happened on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) no_full_log - + 65000 ^INFO$ GCP information event on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) no_full_log - + 65000 ^WARNING$ GCP warning event on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) no_full_log - + 65000 ^NOTICE$ GCP notice event on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) no_full_log - + 65000 ^ERROR$ GCP error event on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) no_full_log - + 65000 ^CRITICAL$ GCP critical event on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) no_full_log - + 65000 ^ALERT$ GCP alert event on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) no_full_log - + 65000 ^EMERGENCY$ GCP emergency event on project $(gcp.resource.labels.project_id), monitored resource type: $(gcp.resource.type) From c06f244c5bb510ba446b73e33d61bfafd57911a8 Mon Sep 17 00:00:00 2001 From: David Iglesias Lopez Date: Wed, 17 Jun 2020 13:16:36 +0200 Subject: [PATCH 2/3] Fix 65004 --- rules/0690-gcp_rules.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
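Review bot: The two new `^INFO$` rules under 65002 and 65003 will match every Cloud DNS query logged at INFO severity, which on GCP is the normal successful-query case, so unless their level attribute (not visible in this hunk) is 0 they turn the highest-volume log line into an alert and bury the NXDOMAIN/SERVFAIL/REFUSED/BADSIG children that carry the actual signal. If the intent is only to give the response-code rules a parent, a level-0 rule with a comment such as `<!-- INFO is the successful-query case: level 0, kept as parent for the response-code rules -->` makes that explicit; if alerts are wanted, a frequency/timeframe composite keyed on sourceIP would be the safer form. The descriptions also interpolate `$(gcp.jsonPayload.sourceIP)` and `$(gcp.jsonPayload.responseCode)` unconditionally, and presumably an event lacking those fields prints an unresolved placeholder, so a rule test with a minimal INFO event would be worth adding. The enclosing `<group>` begins and ends outside this hunk.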
diff --git a/rules/0690-gcp_rules.xml b/rules/0690-gcp_rules.xml index 9f9bc625a..ed5789fda 100644 --- a/rules/0690-gcp_rules.xml +++ b/rules/0690-gcp_rules.xml @@ -40,7 +40,7 @@ ID: 65000 - 65499 65002 - ^INFO + ^INFO$ GCP info event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log From 7dc9bf83626b78a0c82a97b23fdbc8d701bbb95b Mon Sep 17 00:00:00 2001 From: David Iglesias Lopez Date: Wed, 17 Jun 2020 13:21:20 +0200 Subject: [PATCH 3/3] Fix rule 65013 description --- rules/0690-gcp_rules.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/0690-gcp_rules.xml b/rules/0690-gcp_rules.xml index ed5789fda..06654c5b2 100644 --- a/rules/0690-gcp_rules.xml +++ b/rules/0690-gcp_rules.xml @@ -104,14 +104,14 @@ ID: 65000 - 65499 65003 ^NOTICE$ - GCP notice event with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) + GCP notice event from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log 65003 ^ERROR$ - GCP error from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) + GCP error event from VM $(gcp.jsonPayload.vmInstanceName) with source IP $(gcp.jsonPayload.sourceIP) from $(gcp.resource.labels.location) with response code $(gcp.jsonPayload.responseCode) no_full_log