Last reviewed:
Sigma rules authored by CloudSigma and rendered into SecOps queries against the GCP Audit Logs schema. Every rule is mapped to MITRE ATT&CK and validated against the SecOps query dialect it was rendered into; the table lists the covered techniques, and one of the rules is reproduced in full below.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1021 | Remote Services on GCP Audit Logs | medium | GCP Audit Logs |
| T1040 | Network Sniffing on GCP Audit Logs | medium | GCP Audit Logs |
| T1046 | Network Service Discovery on GCP Audit Logs | medium | GCP Audit Logs |
| T1059 | Command and Scripting Interpreter on GCP Audit Logs | medium | GCP Audit Logs |
| T1078 | Valid Accounts on GCP Audit Logs | medium | GCP Audit Logs |
| T1078.004 | Valid Accounts: Cloud Accounts on GCP Audit Logs | medium | GCP Audit Logs |
| T1087 | Account Discovery on GCP Audit Logs | medium | GCP Audit Logs |
| T1087.004 | Account Discovery: Cloud Account on GCP Audit Logs | medium | GCP Audit Logs |
| T1098 | Account Manipulation on GCP Audit Logs | medium | GCP Audit Logs |
| T1098.001 | Account Manipulation: Additional Cloud Credentials on GCP Audit Logs | medium | GCP Audit Logs |
| T1098.003 | Account Manipulation: Additional Cloud Roles on GCP Audit Logs | medium | GCP Audit Logs |
| T1110 | Brute Force on GCP Audit Logs | medium | GCP Audit Logs |
| T1110.001 | Brute Force: Password Guessing on GCP Audit Logs | medium | GCP Audit Logs |
| T1119 | Automated Collection on GCP Audit Logs | medium | GCP Audit Logs |
| T1136.003 | Create Account: Cloud Account on GCP Audit Logs | medium | GCP Audit Logs |
| T1190 | Exploit Public-Facing Application on GCP Audit Logs | medium | GCP Audit Logs |
| T1204.003 | User Execution: Malicious Image on GCP Audit Logs | medium | GCP Audit Logs |
| T1213 | Data from Information Repositories on GCP Audit Logs | medium | GCP Audit Logs |
| T1485 | Data Destruction on GCP Audit Logs | medium | GCP Audit Logs |
| T1486 | Data Encrypted for Impact on GCP Audit Logs | medium | GCP Audit Logs |
| T1491 | Defacement on GCP Audit Logs | medium | GCP Audit Logs |
| T1491.002 | Defacement: External Defacement on GCP Audit Logs | medium | GCP Audit Logs |
| T1496 | Resource Hijacking on GCP Audit Logs | medium | GCP Audit Logs |
| T1498 | Network Denial of Service on GCP Audit Logs | medium | GCP Audit Logs |
| T1498.001 | Network Denial of Service: Direct Network Flood on GCP Audit Logs | medium | GCP Audit Logs |
| T1498.002 | Network Denial of Service: Reflection Amplification on GCP Audit Logs | medium | GCP Audit Logs |
| T1499 | Endpoint Denial of Service on GCP Audit Logs | medium | GCP Audit Logs |
| T1525 | Implant Internal Image on GCP Audit Logs | medium | GCP Audit Logs |
| T1526 | Cloud Service Discovery on GCP Audit Logs | medium | GCP Audit Logs |
| T1528 | Steal Application Access Token on GCP Audit Logs | medium | GCP Audit Logs |
| T1530 | Data from Cloud Storage Object on GCP Audit Logs | medium | GCP Audit Logs |
| T1548 | Abuse Elevation Control Mechanism on GCP Audit Logs | medium | GCP Audit Logs |
| T1552 | Unsecured Credentials on GCP Audit Logs | medium | GCP Audit Logs |
| T1552.001 | Unsecured Credentials: Credentials In Files on GCP Audit Logs | medium | GCP Audit Logs |
| T1552.005 | Unsecured Credentials: Cloud Instance Metadata API on GCP Audit Logs | medium | GCP Audit Logs |
| T1556 | Modify Authentication Process on GCP Audit Logs | medium | GCP Audit Logs |
| T1580 | Cloud Infrastructure Discovery on GCP Audit Logs | medium | GCP Audit Logs |
| T1685 | Disable or Modify Tools on GCP Audit Logs | medium | GCP Audit Logs |
| T1686.001 | Disable or Modify System Firewall: Cloud Firewall on GCP Audit Logs | medium | GCP Audit Logs |
The rule for the T1040 row, GCP Packet Mirroring Configuration for Network Sniffing, generated by CloudSigma and validated against the SecOps dialect:

```yaml
title: GCP Packet Mirroring Configuration for Network Sniffing
id: c4780e01-ca09-4bdf-83b3-1b1f2063542a
status: test
description: >
  Detects the creation or modification of packet mirroring policies in GCP.
  Adversaries may configure packet mirroring to capture network traffic containing
  credentials or sensitive data within the cloud environment.
author: CloudSigma
date: 2026-02-06
references:
  - https://attack.mitre.org/techniques/T1040/
  - https://cloud.google.com/vpc/docs/packet-mirroring
tags:
  - attack.credential-access
  - attack.discovery
  - attack.t1040
logsource:
  product: gcp
  service: gcp.audit
detection:
  selection:
    protoPayload.methodName|endswith:
      - compute.packetMirrorings.insert
      - compute.packetMirrorings.patch
  condition: selection
falsepositives:
  - Network administrators configuring packet mirroring for security monitoring
  - Legitimate traffic inspection for compliance or debugging purposes
level: high
```

The `|endswith` modifier matters: Compute Engine writes `protoPayload.methodName` with the API version prefixed (`v1.compute.packetMirrorings.insert`, `beta.compute.packetMirrorings.patch`), so an exact match on the bare method name would never fire. Both methods are admin write operations and therefore land in the Admin Activity audit log, which is always enabled, so no Data Access logging needs to be configured for this rule. Note that the catalog table lists this technique at `medium` while the rule itself carries `level: high`; the rule value is the one that applies to the rendered query.
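As an added example (not CloudSigma's rendered SecOps query), the selection above applied in Python to a handful of constructed Cloud Audit Log entries. The log entries, the project and principal names, and the `KNOWN_NETWORK_ADMINS` allowlist are assumptions made for illustration. The matching mirrors the rule's `|endswith` selection and Sigma's case-insensitive string comparison, ignores read-only `get`/`list` calls on the same resource, and tags hits from an allowlisted network-admin principal as expected rather than dropping them, so the false-positive tuning stays visible to a reviewer.

```python
"""Added example: run the packet-mirroring selection over constructed
GCP Cloud Audit Log entries. Not CloudSigma's rendered query."""
import json

# Suffixes from the rule's selection, lower-cased because Sigma string
# matching is case-insensitive. Compute Engine prefixes methodName with the
# API version ("v1.", "beta."), which is why the rule matches on the suffix.
PACKET_MIRRORING_METHODS = (
    "compute.packetmirrorings.insert",
    "compute.packetmirrorings.patch",
)

# Assumption (hypothetical value): principals expected to manage mirroring
# policies, covering the rule's stated false positive.
KNOWN_NETWORK_ADMINS = {"netops-sa@example-project.iam.gserviceaccount.com"}


def _get(entry, dotted_path, default=None):
    """Walk a dotted path such as 'protoPayload.methodName' through nested dicts."""
    node = entry
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches_rule(entry):
    """True when the entry satisfies the rule's 'selection' block."""
    method = _get(entry, "protoPayload.methodName")
    if not isinstance(method, str):
        return False
    method = method.lower()
    # Accept the bare name or any "<version>.<name>" form; the "." boundary
    # keeps 'xcompute.packetmirrorings.insert'-style near misses out.
    return any(method == m or method.endswith("." + m) for m in PACKET_MIRRORING_METHODS)


def evaluate(log_lines):
    """Apply the rule to newline-delimited JSON entries and return findings."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        if not matches_rule(entry):
            continue
        principal = _get(entry, "protoPayload.authenticationInfo.principalEmail", "")
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": principal,
            "method": _get(entry, "protoPayload.methodName"),
            "resource": _get(entry, "protoPayload.resourceName"),
            "expected": principal in KNOWN_NETWORK_ADMINS,
        })
    return findings


def _audit(method, principal, resource, ts):
    """Build one constructed Admin Activity entry in Cloud Logging JSON shape."""
    return json.dumps({
        "timestamp": ts,
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
        },
    })


# Constructed sample log lines (not real data); the fourth is deliberately malformed.
MIRROR = "projects/example-project/regions/us-central1/packetMirrorings/exfil-mirror"
SAMPLE_LOG_LINES = [
    _audit("v1.compute.packetMirrorings.insert", "compromised-user@example.com", MIRROR, "2026-02-06T10:15:00Z"),
    _audit("v1.compute.packetMirrorings.get", "compromised-user@example.com", MIRROR, "2026-02-06T10:15:05Z"),
    _audit("beta.compute.packetMirrorings.patch", "netops-sa@example-project.iam.gserviceaccount.com", MIRROR, "2026-02-06T11:00:00Z"),
    "{not json",
    _audit("v1.compute.instances.insert", "compromised-user@example.com", "projects/example-project/zones/us-central1-a/instances/vm-1", "2026-02-06T11:30:00Z"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG_LINES):
        print(("expected " if f["expected"] else "ALERT    ") + f"{f['principal']} {f['method']} {f['resource']}")
```

Run as a script it prints one line per hit; the `insert` by the unknown principal is the alert, the `patch` by the allowlisted service account is reported as expected, and the `get`, the unrelated `instances.insert` and the malformed line produce nothing.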