Google Compute Engine image created

gcp

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1496-resource-hijacking

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Google Compute Engine image is created.

Strategy

Monitor Google Cloud Audit Logs to determine when the following method is invoked from an external IP adddress:

  • v*.compute.images.insert

Triage and response

  1. Investigate the user ({{@usr.id}}) and IP address ({{@network.client.ip}}) where the image creation activity originated from and determine whether they are authorised to perform this activity.
  2. If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. Otherwise, use the Cloud SIEM - User Investigation dashboard to see if the user {{@usr.id}} has taken other actions.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and an investigation.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.