Google Cloud SQL Database Modified or Deleted
Detect when a Cloud SQL DB has been modified or deleted.
Sigma rule (View on GitHub)
1title: Google Cloud SQL Database Modified or Deleted
2id: f346bbd5-2c4e-4789-a221-72de7685090d
3status: test
4description: Detect when a Cloud SQL DB has been modified or deleted.
5references:
6 - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
7author: Austin Songer @austinsonger
8date: 2021-10-15
9modified: 2022-12-25
10tags:
11 - attack.impact
12logsource:
13 product: gcp
14 service: gcp.audit
15detection:
16 selection:
17 gcp.audit.method_name:
18 - cloudsql.instances.create
19 - cloudsql.instances.delete
20 - cloudsql.users.update
21 - cloudsql.users.delete
22 condition: selection
23falsepositives:
24 - SQL Database being modified or deleted may be performed by a system administrator.
25 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26 - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
27level: medium
References
-
Method: users.update Stay organized with collections Save and categorize content based on your preferences. Updates an existing user in a Cloud SQL instance. HTTP request PUT https://sqladmin.googl...
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted
- AWS EFS Fileshare Mount Modified or Deleted