Google Cloud introduces Community Security Analytics


Google Cloud was recently released Community Safety Analysis (CSA)a set of open source security scanning queries and rules designed to help detect common cloud-based threats.

Written to help detection engineers, threat hunters, and data governance analysts, CSAs are predefined queries and rules for analyzing Google Cloud logs, including Cloud Audit logs, Flow logs VPC and DNS logs, using cloud-native and third-party tools.

According to the cloud provider, the new version simplifies the adoption of a continuous detection and continuous response (CD/CR) workflow for security operations teams. Roy Arsansolution architect and Iman Ghanizadahead of security solutions, explains:

CSA requests are mapped to the MITER ATT&CK Tactics, Techniques and Procedures (TTP) framework to help you assess their applicability in your environment and include them in your threat model coverage. These queries can be run using cloud-native or third-party analytics tools. The initial release of CSA offers detections in the form of YARA-L rules for Chronicle and SQL queries for BigQuery, with other formats to follow based on community feedback.

The rules are currently divided into six categories, covering more than 40 use cases that reflect the most critical questions organizations need to ask their logs: connection and access patterns, IAM, cloud provisioning activity, usage of cloud workload, data usage and network activity.


To provide coverage against the most common threats in the cloud, CSA is a open-source (Apache-2.0 License) project that wants to make security analytics crowdsourced and no longer developed independently by each organization. Arsan and Ghanizada point out some of the limitations:

It is important to note that the detection queries provided by CSA will be self-managed and you may need to tune to minimize alert noise (..) CSA is not meant to be a complete, managed set of threat detections , but a community-contributed collection of sample analyzes to provide examples of essential detective controls, based on cloud-based techniques. (…) and have no cost estimates or performance guarantees.

Gunnar Peterson, CISO at Forter, comments:

In “What Next”, suggest going beyond login failure and taking a step-by-step analysis of widely used identity protocols. Brute force is a good place to start, but also redirection, impersonation, tampering, etc.

The project is a collaboration between Google, MITER Engenuity Center for Threat-Informed Defense and Google customers. The cloud provider recently published an article that covers the new resources and initiatives for autonomous security operations.


About Author

Comments are closed.