Sigma rules generated by CloudSigma and rendered into SecOps queries against the GCP Audit Logs schema. Every rule is mapped to a MITRE ATT&CK technique and validated against the target SecOps dialect.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1040 | Network Sniffing on GCP Audit Logs | medium | GCP Audit Logs |
| T1059 | Command and Scripting Interpreter on GCP Audit Logs | medium | GCP Audit Logs |
| T1078 | Valid Accounts on GCP Audit Logs | medium | GCP Audit Logs |
| T1078.004 | Valid Accounts: Cloud Accounts on GCP Audit Logs | medium | GCP Audit Logs |
| T1087 | Account Discovery on GCP Audit Logs | medium | GCP Audit Logs |
| T1087.004 | Account Discovery: Cloud Account on GCP Audit Logs | medium | GCP Audit Logs |
| T1098 | Account Manipulation on GCP Audit Logs | medium | GCP Audit Logs |
| T1098.001 | Account Manipulation: Additional Cloud Credentials on GCP Audit Logs | medium | GCP Audit Logs |
| T1110 | Brute Force on GCP Audit Logs | medium | GCP Audit Logs |
| T1190 | Exploit Public-Facing Application on GCP Audit Logs | medium | GCP Audit Logs |
| T1213 | Data from Information Repositories on GCP Audit Logs | medium | GCP Audit Logs |
| T1485 | Data Destruction on GCP Audit Logs | medium | GCP Audit Logs |
| T1486 | Data Encrypted for Impact on GCP Audit Logs | medium | GCP Audit Logs |
| T1491 | Defacement on GCP Audit Logs | medium | GCP Audit Logs |
| T1496 | Resource Hijacking on GCP Audit Logs | medium | GCP Audit Logs |
| T1498 | Network Denial of Service on GCP Audit Logs | medium | GCP Audit Logs |
| T1525 | Implant Internal Image on GCP Audit Logs | medium | GCP Audit Logs |
| T1526 | Cloud Service Discovery on GCP Audit Logs | medium | GCP Audit Logs |
| T1528 | Steal Application Access Token on GCP Audit Logs | medium | GCP Audit Logs |
| T1530 | Data from Cloud Storage Object on GCP Audit Logs | medium | GCP Audit Logs |
| T1548 | Abuse Elevation Control Mechanism on GCP Audit Logs | medium | GCP Audit Logs |
| T1552.001 | Unsecured Credentials: Credentials In Files on GCP Audit Logs | medium | GCP Audit Logs |
| T1556 | Modify Authentication Process on GCP Audit Logs | medium | GCP Audit Logs |
| T1580 | Cloud Infrastructure Discovery on GCP Audit Logs | medium | GCP Audit Logs |
| T1685 | Disable or Modify Tools on GCP Audit Logs | medium | GCP Audit Logs |
| T1686.001 | Disable or Modify System Firewall: Cloud Firewall on GCP Audit Logs | medium | GCP Audit Logs |
GCP Packet Mirroring Configuration for Network Sniffing, generated by CloudSigma and validated against the SecOps dialect:

```yaml
title: GCP Packet Mirroring Configuration for Network Sniffing
id: c4780e01-ca09-4bdf-83b3-1b1f2063542a
status: test
description: >
  Detects the creation or modification of packet mirroring policies in GCP.
  Adversaries may configure packet mirroring to capture network traffic containing
  credentials or sensitive data within the cloud environment.
author: CloudSigma
date: 2026-02-06
references:
  - https://attack.mitre.org/techniques/T1040/
  - https://cloud.google.com/vpc/docs/packet-mirroring
tags:
  - attack.credential-access
  - attack.discovery
  - attack.t1040
logsource:
  product: gcp
  service: gcp.audit
detection:
  selection:
    protoPayload.methodName:
      - compute.packetMirrorings.insert
      - compute.packetMirrorings.patch
  condition: selection
falsepositives:
  - Network administrators configuring packet mirroring for security monitoring
  - Legitimate traffic inspection for compliance or debugging purposes
level: high
```
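As an added illustration that is not part of the CloudSigma output, the Python below applies the rule's `selection` to constructed GCP Audit Log entries using Sigma's default matching semantics: the dotted field name is walked through the nested JSON, a list of values under one field is an OR, and string comparison is case-insensitive. The sample entries and the `admin@example.com` principal are constructed, not real logs.

```python
from typing import Any

# The rule's selection, exactly as written in the Sigma YAML above.
SELECTION = {
    "protoPayload.methodName": [
        "compute.packetMirrorings.insert",
        "compute.packetMirrorings.patch",
    ]
}

def get_field(entry: dict, dotted: str) -> Any:
    """Resolve a Sigma dotted field name (protoPayload.methodName) in nested JSON."""
    node: Any = entry
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None          # field absent: the selection cannot match
        node = node[part]
    return node

def matches(entry: dict, selection: dict = SELECTION) -> bool:
    """Every field in a selection map must match (AND); a value list is an OR."""
    for field, expected in selection.items():
        value = get_field(entry, field)
        wanted = expected if isinstance(expected, list) else [expected]
        if isinstance(value, str):
            # Sigma string matching is case-insensitive by default.
            if value.lower() not in {str(w).lower() for w in wanted}:
                return False
        elif value not in wanted:
            return False
    return True

# Constructed GCP Audit Log entries (shape only; not captured from a real project).
SAMPLE_LOG = [
    {"protoPayload": {"methodName": "compute.packetMirrorings.insert",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"protoPayload": {"methodName": "compute.packetMirrorings.get"}},    # read-only, no alert
    {"protoPayload": {"methodName": "COMPUTE.packetMirrorings.PATCH"}},  # case differs, still hits
    {"protoPayload": {"methodName": "compute.instances.insert"}},        # unrelated API
    {"textPayload": "entry without a protoPayload"},                     # missing field
]

def run_rule(entries: list) -> list:
    """Return the methodName of every entry the rule fires on, in log order."""
    return [get_field(e, "protoPayload.methodName") for e in entries if matches(e)]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print("T1040 packet mirroring change:", hit)
```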