Google Cloud BigQuery - query results saved to new table
이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.
Goal
Detect when an attempt to export Google Cloud BigQuery results to a new table occurs.
Strategy
This rule monitors Google Cloud Audit Logs to determine when an attempt to export Google Cloud BigQuery results to a new table has occurred. An attacker who has already gained initial access may try to exfiltrate data by saving BigQuery results to a new table outside of the compromised organization.
Notes:
- This rule triggers with a
Low
severity when this activity originates from an anonymizing proxy.
Triage and response
- Reach out to the user or owner of the service account to determine if this action is legitimate.
- If the action is legitimate, consider including the IP address or ASN in a suppression list. See this article on Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- Otherwise, use the Cloud SIEM - IP Investigation dashboard to see if the IP address: {{@network.client.ip}} has taken other actions.
- If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.
Changelog
- 31 Jaunuary 2023 - Updated strategy in markdown and rule title.