June 9, 2023

Google Cloud recently released Community Security Analytics , a set of open-sourced queries and rules for security analytics designed to help detect common cloud-based threats.

Enabling a helping hand to detection engineers, threat hunters and data governance analysts, CSA are pre-built queries and rules to analyze Google Cloud logs, including Cloud Audit logs, VPC Flow log and DNS logs, using cloud-native and third-party tools.


The new release simplifies the adoption of a continuous detection and continuous response (CD/CR) workflow for security operations teams.

CSA queries are mapped to the MITRE ATT&CK framework of tactics, techniques and procedures to help you evaluate their applicability in your environment and include them in your threat model coverage. These queries can be run using either cloud-native or third-party analytics tools.

The initial CSA release offers detections in the form of YARA-L rules for Chronicle, and SQL queries for BigQuery, with more formats to follow based on community feedback.

The rules are currently distributed in six categories, covering over 40 use cases that reflect the most critical questions organizations should ask to their logs: login and access patterns, IAM, cloud provisioning activity, cloud workload usage, data usage and network activity.


To provide coverage against most common threats in the cloud, CSA is an open source project that wants to make security analytics crowdsourced and no longer developed independently by each organization.

The project is a collaboration between Google, MITRE for Threat-Informed Defense and Google customers. The cloud provider recently published an article that covers the new resources and initiatives for autonomic security operations.

Leave a Reply

%d bloggers like this: