Community Security Analytics (CSA) is a set of open-sourced queries and rules published by Google for self-service security analytics, intended to help detect common cloud-based threats.
Security Operations teams can use CSA to analyze Google Cloud logs to audit recent behavior and help detect threats to workloads.
The queries are mapped to the MITRE ATT&CK framework of tactics, techniques and procedures, so teams can check which techniques the analytics cover and whether they will be effective in their own environment. The queries can be run with either cloud-native or third-party analytics tools.
The initial release features detections in the form of YARA-L rules for Chronicle, and SQL queries for BigQuery, with more formats to follow.
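As an added illustration of what one of these BigQuery queries looks like (this is example code written for this page, not a query from the CSA repository), the following BigQuery Standard SQL runs over Cloud Audit Logs exported to BigQuery through a log sink and surfaces user-managed service account key creation, an activity that maps to MITRE ATT&CK T1098.001 (Account Manipulation: Additional Cloud Credentials). The dataset name `my_project.logs_dataset` is a placeholder; the table name `cloudaudit_googleapis_com_activity` and the `protopayload_auditlog` column names follow the standard Cloud Audit Log export schema, and the 7-day window and the per-actor threshold of 3 keys are assumptions chosen for this example.

```sql
-- Added example, not part of the CSA repository.
-- Detection: user-managed service account key creation in the Admin Activity audit log.
-- ATT&CK mapping: T1098.001 Account Manipulation: Additional Cloud Credentials.
-- Assumed sink destination: dataset `my_project.logs_dataset` (placeholder),
-- default export table name `cloudaudit_googleapis_com_activity`.

WITH key_creations AS (
  SELECT
    timestamp,
    resource.labels.project_id                                AS project_id,
    protopayload_auditlog.authenticationInfo.principalEmail   AS actor,
    protopayload_auditlog.requestMetadata.callerIp            AS caller_ip,
    protopayload_auditlog.resourceName                        AS service_account,
    protopayload_auditlog.methodName                          AS method
  FROM `my_project.logs_dataset.cloudaudit_googleapis_com_activity`
  WHERE
    -- look back over the last 7 days (assumed window; tune to your retention and SLA)
    timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
    AND protopayload_auditlog.serviceName = 'iam.googleapis.com'
    AND protopayload_auditlog.methodName = 'google.iam.admin.v1.CreateServiceAccountKey'
),

-- Triage view: which principals created keys, how many, and for which accounts.
per_actor AS (
  SELECT
    actor,
    COUNT(*)                                  AS keys_created,
    COUNT(DISTINCT service_account)           AS distinct_service_accounts,
    ARRAY_AGG(DISTINCT caller_ip IGNORE NULLS) AS caller_ips,
    MIN(timestamp)                            AS first_seen,
    MAX(timestamp)                            AS last_seen
  FROM key_creations
  GROUP BY actor
)

SELECT *
FROM per_actor
-- Assumed threshold: flag principals that minted 3 or more keys in the window.
-- Lower it to 1 if any user-managed key creation is unexpected in your org.
WHERE keys_created >= 3
ORDER BY keys_created DESC, last_seen DESC
```

If the sink was created with daily-sharded tables rather than a partitioned table, query `cloudaudit_googleapis_com_activity_*` and restrict `_TABLE_SUFFIX` to the same date range to keep the scan cheap. Each row in `per_actor` is a candidate for correlation with Security Command Center findings on the same principal or service account, which is the workflow the next paragraph describes.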
CSA can also be used to investigate high-fidelity security findings from Security Command Center (SCC) which can then be correlated with logs for decision-making.
“CSA is not meant to be a comprehensive, managed set of threat detections, but a collection of community-contributed sample analytics to give examples of essential detective controls, based on cloud techniques,” Roy Arsan, solutions architect, and Iman Ghanizada wrote in a blog post.
“By capturing our collective knowledge of cloud threats in this central repository, we’re aiming to drive towards a future where security analytics are no longer developed ad-hoc per organization, but rather – crowdsourced and minimally modified to provide the coverage against the threats our customers face in the cloud.”