Microsoft Sentinel Analytic Rules

GCP Security Command Center - Detect projects with API Keys present

Id: 395f3ced-3923-4b83-b05d-8d077fd48c1e
Rulename: GCP Security Command Center - Detect projects with API Keys present
Description: Detects Google Cloud projects that have API Keys present using Security Command Center API_KEY_EXISTS findings.

Projects with API Keys may expose credentials that enable unauthorized access if keys are leaked.
Severity: Medium
Tactics: CredentialAccess
Techniques: T1552
Required data connectors: GoogleSCCDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPAPIKeyExists.yaml
Version: 1.0.0
Arm template: 395f3ced-3923-4b83-b05d-8d077fd48c1e.json
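// Sentinel detection: one row per GCP project/resource/severity that has
// ACTIVE Security Command Center findings of category API_KEY_EXISTS.
// Output columns: TimeGenerated, ProjectId, ProjectName, ResourceName,
// FindingsCount, Severity, ExternalUri, Description.
GoogleCloudSCC
 // Keep only findings SCC still reports as open
 | where tostring(Findings.state) == "ACTIVE"
 | extend FindingCategory = tostring(Findings.category)
 | where FindingCategory == "API_KEY_EXISTS"
 // Findings/FindingsResource are property-accessed above, which implies they
 // arrive as dynamic already; parse_json is kept as a no-op safeguard in case
 // the connector ever delivers them as strings — confirm against the table schema
 | extend FindingsJson = parse_json(Findings), FindingsResourceJson = parse_json(FindingsResource)
 | extend ResourceName = tostring(FindingsJson.resourceName)
 // First path segment after "projects/" in the SCC resource name. NOTE(review):
 // this may be the numeric project number rather than the project id — verify
 // with sample data before relying on it for correlation
 | extend ProjectId = extract(@"projects/([^/]+)", 1, ResourceName)
 | extend ProjectName = tostring(FindingsResourceJson.displayName)
 | extend Severity = tostring(FindingsJson.severity),
          ExternalUri = tostring(FindingsJson.externalUri),
          Description = tostring(FindingsJson.description)
 // Collapse to one row per (ProjectId, ProjectName, Severity, ResourceName).
 // FindingsCount is the number of ACTIVE findings in that group; ExternalUri and
 // Description are a single sample value taken from the group (take_any is the
 // supported replacement for the deprecated any()).
 | summarize TimeGenerated = max(TimeGenerated),
             FindingsCount = count(),
             ExternalUri = take_any(ExternalUri),
             Description = take_any(Description)
   by ProjectId, ProjectName, Severity, ResourceName
 | project TimeGenerated, ProjectId, ProjectName, ResourceName, FindingsCount, Severity, ExternalUri, Description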
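---
# Microsoft Sentinel scheduled analytic rule.
# Alerts on Google Cloud projects/resources for which Security Command Center
# reports ACTIVE findings of category API_KEY_EXISTS (see `query` below).
id: 395f3ced-3923-4b83-b05d-8d077fd48c1e
name: GCP Security Command Center - Detect projects with API Keys present
description: |
  Detects Google Cloud projects that have API Keys present using Security Command Center API_KEY_EXISTS findings.
  Projects with API Keys may expose credentials that enable unauthorized access if keys are leaked.
severity: Medium
requiredDataConnectors:
  - connectorId: GoogleSCCDefinition
    dataTypes:
      - GoogleCloudSCC
# Look-back window equals the run interval, so each run sees only rows ingested
# since the previous run. NOTE(review): confirm whether the connector re-emits
# ACTIVE findings every period or only on change — if only on change, a
# long-standing key alerts once and then stays silent until the finding changes.
queryFrequency: 1h
queryPeriod: 1h
# Any row returned by the query raises an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1552
query: |
  GoogleCloudSCC
   // Keep only findings SCC still reports as open
   | where tostring(Findings.state) == "ACTIVE"
   | extend FindingCategory = tostring(Findings.category)
   | where FindingCategory == "API_KEY_EXISTS"
   // Findings/FindingsResource are property-accessed above, which implies they
   // arrive as dynamic already; parse_json is kept as a no-op safeguard in case
   // the connector ever delivers them as strings — confirm against the table schema
   | extend FindingsJson = parse_json(Findings), FindingsResourceJson = parse_json(FindingsResource)
   | extend ResourceName = tostring(FindingsJson.resourceName)
   // First path segment after "projects/" in the SCC resource name. NOTE(review):
   // this may be the numeric project number rather than the project id — verify
   // with sample data before relying on it for correlation
   | extend ProjectId = extract(@"projects/([^/]+)", 1, ResourceName)
   | extend ProjectName = tostring(FindingsResourceJson.displayName)
   | extend Severity = tostring(FindingsJson.severity),
            ExternalUri = tostring(FindingsJson.externalUri),
            Description = tostring(FindingsJson.description)
   // Collapse to one row per (ProjectId, ProjectName, Severity, ResourceName).
   // FindingsCount is the number of ACTIVE findings in that group; ExternalUri and
   // Description are a single sample value taken from the group (take_any is the
   // supported replacement for the deprecated any()).
   | summarize TimeGenerated = max(TimeGenerated),
               FindingsCount = count(),
               ExternalUri = take_any(ExternalUri),
               Description = take_any(Description)
     by ProjectId, ProjectName, Severity, ResourceName
   | project TimeGenerated, ProjectId, ProjectName, ResourceName, FindingsCount, Severity, ExternalUri, Description
# The project is surfaced as a CloudApplication entity; ProjectId is whatever
# the regex in `query` extracted from the resource name.
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - columnName: ProjectName
        identifier: Name
      - columnName: ProjectId
        identifier: AppId
# Extra fields carried onto the alert; the Sample* values are one finding's
# ExternalUri/Description, not an exhaustive list.
customDetails:
  ProjectId: ProjectId
  ProjectName: ProjectName
  FindingsCount: FindingsCount
  SampleExternalUri: ExternalUri
  SampleDescription: Description
alertDetailsOverride:
  alertDisplayNameFormat: GCP project {{ProjectName}} has API key(s) present
  alertDescriptionFormat: >-
    Project {{ProjectName}} ({{ProjectId}}) has {{FindingsCount}} API key
    finding(s). Review API keys and consider rotating or removing keys and
    using IAM-based authentication.
# Quoted so no parser can reinterpret the version string as a number.
version: "1.0.0"
kind: Scheduled
status: Available
tags:
  - CIS GCP Foundation 3.0 1.12
  - NIST 800-53 R5 PL-8, SA-8
  - PCI-DSS v4.0 2.2.2, 6.2.1
  - ISO-27001 v2022 A.8.27
  - Cloud Controls Matrix 4 DSP-07
  - NIST Cybersecurity Framework 1.0 PR-IP-2
  - CIS Controls 8.0 16.10
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPAPIKeyExists.yaml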