Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP IAM - New Authentication Token for Service Account

GCP IAM - New Authentication Token for Service Account

Back
Id80e4db30-5636-4fbd-8816-24c3ded8d243
RulenameGCP IAM - New Authentication Token for Service Account
DescriptionDetects when new authentication token is created for service account.
SeverityMedium
TacticsLateralMovement
TechniquesT1550
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml
Version1.0.1
Arm template80e4db30-5636-4fbd-8816-24c3ded8d243.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'
| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
| where result =~ 'true'
| extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
| project-away result
| extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])

tactics:
- LateralMovement
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml
status: Available
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
id: 80e4db30-5636-4fbd-8816-24c3ded8d243
triggerOperator: gt
queryPeriod: 1h
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'
  | extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
  | where result =~ 'true'
  | extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
  | project-away result
  | extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])  
version: 1.0.1
name: GCP IAM - New Authentication Token for Service Account
queryFrequency: 1h
triggerThreshold: 0
severity: Medium
description: |
    'Detects when new authentication token is created for service account.'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: service_account
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
relevantTechniques:
- T1550
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80e4db30-5636-4fbd-8816-24c3ded8d243')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80e4db30-5636-4fbd-8816-24c3ded8d243')]",
      "properties": {
        "alertRuleTemplateName": "80e4db30-5636-4fbd-8816-24c3ded8d243",
        "customDetails": null,
        "description": "'Detects when new authentication token is created for service account.'\n",
        "displayName": "GCP IAM - New Authentication Token for Service Account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "service_account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml",
        "query": "GCP_IAM\n| where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'\n| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']\n| where result =~ 'true'\n| extend service_account = extract(@'serviceAccounts\\/(.*?)@', 1, PayloadResponseName)\n| project-away result\n| extend AccountName = tostring(split(service_account, \"@\")[0]), AccountUPNSuffix = tostring(split(service_account, \"@\")[1])\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1550"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}