Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GCP IAM - New Authentication Token for Service Account

Back
Id80e4db30-5636-4fbd-8816-24c3ded8d243
RulenameGCP IAM - New Authentication Token for Service Account
DescriptionDetects when new authentication token is created for service account.
SeverityMedium
TacticsLateralMovement
TechniquesT1550
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml
Version1.0.1
Arm template80e4db30-5636-4fbd-8816-24c3ded8d243.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'
| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
| where result =~ 'true'
| extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
| project-away result
| extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])
name: GCP IAM - New Authentication Token for Service Account
tactics:
- LateralMovement
kind: Scheduled
description: |
    'Detects when new authentication token is created for service account.'
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: service_account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml
version: 1.0.1
triggerThreshold: 0
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1550
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
severity: Medium
queryPeriod: 1h
status: Available
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'
  | extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
  | where result =~ 'true'
  | extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
  | project-away result
  | extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])  
id: 80e4db30-5636-4fbd-8816-24c3ded8d243
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80e4db30-5636-4fbd-8816-24c3ded8d243')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80e4db30-5636-4fbd-8816-24c3ded8d243')]",
      "properties": {
        "alertRuleTemplateName": "80e4db30-5636-4fbd-8816-24c3ded8d243",
        "customDetails": null,
        "description": "'Detects when new authentication token is created for service account.'\n",
        "displayName": "GCP IAM - New Authentication Token for Service Account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "service_account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml",
        "query": "GCP_IAM\n| where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'\n| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']\n| where result =~ 'true'\n| extend service_account = extract(@'serviceAccounts\\/(.*?)@', 1, PayloadResponseName)\n| project-away result\n| extend AccountName = tostring(split(service_account, \"@\")[0]), AccountUPNSuffix = tostring(split(service_account, \"@\")[1])\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1550"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}