Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP IAM - New Authentication Token for Service Account

GCP IAM - New Authentication Token for Service Account

Back
Id80e4db30-5636-4fbd-8816-24c3ded8d243
RulenameGCP IAM - New Authentication Token for Service Account
DescriptionDetects when new authentication token is created for service account.
SeverityMedium
TacticsLateralMovement
TechniquesT1550
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml
Version1.0.1
Arm template80e4db30-5636-4fbd-8816-24c3ded8d243.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'
| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
| where result =~ 'true'
| extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
| project-away result
| extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])

relevantTechniques:
- T1550
name: GCP IAM - New Authentication Token for Service Account
requiredDataConnectors:
- dataTypes:
  - GCP_IAM
  connectorId: GCPIAMDataConnector
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: service_account
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
triggerThreshold: 0
id: 80e4db30-5636-4fbd-8816-24c3ded8d243
tactics:
- LateralMovement
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Detects when new authentication token is created for service account.'
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'
  | extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
  | where result =~ 'true'
  | extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
  | project-away result
  | extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80e4db30-5636-4fbd-8816-24c3ded8d243')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80e4db30-5636-4fbd-8816-24c3ded8d243')]",
      "properties": {
        "alertRuleTemplateName": "80e4db30-5636-4fbd-8816-24c3ded8d243",
        "customDetails": null,
        "description": "'Detects when new authentication token is created for service account.'\n",
        "displayName": "GCP IAM - New Authentication Token for Service Account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "service_account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml",
        "query": "GCP_IAM\n| where PayloadMethodname =~ 'google.iam.admin.v1.GenerateAccessToken'\n| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']\n| where result =~ 'true'\n| extend service_account = extract(@'serviceAccounts\\/(.*?)@', 1, PayloadResponseName)\n| project-away result\n| extend AccountName = tostring(split(service_account, \"@\")[0]), AccountUPNSuffix = tostring(split(service_account, \"@\")[1])\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1550"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}