Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GCP IAM - High privileged role added to service account

Back
Id86112c4b-2535-4178-aa0e-ed9e32e3f054
RulenameGCP IAM - High privileged role added to service account
DescriptionDetects when high privileged role was added to service account.
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
Version1.0.1
Arm template86112c4b-2535-4178-aa0e-ed9e32e3f054.json
Deploy To Azure
let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
GCP_IAM
| where PayloadMethodname =~ 'SetIamPolicy'
| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
| where action =~ 'ADD'
| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
| where role in~ (privileged_roles)
| project-away action
| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])
id: 86112c4b-2535-4178-aa0e-ed9e32e3f054
relevantTechniques:
- T1078
status: Available
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
triggerThreshold: 0
queryPeriod: 15m
entityMappings:
- fieldMappings:
  - columnName: PayloadAuthenticationinfoPrincipalemail
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
description: |
    'Detects when high privileged role was added to service account.'
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
severity: High
version: 1.0.1
tactics:
- PrivilegeEscalation
kind: Scheduled
name: GCP IAM - High privileged role added to service account
triggerOperator: gt
query: |
  let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
  GCP_IAM
  | where PayloadMethodname =~ 'SetIamPolicy'
  | extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
  | where action =~ 'ADD'
  | extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
  | where role in~ (privileged_roles)
  | project-away action
  | extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "properties": {
        "alertRuleTemplateName": "86112c4b-2535-4178-aa0e-ed9e32e3f054",
        "customDetails": null,
        "description": "'Detects when high privileged role was added to service account.'\n",
        "displayName": "GCP IAM - High privileged role added to service account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "PayloadAuthenticationinfoPrincipalemail",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml",
        "query": "let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);\nGCP_IAM\n| where PayloadMethodname =~ 'SetIamPolicy'\n| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']\n| where action =~ 'ADD'\n| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']\n| where role in~ (privileged_roles)\n| project-away action\n| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[1])\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}