Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP IAM - High privileged role added to service account

GCP IAM - High privileged role added to service account

Back
Id86112c4b-2535-4178-aa0e-ed9e32e3f054
RulenameGCP IAM - High privileged role added to service account
DescriptionDetects when high privileged role was added to service account.
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
Version1.0.1
Arm template86112c4b-2535-4178-aa0e-ed9e32e3f054.json
Deploy To Azure
let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
GCP_IAM
| where PayloadMethodname =~ 'SetIamPolicy'
| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
| where action =~ 'ADD'
| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
| where role in~ (privileged_roles)
| project-away action
| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])

relevantTechniques:
- T1078
entityMappings:
- fieldMappings:
  - columnName: PayloadAuthenticationinfoPrincipalemail
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
triggerThreshold: 0
description: |
    'Detects when high privileged role was added to service account.'
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
id: 86112c4b-2535-4178-aa0e-ed9e32e3f054
queryFrequency: 15m
query: |
  let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
  GCP_IAM
  | where PayloadMethodname =~ 'SetIamPolicy'
  | extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
  | where action =~ 'ADD'
  | extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
  | where role in~ (privileged_roles)
  | project-away action
  | extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])  
severity: High
status: Available
queryPeriod: 15m
name: GCP IAM - High privileged role added to service account
tactics:
- PrivilegeEscalation
kind: Scheduled