Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GCP IAM - High privileged role added to service account

Back
Id86112c4b-2535-4178-aa0e-ed9e32e3f054
RulenameGCP IAM - High privileged role added to service account
DescriptionDetects when high privileged role was added to service account.
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
Version1.0.1
Arm template86112c4b-2535-4178-aa0e-ed9e32e3f054.json
Deploy To Azure
let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
GCP_IAM
| where PayloadMethodname =~ 'SetIamPolicy'
| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
| where action =~ 'ADD'
| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
| where role in~ (privileged_roles)
| project-away action
| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])
query: |
  let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
  GCP_IAM
  | where PayloadMethodname =~ 'SetIamPolicy'
  | extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
  | where action =~ 'ADD'
  | extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
  | where role in~ (privileged_roles)
  | project-away action
  | extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])  
description: |
    'Detects when high privileged role was added to service account.'
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - GCP_IAM
  connectorId: GCPIAMDataConnector
name: GCP IAM - High privileged role added to service account
relevantTechniques:
- T1078
queryPeriod: 15m
severity: High
triggerOperator: gt
version: 1.0.1
queryFrequency: 15m
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: PayloadAuthenticationinfoPrincipalemail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
kind: Scheduled
status: Available
tactics:
- PrivilegeEscalation
id: 86112c4b-2535-4178-aa0e-ed9e32e3f054
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "properties": {
        "alertRuleTemplateName": "86112c4b-2535-4178-aa0e-ed9e32e3f054",
        "customDetails": null,
        "description": "'Detects when high privileged role was added to service account.'\n",
        "displayName": "GCP IAM - High privileged role added to service account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "PayloadAuthenticationinfoPrincipalemail",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml",
        "query": "let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);\nGCP_IAM\n| where PayloadMethodname =~ 'SetIamPolicy'\n| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']\n| where action =~ 'ADD'\n| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']\n| where role in~ (privileged_roles)\n| project-away action\n| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[1])\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}