GCP IAM - High privileged role added to service account

Back


Id	86112c4b-2535-4178-aa0e-ed9e32e3f054
Rulename	GCP IAM - High privileged role added to service account
Description	Detects when high privileged role was added to service account.
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1078
Required data connectors	GCPIAMDataConnector
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
Version	1.0.0
Arm template	86112c4b-2535-4178-aa0e-ed9e32e3f054.json

KQL

let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
GCP_IAM
| where PayloadMethodname =~ 'SetIamPolicy'
| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
| where action =~ 'ADD'
| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
| where role in~ (privileged_roles)
| project-away action
| extend timestamp = TimeGenerated, AccountCustomEntity = PayloadAuthenticationinfoPrincipalemail, IPCustomEntity = SrcIpAddr

YAML

queryFrequency: 15m
triggerOperator: gt
tactics:
- PrivilegeEscalation
description: |
    'Detects when high privileged role was added to service account.'
status: Available
relevantTechniques:
- T1078
name: GCP IAM - High privileged role added to service account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
severity: High
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
query: |
  let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
  GCP_IAM
  | where PayloadMethodname =~ 'SetIamPolicy'
  | extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
  | where action =~ 'ADD'
  | extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
  | where role in~ (privileged_roles)
  | project-away action
  | extend timestamp = TimeGenerated, AccountCustomEntity = PayloadAuthenticationinfoPrincipalemail, IPCustomEntity = SrcIpAddr  
id: 86112c4b-2535-4178-aa0e-ed9e32e3f054
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
kind: Scheduled
queryPeriod: 15m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "GCP IAM - High privileged role added to service account",
        "description": "'Detects when high privileged role was added to service account.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);\nGCP_IAM\n| where PayloadMethodname =~ 'SetIamPolicy'\n| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']\n| where action =~ 'ADD'\n| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']\n| where role in~ (privileged_roles)\n| project-away action\n| extend timestamp = TimeGenerated, AccountCustomEntity = PayloadAuthenticationinfoPrincipalemail, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "86112c4b-2535-4178-aa0e-ed9e32e3f054",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}