Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GCP IAM - High privileged role added to service account

Back
Id86112c4b-2535-4178-aa0e-ed9e32e3f054
RulenameGCP IAM - High privileged role added to service account
DescriptionDetects when high privileged role was added to service account.
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
Version1.0.0
Arm template86112c4b-2535-4178-aa0e-ed9e32e3f054.json
Deploy To Azure
let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
GCP_IAM
| where PayloadMethodname =~ 'SetIamPolicy'
| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
| where action =~ 'ADD'
| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
| where role in~ (privileged_roles)
| project-away action
| extend timestamp = TimeGenerated, AccountCustomEntity = PayloadAuthenticationinfoPrincipalemail, IPCustomEntity = SrcIpAddr
id: 86112c4b-2535-4178-aa0e-ed9e32e3f054
name: GCP IAM - High privileged role added to service account
triggerOperator: gt
status: Available
query: |
  let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);
  GCP_IAM
  | where PayloadMethodname =~ 'SetIamPolicy'
  | extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']
  | where action =~ 'ADD'
  | extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']
  | where role in~ (privileged_roles)
  | project-away action
  | extend timestamp = TimeGenerated, AccountCustomEntity = PayloadAuthenticationinfoPrincipalemail, IPCustomEntity = SrcIpAddr  
queryPeriod: 15m
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
severity: High
queryFrequency: 15m
relevantTechniques:
- T1078
version: 1.0.0
kind: Scheduled
tactics:
- PrivilegeEscalation
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
description: |
    'Detects when high privileged role was added to service account.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86112c4b-2535-4178-aa0e-ed9e32e3f054')]",
      "properties": {
        "alertRuleTemplateName": "86112c4b-2535-4178-aa0e-ed9e32e3f054",
        "customDetails": null,
        "description": "'Detects when high privileged role was added to service account.'\n",
        "displayName": "GCP IAM - High privileged role added to service account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMHighPrivilegedRoleAdded.yaml",
        "query": "let privileged_roles = dynamic(['roles/iam.securityAdmin', 'roles/secretmanager.admin', 'roles/secretmanager.secretAccessor', 'roles/apigateway.admin', 'roles/logging.admin', 'roles/iam.organizationRoleAdmin', 'roles/iam.roleAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountCreator', 'roles/iam.serviceAccountKeyAdmin']);\nGCP_IAM\n| where PayloadMethodname =~ 'SetIamPolicy'\n| extend action = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['action']\n| where action =~ 'ADD'\n| extend role = parse_json(todynamic(PayloadServicedataPolicydeltaBindingdeltas))[0]['role']\n| where role in~ (privileged_roles)\n| project-away action\n| extend timestamp = TimeGenerated, AccountCustomEntity = PayloadAuthenticationinfoPrincipalemail, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}