GCP IAM - New Service Account Key

Back


Id	fc135860-8773-4ead-b5be-9789af1ff8ff
Rulename	GCP IAM - New Service Account Key
Description	Detects new service account key creation.
Severity	Low
Tactics	LateralMovement
Techniques	T1550
Required data connectors	GCPIAMDataConnector
Kind	Scheduled
Query frequency	24h
Query period	24h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewServiceAccountKey.yaml
Version	1.0.1
Arm template	fc135860-8773-4ead-b5be-9789af1ff8ff.json

KQL

GCP_IAM
| where PayloadMethodname =~ 'google.iam.admin.v1.CreateServiceAccountKey'
| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
| where result =~ 'true'
| extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
| project-away result
  | extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])

YAML

relevantTechniques:
- T1550
name: GCP IAM - New Service Account Key
requiredDataConnectors:
- dataTypes:
  - GCP_IAM
  connectorId: GCPIAMDataConnector
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: service_account
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
triggerThreshold: 0
id: fc135860-8773-4ead-b5be-9789af1ff8ff
tactics:
- LateralMovement
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewServiceAccountKey.yaml
queryPeriod: 24h
kind: Scheduled
queryFrequency: 24h
severity: Low
status: Available
description: |
    'Detects new service account key creation.'
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.admin.v1.CreateServiceAccountKey'
  | extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
  | where result =~ 'true'
  | extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
  | project-away result
    | extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc135860-8773-4ead-b5be-9789af1ff8ff')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc135860-8773-4ead-b5be-9789af1ff8ff')]",
      "properties": {
        "alertRuleTemplateName": "fc135860-8773-4ead-b5be-9789af1ff8ff",
        "customDetails": null,
        "description": "'Detects new service account key creation.'\n",
        "displayName": "GCP IAM - New Service Account Key",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "service_account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewServiceAccountKey.yaml",
        "query": "GCP_IAM\n| where PayloadMethodname =~ 'google.iam.admin.v1.CreateServiceAccountKey'\n| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']\n| where result =~ 'true'\n| extend service_account = extract(@'serviceAccounts\\/(.*?)@', 1, PayloadResponseName)\n| project-away result\n  | extend AccountName = tostring(split(service_account, \"@\")[0]), AccountUPNSuffix = tostring(split(service_account, \"@\")[1])\n",
        "queryFrequency": "PT24H",
        "queryPeriod": "PT24H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1550"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}