Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP IAM - New Service Account Key

GCP IAM - New Service Account Key

Back
Idfc135860-8773-4ead-b5be-9789af1ff8ff
RulenameGCP IAM - New Service Account Key
DescriptionDetects new service account key creation.
SeverityLow
TacticsLateralMovement
TechniquesT1550
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency24h
Query period24h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewServiceAccountKey.yaml
Version1.0.1
Arm templatefc135860-8773-4ead-b5be-9789af1ff8ff.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.admin.v1.CreateServiceAccountKey'
| extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
| where result =~ 'true'
| extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
| project-away result
  | extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])

query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.admin.v1.CreateServiceAccountKey'
  | extend result = parse_json(todynamic(PayloadAuthorizationinfo))[0]['granted']
  | where result =~ 'true'
  | extend service_account = extract(@'serviceAccounts\/(.*?)@', 1, PayloadResponseName)
  | project-away result
    | extend AccountName = tostring(split(service_account, "@")[0]), AccountUPNSuffix = tostring(split(service_account, "@")[1])  
description: |
    'Detects new service account key creation.'
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 24h
queryFrequency: 24h
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: service_account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
name: GCP IAM - New Service Account Key
status: Available
id: fc135860-8773-4ead-b5be-9789af1ff8ff
tactics:
- LateralMovement
kind: Scheduled
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewServiceAccountKey.yaml
version: 1.0.1
severity: Low
relevantTechniques:
- T1550