GCP Service Account Deletion

Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/22"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of
11account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
12make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
13through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business
14operations.
15"""
16false_positives = [
17    """
18    Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be
19    added to this rule to filter expected behavior.
20    """,
21]
22index = ["filebeat-*", "logs-gcp*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "GCP Service Account Deletion"
26note = """## Setup
27
28The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = ["https://cloud.google.com/iam/docs/service-accounts"]
30risk_score = 47
31rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
32severity = "medium"
33tags = [
34    "Domain: Cloud",
35    "Data Source: GCP",
36    "Data Source: Google Cloud Platform",
37    "Use Case: Identity and Access Audit",
38    "Tactic: Impact",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1531"
52name = "Account Access Removal"
53reference = "https://attack.mitre.org/techniques/T1531/"
54
55
56[rule.threat.tactic]
57id = "TA0040"
58name = "Impact"
59reference = "https://attack.mitre.org/tactics/TA0040/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top