GCP Service Account Deletion
Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of
account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business
operations.
"""
false_positives = [
    """
    Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be
    added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Service Account Deletion

In Google Cloud Platform, service accounts are crucial for enabling applications and VMs to perform authorized actions without user intervention. Adversaries may exploit this by deleting service accounts to disrupt operations or remove access. The detection rule monitors audit logs for successful service account deletions, flagging potential malicious activity to ensure timely investigation and response.

### Possible investigation steps

- Review the audit logs for the specific event.action:google.iam.admin.v*.DeleteServiceAccount to identify the exact time and source of the deletion.
- Identify the user or service account that initiated the deletion by examining the actor information in the audit logs.
- Check the event.dataset:gcp.audit logs for any preceding or subsequent actions by the same user or service account to determine if there is a pattern of suspicious activity.
- Investigate the context of the deleted service account, including its permissions and the resources it had access to, to assess the potential impact of its deletion.
- Contact the relevant team or individual responsible for the service account to verify if the deletion was authorized and intentional.
- If unauthorized, review access controls and consider implementing additional security measures to prevent future unauthorized deletions.

### False positive analysis

- Routine maintenance or updates may involve the deletion and recreation of service accounts. To manage this, create exceptions for known maintenance activities by excluding specific service account names or associated project IDs during these periods.
- Automated scripts or deployment tools might delete and recreate service accounts as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by filtering based on the user or service account executing the script.
- Organizational policy changes or restructuring can lead to legitimate service account deletions. Coordinate with the IT or security team to document these changes and adjust the detection rule to exclude these known events.
- Test environments often involve frequent creation and deletion of service accounts. Exclude test project IDs or environments from the detection rule to prevent unnecessary alerts.

### Response and remediation

- Immediately revoke any permissions associated with the deleted service account to prevent unauthorized access or actions by adversaries exploiting the deletion.
- Restore the deleted service account if possible, using GCP's undelete feature, to minimize disruption to business operations and restore normal functionality.
- Review and audit recent IAM activity logs to identify any unauthorized or suspicious actions that may have preceded or followed the service account deletion.
- Notify the security team and relevant stakeholders about the incident to ensure awareness and facilitate coordinated response efforts.
- Implement additional monitoring on critical service accounts to detect and alert on any further unauthorized deletion attempts.
- Conduct a root cause analysis to determine how the service account deletion was initiated and address any security gaps or misconfigurations that allowed it.
- Enhance access controls and consider implementing multi-factor authentication for actions involving service account management to prevent similar incidents in the future.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 47
rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
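As an added, constructed example (not code from the Elastic rule or its repository), the Python below evaluates the rule's KQL against ECS-shaped sample documents, applies the exceptions the false-positive analysis recommends (known automation principals and test project IDs), and pulls the acting principal's timeline for the investigation steps. The actor and project field names (user.email, cloud.project.id) are assumed mappings, not taken from the page.

```python
import fnmatch

# Constructed sample documents shaped like ECS events from the GCP audit
# integration. Field names for actor/project are assumptions; values are made up.
def ev(ts, action, outcome, actor, project):
    return {"@timestamp": ts, "event": {"dataset": "gcp.audit", "action": action,
            "outcome": outcome}, "user": {"email": actor},
            "cloud": {"project": {"id": project}}}

SAMPLE_EVENTS = [
    ev("2025-01-15T09:58:00Z", "google.iam.admin.v1.ListServiceAccounts", "success",
       "user1@example.com", "prod-payments"),
    ev("2025-01-15T10:02:11Z", "google.iam.admin.v1.DeleteServiceAccount", "success",
       "user1@example.com", "prod-payments"),
    ev("2025-01-15T10:03:40Z", "google.iam.admin.v1.DeleteServiceAccount", "failure",
       "user1@example.com", "prod-payments"),            # denied: outcome != success
    ev("2025-01-15T10:10:00Z", "google.iam.admin.v1.DeleteServiceAccount", "success",
       "deployer@example.iam.gserviceaccount.com", "prod-payments"),  # known CI bot
    ev("2025-01-15T10:12:00Z", "google.iam.admin.v1.DeleteServiceAccount", "success",
       "user2@example.com", "sandbox-test"),              # excluded test project
]

def get(doc, path):
    """Walk a dotted ECS path such as 'event.action'; missing keys give None."""
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def matches_rule(doc):
    """Python equivalent of the rule's KQL: dataset, wildcard action, success."""
    return (get(doc, "event.dataset") == "gcp.audit"
            and fnmatch.fnmatchcase(get(doc, "event.action") or "",
                                    "google.iam.admin.v*.DeleteServiceAccount")
            and get(doc, "event.outcome") == "success")

def alerts(events, allowed_actors=(), excluded_projects=()):
    """Apply the rule, then the exceptions from the false-positive analysis."""
    out = []
    for doc in events:
        if not matches_rule(doc):
            continue
        actor, project = get(doc, "user.email"), get(doc, "cloud.project.id")
        if actor in allowed_actors or project in excluded_projects:
            continue
        out.append({"time": doc["@timestamp"], "actor": actor, "project": project})
    return out

def actor_timeline(events, actor):
    """Triage step: everything the same principal did, ordered by time."""
    return sorted((d["@timestamp"], get(d, "event.action"), get(d, "event.outcome"))
                  for d in events if get(d, "user.email") == actor)

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS, {"deployer@example.iam.gserviceaccount.com"}, {"sandbox-test"}):
        print(a, actor_timeline(SAMPLE_EVENTS, a["actor"]), sep="\n  ")
```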
References
- https://cloud.google.com/iam/docs/service-accounts
Related rules
- GCP IAM Role Deletion
- GCP Service Account Disabled
- GCP IAM Custom Role Creation
- GCP IAM Service Account Key Deletion
- GCP Service Account Creation