GCP Service Account Deletion

Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.

Elastic rule

[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of
account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business
operations.
"""
false_positives = [
    """
    Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be
    added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Deletion"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 47
rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
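As an added example (not part of the Elastic rule or its repository), the Python below evaluates the rule's three KQL conjuncts against constructed, flattened ECS documents in the shape of the Filebeat gcp.audit fileset, covering the cases a triager should understand: the `v*` wildcard matches both v1 and v2 of the IAM admin API, a denied deletion attempt (event.outcome: failure) does not alert, and DeleteServiceAccountKey is not matched because a KQL wildcard must cover the whole keyword value. The principal and resource field names used for the triage summary are assumed.

```python
import fnmatch

# The three conjuncts of the rule's KQL query, evaluated against flattened ECS documents.
RULE_DATASET = "gcp.audit"
RULE_ACTION_PATTERN = "google.iam.admin.v*.DeleteServiceAccount"  # KQL wildcard, whole-value match
RULE_OUTCOME = "success"


def ev(action, outcome, actor, resource):
    """Build a constructed document in the shape of the Filebeat gcp.audit fileset (not real log data)."""
    return {"event.dataset": "gcp.audit", "event.action": action, "event.outcome": outcome,
            "gcp.audit.authentication_info.principal_email": actor,  # assumed field name
            "gcp.audit.resource_name": resource}                     # assumed field name


SAMPLE_EVENTS = [  # constructed samples
    # v1 API, successful deletion: alerts
    ev("google.iam.admin.v1.DeleteServiceAccount", "success", "admin@example.com",
       "projects/-/serviceAccounts/111111111111111111111"),
    # v2 API: the v* wildcard covers it as well
    ev("google.iam.admin.v2.DeleteServiceAccount", "success", "ci-runner@example.iam.gserviceaccount.com",
       "projects/-/serviceAccounts/222222222222222222222"),
    # denied attempt: event.outcome is failure, so no alert
    ev("google.iam.admin.v1.DeleteServiceAccount", "failure", "intern@example.com",
       "projects/-/serviceAccounts/333333333333333333333"),
    # key deletion, not account deletion: pattern has no trailing wildcard, so no match
    ev("google.iam.admin.v1.DeleteServiceAccountKey", "success", "admin@example.com",
       "projects/-/serviceAccounts/111111111111111111111/keys/abc"),
]


def matches_rule(event):
    """True when the document satisfies all three conjuncts of the rule's query."""
    return (
        event.get("event.dataset") == RULE_DATASET
        # KQL wildcard on a keyword field: case-sensitive and anchored to the whole value
        and fnmatch.fnmatchcase(event.get("event.action", ""), RULE_ACTION_PATTERN)
        and event.get("event.outcome") == RULE_OUTCOME
    )


def find_alerts(events):
    """Run the rule over a batch; return triage summaries (who deleted which account, via which API)."""
    return [{"actor": e["gcp.audit.authentication_info.principal_email"],
             "resource": e["gcp.audit.resource_name"], "action": e["event.action"]}
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"{alert['actor']} deleted {alert['resource']} via {alert['action']}")
```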

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
