GCP Service Account Disabled
Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt their target's business operations.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of
account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
through domain-wide delegation. An adversary may disable a service account in order to disrupt their target's
business operations.
"""
false_positives = [
    """
    Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be
    added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Disabled"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 47
rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
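To make the query's matching behaviour concrete, the following is an added example (not Elastic's code and not part of the rule) that replays the three KQL clauses in plain Python over a handful of constructed, ECS-style flattened GCP audit documents. It shows the exact match on `event.dataset`, the `v*` wildcard on the IAM API version in `event.action`, the success-only filter, and an allow-list that mirrors the rule's false-positive note about expected administrative disables. The field names `user.email` and `gcp.audit.resource_name`, the sample principals and project name, and the `expected_actors` allow-list are all assumptions chosen for the demonstration.

```python
"""Replay of the 'GCP Service Account Disabled' rule logic over constructed events.

Added example, not Elastic's code. It mimics the KQL query

    event.dataset:gcp.audit and
    event.action:google.iam.admin.v*.DisableServiceAccount and
    event.outcome:success

so the matching behaviour (exact field match, wildcard on the API version,
success-only) can be inspected offline. The sample events and the
``user.email`` / ``gcp.audit.resource_name`` keys are assumptions chosen to
resemble ECS-flattened GCP audit documents.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample events (not captured from a real project).
SAMPLE_EVENTS: List[Event] = [
    {   # 1. Disable via the v1 API, succeeded -> should alert
        "event.dataset": "gcp.audit",
        "event.action": "google.iam.admin.v1.DisableServiceAccount",
        "event.outcome": "success",
        "user.email": "alice@example.com",
        "gcp.audit.resource_name": "projects/demo/serviceAccounts/build@demo.iam.gserviceaccount.com",
    },
    {   # 2. Same call but denied by IAM -> no alert (event.outcome is not "success")
        "event.dataset": "gcp.audit",
        "event.action": "google.iam.admin.v1.DisableServiceAccount",
        "event.outcome": "failure",
        "user.email": "mallory@example.com",
        "gcp.audit.resource_name": "projects/demo/serviceAccounts/build@demo.iam.gserviceaccount.com",
    },
    {   # 3. Re-enable rather than disable -> no alert
        "event.dataset": "gcp.audit",
        "event.action": "google.iam.admin.v1.EnableServiceAccount",
        "event.outcome": "success",
        "user.email": "alice@example.com",
        "gcp.audit.resource_name": "projects/demo/serviceAccounts/build@demo.iam.gserviceaccount.com",
    },
    {   # 4. Wrong dataset -> no alert even though the action matches
        "event.dataset": "gcp.firewall",
        "event.action": "google.iam.admin.v1.DisableServiceAccount",
        "event.outcome": "success",
        "user.email": "alice@example.com",
    },
    {   # 5. Different API version; the v* wildcard still matches -> should alert
        "event.dataset": "gcp.audit",
        "event.action": "google.iam.admin.v2beta1.DisableServiceAccount",
        "event.outcome": "success",
        "user.email": "sa-lifecycle@demo.iam.gserviceaccount.com",
        "gcp.audit.resource_name": "projects/demo/serviceAccounts/old@demo.iam.gserviceaccount.com",
    },
]

# The event.action clause of the rule; KQL '*' matches any run of characters.
ACTION_PATTERN = "google.iam.admin.v*.DisableServiceAccount"


def matches_rule(event: Event) -> bool:
    """Return True when an event satisfies all three clauses of the KQL query."""
    return (
        event.get("event.dataset") == "gcp.audit"
        # fnmatch's '*' behaves like the KQL wildcard for this pattern.
        and fnmatchcase(event.get("event.action", ""), ACTION_PATTERN)
        and event.get("event.outcome") == "success"
    )


def find_alerts(events: Iterable[Event]) -> List[Event]:
    """All events that would raise this rule, in input order."""
    return [e for e in events if matches_rule(e)]


def apply_exceptions(alerts: Iterable[Event], expected_actors: Iterable[str]) -> List[Event]:
    """Drop alerts raised by principals known to disable accounts legitimately.

    Mirrors the rule's false-positive note: administrators or a lifecycle
    automation may disable service accounts, and exceptions can be added for
    that expected behaviour. ``expected_actors`` is an assumed allow-list.
    """
    allowed = set(expected_actors)
    return [a for a in alerts if a.get("user.email") not in allowed]


if __name__ == "__main__":
    hits = find_alerts(SAMPLE_EVENTS)
    for hit in hits:
        print(f"ALERT {hit['user.email']} disabled {hit.get('gcp.audit.resource_name')}")
    remaining = apply_exceptions(hits, ["sa-lifecycle@demo.iam.gserviceaccount.com"])
    print(f"{len(hits)} matches, {len(remaining)} after exceptions")
```

Running the script reports two matches (events 1 and 5) and one remaining alert once the assumed lifecycle automation principal is excepted; the denied call in event 2 is dropped by the `event.outcome:success` clause, so a failed disable attempt would need a separate rule if it matters to you.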
References
- https://cloud.google.com/iam/docs/service-accounts
Related rules
- GCP IAM Role Deletion
- GCP Service Account Deletion
- GCP IAM Custom Role Creation
- GCP IAM Service Account Key Deletion
- GCP Service Account Creation