GCP Service Account Disabled

Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt their target's business operations.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of
account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
through domain-wide delegation. An adversary may disable a service account in order to disrupt their target's
business operations.
"""
false_positives = [
    """
    Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be
    added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Disabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Service Account Disabled

In Google Cloud Platform, service accounts are crucial for applications and VMs to perform authorized actions without user intervention. Adversaries may disable these accounts to disrupt services, impacting business operations. The detection rule identifies successful disablement actions in audit logs by filtering the GCP audit dataset on the DisableServiceAccount method name with a successful outcome, enabling timely investigation and response.

### Possible investigation steps

- Review the audit logs for the specific event.action:google.iam.admin.v*.DisableServiceAccount to identify the exact time and source of the disablement action.
- Identify the user or service account that performed the disablement by examining the actor information in the audit logs.
- Check for any recent changes or unusual activities associated with the disabled service account, such as modifications to permissions or roles.
- Investigate any related events or actions in the audit logs around the same timeframe to identify potential patterns or additional suspicious activities, in particular whether the same actor disabled several service accounts in quick succession.
- Assess the impact of the disabled service account on business operations by determining which applications or services were using the account.
- Contact relevant stakeholders or application owners to verify if the disablement was authorized or if it was an unexpected action.

### False positive analysis

- Routine maintenance activities by administrators may involve disabling service accounts temporarily. To manage this, create exceptions for known maintenance periods or specific administrator actions.
- Automated scripts or tools used for testing or deployment might disable service accounts as part of their process. Identify these scripts and exclude their actions from triggering alerts by using specific identifiers or tags.
- Organizational policy changes or restructuring might lead to intentional service account disablement. Document these changes and update the detection rule to recognize these legitimate actions.
- Service accounts associated with deprecated or retired applications may be disabled as part of cleanup efforts. Maintain an updated list of such applications and exclude related disablement actions from alerts.

### Response and remediation

- Identify the principal that performed the disablement from the actor fields of the audit log; if it is not an approved administrator or automation identity, contain it immediately (revoke its IAM roles or suspend the user) to prevent further account access removal.
- Review the audit logs to identify any other suspicious activities associated with the disabled service account and assess the potential impact on business operations.
- Re-enable the service account if it is determined to be legitimate and necessary for business functions, ensuring that it is secured with appropriate permissions and monitoring.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring and alerting for similar disablement actions on service accounts to detect and respond to future incidents promptly.
- Conduct a root cause analysis to understand how the service account was disabled and address any security gaps or misconfigurations that allowed the incident to occur.
- Consider additional safeguards such as restricting the roles that grant the iam.serviceAccounts.disable permission to a small set of administrators under least privilege, and requiring multi-factor authentication for those human administrators (service accounts themselves do not use MFA).

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 47
rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
...
```
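The rule's KQL is a conjunctive filter over three ECS fields, and the investigation steps then need the actor, target and time from the same document. The following Python is an added example, not code from Elastic or from the rule's own test data: it re-implements the rule's predicate over a handful of constructed audit events in the ECS shape the GCP integration emits, applies an exception list for approved automation (the false-positive case the rule describes), and adds one check the rule itself does not perform, namely whether a single actor disabled several service accounts within a short window, which is what T1531 looks like at scale. The field paths `gcp.audit.authentication_info.principal_email` and `gcp.audit.resource_name`, the sample identities and project names, and the `APPROVED_AUTOMATION` list are all assumptions made for illustration; check the field paths against your own ingest pipeline.

```python
# Added example: evaluate the GCP Service Account Disabled rule over constructed events.
# Not Elastic's code. The gcp.audit.* field paths are assumed from the integration's
# ECS mapping; the identities, projects and timestamps are made up for this example.
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# The three clauses of the rule's KQL query.
RULE_DATASET = "gcp.audit"
RULE_ACTION_PATTERN = "google.iam.admin.v*.DisableServiceAccount"
RULE_OUTCOME = "success"


def _evt(ts, action, outcome, actor, target, dataset=RULE_DATASET, ip="203.0.113.10"):
    """Build one constructed audit event in the nested ECS document shape."""
    return {
        "@timestamp": ts,
        "event": {"dataset": dataset, "action": action, "outcome": outcome},
        "gcp": {"audit": {
            "authentication_info": {"principal_email": actor},  # assumed field path
            "resource_name": target,                            # assumed field path
        }},
        "source": {"ip": ip},
    }


SA = "projects/demo-prod/serviceAccounts/{}@demo-prod.iam.gserviceaccount.com"
DISABLE = "google.iam.admin.v1.DisableServiceAccount"

# Constructed sample log: two disables by one human under a minute apart, a denied
# attempt, an enable, an approved automation identity, and a wrong-dataset decoy.
SAMPLE_EVENTS = [
    _evt("2025-03-04T10:15:00Z", DISABLE, "success", "alice@example.com", SA.format("billing-sync")),
    _evt("2025-03-04T10:15:42Z", DISABLE, "success", "alice@example.com", SA.format("etl-runner")),
    _evt("2025-03-04T10:16:05Z", DISABLE, "failure", "bob@example.com", SA.format("ci-deploy")),
    _evt("2025-03-04T10:20:00Z", "google.iam.admin.v1.EnableServiceAccount", "success",
         "alice@example.com", SA.format("billing-sync")),
    _evt("2025-03-04T11:00:00Z", DISABLE, "success",
         "sa-lifecycle@demo-tools.iam.gserviceaccount.com", SA.format("legacy-app")),
    _evt("2025-03-04T11:05:00Z", DISABLE, "success", "carol@example.com", SA.format("reporting"),
         dataset="gcp.firewall"),
]
# Hypothetical exception list: automation that is allowed to retire service accounts.
APPROVED_AUTOMATION = frozenset({"sa-lifecycle@demo-tools.iam.gserviceaccount.com"})


def get_path(doc, path, default=None):
    """Resolve a dotted ECS field path against a nested dict."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matches_rule(event):
    """Python equivalent of the rule's KQL. KQL's * is a wildcard on the keyword
    field, so a case-sensitive fnmatch mirrors it (v1, v2, ... all match)."""
    return (get_path(event, "event.dataset") == RULE_DATASET
            and fnmatch.fnmatchcase(get_path(event, "event.action", ""), RULE_ACTION_PATTERN)
            and get_path(event, "event.outcome") == RULE_OUTCOME)


def triage_fields(event):
    """The fields the investigation guide asks for first: when, who, what, from where."""
    return {
        "time": get_path(event, "@timestamp"),
        "actor": get_path(event, "gcp.audit.authentication_info.principal_email"),
        "target": get_path(event, "gcp.audit.resource_name"),
        "source_ip": get_path(event, "source.ip"),
    }


def run_rule(events, approved_actors=frozenset()):
    """Alerts (triage records) for matching events, minus actors on the exception list."""
    alerts = [triage_fields(e) for e in events if matches_rule(e)]
    return [a for a in alerts if a["actor"] not in approved_actors]


def mass_disable_actors(alerts, window=timedelta(minutes=10), threshold=2):
    """Actors who disabled at least `threshold` distinct service accounts inside `window`.
    The rule alerts per event; this is the "related events in the same timeframe" step,
    and a burst of disables is the T1531 pattern that does the most damage."""
    by_actor = defaultdict(list)
    for a in alerts:
        t = datetime.fromisoformat(a["time"].replace("Z", "+00:00"))
        by_actor[a["actor"]].append((t, a["target"]))
    flagged = {}
    for actor, items in by_actor.items():
        items.sort()
        for t0, _ in items:  # slide the window from each event's timestamp
            targets = {tgt for t, tgt in items if t0 <= t <= t0 + window}
            if len(targets) >= threshold:
                flagged[actor] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS, APPROVED_AUTOMATION)
    for hit in hits:
        print(hit)
    print("mass disablement:", mass_disable_actors(hits))
```

Run as a script it prints the two alerts for alice and flags her as having disabled two distinct service accounts within ten minutes; the approved automation identity, the denied attempt, the EnableServiceAccount call and the event from the wrong dataset produce nothing. In a real deployment the exception would be expressed as a rule exception on the actor field rather than in code, and the burst check would be a threshold rule over the same dataset.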
