GCP IAM Custom Role Creation

calendar May 22, 2024 · Domain: Cloud Data Source: GCP Data Source: Google Cloud Platform Use Case: Identity and Access Audit Tactic: Initial Access  ·
Share on: linkedin copy

Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/21"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are
11user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will
12not be updated automatically and could lead to privilege creep if not carefully scrutinized.
13"""
14false_positives = [
15    """
16    Custom role creations may be done by a system or network administrator. Verify whether the user email, resource
17    name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts
18    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
19    """,
20]
21index = ["filebeat-*", "logs-gcp*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "GCP IAM Custom Role Creation"
25note = """## Setup
26
27The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
29risk_score = 47
30rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
31severity = "medium"
32tags = [
33    "Domain: Cloud",
34    "Data Source: GCP",
35    "Data Source: Google Cloud Platform",
36    "Use Case: Identity and Access Audit",
37    "Tactic: Initial Access",
38]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1078"
51name = "Valid Accounts"
52reference = "https://attack.mitre.org/techniques/T1078/"
53
54
55[rule.threat.tactic]
56id = "TA0001"
57name = "Initial Access"
58reference = "https://attack.mitre.org/tactics/TA0001/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1078"
63name = "Valid Accounts"
64reference = "https://attack.mitre.org/techniques/T1078/"
65
66
67[rule.threat.tactic]
68id = "TA0003"
69name = "Persistence"
70reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top