GCP IAM Custom Role Creation

calendar Jun 22, 2023 · Domain: Cloud Data Source: GCP Data Source: Google Cloud Platform Use Case: Identity and Access Audit Tactic: Initial Access  ·
Share on: linkedin copy

Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/21"
 3integration = ["gcp"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are
13user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will
14not be updated automatically and could lead to privilege creep if not carefully scrutinized.
15"""
16false_positives = [
17    """
18    Custom role creations may be done by a system or network administrator. Verify whether the user email, resource
19    name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts
20    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
21    """,
22]
23index = ["filebeat-*", "logs-gcp*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "GCP IAM Custom Role Creation"
27note = """## Setup
28
29The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
31risk_score = 47
32rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
33severity = "medium"
34tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
35timestamp_override = "event.ingested"
36type = "query"
37
38query = '''
39event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1078"
47name = "Valid Accounts"
48reference = "https://attack.mitre.org/techniques/T1078/"
49
50
51[rule.threat.tactic]
52id = "TA0001"
53name = "Initial Access"
54reference = "https://attack.mitre.org/tactics/TA0001/"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1078"
59name = "Valid Accounts"
60reference = "https://attack.mitre.org/techniques/T1078/"
61
62
63[rule.threat.tactic]
64id = "TA0003"
65name = "Persistence"
66reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top