GCP Service Account Creation
Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.
Elastic rule
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of
account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security
risk. An adversary may create a new service account to use during their operations in order to avoid using a standard
user account and attempt to evade detection.
"""
false_positives = [
    """
    Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be
    added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Service Account Creation

In GCP, service accounts enable applications and VMs to interact with APIs securely. While essential for automation, they can be exploited if improperly managed. Adversaries might create service accounts to gain persistent access without detection. The detection rule monitors audit logs for successful service account creations, flagging potential unauthorized activities for further investigation.

### Possible investigation steps

- Review the audit logs for the specific event.action:google.iam.admin.v*.CreateServiceAccount to identify the time and source of the service account creation.
- Check the identity of the user or service that initiated the service account creation to determine if it aligns with expected administrative activities.
- Investigate the permissions and roles assigned to the newly created service account to assess if they are excessive or unusual for its intended purpose.
- Correlate the service account creation event with other recent activities in the environment to identify any suspicious patterns or anomalies.
- Verify if the service account is being used by any unauthorized applications or VMs by reviewing recent API calls and access logs associated with the account.

### False positive analysis

- Routine service account creation by automated deployment tools or scripts can trigger false positives. Identify and document these tools, then create exceptions in the monitoring system to exclude these known activities.
- Service accounts created by trusted internal teams for legitimate projects may also be flagged. Establish a process for these teams to notify security personnel of planned service account creations, allowing for pre-approval and exclusion from alerts.
- Scheduled maintenance or updates that involve creating temporary service accounts can result in false positives. Coordinate with IT operations to understand their schedules and adjust monitoring rules to accommodate these activities.
- Third-party integrations that require service accounts might be mistakenly flagged. Maintain an inventory of authorized third-party services and their associated service accounts to quickly verify and exclude these from alerts.

### Response and remediation

- Immediately disable the newly created service account to prevent any unauthorized access or actions.
- Review the IAM policy and permissions associated with the service account to ensure no excessive privileges were granted.
- Conduct a thorough audit of recent activities performed by the service account to identify any suspicious or unauthorized actions.
- Notify the security team and relevant stakeholders about the potential security incident for further investigation and coordination.
- Implement additional monitoring and alerting for service account creations to detect similar activities in the future.
- If malicious activity is confirmed, follow incident response procedures to contain and remediate any impact, including revoking access and conducting a security review of affected resources.
- Document the incident and response actions taken to improve future detection and response capabilities.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 21
rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
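The query in the rule above is the entire detection. What follows is an added example, not code from the Elastic rule, that replays that KQL in Python over a handful of constructed documents shaped like what the GCP integration writes, applies the kind of exception the false-positive guidance asks for, and pulls the fields the investigation steps start from. The placement of the caller identity in client.user.email, the caller address in source.ip and the created account's address in gcp.audit.response.email is assumed from the integration's ECS mapping; every value, the deployer identity in EXPECTED_CREATORS and the v2 API path in the last document are invented for illustration.

```python
"""Replay the rule's KQL over constructed, ECS-shaped GCP audit documents and
pull the fields the investigation steps start from. Added example, not part of
the Elastic rule."""
from fnmatch import fnmatchcase

# Constructed documents shaped like the GCP integration's output for IAM admin
# activity. Where the caller (client.user.email), caller address (source.ip)
# and created account (gcp.audit.response.email) land is assumed; all values
# are invented.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-01-15T09:12:03Z",   # human admin, no exception: alerts
     "event": {"dataset": "gcp.audit", "outcome": "success",
               "action": "google.iam.admin.v1.CreateServiceAccount"},
     "client": {"user": {"email": "alice@example.com"}},
     "source": {"ip": "203.0.113.10"},
     "gcp": {"audit": {"resource_name": "projects/example-prod",
                       "response": {"email": "backup-svc@example-prod.iam.gserviceaccount.com"}}}},
    {"@timestamp": "2025-01-15T09:15:44Z",   # documented CI deployer from its usual address
     "event": {"dataset": "gcp.audit", "outcome": "success",
               "action": "google.iam.admin.v1.CreateServiceAccount"},
     "client": {"user": {"email": "terraform-ci@example-prod.iam.gserviceaccount.com"}},
     "source": {"ip": "198.51.100.7"},
     "gcp": {"audit": {"resource_name": "projects/example-prod",
                       "response": {"email": "app-runner@example-prod.iam.gserviceaccount.com"}}}},
    {"@timestamp": "2025-01-15T09:20:10Z",   # denied attempt: event.outcome is not success
     "event": {"dataset": "gcp.audit", "outcome": "failure",
               "action": "google.iam.admin.v1.CreateServiceAccount"},
     "client": {"user": {"email": "mallory@example.com"}},
     "source": {"ip": "192.0.2.55"},
     "gcp": {"audit": {"resource_name": "projects/example-prod"}}},
    {"@timestamp": "2025-01-15T09:22:31Z",   # key creation: a different action, separate rule
     "event": {"dataset": "gcp.audit", "outcome": "success",
               "action": "google.iam.admin.v1.CreateServiceAccountKey"},
     "client": {"user": {"email": "alice@example.com"}},
     "source": {"ip": "203.0.113.10"},
     "gcp": {"audit": {"resource_name": "projects/example-prod/serviceAccounts/"
                                        "backup-svc@example-prod.iam.gserviceaccount.com"}}},
    {"@timestamp": "2025-01-15T09:30:00Z",   # hypothetical v2 API path, still matched by v*
     "event": {"dataset": "gcp.audit", "outcome": "success",
               "action": "google.iam.admin.v2.CreateServiceAccount"},
     "client": {"user": {"email": "bob@example.com"}},
     "source": {"ip": "192.0.2.99"},
     "gcp": {"audit": {"resource_name": "projects/example-dev",
                       "response": {"email": "scratch@example-dev.iam.gserviceaccount.com"}}}},
]

# Documented, expected creators and the addresses they operate from (invented);
# this is the shape of exception the false_positives guidance asks for.
EXPECTED_CREATORS = {
    "terraform-ci@example-prod.iam.gserviceaccount.com": {"198.51.100.7"},
}

def field(doc, path, default=None):
    """Look up a dotted ECS field name in a nested document."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def matches_rule(doc):
    """Python equivalent of the rule's KQL. The '*' in
    google.iam.admin.v*.CreateServiceAccount covers any API version."""
    return (field(doc, "event.dataset") == "gcp.audit"
            and fnmatchcase(field(doc, "event.action", ""),
                            "google.iam.admin.v*.CreateServiceAccount")
            and field(doc, "event.outcome") == "success")

def is_expected(doc, expected=EXPECTED_CREATORS):
    """Suppress only when both the caller and its source address are known;
    a stolen deployer credential used from elsewhere still alerts."""
    allowed_ips = expected.get(field(doc, "client.user.email"))
    return allowed_ips is not None and field(doc, "source.ip") in allowed_ips

def triage_summary(doc):
    """When, who, from where, in which project, and which account was created:
    the starting points of the investigation steps."""
    return {
        "timestamp": field(doc, "@timestamp"),
        "creator": field(doc, "client.user.email"),
        "source_ip": field(doc, "source.ip"),
        "project": field(doc, "gcp.audit.resource_name"),
        "new_service_account": field(doc, "gcp.audit.response.email"),
    }

def run_rule(docs, expected=EXPECTED_CREATORS):
    """Apply the query, then the exceptions; one triage summary per alert."""
    return [triage_summary(d) for d in docs
            if matches_rule(d) and not is_expected(d, expected)]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Two details worth keeping from the walkthrough: the exception keys on the combination of caller identity and source address rather than on the caller alone, so a stolen deployer credential used from elsewhere still alerts; and the denied attempt is dropped by the event.outcome:success clause, which means failed creation attempts need a separate query if you want to see them.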
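The investigation step on the roles granted to the new account, and the remediation step on reviewing its IAM policy, come down to reading two policy documents: the project policy, which says what the account may do, and the policy on the service account resource itself, which says who may act as it. This added example (not part of the Elastic rule) walks both, using constructed policies in the JSON shape that gcloud projects get-iam-policy and gcloud iam service-accounts get-iam-policy return with --format=json. The service account address, members, etag values and the role sets treated as high risk are assumptions for illustration.

```python
"""Review what a newly created service account can do and who can act as it,
from IAM policy documents in the JSON shape returned by
`gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
Added example, not part of the Elastic rule; policies below are constructed."""

NEW_SA = "backup-svc@example-prod.iam.gserviceaccount.com"  # invented

# Project-level roles that are rarely appropriate for a fresh, single-purpose
# service account (assumed list; tune to your environment).
HIGH_RISK_ROLES = {
    "roles/owner", "roles/editor",
    "roles/iam.serviceAccountKeyAdmin", "roles/iam.serviceAccountTokenCreator",
    "roles/iam.securityAdmin", "roles/resourcemanager.projectIamAdmin",
}
# Roles on the service account resource that let the holder act as it.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin", "roles/iam.workloadIdentityUser",
}

# Constructed project policy: the new account was given roles/editor.
PROJECT_POLICY = {
    "version": 1, "etag": "BwX0example=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:" + NEW_SA,
                     "serviceAccount:terraform-ci@example-prod.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": ["group:sec-team@example.com"]},
    ],
}
# Constructed policy on the service account resource: an identity outside the
# organisation may mint its tokens; one binding carries a condition, which is
# reported but not evaluated here.
SA_POLICY = {
    "version": 3, "etag": "BwY1example=",
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:contractor@example.net"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2025-02-01T00:00:00Z')"}},
    ],
}

def roles_for_member(policy, member):
    """Roles granted to one member in a policy, paired with any binding condition."""
    return [(b["role"], b.get("condition"))
            for b in policy.get("bindings", []) if member in b.get("members", [])]

def who_can_act_as(sa_policy):
    """Identities that can impersonate, sign as, or mint keys for the account."""
    actors = {}
    for b in sa_policy.get("bindings", []):
        if b["role"] in IMPERSONATION_ROLES:
            for m in b.get("members", []):
                actors.setdefault(m, set()).add(b["role"])
    return actors

def assess_service_account(sa_email, project_policy, sa_policy):
    """Summarise the findings the triage steps on roles and permissions need."""
    member = "serviceAccount:" + sa_email
    granted = roles_for_member(project_policy, member)
    return {
        "project_roles": [r for r, _ in granted],
        "high_risk_roles": sorted(r for r, _ in granted if r in HIGH_RISK_ROLES),
        "conditional_roles": [r for r, c in granted if c],
        "can_act_as": {m: sorted(rs) for m, rs in who_can_act_as(sa_policy).items()},
    }

if __name__ == "__main__":
    print(assess_service_account(NEW_SA, PROJECT_POLICY, SA_POLICY))
```

The second policy is the one triage tends to skip: a roles/iam.serviceAccountTokenCreator binding on the account to an identity outside the project lets that identity obtain the account's tokens without ever creating a key, so it belongs next to the project-level grants in the write-up. Conditional bindings are listed but not evaluated; read the expression by hand before deciding whether the grant is still live.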
References
- https://cloud.google.com/iam/docs/service-accounts
Related rules
- GCP IAM Service Account Key Deletion
- GCP Service Account Key Creation
- GCP IAM Custom Role Creation
- GCP IAM Role Deletion
- GCP Service Account Deletion