GCP Service Account Creation

Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.

Elastic rule

```toml
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of
account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security
risk. An adversary may create a new service account to use during their operations in order to avoid using a standard
user account and attempt to evade detection.
"""
false_positives = [
    """
    Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be
    added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Creation"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 21
rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
severity = "low"
tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
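To show what the rule's three KQL clauses actually select, here is an added Python example (not Elastic's code) that applies the same match logic to a handful of constructed ECS-shaped GCP audit events and flags which hits come from an allowlisted principal, the kind of exception the rule's false-positive note refers to. The field names user.email and gcp.audit.resource_name are assumed to be what the GCP integration populates; the events and the allowlist are made up for the demonstration.

```python
import fnmatch

# Rule clauses, mirrored from the KQL on this page. The event.action clause
# carries a wildcard so v1 and any later IAM admin API version both match.
RULE = {"event.dataset": "gcp.audit",
        "event.action": "google.iam.admin.v*.CreateServiceAccount",
        "event.outcome": "success"}

def get_field(event, dotted):
    """Walk a dotted ECS field name (e.g. 'event.action') through nested dicts."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event):
    """True when every clause matches; fnmatch supplies the KQL-style '*' wildcard."""
    return all(fnmatch.fnmatchcase(str(get_field(event, f) or ""), pattern)
               for f, pattern in RULE.items())

def triage(events, expected_principals):
    """One finding per matching event; 'expected' marks allowlisted creators so an
    analyst can focus on service accounts created by anyone else."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        principal = get_field(ev, "user.email")          # assumed field name
        findings.append({"principal": principal,
                         "created": get_field(ev, "gcp.audit.resource_name"),  # assumed
                         "expected": principal in expected_principals})
    return findings

def gcp_event(action, outcome, principal, sa):
    """Build a constructed sample event in the shape the integration would index."""
    return {"event": {"dataset": "gcp.audit", "action": action, "outcome": outcome},
            "user": {"email": principal},
            "gcp": {"audit": {"resource_name": f"projects/demo/serviceAccounts/{sa}"}}}

# Constructed sample events, not real audit data: two hits (v1 and v2 API), a failed
# attempt, a deletion, and an unrelated AWS event that the dataset clause excludes.
SAMPLE_EVENTS = [
    gcp_event("google.iam.admin.v1.CreateServiceAccount", "success", "admin@example.com", "ci-bot@demo.iam.gserviceaccount.com"),
    gcp_event("google.iam.admin.v1.CreateServiceAccount", "failure", "intern@example.com", "x@demo.iam.gserviceaccount.com"),
    gcp_event("google.iam.admin.v1.DeleteServiceAccount", "success", "admin@example.com", "old@demo.iam.gserviceaccount.com"),
    gcp_event("google.iam.admin.v2.CreateServiceAccount", "success", "unknown@example.com", "svc-2@demo.iam.gserviceaccount.com"),
    {"event": {"dataset": "aws.cloudtrail", "action": "CreateUser", "outcome": "success"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {"admin@example.com"}):
        print("expected" if f["expected"] else "REVIEW  ", f["principal"], "->", f["created"])
```

Failed creation attempts are deliberately not matched by the rule (event.outcome:success); if you want visibility into denied attempts, that is a separate rule rather than an exception here.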

References

https://cloud.google.com/iam/docs/service-accounts