GCP Access Policy Deleted

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

Sigma rule (View on GitHub)

 1title: GCP Access Policy Deleted
 2id: 32438676-1dba-4ac7-bf69-b86cba995e05
 3status: test
 4description: |
 5    Detects when an access policy that is applied to a GCP cloud resource is deleted.
 6    An adversary would be able to remove access policies to gain access to a GCP cloud resource.    
 7references:
 8    - https://cloud.google.com/access-context-manager/docs/audit-logging
 9    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
10    - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
11author: Bryan Lim
12date: 2024-01-12
13tags:
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.t1098
17logsource:
18    product: gcp
19    service: gcp.audit
20detection:
21    selection:
22        data.protoPayload.authorizationInfo.permission:
23            - 'accesscontextmanager.accessPolicies.delete'
24            - 'accesscontextmanager.accessPolicies.accessLevels.delete'
25            - 'accesscontextmanager.accessPolicies.accessZones.delete'
26            - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'
27        data.protoPayload.authorizationInfo.granted: 'true'
28        data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'
29    condition: selection
30falsepositives:
31    - Legitimate administrative activities
32level: medium

References

Related rules

to-top