GCP Access Policy Deleted

 1title: GCP Access Policy Deleted
 2id: 32438676-1dba-4ac7-bf69-b86cba995e05
 3status: experimental
 4description: |
 5    Detects when an access policy that is applied to a GCP cloud resource is deleted.
 6    An adversary would be able to remove access policies to gain access to a GCP cloud resource.    
 7references:
 8    - https://cloud.google.com/access-context-manager/docs/audit-logging
 9    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
10    - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
11author: Bryan Lim
12date: 2024-01-12
13tags:
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.t1098
17logsource:
18    product: gcp
19    service: gcp.audit
20detection:
21    selection:
22        data.protoPayload.authorizationInfo.permission:
23            - 'accesscontextmanager.accessPolicies.delete'
24            - 'accesscontextmanager.accessPolicies.accessLevels.delete'
25            - 'accesscontextmanager.accessPolicies.accessZones.delete'
26            - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'
27        data.protoPayload.authorizationInfo.granted: 'true'
28        data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'
29    condition: selection
30falsepositives:
31    - Legitimate administrative activities
32level: medium

References

• Access Context Manager audit logging information  |  Google Cloud

  

  This document describes audit logging for Access Context Manager. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. For ...

  
  Read More

• Understanding audit logs  |  Cloud Logging  |  Google Cloud

  

  This page describes Cloud Audit Logs log entries in detail: their structure, how to read them, and how to interpret them. Cloud Audit Logs provides the following audit logs for each Google Cloud pr...

  
  Read More

• AuditLog  |  Cloud Logging  |  Google Cloud

  

  serviceName string The name of the API service performing the operation. For example, "compute.googleapis.com". methodName string The name of the service method or operation. For API calls, this sh...

  
  Read More

Related rules

• Bitbucket Global Permission Changed
• User Added to Local Administrator Group
• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group
• A New Trust Was Created To A Domain