GCP Access Policy Deleted

 1title: GCP Access Policy Deleted
 2id: 32438676-1dba-4ac7-bf69-b86cba995e05
 3status: experimental
 4description: |
 5    Detects when an access policy that is applied to a GCP cloud resource is deleted.
 6    An adversary would be able to remove access policies to gain access to a GCP cloud resource.    
 7references:
 8    - https://cloud.google.com/access-context-manager/docs/audit-logging
 9    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
10    - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
11author: Bryan Lim
12date: 2024/01/12
13tags:
14    - attack.persistence
15    - attack.privilege_escalation
16    - attack.t1098
17logsource:
18    product: gcp
19    service: gcp.audit
20detection:
21    selection:
22        data.protoPayload.authorizationInfo.permission:
23            - 'accesscontextmanager.accessPolicies.delete'
24            - 'accesscontextmanager.accessPolicies.accessLevels.delete'
25            - 'accesscontextmanager.accessPolicies.accessZones.delete'
26            - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'
27        data.protoPayload.authorizationInfo.granted: 'true'
28        data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'
29    condition: selection
30falsepositives:
31    - Legitimate administrative activities
32level: medium

References

• Access Context Manager audit logging information  |  Google Cloud

  

  This document describes the audit logs created by Access Context Manager as part of Cloud Audit Logs. Overview Google Cloud services write audit logs to help you answer the questions, "Who did what...

  
  Read More

• Understanding audit logs  |  Cloud Logging  |  Google Cloud

  

  This page describes Cloud Audit Logs log entries in detail: their structure, how to read them, and how to interpret them. Cloud Audit Logs provides the following audit logs for each Google Cloud pr...

  
  Read More

• AuditLog  |  Cloud Logging  |  Google Cloud

  

  serviceName string The name of the API service performing the operation. For example, "compute.googleapis.com". methodName string The name of the service method or operation. For API calls, this sh...

  
  Read More

Related rules

• Google Workspace Application Access Level Modified
• Creation Of Non-Existent System DLL
• Potential DLL Sideloading Of Non-Existent DLLs From System Folders
• Uncommon Extension Shim Database Installation Via Sdbinst.EXE
• PSEXEC Remote Execution File Artefact