Google Cloud Service Account Modified
Identifies when a service account is modified in Google Cloud.
Sigma rule (View on GitHub)
1title: Google Cloud Service Account Modified
2id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
3status: test
4description: Identifies when a service account is modified in Google Cloud.
5references:
6 - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
7author: Austin Songer @austinsonger
8date: 2021-08-14
9modified: 2022-10-09
10tags:
11 - attack.impact
12logsource:
13 product: gcp
14 service: gcp.audit
15detection:
16 selection:
17 gcp.audit.method_name|endswith:
18 - .serviceAccounts.patch
19 - .serviceAccounts.create
20 - .serviceAccounts.update
21 - .serviceAccounts.enable
22 - .serviceAccounts.undelete
23 condition: selection
24falsepositives:
25 - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26 - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
27level: medium
References
-
REST Resource: projects.serviceAccounts Stay organized with collections Save and categorize content based on your preferences. Resource: ServiceAccount An IAM service account. A service account is ...
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted
- AWS EFS Fileshare Mount Modified or Deleted