Google Cloud unauthorized user activity

gcp

Classification:

compliance

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when unauthorized activity by a user is detected in Google Cloud.

Strategy

Monitor Google Cloud logs and detect when a user account makes an API request and the request returns the status code equal to 7 within the log attribute @data.protoPayload.status.code. The status code 7 indicates the user account did not have permission to make the API call.

Triage and response

  1. Investigate the user:{{@usr.id}} that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.
  2. If unauthorized, revoke access of compromised user account and rotate credentials.

Changelog

22 June 2022 - Updated query, rule case and triage.