GCP Unauthorized User Activity
Rapport de recherche Datadog : Bilan sur l'adoption de l'informatique sans serveur Rapport : Bilan sur l'adoption de l'informatique sans serveur
<  Back to rules search

GCP Unauthorized User Activity

Classification:

compliance

Set up the gcp integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Overview

Goal

Detect when unauthorized activity by a user is detected in GCP

Strategy

Monitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to 7 within the log attribute @data.protoPayload.status.code. The status code 7 indicates the user account did not have permission to make the API call.

Triage & Response

  1. Determine the user who made the unauthorized calls.
  2. Determine if there is a misconfiguration in IAM permissions or whether an attacker has compromised the user account.