<  Back to rules search

GCP unauthorized user activity





Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.


Detect when unauthorized activity by a user is detected in GCP.


Monitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to 7 within the log attribute @data.protoPayload.status.code. The status code 7 indicates the user account did not have permission to make the API call.

Triage and response

  1. Investigate the user:{{@usr.id}} that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.
  2. If unauthorized, revoke access of compromised user account and rotate credentials.


22 June 2022 - Updated query, rule case and triage.