Google Cloud Service Account Impersonation activity using access token generation

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect Google Cloud service account impersonation activity through the use of access tokens.

Strategy

Monitor Google Cloud Admin Activity audit logs for event @evt.name:GenerateAccessToken:

  • Successful Attempts: @data.protoPayload.authorizationInfo.granted:true
  • Failed Attempts: @evt.outcome:PERMISSION_DENIED

Triage & Response

  1. Investigate if the user {{@usr.id}} from IP address:{{@network.client.ip}} intended to perform this activity.
  2. If unauthorized:
    • Revoke access of compromised user and service account.
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
    • Investigate other activities performed by the IP {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard.