Access denied for GCP Service Account

gcp

Classification: attack

Tactic:

Technique:

Goal

Detect when a GCP service account (@usr.id:*.iam.gserviceaccount.com) exhibits access-denied behavior that deviates from its normal pattern.

Strategy

Inspect the GCP service account (@usr.id:*.iam.gserviceaccount.com) for errors (@data.protoPayload.status.code:7) caused by denied permissions (@evt.outcome). Anomaly detection baselines each service account and generates a security signal when a service account deviates from its baseline.
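The per-account baselining described above can be sketched offline as follows. This is an added example, not the rule's own implementation or the product's anomaly algorithm. Assumptions: the account identity is read from the audit log field `protoPayload.authenticationInfo.principalEmail`, the buckets are hourly, the threshold is `max(floor, mean + k * stddev)`, and all account names and log lines are constructed.

```python
import json
from collections import Counter, defaultdict
from statistics import mean, pstdev

PERMISSION_DENIED = 7  # google.rpc.Code matched by status.code:7 in the rule
SA_SUFFIX = ".iam.gserviceaccount.com"

def denied_per_hour(lines):
    """Count PERMISSION_DENIED audit entries per service account per hour."""
    counts = defaultdict(Counter)
    for line in lines:
        try:
            entry = json.loads(line)
            payload = entry["protoPayload"]
            who = payload["authenticationInfo"]["principalEmail"]
            hour = entry["timestamp"][:13]  # e.g. "2024-01-01T06"
        except (ValueError, KeyError, TypeError):
            continue  # malformed or non-audit line
        if who.endswith(SA_SUFFIX) and payload.get("status", {}).get("code") == PERMISSION_DENIED:
            counts[who][hour] += 1
    return counts

def anomalies(counts, baseline_hours, current_hour, k=3.0, floor=5):
    """Flag accounts above max(floor, mean + k * stddev) of their own history (assumed threshold)."""
    flagged = {}
    for who, per_hour in counts.items():
        history = [per_hour.get(h, 0) for h in baseline_hours]
        threshold = max(floor, mean(history) + k * pstdev(history))
        if per_hour.get(current_hour, 0) > threshold:
            flagged[who] = (per_hour[current_hour], round(threshold, 2))
    return flagged

# Constructed sample data (not real logs).
def _entry(who, hour, code=PERMISSION_DENIED):
    return json.dumps({"timestamp": f"2024-01-01T{hour:02d}:15:00Z",
                       "protoPayload": {"authenticationInfo": {"principalEmail": who},
                                        "status": {"code": code}}})

CI = "ci-deployer@example-project" + SA_SUFFIX
BATCH = "batch-sync@example-project" + SA_SUFFIX
SAMPLE = ["not json"]
for h in range(6):                                 # baseline hours 00..05
    SAMPLE += [_entry(CI, h)] * (h % 2)            # quiet account: 0 or 1 per hour
    SAMPLE += [_entry(BATCH, h)] * (8 + h % 3)     # noisy but steady: 8 to 10 per hour
SAMPLE += [_entry(CI, 6)] * 12 + [_entry(CI, 6, code=0)] * 30  # burst plus successes
SAMPLE += [_entry(BATCH, 6)] * 9 + [_entry("alice@example.com", 6)] * 20
BASELINE = [f"2024-01-01T{h:02d}" for h in range(6)]

if __name__ == "__main__":
    print(anomalies(denied_per_hour(SAMPLE), BASELINE, "2024-01-01T06"))
```

The quiet account is flagged for 12 denials in one hour, while the account that routinely sees 8 to 10 denials per hour is not, which is the reason for baselining each service account separately instead of using one global threshold.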

Triage and response

Investigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.