
GCP service account accessing anomalous number of GCP APIs

gcp

Classification:

attack

Tactic:

Technique:


Goal

Detect when a GCP service account is compromised.

Strategy

Inspect the GCP Admin Activity Logs (@data.logName:*%2Factivity) and filter for only GCP Service Accounts (@usr.id:*.iam.gserviceaccount.com). Count the number of unique GCP API calls (@evt.name) made by each service account (@usr.id). The anomaly detection baselines each service account individually and then generates a security signal when a service account deviates from its own baseline.

To read more about GCP Audit Logs, you can read our blog post here.
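The filter-count-baseline logic described above, written out as an added Python example (not Datadog's rule engine and not code from this page). It reads raw GCP audit log entries, which are assumed to map onto the page's attributes as follows: logName to @data.logName, protoPayload.methodName to @evt.name, and protoPayload.authenticationInfo.principalEmail to @usr.id. The log entries, the project name demo-proj and the service account names are constructed sample data; the threshold (mean plus two standard deviations of the account's earlier daily counts) is a stand-in for the anomaly detection the rule uses.

```python
"""Count distinct GCP API methods per service account and flag deviations
from each account's own baseline. Added example, not Datadog's rule engine.
Field names follow the raw GCP audit log schema; the mapping onto the page's
@data.logName / @evt.name / @usr.id attributes is an assumption."""
from collections import defaultdict
from statistics import mean, pstdev

ACTIVITY_SUFFIXES = ("%2Factivity", "/activity")   # @data.logName:*%2Factivity
SA_DOMAIN_SUFFIX = ".iam.gserviceaccount.com"       # @usr.id:*.iam.gserviceaccount.com


def _entry(day, principal, method, log="cloudaudit.googleapis.com%2Factivity"):
    """Build one constructed audit-log entry (sample data, not a real log)."""
    return {
        "logName": f"projects/demo-proj/logs/{log}",
        "timestamp": f"2024-05-{day:02d}T10:00:00Z",
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


CI = "ci-runner@demo-proj.iam.gserviceaccount.com"      # constructed
BATCH = "batch-job@demo-proj.iam.gserviceaccount.com"   # constructed

SAMPLE_ENTRIES = (
    # ci-runner: three quiet days touching the same two storage APIs ...
    [_entry(d, CI, m) for d in (1, 2, 3)
     for m in ("storage.buckets.get", "storage.objects.list")]
    # ... then one day touching seven distinct APIs.
    + [_entry(4, CI, m) for m in (
        "storage.buckets.get", "storage.objects.list",
        "google.iam.admin.v1.ListServiceAccounts", "SetIamPolicy",
        "compute.instances.list", "storage.buckets.list",
        "google.cloud.secretmanager.v1.SecretManagerService.ListSecrets")]
    # batch-job: steady single API every day, so it must not fire.
    + [_entry(d, BATCH, "bigquery.jobs.create") for d in (1, 2, 3, 4)]
    # Noise the filter must drop: a human user and a Data Access log entry.
    + [_entry(4, "alice@example.com", "SetIamPolicy"),
       _entry(4, CI, "storage.objects.get",
              log="cloudaudit.googleapis.com%2Fdata_access")]
)


def is_sa_admin_activity(entry):
    """Keep only Admin Activity entries whose caller is a service account."""
    log_name = entry.get("logName", "")
    principal = (entry.get("protoPayload", {})
                 .get("authenticationInfo", {})
                 .get("principalEmail", ""))
    return log_name.endswith(ACTIVITY_SUFFIXES) and principal.endswith(SA_DOMAIN_SUFFIX)


def distinct_apis_per_day(entries):
    """Return {service_account: {day: set(methodName)}} over filtered entries."""
    buckets = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if not is_sa_admin_activity(e):
            continue
        day = e["timestamp"][:10]           # ISO date prefix, sorts lexically
        account = e["protoPayload"]["authenticationInfo"]["principalEmail"]
        buckets[account][day].add(e["protoPayload"]["methodName"])
    return buckets


def anomalous_accounts(buckets, day, min_history=3, z=2.0, min_delta=2):
    """Baseline each account on its earlier days and flag those whose
    distinct-API count on `day` exceeds mean + z*stdev. min_delta keeps a
    zero-variance baseline from firing on a single extra API."""
    signals = {}
    for account, per_day in buckets.items():
        history = [len(apis) for d, apis in per_day.items() if d < day]
        if len(history) < min_history or day not in per_day:
            continue                        # not enough history to baseline
        current = len(per_day[day])
        baseline = mean(history)
        threshold = baseline + z * pstdev(history)
        if current > threshold and current - baseline >= min_delta:
            signals[account] = {"baseline_mean": baseline, "current": current,
                                "apis": sorted(per_day[day])}
    return signals


if __name__ == "__main__":
    for acct, info in anomalous_accounts(distinct_apis_per_day(SAMPLE_ENTRIES),
                                         "2024-05-04").items():
        print(f"SIGNAL {acct}: {info['current']} distinct APIs "
              f"(baseline {info['baseline_mean']:.1f}) -> {info['apis']}")
```

Running it flags only ci-runner on 2024-05-04 (seven distinct APIs against a baseline of two), while batch-job, the human user and the Data Access entry are ignored. On 2024-05-03 nothing fires because fewer than min_history earlier days exist, which mirrors why a newly created service account needs a learning period before the rule's baseline is meaningful.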

Triage and response

Investigate the logs and determine whether or not the GCP Service Account is compromised.