Google App Engine service account used outside of Google Cloud

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a Google App Engine default service account is used outside of Google Cloud.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a Google App Engine default service account is used from outside a Google Cloud environment. The usage of a Google Cloud default service account, such as the App Engine service account, from outside the Google Cloud environment, could serve as an indicator that the credentials of the service account have been compromised.

Triage and response

  1. Determine if the actions {{@evt.name}} taken by the App Engine default service account {{@usr.id}} are legitimate by looking at past activity and the type of API calls occurring.
  2. If the action is legitimate, consider including the IP address or ASN in a suppression list. See this article on Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. Otherwise, use the Cloud SIEM - IP Investigation dashboard to see if the IP address: {{@network.client.ip}} has taken other actions.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.

Changelog

  • 18 December 2024 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.