Google App Engine service account used outside of Google Cloud

Goal

Detect when a Google App Engine default service account is used outside of Google Cloud.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a Google App Engine default service account is used from outside a Google Cloud environment. Use of a Google Cloud default service account, such as the App Engine service account, from outside the Google Cloud environment could indicate that the service account's credentials have been compromised.
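The check this rule performs, as an added example that is not the rule's own query: it reads Cloud Audit Log entries, keeps those whose `principalEmail` is an App Engine default service account (`<project-id>@appspot.gserviceaccount.com`), and flags any whose `requestMetadata.callerIp` does not look like a call from inside Google Cloud (Cloud Audit Logging records internal callers as `private`, `gce-internal-ip`, or an RFC 1918 VM address). The log entries and the project id are constructed sample data.

```python
import ipaddress
import json

# Every App Engine default service account ends with this suffix.
APP_ENGINE_SA_SUFFIX = "@appspot.gserviceaccount.com"
# Values Cloud Audit Logging writes to requestMetadata.callerIp for calls that
# originate inside Google's network (documented RequestMetadata behaviour).
INTERNAL_CALLER_MARKERS = {"private", "gce-internal-ip"}
# A VM without an external IP in the same project is logged by its internal address.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal_caller(caller_ip: str) -> bool:
    """True when callerIp shows the call came from inside Google Cloud."""
    if caller_ip in INTERNAL_CALLER_MARKERS:
        return True
    try:
        ip = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False  # empty or unparseable: do not assume it is internal
    return any(ip in net for net in RFC1918_NETWORKS)


def detect_external_app_engine_usage(raw_lines):
    """Return (principalEmail, callerIp, methodName) for each audit log entry where
    an App Engine default service account is used from outside Google Cloud."""
    hits = []
    for line in raw_lines:
        payload = json.loads(line).get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        caller_ip = payload.get("requestMetadata", {}).get("callerIp", "")
        if principal.endswith(APP_ENGINE_SA_SUFFIX) and not is_internal_caller(caller_ip):
            hits.append((principal, caller_ip, payload.get("methodName", "")))
    return hits


def _entry(principal, caller_ip, method):
    """Build one constructed Cloud Audit Log line (sample data, not a real log)."""
    return json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": caller_ip},
        "methodName": method}})


SA = "example-project@appspot.gserviceaccount.com"  # placeholder project id
SAMPLE_LOGS = [
    _entry(SA, "private", "google.datastore.v1.Datastore.RunQuery"),  # App Engine itself
    _entry(SA, "10.128.0.7", "storage.objects.get"),                  # VM inside the project
    _entry(SA, "203.0.113.42", "storage.objects.list"),               # outside Google Cloud
    _entry("deploy@example-project.iam.gserviceaccount.com", "203.0.113.42", "storage.objects.list"),
]

if __name__ == "__main__":
    for principal, ip, method in detect_external_app_engine_usage(SAMPLE_LOGS):
        print(f"ALERT: {principal} called {method} from {ip}")
```

Only the third sample line is flagged; the last one comes from the same external address but is not an App Engine default service account, so it falls outside this rule.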

Triage and response

  1. Determine if the actions {{@evt.name}} taken by the App Engine default service account {{@usr.id}} are legitimate by looking at past activity and the type of API calls occurring.
  2. If the action is legitimate, consider including the IP address or ASN in a suppression list. See this article on Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. Otherwise, use the Cloud SIEM - IP Investigation dashboard to see if the IP address {{@network.client.ip}} has taken other actions.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.