Google Cloud exposed service account key

Classification:

attack

Goal

Detect when Google Cloud disables a key for being exposed.

This rule monitors Cloud Audit Logs and detects when the principal gcp-compromised-key-response@system.gserviceaccount.com disabled a key. If Google Cloud detects an exposed key, it automatically disables the key.

An abuse event is created in the Abuse Event logs.
Investigate any other actions carried out by the compromised identity {{@data.protoPayload.request.name}} using the Cloud SIEM investigator.