Google Cloud Service Account Impersonation activity using access token generation


Detect Google Cloud service account impersonation activity through the use of access tokens.


Monitor Google Cloud Admin Activity audit logs for event

  • Successful Attempts: @data.protoPayload.authorizationInfo.granted:true
  • Failed Attempts: @evt.outcome:PERMISSION_DENIED

Triage & Response

  1. Investigate if the user {{}} from IP address:{{@network.client.ip}} intended to perform this activity.
  2. If unauthorized:
    • Revoke access of compromised user and service account.
    • Investigate other activities performed by the user {{}} using the Cloud SIEM - User Investigation dashboard.
    • Investigate other activities performed by the IP {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard.