Set up the gcp integration.
Detect when a new service account key is created. An attacker could use this key as a backdoor to your account.
This rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key.
On this Page