
GCP service account accessing anomalous number of GCP APIs

gcp

Classification: attack

Tactic:

Technique:

Goal

Detect when a GCP service account is compromised.

Strategy

Inspect the GCP Admin Activity Logs (@data.logName:*%2Factivity) and filter for GCP Service Accounts only (@usr.id:*.iam.gserviceaccount.com). Count the number of distinct GCP API calls (@evt.name) made by each service account (@usr.id). The anomaly detection baselines each service account and generates a security signal when a service account's count of distinct API calls deviates from its baseline.
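
The following is an added example, not part of the rule or Datadog's own detection code: it applies the two filters above to constructed log entries (keyed by the @data.logName, @usr.id and @evt.name attributes), counts distinct API methods per service account, and compares the count against a per-account baseline. The baseline model (mean plus a multiple of the standard deviation of earlier windows, with a minimum history length) is an assumption for illustration; the page does not specify how the baseline is computed.

```python
import statistics
from collections import defaultdict

# Constructed sample of Admin Activity log entries, reduced to the three
# attributes the rule uses (@data.logName, @usr.id, @evt.name); not real data.
ACTIVITY = "projects/demo/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS = "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access"
SA = "deploy@demo.iam.gserviceaccount.com"
SAMPLE_LOGS = [{"@data.logName": l, "@usr.id": u, "@evt.name": n} for l, u, n in [
    (ACTIVITY, SA, "google.iam.admin.v1.CreateServiceAccountKey"),
    (ACTIVITY, SA, "SetIamPolicy"),
    (ACTIVITY, SA, "SetIamPolicy"),                   # repeat: counted once
    (ACTIVITY, SA, "storage.buckets.list"),
    (ACTIVITY, SA, "compute.instances.list"),
    (ACTIVITY, "alice@example.com", "SetIamPolicy"),  # human user: out of scope
    (DATA_ACCESS, SA, "storage.objects.get"),         # Data Access log: out of scope
]]

def in_scope(entry):
    """The rule's two filters: Admin Activity log, written by a service account."""
    return (entry["@data.logName"].endswith("%2Factivity")
            and entry["@usr.id"].endswith(".iam.gserviceaccount.com"))

def distinct_api_calls(entries):
    """Map each service account to the set of distinct API methods it called."""
    calls = defaultdict(set)
    for entry in filter(in_scope, entries):
        calls[entry["@usr.id"]].add(entry["@evt.name"])
    return calls

def anomalous(count, history, z=2.0, min_history=5):
    """True when count exceeds this account's baseline of mean + z * stdev.
    Too little history means no baseline yet, so nothing is flagged."""
    if len(history) < min_history:
        return False
    mean, spread = statistics.mean(history), statistics.pstdev(history)
    # Floor the spread so a perfectly flat history does not alert on +1 call.
    return count > mean + z * max(spread, 1.0)

# Constructed baseline: distinct-API counts from earlier windows (assumed values).
HISTORY = {SA: [1, 1, 2, 1, 1, 2, 1]}

def evaluate(entries, history):
    """Return the service accounts whose distinct-API count breaks their baseline."""
    counts = {sa: len(methods) for sa, methods in distinct_api_calls(entries).items()}
    return {sa: n for sa, n in counts.items() if anomalous(n, history.get(sa, []))}
```

In the sample the service account calls four distinct methods against a baseline of one or two per window, so evaluate() returns it; the human user and the Data Access entry never enter the count.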

To read more about GCP Audit Logs, you can read our blog post here.

Triage and response

Investigate the logs and determine whether or not the GCP Service Account is compromised.

Changelog

  • 17 October 2022 - Updated tags.