GCP Access Policy Deleted
Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
Log Source
Product: Google Cloud (raw: gcp)
Service: gcp.audit (raw: gcp.audit)
Detection Logic (1 selector)
detection:
  selection:
    data.protoPayload.authorizationInfo.permission:
      - 'accesscontextmanager.accessPolicies.delete'
      - 'accesscontextmanager.accessPolicies.accessLevels.delete'
      - 'accesscontextmanager.accessPolicies.accessZones.delete'
      - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'
    data.protoPayload.authorizationInfo.granted: 'true'
    data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'
  condition: selection
False Positives
Legitimate administrative activities
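The selection above applied to constructed GCP audit log events, as an added example that is not part of the rule or its repository. It assumes the flattened field names in the rule map onto the nested JSON of a GCP audit log entry, where authorizationInfo is a list and granted is a JSON boolean rather than the string 'true' the rule writes; the sample events are constructed.

```python
import json

# Permission and service values are taken from the rule's selection.
PERMISSIONS = {
    "accesscontextmanager.accessPolicies.delete",
    "accesscontextmanager.accessPolicies.accessLevels.delete",
    "accesscontextmanager.accessPolicies.accessZones.delete",
    "accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete",
}
SERVICE = "accesscontextmanager.googleapis.com"


def matches(event: dict) -> bool:
    """Return True if one GCP audit log event satisfies the rule's selection."""
    payload = event.get("data", {}).get("protoPayload", {})
    if payload.get("serviceName") != SERVICE:
        return False
    # Real logs emit authorizationInfo as a list; tolerate a single object too.
    auth_info = payload.get("authorizationInfo", [])
    if isinstance(auth_info, dict):
        auth_info = [auth_info]
    for entry in auth_info:
        # 'granted' is a JSON boolean in real logs; compare it as the rule's string.
        granted = str(entry.get("granted", "")).lower() == "true"
        if granted and entry.get("permission") in PERMISSIONS:
            return True
    return False


# Constructed sample events (one JSON object per line): only the first
# should fire; the others are denied, a non-delete permission, and another service.
SAMPLE_LOG = """\
{"data":{"protoPayload":{"serviceName":"accesscontextmanager.googleapis.com","authorizationInfo":[{"permission":"accesscontextmanager.accessPolicies.delete","granted":true}]}}}
{"data":{"protoPayload":{"serviceName":"accesscontextmanager.googleapis.com","authorizationInfo":[{"permission":"accesscontextmanager.accessPolicies.delete","granted":false}]}}}
{"data":{"protoPayload":{"serviceName":"accesscontextmanager.googleapis.com","authorizationInfo":[{"permission":"accesscontextmanager.accessPolicies.list","granted":true}]}}}
{"data":{"protoPayload":{"serviceName":"iam.googleapis.com","authorizationInfo":[{"permission":"accesscontextmanager.accessPolicies.accessLevels.delete","granted":true}]}}}
"""


def scan(raw_log: str) -> list[int]:
    """Return the 1-based line numbers of events in raw_log that match the rule."""
    hits = []
    for number, line in enumerate(raw_log.splitlines(), start=1):
        if line.strip() and matches(json.loads(line)):
            hits.append(number)
    return hits
```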
MITRE ATT&CK
Rule Metadata
Rule ID
32438676-1dba-4ac7-bf69-b86cba995e05
Status
test
Level
medium
Type
Detection
Created
Fri Jan 12
Author
Path
rules/cloud/gcp/audit/gcp_access_policy_deleted.yml
Raw Tags
attack.persistence
attack.privilege-escalation
attack.t1098