Detectionmediumtest

Google Cloud Service Account Modified

Identifies when a service account is modified in Google Cloud.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Sat Aug 14Updated Sun Oct 096b67c12e-5e40-47c6-b3b0-1e6b571184cccloud

Log Source

Google Cloudgcp.audit

ProductGoogle Cloud← raw: gcp

Servicegcp.audit← raw: gcp.audit

Detection Logic

detection:
    selection:
        gcp.audit.method_name|endswith:
            - .serviceAccounts.patch
            - .serviceAccounts.create
            - .serviceAccounts.update
            - .serviceAccounts.enable
            - .serviceAccounts.undelete
    condition: selection

False Positives

Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

References

Resolving title…

cloud.google.com

MITRE ATT&CK

Tactics

TA0040 · Impact

Rule Metadata

Rule ID

6b67c12e-5e40-47c6-b3b0-1e6b571184cc

Status

test

Level