forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gcp_cross_account_activity.yml
38 lines (36 loc) · 1.98 KB
/
gcp_cross_account_activity.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
name: GCP Cross Account Activity
id: 0432039c-ef41-4b03-b157-450c25dad1e6
version: 1
date: '2020-09-01'
author: Rod Soto, Splunk
description: Track when a user assumes an IAM role in another GCP account to obtain
cross-account access to services and resources in that account. Accessing new roles
could be an indication of malicious activity.
narrative: 'Google Cloud Platform (GCP) admins manage access to GCP resources and
services across the enterprise using GCP Identity and Access Management (IAM) functionality.
IAM provides the ability to create and manage GCP users, groups, and roles-each
with their own unique set of privileges and defined access to specific resources
(such as Compute instances, the GCP Management Console, API, or the command-line
interface). Unlike conventional (human) users, IAM roles are potentially assumable
by anyone in the organization. They provide users with dynamically created temporary
security credentials that expire within a set time period.
In between the time between when the temporary credentials are issued and when they
expire is a period of opportunity, where a user could leverage the temporary credentials
to wreak havoc-spin up or remove instances, create new users, elevate privileges,
and other malicious activities-throughout the environment.
This Analytic Story includes searches that will help you monitor your GCP Audit
logs logs for evidence of suspicious cross-account activity. For example, while
accessing multiple GCP accounts and roles may be perfectly valid behavior, it may
be suspicious when an account requests privileges of an account it has not accessed
in the past. After identifying suspicious activities, you can use the provided investigative
searches to help you probe more deeply.'
references:
- https://cloud.google.com/iam/docs/understanding-service-accounts
tags:
category:
- Cloud Security
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Security Monitoring