diff --git a/rules/gcp/persistence_gcp_service_account_created.toml b/rules/gcp/persistence_gcp_service_account_created.toml
new file mode 100644
index 000000000..de578cb40
--- /dev/null
+++ b/rules/gcp/persistence_gcp_service_account_created.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2020/09/22"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of
+account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
+make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
+through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security
+risk. An adversary may create a new service account to use during their operations in order to avoid using a standard
+user account and attempt to evade detection.
+"""
+false_positives = [
+ """
+ Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be
+ added to this rule to filter expected behavior.
+ """,
+]
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "GCP Service Account Creation"
+note = "The GCP Filebeat module must be enabled to use this rule."
+references = ["https://cloud.google.com/iam/docs/service-accounts"]
+risk_score = 21
+rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
+severity = "low"
+tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+
+query = '''
+event.module:googlecloud and event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
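Review bot: The `event.outcome:success` clause in `query` silently drops denied CreateServiceAccount calls, which are exactly the audit entries produced when a compromised principal tries to create an account without the required IAM permission; if excluding failures is deliberate, the `note` field should say so rather than leave analysts assuming the rule covers attempts. The `note` also offers no triage guidance beyond enabling the Filebeat module, while the alert is only actionable once an analyst knows who issued the request and what account was created. Creating a service account grants nothing by itself — the subsequent key creation or IAM policy change that binds a key or role to the new account is where persistence actually materializes — so the note should direct analysts to look for one within the same window. Something like `note = "The GCP Filebeat module must be enabled to use this rule. Pivot on the requesting principal and the new service account's name, and look for a subsequent key creation or role grant to that account; failed creation attempts are not matched by this rule."` keeps the detection unchanged while making the alert usable.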