diff --git a/rules/gcp/credential_access_gcp_key_created_for_service_account.toml b/rules/gcp/credential_access_gcp_key_created_for_service_account.toml
new file mode 100644
index 000000000..ec2fd5791
--- /dev/null
+++ b/rules/gcp/credential_access_gcp_key_created_for_service_account.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2020/09/21"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a
+special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use
+service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud
+Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a
+security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions
+assigned to that account and evade detection.
+"""
+false_positives = [
+ """
+ Service account keys may be created by system administrators. Verify that the configuration change was expected.
+ Exceptions can be added to this rule to filter expected behavior.
+ """,
+]
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "GCP Service Account Key Creation"
+note = "The GCP Filebeat module must be enabled to use this rule."
+references = [
+ "https://cloud.google.com/iam/docs/service-accounts",
+ "https://cloud.google.com/iam/docs/creating-managing-service-account-keys",
+]
+risk_score = 21
+rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"
+severity = "low"
+tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+
+query = '''
+event.module:googlecloud and event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
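Review bot: The `[rule.threat.tactic]` block at the end of the hunk pairs T1098 Account Manipulation with TA0006 Credential Access, but as I read ATT&CK in the versions current at this rule's 2020/09/21 creation date, T1098 is listed under Persistence, so the block should probably read `id = "TA0003"`, `name = "Persistence"`, `reference = "https://attack.mitre.org/tactics/TA0003/"` — or, if the Credential Access placement is deliberate because the new key is itself a credential, a comment above the block should say so. Separately, `note` only states that the Filebeat module must be enabled; a one-line triage hint naming the fields an analyst pivots on — the calling principal and the target service account, which the googlecloud audit fileset presumably exposes under `gcp.audit.*` (confirm the exact field names) — would make the `false_positives` advice about adding exceptions actionable. Finally, `event.outcome:success` in `query` silently drops denied CreateServiceAccountKey attempts, which can indicate a compromised principal probing for key-creation rights; if excluding them is intended, the description should say that failures are covered elsewhere or out of scope.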