
Quick Start Security for GCP IAM


Coralogix Extension For GCP IAM Includes:

Alerts - 13

Stay on top of GCP IAM key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A Custom Role was Deleted

This alert gets triggered when a custom role is deleted.

Impact: Deleting a custom role allows an attacker to strip specific permissions from the users bound to that role. This can adversely affect business operations, disrupt access levels, and, if service accounts are bound to the role, halt integrations and data flow to the corresponding destination platform.

Mitigation: Confirm the action with the user who executed it and ensure there is a valid business requirement; otherwise, recreate the role with the same configuration and review the impact on users and other activity. Additionally, consider limiting this permission to project leads, owners, and administrators exclusively.

MITRE Tactic: TA0003
MITRE Technique: T1098

A Custom Role was Created or Modified

This alert gets triggered when a custom role is created or modified.

Impact: Attackers can exploit custom roles as a gateway to diverse GCP services, potentially resulting in privilege escalation and unauthorized access. Manipulation of custom roles may also lead users to engage in unusual service usage and activity.

Mitigation: Verify the action by confirming with the user who executed it, revert any unauthorized changes, and investigate if necessary. Confirm that roles and permissions are appropriately scoped, and that the users linked to the role hold exactly the permissions the role is meant to grant. Additionally, incorporate an approval step into the playbook so that such changes are validated at the point of entry.

MITRE Tactic: TA0003
MITRE Technique: T1098

A Service Account Key was Deleted

This alert gets triggered when a key is deleted from a service account.

Impact: A deleted key can revoke access to the project and account, so the deletion should be validated. It may break any authentication or automation configured with that key.

Mitigation: Validate the action with the user who performed it; if it was not legitimate, create a new key and update it in every place the old key was configured.

MITRE Tactic: TA0003
MITRE Technique: T1098

A Service Account was Created

This alert gets triggered when a new service account has been created. It monitors Google Cloud admin activity audit logs to determine when a service account is created.

Impact: This event may result from an account compromise or a privilege escalation. An attacker may have created a new service account to carry out further attacks and damage the environment.

Mitigation: Contact the user who created the service account and ensure there is a valid approval and that access is configured according to business requirements. If high-level privileges have been granted, immediately reach out to the account owner and have the account reconfigured to match the business need.

MITRE Tactic: TA0001
MITRE Technique: T1078

No logs from GCP IAM

This rule detects when no logs have arrived from GCP IAM in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic adversaries employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562
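The heartbeat check behind a "no logs" rule, as an added example (not Coralogix code). It assumes each ingested event carries an application name, a subsystem name and an RFC 3339 timestamp; the expected sources and the sample events are constructed. It also covers the case the note above hints at: a source that is scoped into the alert but has never logged at all is reported alongside sources that went quiet.

```python
"""Heartbeat check for a "no logs from <source>" alert.

Added example, not Coralogix code. Assumes events carry "application",
"subsystem" and an RFC 3339 "timestamp"; the samples below are constructed.
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=4)  # the page's "last 4 hours"


def _parse(ts: str) -> datetime:
    # RFC 3339 with a trailing Z, as written by Cloud Logging exports
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def silent_sources(events, expected, now, window=WINDOW):
    """Return the (application, subsystem) pairs in `expected` that produced
    nothing inside `window` before `now`. A pair that never logged at all is
    reported too, otherwise a source that was disabled before the first
    export would stay invisible."""
    last_seen = {}
    for ev in events:
        key = (ev["application"], ev["subsystem"])
        ts = _parse(ev["timestamp"])
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    silent = []
    for key in sorted(expected):
        seen = last_seen.get(key)
        if seen is None or now - seen > window:
            silent.append({"application": key[0], "subsystem": key[1],
                           "last_seen": seen.isoformat() if seen else None})
    return silent


# Constructed sample data (not real logs).
SAMPLE_EVENTS = [
    {"application": "gcp", "subsystem": "iam", "timestamp": "2024-05-01T03:00:00Z"},
    {"application": "gcp", "subsystem": "iam", "timestamp": "2024-05-01T05:30:00Z"},
    {"application": "gcp", "subsystem": "gke", "timestamp": "2024-05-01T09:55:00Z"},
]
EXPECTED = {("gcp", "iam"), ("gcp", "gke"), ("gcp", "kms")}  # kms never logged
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for source in silent_sources(SAMPLE_EVENTS, EXPECTED, NOW):
        print(source)
```

With the sample data, `gcp/iam` is reported because its last event is 4.5 hours old, `gcp/kms` because it never logged, and `gcp/gke` is fine.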

A User was Added to a Role

This alert gets triggered when a user is added to an IAM role.

Impact: A change in a user's role affects the user's ability to access services within the project. An attacker can manipulate user roles to grant themselves more privileges or to revoke other users' access.

Mitigation: Examine and confirm the action, ensuring that the user linked to the role holds exactly the permissions that were intended. If not, remove the user from the role, review the modifications, and mandate that such actions only take place after appropriate approval from authorized individuals with valid tickets or emails.

MITRE Tactic: TA0003
MITRE Technique: T1098

A Service Account was Deleted

This alert gets triggered when a service account is deleted by a user.

Impact: Service accounts, especially privileged ones, often hold admin-level access to numerous systems, making them enticing targets. They also suffer from low visibility and password neglect: service accounts are hard to detect and their credentials are rarely rotated, making them a prime vector for attackers.

Mitigation: Reach out to the user and validate the activity, ensuring business approval for significant changes. If the deletion aligns with an approved business process, no further action is necessary. If it was not approved, contact the owner, have the account recreated with the same configuration, and assess the impact of the event. Additionally, confine critical changes to project owners and tech leads exclusively.

MITRE Tactic: TA0040
MITRE Technique: T1489

A Service Account Key was Created

This alert gets triggered when a key has been created for a service account. It monitors Google Cloud admin activity audit logs to detect the creation of a service account key.

Impact: Service accounts, especially privileged ones, often hold admin-level access to numerous systems, making them enticing targets. They also suffer from low visibility and password neglect: service accounts are hard to detect and their credentials are rarely rotated, making them a prime vector for attackers.

Mitigation: Contact the user who created the service account key to ensure they are managing the key securely. Do not embed service account keys in program binaries. Use insights and metrics to identify unused service account keys. Rotate service account keys to reduce the risk from leaked keys. Use expiry times so that keys expire automatically.

MITRE Tactic: TA0043
MITRE Technique: T1589
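The single-event alerts above (custom role created, modified or deleted; service account created or deleted; service account key created or deleted; user added to a role) all key on one admin-activity audit log entry each. The following is an added example of that classification, not Coralogix code. It assumes the standard Cloud Audit Logs JSON layout (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `serviceData.policyDelta.bindingDeltas`) and the IAM Admin API method names shown in the table; the page itself does not name them, and the sample entries are constructed.

```python
"""Classify GCP admin-activity audit log entries into the alerts above.

Added example, not Coralogix code. Assumes the standard Cloud Audit Logs
layout and the IAM Admin API methodName values listed below; sample
entries are constructed for illustration.
"""
import json

# protoPayload.methodName -> alert name (IAM Admin API method names, assumed)
ADMIN_METHODS = {
    "google.iam.admin.v1.CreateRole": "A Custom Role was Created or Modified",
    "google.iam.admin.v1.UpdateRole": "A Custom Role was Created or Modified",
    "google.iam.admin.v1.DeleteRole": "A Custom Role was Deleted",
    "google.iam.admin.v1.CreateServiceAccount": "A Service Account was Created",
    "google.iam.admin.v1.DeleteServiceAccount": "A Service Account was Deleted",
    "google.iam.admin.v1.CreateServiceAccountKey": "A Service Account Key was Created",
    "google.iam.admin.v1.DeleteServiceAccountKey": "A Service Account Key was Deleted",
}


def classify(entry: dict) -> list:
    """Return the alerts (possibly none) that one audit log entry raises."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    resource = payload.get("resourceName", "")
    when = entry.get("timestamp", "")
    alerts = []

    # Only the admin-activity log carries these write operations; skip data-access noise.
    if not entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Factivity"):
        return alerts

    if method in ADMIN_METHODS:
        alerts.append({"alert": ADMIN_METHODS[method], "actor": actor,
                       "resource": resource, "timestamp": when})

    # "A User was Added to a Role": a SetIamPolicy whose policy delta ADDs a binding.
    # REMOVE deltas raise nothing here because the page defines no such alert.
    if method.endswith("SetIamPolicy"):
        deltas = (payload.get("serviceData", {}).get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") == "ADD":
                alerts.append({"alert": "A User was Added to a Role", "actor": actor,
                               "member": delta.get("member"), "role": delta.get("role"),
                               "resource": resource, "timestamp": when})
    return alerts


def scan(raw_lines: list) -> list:
    """Run classify() over newline-delimited JSON, skipping malformed lines."""
    found = []
    for line in raw_lines:
        try:
            found.extend(classify(json.loads(line)))
        except json.JSONDecodeError:
            continue  # one bad export line must not stop the pipeline
    return found


# Constructed sample entries (not real logs).
SAMPLE_LOGS = [
    json.dumps({
        "logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:00:00Z",
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/-/serviceAccounts/ci@demo-proj.iam.gserviceaccount.com",
        },
    }),
    json.dumps({
        "logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:05:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/demo-proj",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/editor", "member": "user:mallory@example.com"},
                {"action": "REMOVE", "role": "roles/viewer", "member": "user:carol@example.com"},
            ]}},
        },
    }),
    json.dumps({  # read-only call in the data-access log: no alert from this block
        "logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-05-01T10:06:00Z",
        "protoPayload": {"methodName": "GetIamPolicy",
                         "authenticationInfo": {"principalEmail": "bob@example.com"}},
    }),
    "not json at all",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

On the sample input the scan yields two alerts: the key creation by alice, and the ADD binding that bob granted to mallory; the REMOVE delta, the read-only GetIamPolicy and the malformed line produce nothing.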

Flow Alert - Possible Critical Data Theft Attempt

This alert gets triggered when a user is granted IAM permissions and then performs critical events such as log entry modifications, lateral movement, or checking the level of access granted to themselves or other accounts.

Impact: This alert correlates several events that occur close together: IAM permissions granted, followed immediately by critical actions. This pattern suggests a potential account compromise, privilege escalation, lateral movement, or data exfiltration. Typically, such critical actions are not executed immediately after permissions are granted.

Mitigation: Verify the user's identity and their assigned permissions. Contact the user to discuss the reasons behind the observed events. If the activity seems suspicious, consider temporarily blocking the user account, validating the permissions, removing any unnecessary access, reverting changes if needed, and maintaining ongoing monitoring to prevent any further unusual activity.

MITRE Tactic: TA0040
MITRE Technique: T1496

Building Block - IAM Policy Modified

This alert gets triggered when a user directly modifies IAM policies. This way they can grant themselves or other users unauthorized access to sensitive resources.

Impact: IAM permissions define which users have access to specific services. Making changes or adding users without valid justification raises the risk of unauthorized access, service interruptions, data breaches, and other security issues. Users can execute critical tasks depending on their assigned permission levels.

Mitigation: Restrict the ability to add or remove users to engineering administrators only. Additionally, regularly review logs to identify users and their assigned permissions. If unauthorized access is detected, contact the responsible user or administrator for approval; otherwise, revoke access and review audit logs for any suspicious activity.

MITRE Tactic: TA0004
MITRE Technique: T1098

Building Block - Log Entry Modified

This alert gets triggered when a user modifies or manipulates log entries, potentially obscuring their tracks or creating false logs to mislead defenders.

Impact: A log entry records a particular event or transaction within a computer system or captures its current state. Altering log entries suggests an attempt to insert false or misleading information into the logs, potentially to obscure critical events and misdirect analysts during review. This tactic could aid attackers in concealing important details and steering investigations toward unrelated logs.

Mitigation: Typically, such actions are not performed with good intentions. Therefore, it is advisable to restrict or block these permissions if they are unnecessary for all users. Subsequently, review the logs to identify the user responsible and which log entries were altered. Reach out to the user if any suspicious activity is detected; if warranted, temporarily block the user account pending investigation. Once the root cause analysis (RCA) is completed, or if the activity was part of a test to evaluate defense controls, restore the user's access and continue monitoring the system.

MITRE Tactic: TA0008
MITRE Technique: T1564

Building Block - Access Control Check Performed

This alert gets triggered when a user checks whether a specific user or service account has permission to perform a particular action on a resource.

Impact: This is a significant event if conducted by an unknown user, as it involves repeatedly checking the level of permissions assigned to a user through multiple 'check access' attempts. If additional permissions are discovered, an attacker could exploit these privileges to manipulate production services, potentially leading to actions such as editing, deleting, privilege escalation, copying, or shutdown.

Mitigation: Review the user and the targeted account involved in the repeated 'check access' event. Contact the user to inquire about the reason for performing multiple 'check access' attempts on the individual account. If the activity appears to be a legitimate test to verify permissions, close the case. However, if it involves an unrelated user engaging in this behavior, issue a warning or, if necessary, temporarily block the user's permissions and inform the appropriate manager about these unusual events.

MITRE Tactic: TA0007
MITRE Technique: T1087

Building Block - IAM Policies Retrieved

This alert gets triggered when a user retrieves IAM policies for resources across different projects.

Impact: IAM permissions specify which users are assigned to which services. When a user attempts to access IAM, it can lead to unusual activities such as editing, deleting, data exfiltration, or stopping or shutting down services. Monitoring and preventing such events is crucial to mitigate the ongoing risk posed by the user.

Mitigation: Identify the user attempting to access IAM permissions and dedicated resources. Reach out to the user to verify whether there is a valid justification or approval for the requested access. If the necessary permissions are not confirmed, advise the user to submit a ticket for approval and access. As a precaution, consider temporarily blocking the account pending completion of the investigation.

MITRE Tactic: TA0004
MITRE Technique: T1098
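The flow alert above is built from these building blocks: an IAM policy modification that grants a principal a binding, followed within a short window by a critical action (log entry modified, access control check performed, IAM policies retrieved) taken by the principal who received the grant. The following is an added example of that correlation, not Coralogix code. It assumes the standard Cloud Audit Logs layout and the usual IAM method names (SetIamPolicy, GetIamPolicy, TestIamPermissions); the mapping of logging-service Update*/Delete* methods to "Log Entry Modified" is a hypothetical stand-in because the page does not say which methods that block keys on, and the 30-minute window is a chosen value. All sample entries are constructed, and they are fed in out of order to show that the correlator sorts by timestamp first.

```python
"""Flow alert: an IAM grant followed, within a short window, by a critical
action taken by the principal who received the grant.

Added example, not Coralogix code. IAM method names are the usual
methodName values (assumed); the "Log Entry Modified" mapping is a
hypothetical stand-in. Sample entries are constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # "immediately after" threshold, chosen here
CRITICAL = {"Log Entry Modified", "Access Control Check Performed",
            "IAM Policies Retrieved"}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def building_block(entry: dict):
    """Map one audit entry to the building block it satisfies, or None."""
    method = entry["protoPayload"].get("methodName", "")
    if method.endswith("SetIamPolicy"):
        return "IAM Policy Modified"
    if method.endswith("TestIamPermissions"):
        return "Access Control Check Performed"
    if method.endswith("GetIamPolicy"):
        return "IAM Policies Retrieved"
    if method.startswith("google.logging.") and ("Update" in method or "Delete" in method):
        return "Log Entry Modified"  # hypothetical mapping, see lead-in
    return None


def grants_in(entry: dict):
    """Yield (member, role) for every binding a SetIamPolicy entry ADDs."""
    deltas = (entry["protoPayload"].get("serviceData", {})
              .get("policyDelta", {}).get("bindingDeltas", []))
    for delta in deltas:
        if delta.get("action") == "ADD":
            yield delta["member"], delta["role"]


def flow_alerts(entries: list, window: timedelta = WINDOW) -> list:
    """One alert per critical action that follows a grant to the same principal
    within `window`. Binding members carry a type prefix ("user:",
    "serviceAccount:") that principalEmail lacks, so both forms are tried."""
    alerts = []
    pending = {}  # member -> (grant_time, role, granted_by)
    for e in sorted(entries, key=lambda x: _ts(x["timestamp"])):
        t = _ts(e["timestamp"])
        actor = e["protoPayload"]["authenticationInfo"]["principalEmail"]
        block = building_block(e)
        if block == "IAM Policy Modified":
            for member, role in grants_in(e):
                pending[member] = (t, role, actor)
        elif block in CRITICAL:
            grant = pending.get("user:" + actor) or pending.get("serviceAccount:" + actor)
            if grant and t - grant[0] <= window:
                alerts.append({"principal": actor, "trigger": block,
                               "role": grant[1], "granted_by": grant[2],
                               "seconds_after_grant": int((t - grant[0]).total_seconds())})
    return alerts


def _entry(ts: str, actor: str, method: str, **extra) -> dict:
    """Build a constructed audit entry (helper for the sample data)."""
    payload = {"methodName": method, "authenticationInfo": {"principalEmail": actor}}
    payload.update(extra)
    return {"timestamp": ts, "protoPayload": payload}


SAMPLE_ENTRIES = [  # constructed, deliberately out of order
    _entry("2024-05-01T10:03:00Z", "mallory@example.com", "TestIamPermissions"),
    _entry("2024-05-01T10:00:00Z", "bob@example.com", "SetIamPolicy",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/editor", "member": "user:mallory@example.com"}]}}),
    _entry("2024-05-01T10:04:00Z", "bob@example.com", "GetIamPolicy"),  # granter, not grantee
    _entry("2024-05-01T10:10:00Z", "mallory@example.com",
           "google.logging.v2.ConfigServiceV2.UpdateSink"),  # hypothetical "log modified"
    _entry("2024-05-01T12:00:00Z", "mallory@example.com", "GetIamPolicy"),  # outside window
]

if __name__ == "__main__":
    for alert in flow_alerts(SAMPLE_ENTRIES):
        print(alert)
```

On the sample input, two alerts fire for mallory (the access check 3 minutes after the grant and the logging change 10 minutes after it); bob's GetIamPolicy does not fire because he granted rather than received the binding, and mallory's GetIamPolicy two hours later falls outside the window.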

Integration

Learn more about Coralogix's out-of-the-box integration with GCP IAM in our documentation.
