Rules: GCP Audit IAM CreateServiceAccount Observed
This signal fires for all observances of the CreateServiceAccount action in the IAM event source. Hostile actors will create service accounts to persist access. Use this signal in context of other activity to determine intent.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Persistence |
| Apply Risk to Entities | user_username, srcDevice_ip |
| Signal Name | GCP Audit IAM CreateServiceAccount Observed |
| Summary Expression | User: {{user_username}} performed action: {{action}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0003, _mitreAttackTechnique:T1136, _mitreAttackTechnique:T1136.003 |
| Origin | Field |
|---|---|
| Normalized Schema | action |
| Normalized Schema | description |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |