forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
initial_access_gcp_iam_custom_role_creation.toml
71 lines (61 loc) · 2.15 KB
/
initial_access_gcp_iam_custom_role_creation.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are
user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will
not be updated automatically and could lead to privilege creep if not carefully scrutinized.
"""
false_positives = [
"""
Custom role creations may be done by a system or network administrator. Verify whether the user email, resource
name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP IAM Custom Role Creation"
note = """## Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
risk_score = 47
rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: GCP",
"Data Source: Google Cloud Platform",
"Use Case: Identity and Access Audit",
"Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"