IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« GCP Virtual Private Cloud Route Creation GCP IAM Service Account Key Deletion »

› ›

GCP IAM Custom Role Creation

edit

GCP IAM Custom Role Creation

edit

Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.

Rule type: query

Rule indices:

filebeat-*
logs-gcp*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://cloud.google.com/iam/docs/understanding-custom-roles

Tags:

Elastic
Cloud
GCP
Continuous Monitoring
SecOps
Identity and Access

Version: 6

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Config

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

« GCP Virtual Private Cloud Route Creation GCP IAM Service Account Key Deletion »