IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« GCP Firewall Rule Modification GCP IAM Role Deletion »

› › ›

GCP IAM Custom Role Creation

edit

GCP IAM Custom Role Creation

edit

Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.

Rule type: query

Rule indices:

filebeat-*
logs-gcp*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://cloud.google.com/iam/docs/understanding-custom-roles

Tags:

Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Initial Access

Version: 104

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

« GCP Firewall Rule Modification GCP IAM Role Deletion »