Hello,
Can I create a rule that will alert me every time a new user is created in GCP? How?
Thank you.
Hi @Roni11,
Here is a YARA-L rule that utilizes Google Cloud Audit Logs and should alert you when a new user is created in the IAM section of the Google Cloud Console.
This rule should provide you with a starting point. I encourage you to test and customize this rule to fit your needs.
rule google_cloud_user_creation {

  meta:
    author = "Google Cloud Security"
    description = "Detects when a new user account is created in the Google Cloud Console."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Create Account: Cloud Account"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1136/003/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "Low"
    priority = "Low"

  events:
    $gcp.metadata.log_type = "GCP_CLOUDAUDIT"
    $gcp.metadata.event_type = "USER_CREATION"
    $gcp.security_result.action = "ALLOW"

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Create Account: Cloud Account"
    $mitre_attack_technique_id = "T1136.003"

  condition:
    $gcp
}
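For testing the rule as suggested above, the following is an added Python example (not part of the original answer and not Google's code) that models the three `events` predicates offline and reports which one rejects an event. It assumes any-element matching on the repeated `security_result` field; the helper names, the `EXAMPLE_OTHER_SOURCE` log type and all sample events are constructed.

```python
# Simplified offline model of the rule's events section (added example).
# Keys mirror the UDM paths used in the rule; this is not the SIEM's engine.
RULE_PREDICATES = [
    ("metadata.log_type", "GCP_CLOUDAUDIT"),
    ("metadata.event_type", "USER_CREATION"),
    ("security_result.action", "ALLOW"),
]

def resolve(event, path):
    """Collect every value at a dotted path, fanning out over lists
    (assumption: repeated fields such as security_result are lists)."""
    nodes = [event]
    for key in path.split("."):
        found = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    found.append(item[key])
        nodes = found
    values = []
    for node in nodes:
        values.extend(node if isinstance(node, list) else [node])
    return values

def failed_predicates(event):
    """Return the field paths whose predicate the event does not satisfy."""
    return [p for p, want in RULE_PREDICATES if want not in resolve(event, p)]

def rule_matches(event):
    return not failed_predicates(event)

def _event(log_type, actions):
    # Constructed sample event; one security_result entry per action.
    return {"metadata": {"log_type": log_type, "event_type": "USER_CREATION"},
            "security_result": [{"action": [a]} for a in actions]}

SAMPLE_EVENTS = {
    "created": _event("GCP_CLOUDAUDIT", ["ALLOW"]),
    "denied": _event("GCP_CLOUDAUDIT", ["BLOCK"]),
    "mixed_results": _event("GCP_CLOUDAUDIT", ["BLOCK", "ALLOW"]),
    "no_result": _event("GCP_CLOUDAUDIT", []),
    "other_source": _event("EXAMPLE_OTHER_SOURCE", ["ALLOW"]),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, "ALERT" if rule_matches(ev) else f"no alert {failed_predicates(ev)}")
```

Denied creation attempts and events with no `security_result` produce no alert under this rule, so a separate rule is needed if failed attempts should also be visible.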