Google Cloud Service Account Impersonation activity using access token generation

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect Google Cloud service account impersonation activity through the use of access tokens.

Strategy

Monitor Google Cloud Admin Activity audit logs for event @evt.name:GenerateAccessToken:

  • Successful Attempts: @data.protoPayload.authorizationInfo.granted:true
  • Failed Attempts: @evt.outcome:PERMISSION_DENIED

Triage & Response

  1. Investigate if the user {{@usr.id}} from IP address:{{@network.client.ip}} intended to perform this activity.
  2. If unauthorized:
    • Revoke access of compromised user and service account.
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
    • Investigate other activities performed by the IP {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard.
PREVIEWING: rtrieu/product-analytics-ui-changes