Google App Engine service account used outside of Google Cloud
Goal
Detect when a Google App Engine default service account is used outside of Google Cloud.
Strategy
This rule monitors Google Cloud Audit Logs to determine when a Google App Engine default service account is used from outside a Google Cloud environment. The usage of a Google Cloud default service account, such as the App Engine service account, from outside the Google Cloud environment, could serve as an indicator that the credentials of the service account have been compromised.
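As an added example (not Datadog's rule or code), the check described above run over a few constructed audit-log entries in Python: the App Engine default service account is recognised by its PROJECT_ID@appspot.gserviceaccount.com name, and the caller IP is tested against a placeholder range that stands in for Google's published Cloud IP prefixes. The field paths (protoPayload.authenticationInfo.principalEmail, protoPayload.requestMetadata.callerIp, protoPayload.methodName) are the standard Google Cloud audit-log ones; the sample entries and the range list are constructed.

```python
import ipaddress
import json
import re
from typing import Optional

# App Engine default service account naming: PROJECT_ID@appspot.gserviceaccount.com
APP_ENGINE_SA = re.compile(r"^[a-z][a-z0-9-]*@appspot\.gserviceaccount\.com$")
# PLACEHOLDER range: in practice load Google's published Cloud IP prefixes instead.
GOOGLE_CLOUD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def is_inside_google_cloud(caller_ip: str) -> bool:
    """Calls that never left Google's network carry a sentinel such as "private"
    instead of an address, so anything that is not an IP is treated as internal."""
    try:
        addr = ipaddress.ip_address(caller_ip)
    except ValueError:
        return True
    return any(addr in net for net in GOOGLE_CLOUD_RANGES)

def evaluate(entry: dict) -> Optional[dict]:
    """Return a finding named like the rule's attributes, or None if benign."""
    payload = entry.get("protoPayload", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    caller_ip = payload.get("requestMetadata", {}).get("callerIp", "")
    if not APP_ENGINE_SA.match(principal) or is_inside_google_cloud(caller_ip):
        return None
    return {"evt.name": payload.get("methodName", ""),
            "usr.id": principal, "network.client.ip": caller_ip}

def scan(log_lines) -> list:
    """Run the check over newline-delimited JSON audit-log entries."""
    return [f for f in (evaluate(json.loads(line)) for line in log_lines) if f]

def _entry(principal: str, caller_ip: str, method: str) -> str:
    return json.dumps({"protoPayload": {"methodName": method,
                       "authenticationInfo": {"principalEmail": principal},
                       "requestMetadata": {"callerIp": caller_ip}}})

# Constructed sample log: TEST-NET addresses, with 198.51.100.0/24 playing Google Cloud.
SAMPLE_LOG = [
    _entry("my-project@appspot.gserviceaccount.com", "203.0.113.7", "storage.objects.list"),
    _entry("my-project@appspot.gserviceaccount.com", "198.51.100.20", "storage.objects.get"),
    _entry("my-project@appspot.gserviceaccount.com", "private", "storage.objects.get"),
    _entry("alice@example.com", "203.0.113.7", "storage.objects.list"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):  # only the first sample entry should fire
        print(finding)
```

Only the first sample entry fires: the second and third come from inside Google Cloud (a placeholder range and the "private" sentinel), and the fourth is not the App Engine default service account.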
Triage and response
- Determine if the actions {{@evt.name}} taken by the App Engine default service account {{@usr.id}} are legitimate by looking at past activity and the type of API calls occurring.
- If the action is legitimate, consider including the IP address or ASN in a suppression list. See this article on Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- Otherwise, use the Cloud SIEM - IP Investigation dashboard to see if the IP address {{@network.client.ip}} has taken other actions.
- If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.