Detection rules › Panther
GCP Inbound SSO Profile Created
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098.003 Account Manipulation: Additional Cloud Roles, T1136.003 Create Account: Cloud Account |
| Privilege Escalation | T1098.003 Account Manipulation: Additional Cloud Roles |
Rule body yaml
AnalysisType: rule
Filename: gcp_inbound_sso_profile_created_or_updated.py
RuleID: "GCP.Inbound.SSO.Profile.Created"
DisplayName: "GCP Inbound SSO Profile Created"
Enabled: true
LogTypes:
- GCP.AuditLog
Tags:
- Account Manipulation
- Additional Cloud Roles
- GCP
- Privilege Escalation
Reports:
MITRE ATT&CK:
- TA0003:T1136.003
- TA0003:T1098.003
- TA0004:T1098.003
Severity: High
DedupPeriodMinutes: 60
Threshold: 1
Runbook: >
Ensure that the SSO profile creation or modification was expected. Adversaries may use this to persist or allow additional access or escalate their privilege.
Reference: https://medium.com/google-cloud/detection-of-inbound-sso-persistence-techniques-in-gcp-c56f7b2a588b
Tests:
- Name: InboundSsoProfileDeleted-False
ExpectedResult: false
Log:
insertId: chtsf1e7iek8
logName: organizations/325169835352/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
"@type": type.googleapis.com/google.cloud.audit.AuditLog
authenticationInfo:
principalEmail: user@example.com
metadata:
"@type": type.googleapis.com/ccc_hosted_reporting.ActivityProto
activityId:
timeUsec: "1700250882598435"
uniqQualifier: "6879748717081533837"
event:
- eventId: dd0c44e2
eventName: INBOUND_SSO_PROFILE_DELETED
eventType: INBOUND_SSO_SETTINGS
parameter:
- label: LABEL_OPTIONAL
name: INBOUND_SSO_PROFILE_NAME
type: TYPE_STRING
value: inboundSamlSsoProfiles/01lmf7wd3jt9atc
methodName: google.admin.AdminService.inboundSsoProfileDeleted
requestMetadata:
destinationAttributes: {}
requestAttributes: {}
resourceName: organizations/123456789012/inboundSsoSettings
serviceName: admin.googleapis.com
receiveTimestamp: "2023-11-17T19:54:43.367407397Z"
resource:
labels:
method: google.admin.AdminService.inboundSsoProfileDeleted
service: admin.googleapis.com
type: audited_resource
severity: NOTICE
timestamp: "2023-11-17T19:54:42.598435Z"
- Name: InboundSsoProfileUpdated-True
ExpectedResult: true
Log:
insertId: crpr6bdcjfg
logName: organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
"@type": type.googleapis.com/google.cloud.audit.AuditLog
authenticationInfo:
principalEmail: user@@example.com
metadata:
"@type": type.googleapis.com/ccc_hosted_reporting.ActivityProto
activityId:
timeUsec: "1700250956956215"
uniqQualifier: "2009471038637356014"
event:
- eventId: bdbc47ad
eventName: INBOUND_SSO_PROFILE_UPDATED
eventType: INBOUND_SSO_SETTINGS
parameter:
- label: LABEL_OPTIONAL
name: INBOUND_SSO_PROFILE_CHANGES
type: TYPE_STRING
value: "Display Name : { oldValue: Test Profile, newValue: Test Profile Update}"
- label: LABEL_OPTIONAL
name: INBOUND_SSO_PROFILE_NAME
type: TYPE_STRING
value: inboundSamlSsoProfiles/03vsz0843d02br4
methodName: google.admin.AdminService.inboundSsoProfileUpdated
requestMetadata:
destinationAttributes: {}
requestAttributes: {}
resourceName: organizations/123456789012/inboundSsoSettings
serviceName: admin.googleapis.com
receiveTimestamp: "2023-11-17T19:55:57.417198068Z"
resource:
labels:
method: google.admin.AdminService.inboundSsoProfileUpdated
service: admin.googleapis.com
type: audited_resource
severity: NOTICE
timestamp: "2023-11-17T19:55:56.956215Z"
- Name: InboundSsoProfileCreated-True
ExpectedResult: true
Log:
insertId: -rqtp5gefopij
logName: organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
"@type": type.googleapis.com/google.cloud.audit.AuditLog
authenticationInfo:
principalEmail: user@example.com
metadata:
"@type": type.googleapis.com/ccc_hosted_reporting.ActivityProto
activityId:
timeUsec: "1700250924521362"
uniqQualifier: "6051731645161637785"
event:
- eventId: 637d2b33
eventName: INBOUND_SSO_PROFILE_CREATED
eventType: INBOUND_SSO_SETTINGS
parameter:
- label: LABEL_OPTIONAL
name: INBOUND_SSO_PROFILE_NAME
type: TYPE_STRING
value: inboundSamlSsoProfiles/03vsz0843d02br4
methodName: google.admin.AdminService.inboundSsoProfileCreated
requestMetadata:
destinationAttributes: {}
requestAttributes: {}
resourceName: organizations/123456789012/inboundSsoSettings
serviceName: admin.googleapis.com
receiveTimestamp: "2023-11-17T19:55:25.012649522Z"
resource:
labels:
method: google.admin.AdminService.inboundSsoProfileCreated
service: admin.googleapis.com
type: audited_resource
severity: NOTICE
timestamp: "2023-11-17T19:55:24.521362Z"
Detection logic
Condition
protoPayload.methodName in ["google.admin.AdminService.inboundSsoProfileCreated", "google.admin.AdminService.inboundSsoProfileUpdated"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
protoPayload.methodName | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
resourceName | protoPayload.resourceName |
serviceName | protoPayload.serviceName |
principalEmail | protoPayload.authenticationInfo.principalEmail |
eventName | protoPayload.metadata.event.eventName |