
GCP Privileged Operation

Severity
informational
Log types
GCP.AuditLog
Tags
attack.privilege_escalation, attack.t1548, gcp, iam, tagbinding
Source
github.com/panther-labs/panther-analysis

Detects privileged operations in GCP that could be part of a privilege escalation attempt, especially when following tag binding creation.

Rule body (YAML)

AnalysisType: rule
RuleID: GCP.Privileged.Operation
Description: >
  Detects privileged operations in GCP that could be part of a privilege
  escalation attempt, especially when following tag binding creation.
DisplayName: GCP Privileged Operation
Enabled: true
Filename: gcp_privileged_operation.py
LogTypes:
  - GCP.AuditLog
CreateAlert: false
Runbook: |
  Check if the user has legitimate business need for this privileged operation.
  If unauthorized, revoke any recently created tag bindings and review IAM policies.
Severity: Info
Tags:
  - attack.privilege_escalation
  - attack.t1548
  - gcp
  - iam
  - tagbinding
Tests:
  - Name: Privileged Operation
    ExpectedResult: true
    Log:
      {
        "protoPayload": {
          "methodName": "compute.instances.setIamPolicy",
          "authenticationInfo": {
            "principalEmail": "test@example.com"
          },
          "resourceName": "projects/test-project"
        },
        "resource": {
          "labels": {
            "project_id": "test-project"
          }
        },
        "timestamp": "2024-01-01T00:00:00Z"
      }

  - Name: Normal Operation
    ExpectedResult: false
    Log:
      {
        "protoPayload": {
          "methodName": "compute.instances.list",
          "authenticationInfo": {
            "principalEmail": "test@example.com"
          },
          "resourceName": "projects/test-project"
        },
        "resource": {
          "labels": {
            "project_id": "test-project"
          }
        },
        "timestamp": "2024-01-01T00:00:00Z"
      }

Detection logic

Condition

protoPayload.methodName ends_with "setIamPolicy" or protoPayload.methodName ends_with "setIamPermissions" or protoPayload.methodName in ["iam.serviceAccounts.getAccessToken", "orgpolicy.policy.set", "storage.hmacKeys.create", "serviceusage.apiKeys.create", "serviceusage.apiKeys.list"]

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                    Kind        Values
protoPayload.methodName  ends_with   • setIamPermissions
                                     • setIamPolicy
protoPayload.methodName  in          • iam.serviceAccounts.getAccessToken
                                     • orgpolicy.policy.set
                                     • serviceusage.apiKeys.create
                                     • serviceusage.apiKeys.list
                                     • storage.hmacKeys.create

Output fields

Fields the rule emits when it matches. For a Panther Python rule such as this one, these are the keys of the dictionary returned by its alert_context() function. Chronicle authors list them in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field         Source
project       resource.labels.project_id
principal     protoPayload.authenticationInfo.principalEmail
caller_ip     protoPayload.requestMetadata.callerIP
methodName    protoPayload.methodName
resourceName  protoPayload.resourceName
serviceName   protoPayload.serviceName
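The Condition above and the Output fields table, expressed together as a Panther-style rule() / alert_context() pair and run over constructed GCP.AuditLog events. This is an added example, not the gcp_privileged_operation.py shipped in panther-analysis; the inline deep_get helper, the evaluate() batch function and the sample events are assumptions made so the file runs without the Panther runtime.

```python
# Added example (not the panther-analysis rule body): the catalog's Condition and
# Output fields as a Panther-style rule()/alert_context() pair, run over
# constructed GCP.AuditLog events. The inline deep_get stands in for Panther's
# own helper so the file runs stand-alone.
from typing import Any

# Suffix and exact-match method names, copied from the page's Condition.
PRIVILEGED_SUFFIXES = ("setIamPolicy", "setIamPermissions")
PRIVILEGED_METHODS = frozenset({
    "iam.serviceAccounts.getAccessToken",
    "orgpolicy.policy.set",
    "storage.hmacKeys.create",
    "serviceusage.apiKeys.create",
    "serviceusage.apiKeys.list",
})

# Output field -> source path, as listed under "Output fields".
OUTPUT_FIELDS = {
    "project": ("resource", "labels", "project_id"),
    "principal": ("protoPayload", "authenticationInfo", "principalEmail"),
    "caller_ip": ("protoPayload", "requestMetadata", "callerIP"),
    "methodName": ("protoPayload", "methodName"),
    "resourceName": ("protoPayload", "resourceName"),
    "serviceName": ("protoPayload", "serviceName"),
}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Nested lookup returning `default` when a key is missing or a level is not a dict."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event: dict) -> bool:
    """True when protoPayload.methodName is a privileged operation per the page's Condition."""
    method = deep_get(event, "protoPayload", "methodName", default="")
    if not isinstance(method, str):
        return False  # malformed event: never raise inside a detection
    return method.endswith(PRIVILEGED_SUFFIXES) or method in PRIVILEGED_METHODS


def alert_context(event: dict) -> dict:
    """Build the output fields; missing source paths come through as None rather than raising."""
    return {name: deep_get(event, *path) for name, path in OUTPUT_FIELDS.items()}


def evaluate(events: list) -> list:
    """Run the rule over a batch and return the alert context of every match, in order."""
    return [alert_context(e) for e in events if rule(e)]


def _event(method: str, service: str = "compute.googleapis.com") -> dict:
    """Constructed GCP.AuditLog event shaped like the page's test logs (sample data, not real)."""
    return {
        "protoPayload": {
            "methodName": method,
            "serviceName": service,
            "authenticationInfo": {"principalEmail": "test@example.com"},
            "requestMetadata": {"callerIP": "198.51.100.10"},
            "resourceName": "projects/test-project",
        },
        "resource": {"labels": {"project_id": "test-project"}},
        "timestamp": "2024-01-01T00:00:00Z",
    }


# Constructed sample batch: the page's two test cases plus edge cases.
SAMPLE_EVENTS = [
    _event("compute.instances.setIamPolicy"),                       # page test: True
    _event("compute.instances.list"),                               # page test: False
    _event("iam.serviceAccounts.getAccessToken", "iam.googleapis.com"),  # exact match: True
    _event("storage.hmacKeys.list", "storage.googleapis.com"),      # not listed, wrong suffix: False
    {"timestamp": "2024-01-01T00:00:00Z"},                          # no protoPayload: False
]

if __name__ == "__main__":
    for ctx in evaluate(SAMPLE_EVENTS):
        print(ctx["principal"], "->", ctx["methodName"], "in", ctx["project"])
```

Two points worth checking when adapting this: the suffix match follows the Condition literally, so it is case-sensitive, and the method-name casing your log source emits should be confirmed against it; and because the rule body sets CreateAlert: false, a match is recorded as a signal for correlation (for instance with a preceding tag binding creation, as the description says) rather than raising an alert on its own, so the fields returned by alert_context() are what that downstream correlation has to work with.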