1.01 - Login from a highly-privileged account

A login occurred from a highly privileged account (e.g. Super Admin, Org Admin) to Google Cloud, whether from the Cloud Console, the Admin Console or the gcloud CLI.

Category: Login & Access Patterns
Use Cases: Detect
Data Sources: Workspace Login Audit (Cloud Identity Logs)

Queries or Rules

  - BigQuery (SQL)
  - Chronicle (YARA-L)
  - Log Analytics (SQL)

Event Generation

Log in as an admin user via the gcloud CLI. Note that the lag time of Workspace Login Audit logs can be up to a few hours.

Test Prerequisites

  1. Install gcloud
  2. Enable Workspace Audit Logs forwarding to Cloud Audit Logs

Test Input

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| account | User account of the test admin to be used for authentication | String | test-admin |

Test Commands

gcloud auth login #{account} --no-browser --force

Sample Event

google.login.LoginService.loginSuccess

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-admin@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.loginSuccess",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "68159791739",
        "timeUsec": "1644956823029221"
      },
      "event": [
        {
          "eventType": "login",
          "eventName": "login_success",
          "parameter": [
            {
              "type": "TYPE_STRING",
              "value": "google_password",
              "name": "login_type",
              "label": "LABEL_OPTIONAL"
            },
            {
              "type": "TYPE_STRING",
              "multiStrValue": [
                "password"
              ],
              "name": "login_challenge_method",
              "label": "LABEL_REPEATED"
            },
            {
              "label": "LABEL_OPTIONAL",
              "boolValue": false,
              "type": "TYPE_BOOL",
              "name": "is_suspicious"
            },
            {
              "label": "LABEL_OPTIONAL",
              "name": "dusi",
              "type": "TYPE_STRING",
              "value": "IPz6z56q5KOAWg"
            }
          ]
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "81t06te4dnk4",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.loginSuccess"
    }
  },
  "timestamp": "2022-02-15T20:27:03.029221Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2022-02-15T21:46:30.296228580Z"
}
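To show how the rule above can be evaluated against the forwarded Workspace Login Audit entries, here is an added Python example; it is not one of the repository's own BigQuery, Chronicle or Log Analytics queries. It assumes a list of highly-privileged principals (the audit entry itself only carries the principal's email, not its role), a loginFailure method name for the constructed negative case, and a small constructed NDJSON log built from the sample event shown above. It also reports the gap between the event's `timestamp` and `receiveTimestamp`, which is the ingestion lag the Event Generation note warns about.

```python
"""Rule 1.01 in code: flag a successful Workspace login by a highly-privileged
principal. Added example; the privileged-account list and sample log are assumptions."""
import json
from datetime import datetime, timezone

# Assumption: the set of highly-privileged principals (Super Admin, Org Admin).
# A real deployment would populate this from the Admin SDK or a role export.
PRIVILEGED_PRINCIPALS = {"test-admin@example.com"}

LOGIN_SERVICE = "login.googleapis.com"
LOGIN_SUCCESS = "google.login.LoginService.loginSuccess"


def make_entry(principal, method, event_time, receive_time, caller_ip,
               login_type="google_password", challenge=("password",)):
    """Construct a Cloud Audit Log entry shaped like the sample event above."""
    return {
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip},
            "serviceName": LOGIN_SERVICE,
            "methodName": method,
            "resourceName": "organizations/123",
            "metadata": {"event": [{
                "eventType": "login",
                "eventName": method.rsplit(".", 1)[-1],
                "parameter": [
                    {"name": "login_type", "type": "TYPE_STRING", "value": login_type},
                    {"name": "login_challenge_method", "type": "TYPE_STRING",
                     "multiStrValue": list(challenge)},
                    {"name": "is_suspicious", "type": "TYPE_BOOL", "boolValue": False},
                ],
            }]},
        },
        "timestamp": event_time,
        "receiveTimestamp": receive_time,
    }


# Constructed sample log: the admin login from the page, a non-privileged user
# login, and a failed admin login (method name assumed). Only the first should alert.
SAMPLE_ENTRIES = [
    make_entry("test-admin@example.com", LOGIN_SUCCESS,
               "2022-02-15T20:27:03.029221Z", "2022-02-15T21:46:30.296228580Z", "203.0.113.255"),
    make_entry("alice@example.com", LOGIN_SUCCESS,
               "2022-02-15T20:30:00.000000Z", "2022-02-15T20:31:00.000000Z", "198.51.100.7"),
    make_entry("test-admin@example.com", "google.login.LoginService.loginFailure",
               "2022-02-15T20:20:00.000000Z", "2022-02-15T20:21:00.000000Z", "203.0.113.255"),
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_ENTRIES]


def parse_rfc3339(value):
    """Parse an RFC 3339 UTC timestamp with up to nine fractional digits."""
    main, _, frac = value.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def event_parameters(entry):
    """Flatten metadata.event[].parameter[] into a {name: value} dict."""
    out = {}
    for ev in entry.get("protoPayload", {}).get("metadata", {}).get("event", []):
        for p in ev.get("parameter", []):
            if "multiStrValue" in p:
                out[p["name"]] = p["multiStrValue"]
            elif "boolValue" in p:
                out[p["name"]] = p["boolValue"]
            else:
                out[p["name"]] = p.get("value")
    return out


def evaluate(entry, privileged=PRIVILEGED_PRINCIPALS):
    """Return an alert dict for a successful login by a privileged principal, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != LOGIN_SERVICE or payload.get("methodName") != LOGIN_SUCCESS:
        return None
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    if principal.lower() not in privileged:
        return None
    params = event_parameters(entry)
    event_time = parse_rfc3339(entry["timestamp"])
    received = parse_rfc3339(entry["receiveTimestamp"])
    return {
        "rule": "1.01",
        "principal": principal,
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "login_type": params.get("login_type"),
        "challenge_methods": params.get("login_challenge_method", []),
        "is_suspicious": params.get("is_suspicious", False),
        "event_time": event_time.isoformat(),
        # Workspace login logs can arrive hours late; keep the lag for tuning windows.
        "ingest_lag_seconds": (received - event_time).total_seconds(),
    }


def scan(log_lines, privileged=PRIVILEGED_PRINCIPALS):
    """Run the rule over newline-delimited JSON entries and return the alerts."""
    return [hit for line in log_lines if line.strip()
            for hit in [evaluate(json.loads(line), privileged)] if hit]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG_LINES):
        print(json.dumps(alert, indent=2))
```

The match keys on `serviceName`, `methodName` and `principalEmail`, the same fields the sample event exposes; the login parameters (`login_type`, `login_challenge_method`, `is_suspicious`) are carried into the alert so a triager can see at a glance whether a password-only login or a flagged-suspicious login was involved. Time-windowed versions of this rule should key on `timestamp` (the event time) rather than `receiveTimestamp`, because the sample event itself arrived about 80 minutes after the login.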