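# Panther rule spec. The detection logic lives in the module named by
# Filename; this file carries the rule metadata, alert tuning and the
# unit-test fixtures that the rule's tests run against.
AnalysisType: rule
Description: A user has been granted access to an IAP protected service.
DisplayName: "GCP User Added to IAP Protected Service"
Enabled: true
Filename: gcp_user_added_to_iap_protected_service.py
# GCP emits the full binding list on every SetIamPolicy call, so an alert
# does not by itself prove a principal was added; the bindings in the alert
# have to be compared with the expected access list for the service.
Runbook: "Note: GCP logs all bindings every time this event occurs, not just changes. Bindings should be reviewed to ensure no unintended users have been added."
Reference: https://cloud.google.com/iap/docs/managing-access
Severity: Low
Tests:
  # Negative fixture: a BigQuery job event that must not alert.
  # NOTE(review): this fixture spells insertid / logname / receivetimestamp
  # in lowercase while the IAP fixtures below use camelCase — confirm which
  # form the GCP.AuditLog schema expects so the test exercises the real shape.
  - ExpectedResult: false
    Log:
      insertid: abcdefghijklmn
      logname: projects/gcp-project1/logs/cloudaudit.googleapis.com%2Factivity
      operation:
        id: 1234567890123-gcp-project1:abcdefghijklmnopqrstuvwz
        last: true
        producer: bigquery.googleapis.com
      p_any_emails:
        - user@company.io
      p_any_ip_addresses:
        - 1.2.3.4
      p_event_time: "2023-03-28 18:37:06.079"
      p_log_type: GCP.AuditLog
      p_parse_time: "2023-03-28 18:38:14.478"
      p_row_id: 06bf03d9d5dfbadba981899e1787bf05
      p_schema_version: 0
      p_source_id: 964c7894-9a0d-4ddf-864f-0193438221d6
      p_source_label: gcp-logsource
      protoPayload:
        at_sign_type: type.googleapis.com/google.cloud.audit.AuditLog
        authenticationInfo:
          principalEmail: user@company.io
        authorizationInfo:
          - granted: true
            permission: bigquery.tables.delete
            resource: projects/gcp-project1/datasets/test1/tables/newtable
        metadata:
          "@type": type.googleapis.com/google.cloud.audit.BigQueryAuditMetadata
        methodName: google.cloud.bigquery.v2.JobService.InsertJob
        requestMetadata:
          callerIP: 1.2.3.4
          callerSuppliedUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)
        resourceName: projects/gcp-project1/datasets/test1/tables/newtable
        serviceName: bigquery.googleapis.com
        status: {}
        # NOTE(review): in the GCP audit-log schema tableDeletion sits under
        # metadata; it is kept here in the order the fixture was written —
        # confirm against a captured event.
        tableDeletion:
          jobName: projects/gcp-project1/jobs/bquxjob_5e4a0679_18729a639d7
          reason: QUERY
      resource:
        labels:
          dataset_id: test1
          project_id: gcp-project1
        type: bigquery_dataset
      severity: NOTICE
      timestamp: "2023-03-28 18:37:06.079"
    Name: other
  # Positive fixture: an IAP SetIamPolicy call whose request policy carries
  # only an etag and no bindings. Expected true, so the rule (not shown here)
  # evidently alerts on every IAP policy write, not only on binding additions.
  # NOTE(review): confirm that is the intended scope; the Runbook wording
  # suggests it is.
  - ExpectedResult: true
    Log:
      insertId: 46ee5sd38mw
      logName: projects/gcp-project1/logs/cloudaudit.googleapis.com%2Factivity
      p_any_emails:
        - staging@company.io
      p_any_ip_addresses:
        - 1.2.3.4
      p_event_time: "2023-04-25 19:20:57.024"
      p_log_type: GCP.AuditLog
      p_parse_time: "2023-04-25 19:22:14.743"
      p_row_id: b2e9b7f5dc85a69981fac2e417b6bb03
      p_schema_version: 0
      p_source_id: 5b77391b-afad-46c7-8ddc-b8e21d4726b3
      p_source_label: gcplogsource2
      protoPayload:
        at_sign_type: type.googleapis.com/google.cloud.audit.AuditLog
        authenticationInfo:
          principalEmail: staging@company.io
        authorizationInfo:
          - granted: true
            permission: iap.webServices.setIamPolicy
            resourceAttributes:
              name: projects/123456789012/iap_web/compute/services/7312383563505470445
              service: iap.googleapis.com
              type: iap.googleapis.com/WebService
        methodName: google.cloud.iap.v1.IdentityAwareProxyAdminService.SetIamPolicy
        request:
          "@type": type.googleapis.com/google.iam.v1.SetIamPolicyRequest
          policy:
            etag: BwX6LgT4YMw=
          resource: projects/123456789012/iap_web/compute/services/7312383563505470445
        requestMetadata:
          callerIP: 1.2.3.4
          callerSuppliedUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)
          destinationAttributes: {}
          requestAttributes:
            auth: {}
            time: "2023-04-25T19:20:57.295723118Z"
        resourceName: projects/123456789012/iap_web/compute/services/7312383563505470445
        response:
          "@type": type.googleapis.com/google.iam.v1.Policy
          etag: BwX6LgXbpsw=
        serviceName: iap.googleapis.com
      receiveTimestamp: "2023-04-25 19:20:58.16"
      resource:
        labels:
          backend_service_id: ""
          location: ""
          project_id: gcp-project1
        type: gce_backend_service
      severity: NOTICE
      timestamp: "2023-04-25 19:20:57.024"
    Name: Other IAP Event
  # Positive fixture: an IAP SetIamPolicy call that binds a service account
  # to roles/viewer on the protected web service; both the request policy and
  # the returned policy carry the new binding.
  - ExpectedResult: true
    Log:
      insertId: yyultvcrhy
      # NOTE(review): "gcp-projet1" differs from the "gcp-project1" used by
      # every other fixture — looks like a typo in the sample, harmless unless
      # the rule reads logName.
      logName: projects/gcp-projet1/logs/cloudaudit.googleapis.com%2Factivity
      p_any_emails:
        - staging@company.io
      p_any_ip_addresses:
        - 1.2.3.4
      p_event_time: "2023-04-25 19:20:42.138"
      p_log_type: GCP.AuditLog
      p_parse_time: "2023-04-25 19:22:14.743"
      p_row_id: b2e9b7f5dc85a69981fac2e417b7bb03
      p_schema_version: 0
      p_source_id: 5b77391b-afad-46c7-8ddc-b8e21d4726b3
      p_source_label: gcplogsource2
      protoPayload:
        at_sign_type: type.googleapis.com/google.cloud.audit.AuditLog
        authenticationInfo:
          principalEmail: staging@company.io
        authorizationInfo:
          - granted: true
            permission: iap.webServices.setIamPolicy
            resourceAttributes:
              name: projects/123456789012/iap_web/compute/services/7312383563505470445
              service: iap.googleapis.com
              type: iap.googleapis.com/WebService
        methodName: google.cloud.iap.v1.IdentityAwareProxyAdminService.SetIamPolicy
        request:
          "@type": type.googleapis.com/google.iam.v1.SetIamPolicyRequest
          policy:
            bindings:
              - members:
                  - serviceAccount:test-account3@gcp-project1.iam.gserviceaccount.com
                role: roles/viewer
            etag: ACAB
          resource: projects/123456789012/iap_web/compute/services/7312383563505470445
        requestMetadata:
          callerIP: 1.2.3.4
          callerSuppliedUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)
          destinationAttributes: {}
          requestAttributes:
            auth: {}
            time: "2023-04-25T19:20:42.399215146Z"
        resourceName: projects/123456789012/iap_web/compute/services/7312383563505470445
        response:
          "@type": type.googleapis.com/google.iam.v1.Policy
          bindings:
            - members:
                - serviceAccount:test-account3@gcp-project1.iam.gserviceaccount.com
              role: roles/viewer
          etag: BwX6LgT4YMw=
        serviceName: iap.googleapis.com
      receiveTimestamp: "2023-04-25 19:20:43.033"
      resource:
        labels:
          backend_service_id: ""
          location: ""
          project_id: gcp-project1
        type: gce_backend_service
      severity: NOTICE
      timestamp: "2023-04-25 19:20:42.138"
    Name: Add User to IAP
# Matching events that share a dedup key are grouped into one alert for an
# hour; a single matching event is enough to open an alert.
DedupPeriodMinutes: 60
LogTypes:
  - GCP.AuditLog
RuleID: "GCP.User.Added.to.IAP.Protected.Service"
Threshold: 1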