GCP add-iam-policy-binding
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
GCP Events
GCP Security Events
Section titled “GCP Security Events”Google Cloud Platform (GCP) specific security events, detections, and incident response procedures. These events are typically sourced from Cloud Audit Logs, Cloud Logging, Security Command Center, and other GCP native logging services.
Common GCP Attack Patterns
Section titled “Common GCP Attack Patterns”- Identity and Access Management: Unauthorized IAM policy changes or service account abuse
- Compute Engine Compromise: Unauthorized instance access or configuration changes
- Cloud Storage Exposure: Bucket misconfigurations or unauthorized data access
- Cloud Functions Abuse: Serverless function exploitation for persistence
- BigQuery Data Exfiltration: Unauthorized data queries or exports
GCP-Specific Log Sources
Section titled “GCP-Specific Log Sources”- Cloud Audit Logs: Administrative activity and data access logs
- Cloud Logging: Application and system logs aggregation
- Security Command Center: Security findings and asset inventory
- VPC Flow Logs: Network traffic analysis
- Cloud Monitoring: Infrastructure and application metrics
Events Related to GCP
Section titled “Events Related to GCP”GCP bigquery.jobs.insert
Creates and submits a BigQuery job (query, load, export, or copy) that accesses or transforms data in BigQuery datasets.
GCP cloudsql.instances.export
Exports data from a Cloud SQL instance to a Cloud Storage bucket.
GCP compute.disks.setIamPolicy
Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.
GCP compute.firewalls.delete
Deletes a firewall rule from a GCP VPC network.
GCP compute.firewalls.patch
Modifies an existing firewall rule in a GCP VPC network.
GCP compute.instances.addAccessConfig
Adds an external IP access configuration to an instance, exposing an internal resource to the internet.
GCP Compute.instances.setMetadata
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
GCP compute.instances.setServiceAccount
Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.
GCP compute.projects.setCommonInstanceMetadata
Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.
GCP CreateRole
Creates a custom IAM role in GCP with a specified set of granular permissions.
GCP EnableServiceAccount
Re-enables a previously disabled GCP service account, restoring its ability to authenticate and make API calls.
GCP generateAccessToken
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation. This is the admin activity audit log format; see also iam.serviceAccounts.getAccessToken for the data access format.
GCP google.cloud.securitycenter.v1.SecurityCenter.SetMute
Mutes Security Command Center findings, suppressing security alerts from visibility.
GCP google.iam.admin.v1.CreateServiceAccountKey
Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication. This is the admin activity audit log format; see also iam.serviceAccountKeys.create for the data access format.
GCP google.iam.admin.v1.DeleteServiceAccount
Deletes a service account, disrupting workloads and applications that depend on it for authentication.
GCP google.iam.admin.v1.DeleteServiceAccountKey
Deletes a service account key, potentially removing evidence of attacker-created credentials.
GCP google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
GCP google.iam.admin.v1.UploadServiceAccountKey
Uploads an external key to a service account, enabling persistent access that survives credential rotation.
GCP google.logging.v2.ConfigServiceV2.DeleteLog
Deletes log entries from Cloud Logging, destroying forensic evidence of attacker activity.
GCP google.logging.v2.ConfigServiceV2.UpdateExclusion
Modifies a logging exclusion filter to silently drop specific log entries, hiding ongoing attacker activity.
GCP google.ssh-serialport.v1.connect
Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.
GCP iam.roles.update
Updates an existing custom IAM role, modifying its set of permitted permissions.
GCP iam.serviceAccountKeys.create
Creates a new key for a GCP service account, generating credentials for external services to authenticate as the account. This is the data access audit log format; see also google.iam.admin.v1.CreateServiceAccountKey for the admin activity format.
GCP iam.serviceAccountKeys.implicitDelegation
Records a token exchange where a service account implicitly delegates its authority to another identity.
GCP iam.serviceAccounts.actAs
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
GCP iam.serviceAccounts.getAccessToken
Generates an OAuth2 access token for a service account via the IAM Credentials API, enabling service account impersonation. This is the data access audit log format; see also generateAccessToken for the admin activity format.
GCP iam.serviceAccounts.signJwt
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
GCP logging.projects.exclusions.create
Creates a log exclusion rule in Cloud Logging that prevents matching log entries from being ingested.
GCP logging.sinks.delete
Deletes a Cloud Logging sink that was routing log entries to a destination such as Cloud Storage or BigQuery.
GCP logging.sinks.update
Modifies a Cloud Logging sink's configuration, such as its destination or log filter criteria.
GCP secretmanager.secrets.delete
Permanently deletes a secret and all of its versions from GCP Secret Manager.
GCP SecretManagerService.AccessSecretVersion
Retrieves the plaintext value of a specific secret version from GCP Secret Manager.
GCP SecretManagerService.DestroySecretVersion
Permanently destroys a specific version of a secret in GCP Secret Manager, making its data irrecoverable.
GCP Securitycenter.settings.update
Updates the settings or configuration of Google Security Command Center for the organization or project.
GCP Securitycenter.sources.delete
Deletes a finding source from Google Security Command Center.
GCP storage.buckets.delete
Permanently deletes a GCP Cloud Storage bucket; the bucket must be empty before deletion.
GCP storage.hmacKeys.create
Creates HMAC keys for S3-compatible access to Cloud Storage, providing a persistent access mechanism often missed by defenders.
GCP storage.objects.delete
Deletes objects from Cloud Storage, used in data destruction or anti-forensics operations.
GCP storage.setIamPermissions
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.
GCP users.importSshPublicKey
Imports an SSH public key into a user's GCP OS Login profile, enabling SSH access to Compute Engine instances.
GCP users.sshPublicKeys.patch
Updates an existing SSH public key in a user's GCP OS Login profile.