GCP add-iam-policy-binding
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
Tag: GCP
GCP
All events with tag GCP.
GCP bigquery.jobs.insert
Creates and submits a BigQuery job (query, load, export, or copy) that accesses or transforms data in BigQuery datasets.
GCP cloudsql.instances.export
Exports data from a Cloud SQL instance to a Cloud Storage bucket.
GCP compute.disks.setIamPolicy
Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.
GCP compute.firewalls.delete
Deletes a firewall rule from a GCP VPC network.
GCP compute.firewalls.patch
Modifies an existing firewall rule in a GCP VPC network.
GCP compute.instances.addAccessConfig
Adds an external IP access configuration to an instance, exposing an internal resource to the internet.
GCP Compute.instances.setMetadata
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
GCP compute.instances.setServiceAccount
Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.
GCP compute.projects.setCommonInstanceMetadata
Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.
GCP CreateRole
Creates a custom IAM role in GCP with a specified set of granular permissions.
GCP EnableServiceAccount
Re-enables a previously disabled GCP service account, restoring its ability to authenticate and make API calls.
GCP generateAccessToken
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation. This is the admin activity audit log format; see also iam.serviceAccounts.getAccessToken for the data access format.
GCP google.cloud.securitycenter.v1.SecurityCenter.SetMute
Mutes Security Command Center findings, suppressing security alerts from visibility.
GCP google.iam.admin.v1.CreateServiceAccountKey
Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication. This is the admin activity audit log format; see also iam.serviceAccountKeys.create for the data access format.
GCP google.iam.admin.v1.DeleteServiceAccount
Deletes a service account, disrupting workloads and applications that depend on it for authentication.
GCP google.iam.admin.v1.DeleteServiceAccountKey
Deletes a service account key, potentially removing evidence of attacker-created credentials.
GCP google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
GCP google.iam.admin.v1.UploadServiceAccountKey
Uploads an external key to a service account, enabling persistent access that survives credential rotation.
GCP google.logging.v2.ConfigServiceV2.DeleteLog
Deletes log entries from Cloud Logging, destroying forensic evidence of attacker activity.
GCP google.logging.v2.ConfigServiceV2.UpdateExclusion
Modifies a logging exclusion filter to silently drop specific log entries, hiding ongoing attacker activity.
GCP google.ssh-serialport.v1.connect
Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.
GCP iam.roles.update
Updates an existing custom IAM role, modifying its set of permitted permissions.
GCP iam.serviceAccountKeys.create
Creates a new key for a GCP service account, generating credentials for external services to authenticate as the account. This is the data access audit log format; see also google.iam.admin.v1.CreateServiceAccountKey for the admin activity format.
GCP iam.serviceAccountKeys.implicitDelegation
Records a token exchange where a service account implicitly delegates its authority to another identity.
GCP iam.serviceAccounts.actAs
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
GCP iam.serviceAccounts.getAccessToken
Generates an OAuth2 access token for a service account via the IAM Credentials API, enabling service account impersonation. This is the data access audit log format; see also generateAccessToken for the admin activity format.
GCP iam.serviceAccounts.signJwt
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
GCP logging.projects.exclusions.create
Creates a log exclusion rule in Cloud Logging that prevents matching log entries from being ingested.
GCP logging.sinks.delete
Deletes a Cloud Logging sink that was routing log entries to a destination such as Cloud Storage or BigQuery.
GCP logging.sinks.update
Modifies a Cloud Logging sink's configuration, such as its destination or log filter criteria.
GCP secretmanager.secrets.delete
Permanently deletes a secret and all of its versions from GCP Secret Manager.
GCP SecretManagerService.AccessSecretVersion
Retrieves the plaintext value of a specific secret version from GCP Secret Manager.
GCP SecretManagerService.DestroySecretVersion
Permanently destroys a specific version of a secret in GCP Secret Manager, making its data irrecoverable.
GCP Securitycenter.settings.update
Updates the settings or configuration of Google Security Command Center for the organization or project.
GCP Securitycenter.sources.delete
Deletes a finding source from Google Security Command Center.
GCP storage.buckets.delete
Permanently deletes a GCP Cloud Storage bucket; the bucket must be empty before deletion.
GCP storage.hmacKeys.create
Creates HMAC keys for S3-compatible access to Cloud Storage, providing a persistent access mechanism often missed by defenders.
GCP storage.objects.delete
Deletes objects from Cloud Storage, used in data destruction or anti-forensics operations.
GCP storage.setIamPermissions
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.
GCP users.importSshPublicKey
Imports an SSH public key into a user's GCP OS Login profile, enabling SSH access to Compute Engine instances.
GCP users.sshPublicKeys.patch
Updates an existing SSH public key in a user's GCP OS Login profile.