LoFP / gcp account

| Title | Tags |
| --- | --- |
| Accounts with high-risk roles should be reduced to the minimum number needed; however, specific tasks and setups may simply be expected behavior within the organization. | t1078, gcp account, splunk |
| GCP OAuth token abuse detection will only work if there are access policies in place along with audit logs. | t1078, gcp account, splunk |
| High-risk permissions are part of any GCP environment; however, it is important to track resource and account usage. This search may produce false positives. | t1078, gcp account, splunk |
| The payload.request.function.timeout value can possibly match other functions or requests; however, the source user and target request account may indicate an attempt to move laterally across accounts or projects. | t1078, gcp account, splunk |