LoFP / The payload.request.function.timeout value can possibly match other functions or requests; however, the source user and the target request account may indicate an attempt to move laterally across accounts or projects.

Techniques

Sample rules

GCP Detect gcploit framework

Description

This search detects the GCPloit exploitation framework, which can be used to escalate privileges and move laterally from compromised high-privilege accounts.

Detection logic

`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s 
| table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent 
| `gcp_detect_gcploit_framework_filter`
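The search above applied to constructed audit-log records, as an added example that is not from the original page or the rule's author: the Splunk-normalized names (src, src_user, http_user_agent) are mapped to raw audit-log paths by assumption, and the extra identity_mismatch column encodes the triage hint from the false-positive note (caller identity differing from the target service account).

```python
import json
# Constructed Cloud Functions audit-log records as delivered over Pub/Sub (not real data).
def _event(user, ip, perm, timeout, sa, project="proj-a"):
    return json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": user},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": "gcloud/1.0"},
        "authorizationInfo": [{"permission": perm}],
        "request": {"location": f"projects/{project}/locations/us-central1",
                    "function": {"timeout": timeout, "serviceAccountEmail": sa}}},
        "resource": {"labels": {"project_id": project}}})

SAMPLE_EVENTS = [
    _event("dev@example.com", "203.0.113.10", "cloudfunctions.functions.create", "539s",
           "admin-sa@proj-b.iam.gserviceaccount.com"),
    _event("ci@example.com", "198.51.100.7", "cloudfunctions.functions.update", "60s",
           "ci@example.com"),
]
GCPLOIT_TIMEOUT = "539s"  # the value the page's Splunk search filters on

def _get(obj, path):
    """Walk a dotted key path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def detect_gcploit(raw_events, timeout=GCPLOIT_TIMEOUT):
    """Apply the rule's timeout filter and keep the columns the SPL `table` selects,
    plus identity_mismatch (caller != target service account), the triage hint from the
    false-positive note. Assumed CIM mapping: src -> requestMetadata.callerIp,
    src_user -> authenticationInfo.principalEmail, http_user_agent -> callerSuppliedUserAgent."""
    hits = []
    for raw in raw_events:
        ev = json.loads(raw)
        if _get(ev, "protoPayload.request.function.timeout") != timeout:
            continue
        src_user = _get(ev, "protoPayload.authenticationInfo.principalEmail")
        sa = _get(ev, "protoPayload.request.function.serviceAccountEmail")
        hits.append({
            "src": _get(ev, "protoPayload.requestMetadata.callerIp"),
            "src_user": src_user,
            "project_id": _get(ev, "resource.labels.project_id"),
            "serviceAccountEmail": sa,
            "permission": [a.get("permission") for a in _get(ev, "protoPayload.authorizationInfo") or []],
            "location": _get(ev, "protoPayload.request.location"),
            "http_user_agent": _get(ev, "protoPayload.requestMetadata.callerSuppliedUserAgent"),
            "identity_mismatch": src_user != sa,
        })
    return hits
```

Only the first constructed record matches the 539s filter; its caller and target service account differ across projects, which is the condition the false-positive note says warrants a closer look.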