Service account modification may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

Sample rules

Google Cloud Service Account Modified

Description

Identifies when a service account is modified in Google Cloud.

Detection logic

condition: selection
selection:
  gcp.audit.method_name|endswith:
  - .serviceAccounts.patch
  - .serviceAccounts.create
  - .serviceAccounts.update
  - .serviceAccounts.enable
  - .serviceAccounts.undelete
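
The selection above applied to a few audit events, followed by the identity, user agent and hostname check that the false-positive note calls for. This is an added example, not part of the rule or of the LoFP project; every field name other than gcp.audit.method_name, the allowlist values and the sample events are constructed assumptions.

```python
# Added example. Only gcp.audit.method_name and the suffixes come from the rule;
# the other field names, the allowlist and the events are constructed assumptions.
RULE_SUFFIXES = (
    ".serviceAccounts.patch", ".serviceAccounts.create", ".serviceAccounts.update",
    ".serviceAccounts.enable", ".serviceAccounts.undelete",
)

# Who is expected to change service accounts in this (hypothetical) environment.
EXPECTED = {
    "user.email": {"iam-admin@example.com"},
    "user_agent.original": {"google-cloud-sdk"},  # compared as a prefix
    "host.name": {"admin-jump-01"},
}

def rule_matches(event):
    """Sigma |endswith: case-insensitive suffix match against any listed value."""
    method = event.get("gcp.audit.method_name")
    suffixes = tuple(s.lower() for s in RULE_SUFFIXES)
    return isinstance(method, str) and method.lower().endswith(suffixes)

def unexpected_fields(event):
    """Return the triage fields whose value is missing or not on the allowlist."""
    flagged = []
    for field, allowed in EXPECTED.items():
        value = str(event.get(field, ""))
        if field == "user_agent.original":
            ok = any(value.startswith(prefix) for prefix in allowed)
        else:
            ok = value in allowed
        if not ok:
            flagged.append(field)
    return flagged

def triage(event):
    """Classify one event as no_match, expected_admin or review."""
    if not rule_matches(event):
        return ("no_match", [])
    flagged = unexpected_fields(event)
    return ("review", flagged) if flagged else ("expected_admin", [])

ADMIN = {"user.email": "iam-admin@example.com", "host.name": "admin-jump-01",
         "user_agent.original": "google-cloud-sdk gcloud/400.0.0"}
EVENTS = [  # constructed sample events
    {**ADMIN, "gcp.audit.method_name": "iam.serviceAccounts.patch"},
    {"gcp.audit.method_name": "iam.serviceAccounts.create", "host.name": "build-7",
     "user.email": "dev@example.com", "user_agent.original": "python-requests/2.31"},
    {**ADMIN, "gcp.audit.method_name": "iam.serviceAccounts.delete"},
    {"gcp.audit.method_name": "iam.ServiceAccounts.Enable", "user.email":
     "iam-admin@example.com", "user_agent.original": "google-cloud-sdk gcloud/400.0.0"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["gcp.audit.method_name"], triage(ev))
```

A missing field is treated as unexpected, so an event with no hostname is sent to review rather than silently accepted.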