A service account modified by an unfamiliar user should be investigated. If known behaviour is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Google Cloud Service Account Modified

Description

Identifies when a service account is modified in Google Cloud.

Detection logic

condition: selection
selection:
  gcp.audit.method_name|endswith:
  - .serviceAccounts.patch
  - .serviceAccounts.create
  - .serviceAccounts.update
  - .serviceAccounts.enable
  - .serviceAccounts.undelete
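The selection above, evaluated over constructed GCP audit-log events together with the known-behaviour exemption the false-positive note recommends. This is an added example, not code from the LoFP page or from any Sigma rule set; the principal field path gcp.audit.authentication_info.principal_email and the exempt pipeline identity are assumptions, only gcp.audit.method_name comes from the rule.

```python
# Added example (not the page's or a rule set's code): applies the rule's
# `gcp.audit.method_name|endswith` selection and a known-behaviour exemption.
# The principal field path and the exempt identity below are assumptions.

# Suffixes from the rule, lower-cased because Sigma matching is case-insensitive.
METHOD_SUFFIXES = (
    ".serviceaccounts.patch",
    ".serviceaccounts.create",
    ".serviceaccounts.update",
    ".serviceaccounts.enable",
    ".serviceaccounts.undelete",
)

# Known automation allowed to modify service accounts (constructed placeholder).
EXEMPT_PRINCIPALS = {"terraform-ci@example-project.iam.gserviceaccount.com"}
PRINCIPAL_FIELD = "gcp.audit.authentication_info.principal_email"  # assumed path


def get_field(event: dict, path: str) -> str:
    """Walk a dotted field path such as 'gcp.audit.method_name' through nested dicts."""
    node = event
    for key in path.split("."):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, str) else ""


def matches_rule(event: dict) -> bool:
    """Sigma `endswith` modifier over the listed method-name suffixes."""
    return get_field(event, "gcp.audit.method_name").lower().endswith(METHOD_SUFFIXES)


def is_exempt(event: dict) -> bool:
    """Known-behaviour exemption keyed on the acting principal."""
    return get_field(event, PRINCIPAL_FIELD) in EXEMPT_PRINCIPALS


def triage(events: list) -> list:
    """Return (principal, method) pairs that match the rule and are not exempted."""
    return [(get_field(e, PRINCIPAL_FIELD), get_field(e, "gcp.audit.method_name"))
            for e in events if matches_rule(e) and not is_exempt(e)]


def make_event(principal: str, method: str) -> dict:
    """Constructed minimal audit event in the rule's field layout."""
    return {"gcp": {"audit": {"method_name": method,
                              "authentication_info": {"principal_email": principal}}}}


# Constructed samples: an unfamiliar user, the exempt pipeline, and a non-matching read.
SAMPLE_EVENTS = [
    make_event("alice@example.com", "google.iam.admin.v1.ServiceAccounts.Patch"),
    make_event("terraform-ci@example-project.iam.gserviceaccount.com",
               "google.iam.admin.v1.ServiceAccounts.Create"),
    make_event("bob@example.com", "google.iam.admin.v1.ServiceAccounts.Get"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves only the patch by alice@example.com to investigate; the pipeline's create is suppressed by the exemption and the read never matches the selection.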