service accounts can be created by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.

t1136
gcp
elastic

Techniques

T1136

Sample rules

GCP Service Account Creation

source: elastic
technicques:
- T1136

Description

Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.

Detection logic

event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success