Solution: GoogleCloudPlatformIAM
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.5 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-07-30 |
| Last Updated | 2025-12-18 |
| Solution Folder | GoogleCloudPlatformIAM |
| Marketplace | Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 ratings) · Popularity: 🟢 High (89%) |
The Google Cloud Platform Identity and Access Management (IAM) solution provides the capability to ingest GCP IAM logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information.
Underlying Microsoft Technologies used:
This solution depends on the following technologies, some of which may be in Preview or may incur additional ingestion or operational costs:
• Microsoft Sentinel Codeless Connector Framework
Additional Information
📖 Setup Guide: Google Cloud Platform connectors - Connect GCP logs to Microsoft Sentinel
This solution provides 1 data connector(s) (plus 1 discovered⚠️):
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 2 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| GCPIAM | Google Cloud Platform IAM (via Codeless Connector Framework) | Analytics, Hunting |
| GCP_IAM_CL 🔶 | [DEPRECATED] Google Cloud Platform IAM | Analytics, Hunting, Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 25 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Playbooks | 3 |
| Workbooks | 1 |
| Parsers | 1 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| GCP IAM - Disable Data Access Logging | Medium | DefenseEvasion | GCPIAM, GCP_IAM_CL |
| GCP IAM - Empty user agent | Medium | DefenseEvasion | GCPIAM, GCP_IAM_CL |
| GCP IAM - High privileged role added to service account | High | PrivilegeEscalation | GCPIAM, GCP_IAM_CL |
| GCP IAM - New Authentication Token for Service Account | Medium | LateralMovement | GCPIAM, GCP_IAM_CL |
| GCP IAM - New Service Account | Low | Persistence | GCPIAM, GCP_IAM_CL |
| GCP IAM - New Service Account Key | Low | LateralMovement | GCPIAM, GCP_IAM_CL |
| GCP IAM - Privileges Enumeration | Low | Discovery | GCPIAM, GCP_IAM_CL |
| GCP IAM - Publicly exposed storage bucket | Medium | Discovery | GCPIAM, GCP_IAM_CL |
| GCP IAM - Service Account Enumeration | Low | Discovery | GCPIAM, GCP_IAM_CL |
| GCP IAM - Service Account Keys Enumeration | Low | Discovery | GCPIAM, GCP_IAM_CL |
| Name | Tactics | Tables Used |
|---|---|---|
| GCP IAM - Changed roles | PrivilegeEscalation | GCPIAM, GCP_IAM_CL |
| GCP IAM - Deleted service accounts | Impact | GCPIAM, GCP_IAM_CL |
| GCP IAM - Disabled service accounts | Impact | GCPIAM, GCP_IAM_CL |
| GCP IAM - New custom roles | PrivilegeEscalation | GCPIAM, GCP_IAM_CL |
| GCP IAM - New service account keys | LateralMovement | GCPIAM, GCP_IAM_CL |
| GCP IAM - New service accounts | Persistence | GCPIAM, GCP_IAM_CL |
| GCP IAM - Rare IAM actions | InitialAccess | GCPIAM, GCP_IAM_CL |
| GCP IAM - Rare user agent | DefenseEvasion | GCPIAM, GCP_IAM_CL |
| GCP IAM - Top service accounts by failed actions | Discovery | GCPIAM, GCP_IAM_CL |
| GCP IAM - Top source IP addresses with failed actions | Discovery | GCPIAM, GCP_IAM_CL |
| Name | Tables Used |
|---|---|
| GCP_IAM | GCP_IAM_CL |
| Name | Description | Tables Used |
|---|---|---|
| GCP-DisableServiceAccountFromTeams | When a new sentinel incident is created, this playbook gets triggered and performs the following act... | - |
| GCP-DisableServiceAccountKey | Once a new sentinel incident is created, this playbook gets triggered and performs the following act... | - |
| GCP-EnrichServiseAccountInfo | Once a new sentinel incident is created, this playbook gets triggered and performs the following act... | - |
| Name | Description | Tables Used |
|---|---|---|
| GCP_IAM | - | GCPIAM (read), GCP_IAM_CL (read) |
| Version | Date Modified (DD-MM-YYYY) | ChangeHistory |
|---|---|---|
| 3.0.7 | 28-08-2025 | Improved type handling in the parser query by explicitly converting certain fields to bool and datetime. |
| 3.0.6 | 31-07-2025 | Removed deprecated Data Connector |
| 3.0.5 | 27-06-2025 | GoogleCloudPlatformIAM CCF Data Connector moving to GA |
| 3.0.4 | 13-06-2025 | Updated Standard Table configuration in CCF Data Connector. |
| 3.0.3 | 28-05-2025 | Implementation of Standard Table functionality to CCF Data Connector. |
| 3.0.2 | 18-02-2025 | Migrated the Function app connector to CCP Data Connector and updated Parser. |
| 3.0.1 | 10-09-2024 | Repackaged solution to add existing Parser. |
| 3.0.0 | 04-09-2024 | Updated the python runtime version to 3.11. |