Detects when a principal (user or service account) is exempted from GCP data access audit logging. This is a critical security event as it reduces visibility into privileged operations and may indicate an attempt to hide malicious activity. Adversaries may exempt their accounts from audit logging to evade detection while performing reconnaissance, privilege escalation, or data exfiltration. This rule monitors SetIamPolicy operations that add audit log exemptions for ADMIN_READ, DATA_READ, or DA
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Google Cloud Platform Audit Logs |
| ID | b7da45ce-fcc8-43c7-a37c-c08454579d26 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | DefenseEvasion, PrivilegeEscalation |
| Techniques | T1562.008, T1078.004 |
| Required Connectors | GCPAuditLogsDefinition |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| GCPAuditLogs | GCPResourceType == "project"; MethodName == "SetIamPolicy"; ServiceName == "cloudresourcemanager.googleapis.com" | ✓ | ✓ | ✓ |