Service accounts or service account keys created by a non-approved identity — e.g. manually by a human user rather than by an automated workflow running as a service account. In the sample Admin Activity log entry below, the fields a detection should key on are `protoPayload.methodName` (here `google.iam.admin.v1.CreateServiceAccount`; key creation is a separate method name on the same `iam.googleapis.com` service and should be matched as well) and `protoPayload.authenticationInfo.principalEmail`, which here is a user account rather than a `*.gserviceaccount.com` identity. Define "approved" as an explicit allowlist of automation principals rather than just "any service account", and confirm how your logs represent a human acting through service-account impersonation before relying on the principal's domain alone.
Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Audit Logs - Admin Activity
BigQuery | Log Analytics | Google SecOps |
---|---|---|
SQL | SQL | Contribute rule |
No event generation steps are provided for this use case yet. Contribute an emulation test, e.g. a scripted service account creation performed as a human user account, that reproduces the log entry shown below.
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
},
"authenticationInfo": {
"principalEmail": "[email protected]",
"principalSubject": "user:[email protected]"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"callerSuppliedUserAgent": "<redacted>",
"requestAttributes": {
"time": "2022-05-03T01:46:26.299551086Z",
"auth": {
}
},
"destinationAttributes": {
}
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.CreateServiceAccount",
"authorizationInfo": [
{
"resource": "projects/1234",
"permission": "iam.serviceAccounts.create",
"granted": true,
"resourceAttributes": {
}
}
],
"resourceName": "projects/1234",
"request": {
"account_id": "sa-200",
"@type": "type.googleapis.com/google.iam.admin.v1.CreateServiceAccountRequest",
"name": "projects/1234",
"service_account": {
}
},
"response": {
"unique_id": "1234567890123456789",
"name": "projects/1234/serviceAccounts/[email protected]",
"project_id": "1234",
"etag": "MDEwMjE5MjA=",
"email": "[email protected]",
"@type": "type.googleapis.com/google.iam.admin.v1.ServiceAccount",
"oauth2_client_id": "1234567890123456789"
}
},
"insertId": "2ihezydi73o",
"resource": {
"type": "service_account",
"labels": {
"email_id": "[email protected]",
"project_id": "1234",
"unique_id": "1234567890123456789"
}
},
"timestamp": "2022-05-03T01:46:26.287102061Z",
"severity": "NOTICE",
"logName": "projects/1234/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2022-05-03T01:46:27.807874121Z"
}