SecOps detections for GCP Audit Logs

Sigma rule outputs from CloudSigma rendered into SecOps queries against the GCP Audit Logs schema. Every rule is mapped to MITRE ATT&CK and validated against its dialect.

01 Coverage at a glance
  • Production rules: 20
  • ATT&CK techniques: 20
  • ATT&CK tactics: 8
  • Output dialect: SecOps

02 Rule index
Technique | Rule | Severity | Log source
T1040 | Network Sniffing on GCP Audit Logs | medium | GCP Audit Logs
T1059 | Command and Scripting Interpreter on GCP Audit Logs | medium | GCP Audit Logs
T1078 | Valid Accounts on GCP Audit Logs | medium | GCP Audit Logs
T1078.004 | Valid Accounts: Cloud Accounts on GCP Audit Logs | medium | GCP Audit Logs
T1098 | Account Manipulation on GCP Audit Logs | medium | GCP Audit Logs
T1098.001 | Account Manipulation: Additional Cloud Credentials on GCP Audit Logs | medium | GCP Audit Logs
T1110 | Brute Force on GCP Audit Logs | medium | GCP Audit Logs
T1190 | Exploit Public-Facing Application on GCP Audit Logs | medium | GCP Audit Logs
T1485 | Data Destruction on GCP Audit Logs | medium | GCP Audit Logs
T1486 | Data Encrypted for Impact on GCP Audit Logs | medium | GCP Audit Logs
T1491 | Defacement on GCP Audit Logs | medium | GCP Audit Logs
T1496 | Resource Hijacking on GCP Audit Logs | medium | GCP Audit Logs
T1498 | Network Denial of Service on GCP Audit Logs | medium | GCP Audit Logs
T1525 | Implant Internal Image on GCP Audit Logs | medium | GCP Audit Logs
T1530 | Data from Cloud Storage Object on GCP Audit Logs | medium | GCP Audit Logs
T1552.001 | Unsecured Credentials: Credentials In Files on GCP Audit Logs | medium | GCP Audit Logs
T1562 | Impair Defenses on GCP Audit Logs | medium | GCP Audit Logs
T1562.001 | Impair Defenses: Disable or Modify Tools on GCP Audit Logs | medium | GCP Audit Logs
T1562.007 | Impair Defenses: Disable or Modify Cloud Firewall on GCP Audit Logs | medium | GCP Audit Logs
T1562.008 | Impair Defenses: Disable Cloud Logs on GCP Audit Logs | medium | GCP Audit Logs

03 Example rule

GCP Service Account Token Creator Privilege Granted, generated by CloudSigma and validated against the SecOps dialect.

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.

Sigma rule · CloudSigma SecOps · GCP Audit Logs · 2026-04-24
title: GCP Service Account Token Creator Privilege Granted
id: 8b4c2d5e-6f7a-4b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: >
    Detects an IAM policy change that grants the
    iam.serviceAccountTokenCreator, iam.serviceAccountUser or
    iam.serviceAccountKeyAdmin role to a principal. These roles are the
    keystone of GCP service-account impersonation: with token creator a
    principal can mint short-lived credentials for any service account
    it is bound to, which is a primary privilege-escalation path in GCP,
    and key admin lets it create long-lived keys for the same account.
    Earlier versions of this rule fired on every external use of
    GenerateAccessToken, a normal CI/CD activity, and are replaced here
    with the privilege-grant signal, which is rare and directly
    actionable.
author: CloudSigma
date: 2026-04-24
references:
    - https://attack.mitre.org/techniques/T1078/004/
    - https://cloud.google.com/iam/docs/service-account-overview#impersonation
    - https://cloud.google.com/logging/docs/audit
tags:
    - attack.privilege_escalation
    - attack.t1078.004
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        protoPayload.serviceName: iam.googleapis.com
        protoPayload.methodName:
            - google.iam.admin.v1.SetIAMPolicy
            - SetIamPolicy
    selection_role:
        protoPayload.serviceData.policyDelta.bindingDeltas.role|contains:
            - roles/iam.serviceAccountTokenCreator
            - roles/iam.serviceAccountUser
            - roles/iam.serviceAccountKeyAdmin
        protoPayload.serviceData.policyDelta.bindingDeltas.action: ADD
    condition: selection and selection_role
falsepositives:
    - Workload Identity setup binding a Kubernetes service account to a Google service account during an approved migration
    - Terraform or Deployment Manager runs that grant impersonation on a newly created service account, performed from a documented automation principal
fields:
    - protoPayload.authenticationInfo.principalEmail
    - protoPayload.serviceData.policyDelta.bindingDeltas
    - protoPayload.requestMetadata.callerIp
    - resource.labels.project_id
level: high
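The detection block above, evaluated over constructed audit log records. This is an added example written for this page, not CloudSigma's code and not the SecOps query the rule renders to. It assumes the rule's dotted field names map onto nested JSON keys of the raw audit log entry, with serviceData.policyDelta.bindingDeltas being an array of {action, role, member} objects, and it adds a principal allowlist as an assumed tuning knob in the spirit of the falsepositives section; the sample records and the principals, IPs and project id in them are constructed.

```python
# Added example: the rule's detection block re-implemented in plain Python and
# run over constructed GCP Audit Log records. Not CloudSigma's code.
from typing import Any, Iterable, Optional

# Literal values taken from the rule's detection block.
SERVICE_NAME = "iam.googleapis.com"
METHOD_NAMES = ("google.iam.admin.v1.SetIAMPolicy", "SetIamPolicy")
ROLE_SUBSTRINGS = (
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
)

def _lc(value: Any) -> str:
    """Sigma string matching is case-insensitive; compare lower-cased text."""
    return str(value or "").lower()

def get_path(obj: Any, dotted: str) -> Any:
    """Resolve a dotted field name of the kind the rule uses."""
    for key in dotted.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def role_is_watched(delta: dict) -> bool:
    """The |contains clause of selection_role: substring match on the role."""
    return any(_lc(sub) in _lc(delta.get("role")) for sub in ROLE_SUBSTRINGS)

def grant_deltas(entry: dict, per_element: bool = True) -> list:
    """bindingDeltas that satisfy selection_role.

    per_element=True requires role and action to match on the same array
    element (the rule's intent). per_element=False mimics a backend that
    flattens the array, where each clause only needs some element to satisfy
    it; verify which behaviour the SecOps rendering has.
    """
    deltas = get_path(entry, "protoPayload.serviceData.policyDelta.bindingDeltas") or []
    if per_element:
        return [d for d in deltas if _lc(d.get("action")) == "add" and role_is_watched(d)]
    any_add = any(_lc(d.get("action")) == "add" for d in deltas)
    return list(deltas) if any_add and any(role_is_watched(d) for d in deltas) else []

def evaluate(entry: dict, per_element: bool = True,
             allowlisted_principals: frozenset = frozenset()) -> Optional[dict]:
    """Apply 'condition: selection and selection_role'; return alert fields or None."""
    if _lc(get_path(entry, "protoPayload.serviceName")) != _lc(SERVICE_NAME):
        return None
    if _lc(get_path(entry, "protoPayload.methodName")) not in {_lc(m) for m in METHOD_NAMES}:
        return None
    deltas = grant_deltas(entry, per_element)
    if not deltas:
        return None
    principal = get_path(entry, "protoPayload.authenticationInfo.principalEmail")
    # Assumed tuning knob, not part of the Sigma rule: suppress documented
    # automation principals, as the falsepositives section suggests.
    if principal in allowlisted_principals:
        return None
    # The alert carries the fields the rule's 'fields' section names.
    return {
        "principalEmail": principal,
        "bindingDeltas": deltas,
        "callerIp": get_path(entry, "protoPayload.requestMetadata.callerIp"),
        "project_id": get_path(entry, "resource.labels.project_id"),
    }

def _entry(service: str, method: str, deltas: list,
           principal: str = "alice@example.com", ip: str = "203.0.113.10") -> dict:
    """Constructed audit log record in the shape the rule's field names imply."""
    return {
        "protoPayload": {
            "serviceName": service, "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "serviceData": {"policyDelta": {"bindingDeltas": deltas}},
        },
        "resource": {"labels": {"project_id": "example-prod"}},
    }

TC = "roles/iam.serviceAccountTokenCreator"
IAM, SA_POLICY = "iam.googleapis.com", "google.iam.admin.v1.SetIAMPolicy"
TERRAFORM = "terraform@example-prod.iam.gserviceaccount.com"

# Constructed sample records, not real logs.
SAMPLE_LOGS = [
    # token creator granted on a service account -> alert
    _entry(IAM, SA_POLICY, [{"action": "ADD", "role": TC, "member": "user:alice@example.com"}]),
    # the same role removed -> no alert (action is REMOVE)
    _entry(IAM, SA_POLICY, [{"action": "REMOVE", "role": TC, "member": "user:bob@example.com"}]),
    # unrelated ADD beside a watched REMOVE -> alert only under flattened evaluation
    _entry(IAM, SA_POLICY, [{"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"},
                            {"action": "REMOVE", "role": TC, "member": "user:carol@example.com"}]),
    # service account user granted by the documented Terraform principal
    _entry(IAM, "SetIamPolicy", [{"action": "ADD", "role": "roles/iam.serviceAccountUser",
                                  "member": "serviceAccount:ci@example-prod.iam.gserviceaccount.com"}],
           principal=TERRAFORM, ip="10.0.0.5"),
    # project-level grant of the same role is logged by Cloud Resource Manager,
    # so the rule's serviceName filter never sees it
    _entry("cloudresourcemanager.googleapis.com", "SetIamPolicy",
           [{"action": "ADD", "role": TC, "member": "user:dave@example.com"}]),
]

def run(entries: Iterable[dict], per_element: bool = True,
        allowlisted_principals: frozenset = frozenset()) -> list:
    """Evaluate every record and return the alerts in input order."""
    alerts = (evaluate(e, per_element, allowlisted_principals) for e in entries)
    return [a for a in alerts if a is not None]
```

Two things the sample records make visible that the YAML alone does not. First, the two clauses of selection_role refer to elements of the same bindingDeltas array; a backend that flattens arrays evaluates them independently, so `run(SAMPLE_LOGS, per_element=False)` also fires on the record that only removes a watched role while adding an unrelated one. Check the SecOps rendering for which semantics it has before trusting the rule's precision. Second, grants of the same roles made at project level are recorded under cloudresourcemanager.googleapis.com rather than iam.googleapis.com, so the serviceName filter excludes them; the last record shows that gap and is the kind of scope decision to settle when tuning.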
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • SecOps documentation, https://docs.secops.com/
Last verified: 2026-04-24