What Changed
Two GCP IAM analytic rules were fixed to resolve query syntax errors that prevented proper detection of authentication token generation and service account key enumeration activities.
Detection Logic
GCPIAMNewAuthenticationToken.yaml (Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml:20):
- Primary data source: GCP_IAM table
- Core logic: Monitors for GenerateAccessToken method calls (now supports both short and fully-qualified method names)
- Entity types: Account, IP address
- Fixed where clause to include both GenerateAccessToken and google.iam.admin.v1.GenerateAccessToken method names
GCPIAMServiceAccountKeysEnumeration.yaml (Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMServiceAccountKeysEnumeration.yaml:22):
- Primary data source: GCP_IAM table
- Core logic: Detects excessive ListServiceAccountKeys API calls (threshold: >5 per hour per principal)
- Entity types: Account
- Fixed typo in method name from ListServiceAccountsKeys to ListServiceAccountKeys
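To make the effect of both fixes concrete, the following is an added Python sketch of the two rules' logic run over constructed sample rows; it is not the project's KQL, and the row field names (ts, method, principal, ip) are assumptions rather than the GCP_IAM table's actual columns.

```python
from collections import defaultdict
from datetime import datetime

# Method names the fixed rules look for, as stated in the change summary above.
TOKEN_METHODS = {"GenerateAccessToken", "google.iam.admin.v1.GenerateAccessToken"}
KEY_ENUM_METHOD = "ListServiceAccountKeys"  # corrected spelling (was ListServiceAccountsKeys)
KEY_ENUM_THRESHOLD = 5                       # alert when count > 5 per hour per principal

# Constructed sample audit rows; field names are assumed, not the GCP_IAM schema.
SAMPLE_ROWS = [
    {"ts": "2024-01-01T10:05:00", "method": "GenerateAccessToken",
     "principal": "svc-a@example.iam", "ip": "203.0.113.5"},
    {"ts": "2024-01-01T10:06:00", "method": "google.iam.admin.v1.GenerateAccessToken",
     "principal": "svc-b@example.iam", "ip": "203.0.113.6"},
    {"ts": "2024-01-01T10:07:00", "method": "CreateServiceAccount",
     "principal": "svc-c@example.iam", "ip": "203.0.113.7"},
] + [  # six ListServiceAccountKeys calls in one hour: above threshold
    {"ts": f"2024-01-01T11:{m:02d}:00", "method": "ListServiceAccountKeys",
     "principal": "svc-d@example.iam", "ip": "198.51.100.9"} for m in range(6)
] + [  # three calls in one hour: below threshold, should not alert
    {"ts": f"2024-01-01T12:{m:02d}:00", "method": "ListServiceAccountKeys",
     "principal": "svc-f@example.iam", "ip": "198.51.100.11"} for m in range(3)
]


def new_token_events(rows, methods=TOKEN_METHODS):
    """Rows whose method is any accepted spelling of GenerateAccessToken.

    Returns the (principal, ip) entity pairs the rule would surface.
    """
    return [(r["principal"], r["ip"]) for r in rows if r["method"] in methods]


def key_enumeration_hits(rows, method=KEY_ENUM_METHOD, threshold=KEY_ENUM_THRESHOLD):
    """Principals that call `method` more than `threshold` times within one clock hour."""
    counts = defaultdict(int)
    for r in rows:
        if r["method"] != method:  # exact match, so the old typo never fires on real logs
            continue
        hour = datetime.fromisoformat(r["ts"]).replace(minute=0, second=0, microsecond=0)
        counts[(r["principal"], hour.isoformat())] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("token generation:", new_token_events(SAMPLE_ROWS))
    print("key enumeration (fixed name):", key_enumeration_hits(SAMPLE_ROWS))
    print("key enumeration (old typo):", key_enumeration_hits(SAMPLE_ROWS, method="ListServiceAccountsKeys"))
```

Running it shows the pre-fix behaviour directly: with only the short name, svc-b's fully-qualified call is missed, and with the misspelled method name the enumeration rule matches nothing at all.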
MITRE Mapping
- T1550: Use Alternate Authentication Material
Affected Files
Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml
Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMServiceAccountKeysEnumeration.yaml
(packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.8.zip)