
murtaza-u

Summary of the Pull Request

Added additional GCP rules

Changelog

new: additional GCP detection rules

  • IAM Custom Role Created
  • IAM Custom Role Deleted
  • IAM Member assigned role of type admin or owner
  • Service Account Access Key Created
  • Service Account Access Key Deleted
  • Storage Bucket IAM Permissions Modified
  • Logging Bucket Deleted

@murtaza-u murtaza-u requested a review from achrefbensaad June 10, 2025 03:29
@murtaza-u murtaza-u self-assigned this Jun 10, 2025
detection:
  selection:
    gcp.audit.protoPayload.methodName: google.iam.admin.v1.DeleteRole
    gcp.audit.protoPayload.response.deleted: "true"


Is this required? Does it expect that the deletion is successful to match?

Author

Yes. The deletion can fail if the role is in use.
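To make the effect of the `response.deleted` condition concrete, here is an added example that is not code from this PR or from SigmaHQ: a minimal evaluator for the rule's `selection` map (an AND of exact field matches over dotted field paths), run over three constructed GCP audit events, one completed DeleteRole, one DeleteRole that failed because the role was still in use, and one unrelated IAM call. The event shapes, the failure status and the role name are assumptions, not captured logs.

```python
import json
from typing import Any

# The selection map from the DeleteRole rule: every field must match (logical AND).
SELECTION = {
    "gcp.audit.protoPayload.methodName": "google.iam.admin.v1.DeleteRole",
    "gcp.audit.protoPayload.response.deleted": "true",
}


def get_path(event: dict, dotted: str) -> Any:
    """Walk a dotted Sigma field name into a nested event; None if any segment is absent."""
    cur: Any = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(event: dict, selection: dict[str, str] = SELECTION) -> bool:
    """True when every selection field is present and equal. Values are compared as
    lowercase strings, so the JSON boolean true satisfies the rule's quoted "true"."""
    for field, expected in selection.items():
        actual = get_path(event, field)
        if actual is None or str(actual).lower() != expected.lower():
            return False
    return True


# Constructed events (assumed shapes, not captured logs): a successful DeleteRole whose
# response carries deleted=true, a DeleteRole that failed because the role is still bound
# (error status, no response body), and an unrelated IAM call.
EVENTS = [
    json.loads('{"gcp":{"audit":{"protoPayload":{"methodName":"google.iam.admin.v1.DeleteRole",'
               '"response":{"name":"projects/example/roles/customViewer","deleted":true}}}}}'),
    json.loads('{"gcp":{"audit":{"protoPayload":{"methodName":"google.iam.admin.v1.DeleteRole",'
               '"status":{"code":9,"message":"role is still bound to a policy"}}}}}'),
    json.loads('{"gcp":{"audit":{"protoPayload":{"methodName":"google.iam.admin.v1.GetRole",'
               '"response":{"name":"projects/example/roles/customViewer"}}}}}'),
]


def alerts(events: list[dict]) -> list[int]:
    """Indexes of the events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # [0]: only the completed deletion fires
```

The failed deletion has no `response` object at all, so the `response.deleted` field is simply absent and the rule stays quiet, which is the behaviour the condition is there to enforce.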

@achrefbensaad

can you please add logging bucket creation & update rules (two separate rules)

@murtaza-u
Author

> can you please add logging bucket creation & update rules (two separate rules)

Will do

@murtaza-u murtaza-u requested a review from achrefbensaad June 10, 2025 07:14