gcp detect oauth token abuse

Original Source: [splunk source]
Name:gcp detect oauth token abuse
id:a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides detection of possible GCP OAuth token abuse. A GCP OAuth token issued without a time limit can be exfiltrated and replayed to keep an access session alive with no further authentication control, allowing an attacker to retain access and move laterally.
Data_source:
search:`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message
| `gcp_detect_oauth_token_abuse_filter`
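To see what the search above actually selects, here is a Python mirror of its logic run over constructed gcp:pubsub:message events. This is an added example, not part of the Splunk content or the Netskope research: the sample records, the method names, the `google.rpc.PreconditionFailure` detail type, the `VPC_SERVICE_CONTROLS` violation type and the IP addresses are all constructed to match the field paths the `table` command references (Splunk's `{}` suffix denotes an array), and `callers_by_violation_count` is a hunting helper of my own that the SPL does not include.

```python
"""Python mirror of the detection's SPL, run over constructed
gcp:pubsub:message events. Field paths follow the search's `table`
command; the Splunk `{}` suffix marks an array at that level."""
import json
from collections import Counter

# The @type the original search filters on.
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# Constructed sample events for this example, not captured production logs.
# Method names, detail @type, violation type and IPs are assumptions.
SAMPLE_EVENTS = [
    # A denied call: the AuditLog status carries a violation with the caller IP.
    json.dumps({"protoPayload": {
        "@type": AUDIT_LOG_TYPE,
        "methodName": "google.storage.objects.get",
        "status": {"code": 7,
                   "message": "Request is prohibited by organization's policy",
                   "details": [{
                       "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
                       "violations": [{"type": "VPC_SERVICE_CONTROLS",
                                       "callerIp": "203.0.113.10"}]}]}}}),
    # A second denied call carrying two violations from two addresses.
    json.dumps({"protoPayload": {
        "@type": AUDIT_LOG_TYPE,
        "methodName": "google.storage.objects.list",
        "status": {"code": 7,
                   "message": "Request is prohibited by organization's policy",
                   "details": [{
                       "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
                       "violations": [{"type": "VPC_SERVICE_CONTROLS",
                                       "callerIp": "203.0.113.10"},
                                      {"type": "VPC_SERVICE_CONTROLS",
                                       "callerIp": "198.51.100.7"}]}]}}}),
    # A successful AuditLog call: no status.details, so nothing to table.
    json.dumps({"protoPayload": {"@type": AUDIT_LOG_TYPE,
                                 "methodName": "google.storage.objects.get",
                                 "status": {}}}),
    # A Pub/Sub message that is not an AuditLog: dropped by the @type filter.
    json.dumps({"protoPayload": {"@type": "type.googleapis.com/example.NotAnAuditLog"}}),
    # Malformed input a real topic can also deliver: skipped, not crashed on.
    "not json at all",
]


def extract_rows(raw_event):
    """Mirror the SPL: keep only AuditLog payloads and emit one row per
    violation with the same columns the `table` command selects."""
    try:
        event = json.loads(raw_event)
    except (TypeError, ValueError):
        return []
    payload = event.get("protoPayload") if isinstance(event, dict) else None
    if not isinstance(payload, dict) or payload.get("@type") != AUDIT_LOG_TYPE:
        return []
    status = payload.get("status") or {}
    rows = []
    for detail in status.get("details") or []:
        for violation in detail.get("violations") or []:
            rows.append({
                "protoPayload.@type": payload["@type"],
                "protoPayload.status.details{}.@type": detail.get("@type"),
                "protoPayload.status.details{}.violations{}.callerIp": violation.get("callerIp"),
                "protoPayload.status.details{}.violations{}.type": violation.get("type"),
                "protoPayload.status.message": status.get("message"),
            })
    return rows


def hunt(events):
    """Run the detection over a batch of raw gcp:pubsub:message events."""
    return [row for raw in events for row in extract_rows(raw)]


def callers_by_violation_count(rows):
    """Hunting helper (not in the SPL): denied calls per caller IP, so one
    address repeatedly tripping policy stands out for follow-up."""
    return Counter(r["protoPayload.status.details{}.violations{}.callerIp"] for r in rows)


if __name__ == "__main__":
    rows = hunt(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print(callers_by_violation_count(rows))
```

Note that, like the SPL, this produces rows only when a call was denied and the denial was written to the audit log; a replayed token that is accepted everywhere it is presented leaves no `violations` array and is invisible to this search, which is why the known false positives entry ties the detection to having access policies in place.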


how_to_implement:You must install the Splunk Add-on for Google Cloud Platform. This search works with gcp:pubsub:message logs.
known_false_positives:This detection only produces results if access policies are enforced and their denials are written to audit logs; without both, the search returns nothing.
References:
  -https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
  -https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2
drilldown_searches:
  :
tags:
  analytic_story:
    - 'GCP Cross Account Activity'
  asset_type:GCP Account
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1078'
  observable:
    - name:'protoPayload.status.details{}.violations{}.callerIp'
      type:'IP Address'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None

Related Analytic Stories

GCP Cross Account Activity