Analyses / prod-gcp-audit (sample, demo data)
Source: GCP · Status: complete

Anomalous fields: 6, ranked by relevance

#1 · Score 97 · Critical · First seen
protoPayload.methodName = SetIamPolicy

SetIamPolicy was called 847 times in this window against a baseline of 3–4/day, roughly 211× the normal rate. A single service account granted the Owner role (roles/owner) on 12 production projects between 02:00 and 03:15 UTC. This pattern is consistent with privilege escalation following an initial credential compromise.

#2 · Score 91 · Critical · First seen
httpRequest.remoteIp = 185.220.101.47

The source IP is a known Tor exit node (Proofpoint threat-intel dataset) with no prior appearance in the 90-day log history. All 23 API calls from this IP succeeded; there were no PERMISSION_DENIED responses, which indicates the caller held valid credentials rather than probing for access.

#3 · Score 76 · High
protoPayload.status.code = PERMISSION_DENIED (google.rpc.Code 7)

PERMISSION_DENIED responses spiked to 340 in 15 minutes, roughly 97× the daily average of 3.5 (and a far higher multiple of the average 15-minute rate). Dense access failures followed by a successful escalation is consistent with automated enumeration of credentials or permissions before a pivot.

#4 · Score 72 · High
protoPayload.authenticationInfo.principalEmail = pipeline-sa@acme-prod.iam.gserviceaccount.com

This service account has a 90-day history of read-only Cloud Storage operations (storage.objects.get, storage.buckets.list). Calling SetIamPolicy and CreateServiceAccountKey is entirely outside that behavioural baseline; the account's credentials are likely compromised.

#5 · Score 68 · High
protoPayload.methodName = google.iam.admin.v1.CreateServiceAccountKey

A long-lived, user-managed key was created for pipeline-sa. Service account keys are a common persistence mechanism: a key stays valid until it is explicitly disabled or deleted, so the attacker keeps access even after the originally compromised credential is revoked or rotated. The key was created minutes after the first SetIamPolicy calls.

#6 · Score 44 · Medium
resource.labels.project_id = acme-prod-dr-backup

The disaster-recovery backup project received 34 API calls in this window, unusually high for a project that typically sees 0–2 calls/day. Combined with the escalation activity in the main project, this may indicate lateral movement.

14,832 log entries · Last 24 hours · 6 anomalies · Dec 14, 3:15 AM · acme-prod-339201
AI Summary

This analysis reveals a coordinated privilege escalation sequence. A service account (pipeline-sa) with historically read-only behaviour executed 847 SetIamPolicy calls, 211× the method's 3–4/day baseline, and successfully granted the Owner role on 12 production projects. The activity originated from a Tor exit node with no prior appearance in 90 days of logs. A simultaneous PERMISSION_DENIED spike suggests a scanning phase before the escalation. Immediate investigation is recommended: rotate the compromised credentials, disable the newly created service account key, and review and revert the Owner grants.
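The comparison these findings imply, written out as an added example (this is not code from the analysis tool or from the page): each ranked field's values in the 24-hour window are compared against the rate expected from a 90-day baseline, values never seen in the baseline are flagged as first seen, and the per-principal and per-IP checks behind findings #2 and #4 are computed. The log entries are constructed sample data shaped like the volumes above; the principals, the internal IPs and the exact counts are hypothetical, the field paths follow the Cloud Audit Log LogEntry schema, and protoPayload.status.code is compared against the google.rpc code 7 for PERMISSION_DENIED. Ranking here is by pure ratio, so the never-seen Tor exit IP sorts first; the page's relevance score evidently also weights how dangerous the field is, which this example does not model.

```python
"""Baseline-vs-window ranking of anomalous audit-log field values (added example)."""
from collections import Counter, defaultdict

# Dotted LogEntry paths; these are the fields ranked in the analysis above.
FIELDS = ["protoPayload.methodName", "protoPayload.authenticationInfo.principalEmail",
          "protoPayload.status.code", "httpRequest.remoteIp", "resource.labels.project_id"]
PERMISSION_DENIED = 7  # google.rpc.Code value carried in protoPayload.status.code


def get_path(entry, path):
    """Walk a dotted path through nested dicts; None if a segment is missing."""
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_value_counts(entries):
    counts = defaultdict(Counter)
    for e in entries:
        for f in FIELDS:
            v = get_path(e, f)
            if v is not None:
                counts[f][str(v)] += 1
    return counts


def rank_anomalies(baseline, baseline_days, window, window_hours=24):
    """Rank (field, value) pairs by window count over the count the baseline rate predicts.
    A value absent from the baseline gets a 0.5 floor so its ratio stays finite and it is
    reported as first_seen instead of being dropped."""
    base, win = field_value_counts(baseline), field_value_counts(window)
    findings = []
    for field, values in win.items():
        for value, n in values.items():
            base_n = base[field][value]
            expected = max(base_n / baseline_days * window_hours / 24, 0.5)
            findings.append({"field": field, "value": value, "count": n,
                             "expected": expected, "ratio": n / expected,
                             "first_seen": base_n == 0})
    findings.sort(key=lambda f: f["ratio"], reverse=True)
    return findings


def new_methods_per_principal(baseline, window):
    """Methods each principal called in the window but never in the baseline (finding #4)."""
    seen = defaultdict(set)
    for e in baseline:
        seen[get_path(e, FIELDS[1])].add(get_path(e, FIELDS[0]))
    new = defaultdict(set)
    for e in window:
        principal, method = get_path(e, FIELDS[1]), get_path(e, FIELDS[0])
        if method not in seen[principal]:
            new[principal].add(method)
    return {p: sorted(m) for p, m in new.items()}


def calls_by_ip(window):
    """Per source IP: total calls and PERMISSION_DENIED count. Many calls with zero denials
    from a never-seen IP is the 'valid credentials' signal behind finding #2."""
    stats = defaultdict(lambda: {"total": 0, "denied": 0})
    for e in window:
        s = stats[get_path(e, "httpRequest.remoteIp")]
        s["total"] += 1
        if get_path(e, "protoPayload.status.code") == PERMISSION_DENIED:
            s["denied"] += 1
    return dict(stats)


def entry(method, principal, ip, project, code=0):
    """Build a minimal LogEntry carrying only the fields this example reads."""
    return {"protoPayload": {"methodName": method, "status": {"code": code},
                             "authenticationInfo": {"principalEmail": principal}},
            "httpRequest": {"remoteIp": ip},
            "resource": {"labels": {"project_id": project}}}


# Constructed sample data: hypothetical principals and internal IPs, volumes shaped like the findings.
SA, TOR_IP, INTERNAL_IP = "pipeline-sa@acme-prod.iam.gserviceaccount.com", "185.220.101.47", "10.0.0.5"
BASELINE_DAYS = 90
BASELINE = (
    [entry("storage.objects.get", SA, INTERNAL_IP, "acme-prod")] * 9000
    + [entry("storage.buckets.list", SA, INTERNAL_IP, "acme-prod")] * 1000
    + [entry("SetIamPolicy", "admin@acme.example", "10.0.0.9", "acme-prod")] * 360  # 4/day
    + [entry("storage.objects.get", "dev@acme.example", "10.0.0.7", "acme-prod",
             PERMISSION_DENIED)] * 315                                              # 3.5/day
    + [entry("storage.objects.list", "backup-sa@acme.example", "10.0.0.8",
             "acme-prod-dr-backup")] * 90                                           # 1/day
)
WINDOW = (  # the 24 hours under analysis
    [entry("storage.objects.get", SA, INTERNAL_IP, "acme-prod")] * 100
    + [entry("storage.buckets.list", SA, INTERNAL_IP, "acme-prod", PERMISSION_DENIED)] * 340
    + [entry("SetIamPolicy", SA, TOR_IP, "acme-prod")] * 847
    + [entry("google.iam.admin.v1.CreateServiceAccountKey", SA, TOR_IP, "acme-prod")]
    + [entry("storage.objects.get", SA, TOR_IP, "acme-prod-dr-backup")] * 34
)


def analyse():
    return (rank_anomalies(BASELINE, BASELINE_DAYS, WINDOW),
            new_methods_per_principal(BASELINE, WINDOW), calls_by_ip(WINDOW))


if __name__ == "__main__":
    findings, new_methods, ips = analyse()
    for f in findings[:6]:
        flag = "  (first seen)" if f["first_seen"] else ""
        print(f"{f['ratio']:8.1f}x {f['count']:5d}  {f['field']} = {f['value']}{flag}")
    print("new methods per principal:", new_methods)
    print("Tor exit:", ips[TOR_IP])
```

Against this sample the SetIamPolicy ratio comes out at 211.75× (847 calls over an expected 4) and the PERMISSION_DENIED ratio at about 97× (340 over 3.5), matching the arithmetic in findings #1 and #3; the new-method check reports only SetIamPolicy and CreateServiceAccountKey for pipeline-sa, and the Tor exit shows 882 calls with zero denials. Against real data, replace BASELINE and WINDOW with entries exported from Cloud Logging for the two periods.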
