Skip to content

Latest commit

 

History

History
89 lines (65 loc) · 2.58 KB

1.20.md

File metadata and controls

89 lines (65 loc) · 2.58 KB

1.20 - Access attempts violating IAP (i.e. BeyondCorp) access controls

Access attempt blocked by Identity-Aware Proxy (IAP), indicating an initial access or vulnerability exploit attempt.

Category: Login & Access Patterns
Use Cases: Detect, Audit
Data Sources: HTTP(S) LB Logs

Queries or Rules

BigQuery Chronicle Log Analytics
SQL YARA-L SQL

Event Generation

Send HTTPS request to backend application sitting behind external HTTPS load balancer with IAP enabled

Test Prerequisites

  1. Set up external HTTPS load balancer with IAP enabled
  2. Enable logging on HTTPS load balancer

Test Input

Name Description Type Default Value
lb-ipv4 IP address of external HTTPS load balancer with IAP enabled String None

Test Commands

curl -k https://#{lb-ipv4}

Sample Event

google.cloud.loadbalancing.type.LoadBalancerLogEntry-handledbyIAP

{
  "insertId": "19sfqf2fzis4js",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
    "statusDetails": "handled_by_identity_aware_proxy"
  },
  "httpRequest": {
    "requestMethod": "GET",
    "requestUrl": "https://203.0.113.255/",
    "requestSize": "215",
    "status": 302,
    "responseSize": "1535",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
    "remoteIp": "192.158.1.38",
    "latency": "0.081634s"
  },
  "resource": {
    "type": "http_load_balancer",
    "labels": {
      "zone": "global",
      "url_map_name": "my-application-lb-map",
      "forwarding_rule_name": "my-application-lb-fwd-rule",
      "project_id": "1234",
      "target_proxy_name": "my-application-lb-proxy",
      "backend_service_name": "my-application-backend-service"
    }
  },
  "timestamp": "2022-02-23T18:44:41.710562Z",
  "severity": "INFO",
  "logName": "projects/1234/logs/requests",
  "trace": "projects/1234/traces/0e35fd7b9244372d06e8173260a49fac",
  "receiveTimestamp": "2022-02-23T18:44:42.513059093Z",
  "spanId": "f047ce7fb74a9b8d"
}

References