Undocumented Chronicle (Google SecOps) Service Admin Permissions #35
Replies: 1 comment 3 replies
-
|
Hey @spawar-apex, Apologies for the late response and thanks for opening the discussion. I think it'd be good to start tracking these permissions and mark them explicitly as undocumented. I'll start to add this into the dataset and represent it appropriately on gcp.permissions.cloud. If you discover further undocumented permissions (either in the Cheers, |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @iann0036 . Appreciate your message. It would be definitely great if we track down the undocumented permission on |
Beta Was this translation helpful? Give feedback.
-
|
Hey @spawar-apex, I've updated gcp.permissions.cloud to include the undocumented tag on these actions, per https://gcp.permissions.cloud/iam/chroniclesm I'll look into the possibility of a dedicated page or filter system to show off undocumented actions a little more clearly, but this at least brings it in line with the other providers. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @iann0036 |
Beta Was this translation helpful? Give feedback.
-
Hi All,
THIS IS THE CLASSIC EXAMPLE OF UNDOCUMENTED PERMISSIONSRecently, We were working on migrating our SSO provider. We have created Workforce federation in GCP with required SAML provider so that We can use the SAML provider config in Google SecOps Management console to update SSO provider.
We have already created a custom role (clone of Chronicle Service Admin with least permissions) to allow user to update Google SecOps SSO Configuration. Even though we were using clone predefined role , we were getting an error that permission denied to update it.
Upon checking the Cloud Logs, Found that we were able to see the error message as follows:
Permission 'chroniclesm.frontendPaths.update' denied on resource '//chronicleservicemanager.googleapis.com/projects/30557765205/locations/us/instances/dfdfdg08-aad4-4335-9a6e-bdgbdgbd5b6b/frontendPaths/pvbvxbf' (or it may not exist)If you notice the error message carefully, Google Says that IAM permission
chroniclesm.frontendPaths.updatemissing. But If you look predefined roles or IAM documentation, no where in chronicle documentation, google has mentioned about this permission that need to be assigned in order to update the Google SecOps Single Sign-on COnfiguration.This permissions is not that privileged that allows any actor to perform any bad activity but this clearly indicated that in an cloud era, you'll be missed on permissions that cloud provider dont document about. We only came to know about this IAM permissions via cloud logging.
After Adding the permission in the existing IAM role, we were able to update Google SecOps SSO settings.
Have you came across this issue? Please let me know your thoughts on this.
Thanks,
Swapnil Pawar
Beta Was this translation helpful? Give feedback.
All reactions