GCP IAM deny policy creation

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-03-10
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: Gcp Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Impact (TA0040)
ATT&CK Technique	Account Access Removal (T1531)
Severity	Low

Description

An identity created a GCP IAM deny policy.

Attacker's Goals

Interrupt availability of cloud resources by inhibiting access to accounts utilized by legitimate users.

Investigative actions

Examine the details of the created deny policy.
Review the recent activity of the identity.

Variations

Unusual GCP IAM deny policy creation

Synopsis

ATT&CK Tactic	Impact (TA0040)
ATT&CK Technique	Account Access Removal (T1531)
Severity	Medium

Description

An identity created a GCP IAM deny policy.

Attacker's Goals

Interrupt availability of cloud resources by inhibiting access to accounts utilized by legitimate users.

Investigative actions

Examine the details of the created deny policy.
Review the recent activity of the identity.