Access attempt blocked by Identity-Aware Proxy (IAP), indicating an initial access or vulnerability exploit attempt.
Category: Login & Access Patterns
Use Cases: Detect, Audit
Data Sources: HTTP(S) Load Balancer Logs
| BigQuery | Chronicle |
|---|---|
| SQL | Contribute rule |
Send HTTPS request to backend application sitting behind external HTTPS load balancer with IAP enabled
| Name | Description | Type | Default Value |
|---|---|---|---|
| lb-ipv4 | IP address of external HTTPS load balancer with IAP enabled | String | None |
curl -k https://#{lb-ipv4}
{
"insertId": "19sfqf2fzis4js",
"jsonPayload": {
"@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
"statusDetails": "handled_by_identity_aware_proxy"
},
"httpRequest": {
"requestMethod": "GET",
"requestUrl": "https://203.0.113.255/",
"requestSize": "215",
"status": 302,
"responseSize": "1535",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"remoteIp": "192.158.1.38",
"latency": "0.081634s"
},
"resource": {
"type": "http_load_balancer",
"labels": {
"zone": "global",
"url_map_name": "my-application-lb-map",
"forwarding_rule_name": "my-application-lb-fwd-rule",
"project_id": "1234",
"target_proxy_name": "my-application-lb-proxy",
"backend_service_name": "my-application-backend-service"
}
},
"timestamp": "2022-02-23T18:44:41.710562Z",
"severity": "INFO",
"logName": "projects/1234/logs/requests",
"trace": "projects/1234/traces/0e35fd7b9244372d06e8173260a49fac",
"receiveTimestamp": "2022-02-23T18:44:42.513059093Z",
"spanId": "f047ce7fb74a9b8d"
}