Add GCP rule: IAM Policy Changed - Privilege Escalation

[developutm]

• A detailed explanation of the changes: Adds detection for changes to IAM policies at the project or resource level in GCP, including granting high-privilege roles (Owner, Editor, IAM Admin) to users or service accounts.
• The reasoning behind these changes: Attackers commonly use IAM policy modifications to escalate privileges and establish persistence (Privilege Escalation - T1098).
• Reference: N/A

[github-actions]

❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output

🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

�[0;31m❌ Please update dependencies before merging.�[0m

[github-actions]

⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

✅ architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Addition of a new detection rule in YAML format; no architectural impact or code changes detected.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Typo in user-facing documentation and potential logic error in log filtering.

• medium rules/cloud/google/gcp_iam_policy_changed.yml:28 — Typo: 'oneof' is likely intended to be a function call or keyword, but the logic is restrictive. If 'log.protoPayloadServiceName' is expected to be a string, ensure the field path is correct. Additionally, 'oneof' is not a standard SQL/filter syntax for many SIEMs; verify if this is a custom DSL.
• medium rules/cloud/google/gcp_iam_policy_changed.yml:28 — Logic error: The filter checks for 'activity' in 'log.logName'. GCP audit logs typically use 'cloudaudit.googleapis.com%2Factivity' or similar paths. 'activity' as a substring might be too broad or incorrect depending on the log sink configuration.

✅ security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: New detection rule added for GCP IAM policy changes; no vulnerabilities or information disclosure identified.

No findings.

[utmstackprapprover]

Changes requested — see approver comments above.

[utmstackprapprover]

Changes requested — see approver comments above.