# 1.20 - Access attempts violating IAP (i.e. BeyondCorp) access controls
Access attempt blocked by Identity-Aware Proxy (IAP), indicating an initial access or vulnerability exploit attempt.


**Category:** Login & Access Patterns
</br>
**Use Cases:** Detect, Audit
</br>
**Data Sources:** HTTP(S) LB Logs
</br>



## Queries or Rules
BigQuery | Chronicle | Log Analytics
--- | --- | ---
[SQL](../../backends/bigquery/sql/1_20_access_attempts_blocked_by_IAP.sql) | [YARA-L](../../backends/chronicle/yaral/1_20_access_attempts_blocked_by_IAP.yaral) | [SQL](../../backends/log_analytics/sql/1_20_access_attempts_blocked_by_IAP.sql)

## Event Generation

Send HTTPS request to backend application sitting behind external HTTPS load balancer with IAP enabled





### Test Prerequisites
1. [Set up external HTTPS load balancer with IAP enabled](https://cloud.google.com/iap/docs/load-balancer-howto)
1. [Enable logging on HTTPS load balancer](https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring#logging)


### Test Input
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| lb-ipv4 | IP address of external HTTPS load balancer with IAP enabled | String | None|

### Test Commands
```
curl -k https://#{lb-ipv4}
```



## Sample Event


### google.cloud.loadbalancing.type.LoadBalancerLogEntry-handledbyIAP
```
{
  "insertId": "19sfqf2fzis4js",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
    "statusDetails": "handled_by_identity_aware_proxy"
  },
  "httpRequest": {
    "requestMethod": "GET",
    "requestUrl": "https://203.0.113.255/",
    "requestSize": "215",
    "status": 302,
    "responseSize": "1535",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
    "remoteIp": "192.158.1.38",
    "latency": "0.081634s"
  },
  "resource": {
    "type": "http_load_balancer",
    "labels": {
      "zone": "global",
      "url_map_name": "my-application-lb-map",
      "forwarding_rule_name": "my-application-lb-fwd-rule",
      "project_id": "1234",
      "target_proxy_name": "my-application-lb-proxy",
      "backend_service_name": "my-application-backend-service"
    }
  },
  "timestamp": "2022-02-23T18:44:41.710562Z",
  "severity": "INFO",
  "logName": "projects/1234/logs/requests",
  "trace": "projects/1234/traces/0e35fd7b9244372d06e8173260a49fac",
  "receiveTimestamp": "2022-02-23T18:44:42.513059093Z",
  "spanId": "f047ce7fb74a9b8d"
}
```



### References
- https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring#what_is_logged