GCP - User Investigation
This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user: - Failed login attempt - Suspicious API usage by the user - Anomalous network traffic by the user - Unusual and suspicious login attempt - User's password leaked
GCP Enrichment and Remediation · 24 tasks · 3 inputs · 8 outputs
Inputs
Username— The username to investigate.GcpProjectName— The GCP project name. This is a mandatory field for GCP queries.GcpTimeSearchFrom— The Search Time for the `GetTime` task used by the GCP Logging search query. This value represents the number of days to include in the search. Default value: 1. (1 Day)
Outputs
GcpAnomalousNetworkTraffic— Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. Possible values: True/False.GcpSuspiciousApiUsage— Determines whether there are events of suspicious API usage by the user in the GCP environment. Possible values: True/False.GcpFailLogonCount— The number of failed logins by the user in the GCP environment.GsuiteFailLogonCount— The number of failed logins by the user in the G Suite environment.GsuiteUnusualLoginAllowedCount— The number of unusual logins performed by the user and allowed in the G Suite environment.GsuiteUnusualLoginBlockedCount— The number of unusual logins performed by the user and blocked in the G Suite environment.GsuiteSuspiciousLoginCount— The number of suspicious logons performed by the user in the G Suite environment.GsuiteUserPasswordLeaked— Determines whether the user's password was leaked in the G Suite environment. Possible values: True/False.
Commands used
gcp-logging-log-entries-list
gsuite-activity-search