As organizations increase their cloud footprints, it becomes increasingly important to implement access control monitoring for as many resources as possible. In previous playbooks, we have shown examples of AWS and Azure account monitoring, but the series would not be complete without also supporting Google Cloud Platform (GCP). Just like AWS and Azure, GCP is one of those systems where an organization may start off using only one or two components, but over time that usage tends to expand across a wider variety of services and use cases. This makes it particularly important for the security team to monitor how usage changes over time and to set up alerting mechanisms that notify the team when an unexpected access occurs.
In today’s new Splunk SOAR (formerly known as Splunk Phantom) Community Playbook, we will show how a Splunk Enterprise search can trigger automated enrichment, an analyst prompt, and rapid response actions to prevent damage caused by malicious account access. This use case relies on GCP audit logs ingested into Splunk using Cloud Logging. Once these logs are streamed to Splunk Enterprise, the security team can start to detect usage of service accounts that does not fit expected patterns. This could be an API method that should not be executed from a certain account, an instance created in a region that should not be used, or any other behavior that can be defined based on metadata in the GCP audit log. As expected usage changes over time, one or more searches can be updated to reduce the false positive rate or to continue enforcing the principle of least privilege across user accounts and services. By leveraging Splunk SOAR to automatically monitor new accounts and detect malicious conduct within cloud platforms like GCP, you can add another line of defense to prevent threat actors from exfiltrating sensitive information.
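The detection logic described above, expressed as a small Python example (added here, not code from the playbook or from Splunk), run over a handful of constructed GCP Cloud Audit Log entries rather than real data. The entries follow the Cloud Logging JSON layout (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.methodName`, `protoPayload.serviceName`, `resource.type`, `resource.labels.zone`); the per-service-account policy `EXPECTED_USAGE`, the project name `example-project`, and the service account names are all assumptions made up for the illustration. The example flags the two cases the text names, an API method a given account should not call and an instance created in a region it should not use, and as a generalization also flags any service account for which no expected-usage policy exists yet, which is the signal that a new account has appeared and a search or policy needs updating.

```python
import json

# Constructed sample audit log lines (not real data), shaped like GCP Cloud Audit Logs
# as Cloud Logging exports them and as Splunk would ingest them, one JSON object per line.
SAMPLE_LOG_LINES = [
    # Expected: the deploy account creates an instance in the region it is allowed to use.
    json.dumps({
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
        },
        "resource": {"type": "gce_instance", "labels": {"zone": "us-central1-a"}},
    }),
    # Unexpected region: same account, same method, but the zone belongs to asia-east1.
    json.dumps({
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
        },
        "resource": {"type": "gce_instance", "labels": {"zone": "asia-east1-b"}},
    }),
    # Unexpected method: the deploy account mints a service account key, which it never needs to do.
    json.dumps({
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
        },
        "resource": {"type": "service_account", "labels": {}},
    }),
    # Unknown principal: a service account nobody has written an expected-usage policy for.
    json.dumps({
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.list",
            "authenticationInfo": {"principalEmail": "mystery-svc@example-project.iam.gserviceaccount.com"},
        },
        "resource": {"type": "gce_instance", "labels": {"zone": "us-central1-a"}},
    }),
]

# Hypothetical expected-usage policy: which API methods and which regions each service
# account is allowed to touch. This is the allowlist a security team would refine over time.
EXPECTED_USAGE = {
    "deploy-bot@example-project.iam.gserviceaccount.com": {
        "allowed_methods": {"v1.compute.instances.insert", "v1.compute.instances.delete"},
        "allowed_regions": {"us-central1"},
    },
}


def region_from_zone(zone):
    """Derive the region from a GCE zone name ('us-central1-a' -> 'us-central1').
    Entries for regional or global resources carry no zone; return None for those."""
    if not zone:
        return None
    parts = zone.rsplit("-", 1)
    return parts[0] if len(parts) == 2 else zone


def evaluate_entry(entry, policy):
    """Return the list of policy violations for one parsed audit log entry (empty if expected)."""
    payload = entry.get("protoPayload", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    method = payload.get("methodName", "")
    zone = entry.get("resource", {}).get("labels", {}).get("zone")
    region = region_from_zone(zone)

    rules = policy.get(principal)
    if rules is None:
        # A principal with no policy is itself worth an alert: either a new account or a typo
        # in the allowlist, and both need a human to look.
        return [f"no expected-usage policy for principal {principal!r}"]

    findings = []
    if method not in rules["allowed_methods"]:
        findings.append(f"unexpected method {method} for {principal}")
    if region is not None and region not in rules["allowed_regions"]:
        findings.append(f"unexpected region {region} for {principal}")
    return findings


def find_anomalies(log_lines, policy):
    """Parse raw JSON log lines and return one record per entry that violates the policy."""
    anomalies = []
    for line in log_lines:
        entry = json.loads(line)
        findings = evaluate_entry(entry, policy)
        if findings:
            payload = entry["protoPayload"]
            anomalies.append({
                "principal": payload["authenticationInfo"]["principalEmail"],
                "method": payload["methodName"],
                "findings": findings,
            })
    return anomalies


if __name__ == "__main__":
    for anomaly in find_anomalies(SAMPLE_LOG_LINES, EXPECTED_USAGE):
        print(anomaly["principal"], anomaly["method"], anomaly["findings"])
```

Each record returned by `find_anomalies` is the kind of event a Splunk search would hand to the playbook: the principal and method give the enrichment and analyst prompt their context, and the `findings` list is the reason string an analyst sees before deciding on a response action. Keeping the policy as data rather than as hard-coded conditions is what lets the allowlist be tightened or relaxed as expected usage changes without touching the detection code.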