Splunk Tech Talks
Deep-dives for technical practitioners.

Playbook: GCP Unusual Service Account Usage

melissap
Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition,  Playbook: GCP Unusual Service Account Usage 

As organizations increase their cloud footprints, it becomes more and more important to implement access control monitoring for as many resources as possible. In previous playbooks, we have shown examples of AWS and Azure account monitoring, but the series would not be complete without also supporting Google Cloud Platform (GCP).

Just like AWS and Azure, GCP is one of those systems where an organization may start off just using one or two components, but over time that usage tends to expand across a wider variety of services and use cases. This makes it particularly important for the security team to monitor how usage is changing over time and to set up alerting mechanisms that will notify the team when an unexpected access occurs.

In today’s new Splunk SOAR (formerly known as Splunk Phantom) Community Playbook, we will show how a Splunk Enterprise search can trigger automated enrichment, an analyst prompt, and rapid response actions to prevent damage caused by malicious account access. This use case relies on GCP audit logs ingested into Splunk using Cloud Logging. Once these logs are streamed to Splunk Enterprise, the security team can start to detect usage of service accounts that does not fit into expected patterns. This could be an API method that should not be executed from a certain account, an instance created in a new region that should not be used, or any other behavior that can be defined based on metadata in the GCP audit log.

As expected usage changes over time, one or more searches can be updated to reduce the false positive rate or continue to enforce the principle of least privilege across user accounts and services. By leveraging Splunk SOAR to automatically monitor new accounts and detect malicious conduct within cloud platforms like GCP, you can add another line of defense to prevent threat actors from exfiltrating sensitive information. 

Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...