Splunk Tech Talks
Deep-dives for technical practitioners.

Playbook: GCP Unusual Service Account Usage

Splunk Employee

View our Tech Talk: Security Edition, Playbook: GCP Unusual Service Account Usage

As organizations increase their cloud footprints, it becomes more and more important to implement access control monitoring for as many resources as possible. In previous playbooks, we have shown examples of AWS and Azure account monitoring, but the series would not be complete without also supporting Google Cloud Platform (GCP).

Just like AWS and Azure, GCP is one of those systems where an organization may start off just using one or two components, but over time that usage tends to expand across a wider variety of services and use cases. This makes it particularly important for the security team to monitor how usage is changing over time and to set up alerting mechanisms that will notify the team when an unexpected access occurs.

In today’s new Splunk SOAR (formerly known as Splunk Phantom) Community Playbook, we will show how a Splunk Enterprise search can trigger automated enrichment, an analyst prompt, and rapid response actions to prevent damage caused by malicious account access. This use case relies on GCP audit logs ingested into Splunk using Cloud Logging. Once these logs are streamed to Splunk Enterprise, the security team can start to detect usage of service accounts that does not fit into expected patterns. This could be an API method that should not be executed from a certain account, an instance created in a new region that should not be used, or any other behavior that can be defined based on metadata in the GCP audit log.

As expected usage changes over time, one or more searches can be updated to reduce the false positive rate or continue to enforce the principle of least privilege across user accounts and services. By leveraging Splunk SOAR to automatically monitor new accounts and detect malicious conduct within cloud platforms like GCP, you can add another line of defense to prevent threat actors from exfiltrating sensitive information.
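The detection step described above, expressed as an added Python example rather than the playbook's own Splunk search: each Cloud Audit Log entry is compared against a per-service-account baseline of expected API methods and regions, and anything outside that baseline (or any service account with no baseline at all) is flagged. The baseline, the project name and the sample log entries are constructed for this example; only the audit-log field names (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.methodName`, `resource.labels.zone`) follow the real Cloud Logging format.

```python
# Expected-usage baseline per service account (constructed for this example);
# in practice derived from historical audit-log activity and kept current by the team.
BASELINE = {
    "deploy-sa@example-project.iam.gserviceaccount.com": {
        "methods": {"v1.compute.instances.insert", "v1.compute.instances.get"},
        "regions": {"us-central1"},
    },
}
def region_of(entry):
    """Derive the region from a GCE zone label such as 'europe-west1-b'."""
    zone = entry.get("resource", {}).get("labels", {}).get("zone", "")
    return zone.rsplit("-", 1)[0] if zone.count("-") >= 2 else zone

def find_unusual(entries, baseline=BASELINE):
    """Return (principal, reason) pairs for service-account calls outside baseline."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail", "")
        if not who.endswith(".iam.gserviceaccount.com"):
            continue  # only service accounts are in scope for this detection
        expected = baseline.get(who)
        if expected is None:
            findings.append((who, "no baseline for this service account"))
            continue
        method = payload.get("methodName", "")
        if method not in expected["methods"]:
            findings.append((who, f"unexpected method {method}"))
        region = region_of(entry)
        if region and region not in expected["regions"]:
            findings.append((who, f"activity in unexpected region {region}"))
    return findings

def audit(principal, method, zone=""):
    """Build a constructed Cloud Audit Log entry carrying only the fields used above."""
    return {"protoPayload": {"authenticationInfo": {"principalEmail": principal},
                             "methodName": method},
            "resource": {"type": "gce_instance", "labels": {"zone": zone}}}

SA = "deploy-sa@example-project.iam.gserviceaccount.com"
SAMPLE_LOGS = [  # constructed sample events, not real log data
    audit(SA, "v1.compute.instances.insert", "us-central1-a"),          # expected
    audit(SA, "v1.compute.instances.setIamPolicy", "us-central1-a"),    # unexpected method
    audit(SA, "v1.compute.instances.insert", "europe-west1-b"),         # unexpected region
    audit("other-sa@example-project.iam.gserviceaccount.com", "v1.compute.instances.get"),
    audit("alice@example.com", "v1.compute.instances.delete", "asia-east1-a"),  # human, skipped
]

print(find_unusual(SAMPLE_LOGS))  # three findings: method, region, missing baseline
```

In the playbook flow, each tuple returned here is the kind of event that would trigger SOAR enrichment and the analyst prompt; tuning the baseline is the same work as tuning the search to lower the false positive rate.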
