Skip to main content

Cloud Response - GCP

This Playbook is part of the GCP Enrichment and Remediation Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook provides response actions to GCP. The following are available for execution automatically/manually:

  • Resource remediation:
    • Delete the instance
    • Stop the instance
  • Identity remediation:
    • Disable the user
    • Delete the user
  • Access key remediation:
    • Disable the access key
    • Delete the access key
  • Block indicators


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block IP - Generic v3


This playbook does not use any integrations.


  • Set


  • gcp-iam-service-account-disable
  • gcp-iam-service-account-key-disable
  • gsuite-user-delete
  • gcp-compute-stop-instance
  • gcp-iam-service-account-delete
  • gcp-iam-service-account-key-delete
  • gcp-compute-delete-instance

Playbook Inputs#

NameDescriptionDefault ValueRequired
accessKeyRemediationTypeChoose the remediation type for the user's access key.
Disable - For disabling the user's access key.
Delete - For deleting user's access key.
userRemediationTypeChoose the remediation type for the user involved.
Delete - For deleting the user.
Disable - For disabling the user.
resourceRemediationTypeChoose the remediation type for the instances created.
Stop - For stopping the instances.
Delete - For deleting the instances.
autoResourceRemediationWhether to execute the resource remediation flow automatically.FalseOptional
autoUserRemediationWhether to execute the user remediation flow automatically.FalseOptional
autoAccessKeyRemediationWhether to execute the access key remediation flow automatically.FalseOptional
autoBlockIndicatorsWhether to block the indicators automatically.FalseOptional
resourceNameThe resource name to take action on.Optional
resourceZoneThe resource's zone.Optional
usernameThe username to take action on.Optional
accessKeyNameThe access key name in the following format:
sourceIPThe source IP address of the attacker.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cloud Response - GCP