
GCP - User Investigation

This playbook is part of the GCP Enrichment and Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

This playbook investigates a specific user in a GCP environment. It queries G Suite Auditor and GCP Logging to locate the following activities performed by the user:

  • Failed login attempt
  • Suspicious API usage by the user
  • Anomalous network traffic by the user
  • Unusual and suspicious login attempt
  • User's password leaked

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • GetTime
  • Set

Commands

  • gcp-logging-log-entries-list
  • gsuite-activity-search

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Username | The username to investigate. | | Optional |
| GcpProjectName | The GCP project name. Marked Optional at the playbook level, but the GCP Logging queries require it. | | Optional |
| GcpTimeSearchFrom | The search time for the `GetTime` task used by the GCP Logging search query. This value is the number of days to include in the search. | 1 (1 day) | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| GcpAnomalousNetworkTraffic | Whether events of anomalous network traffic by the user were found in the GCP environment. | unknown |
| GcpSuspiciousApiUsage | Whether events of suspicious API usage by the user were found in the GCP environment. | unknown |
| GcpFailLogonCount | The number of failed logins by the user in the GCP environment. | unknown |
| GsuiteFailLogonCount | The number of failed logins by the user in the G Suite environment. | unknown |
| GsuiteUnusualLoginAllowedCount | The number of unusual logins by the user that were allowed in the G Suite environment. | unknown |
| GsuiteUnusualLoginBlockedCount | The number of unusual logins by the user that were blocked in the G Suite environment. | unknown |
| GsuiteSuspiciousLoginCount | The number of suspicious logins by the user in the G Suite environment. | unknown |
| GsuiteUserPasswordLeaked | Whether the user's password was leaked in the G Suite environment. | unknown |
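The following Python is an added, offline model of the checks behind the inputs and outputs above; it is not the pack's own code and not what the playbook tasks execute. It mirrors the `GetTime` window derived from `GcpTimeSearchFrom`, builds the kind of Cloud Logging filter that `gcp-logging-log-entries-list` would be given, and tallies the playbook's output keys from constructed sample GCP audit entries and G Suite login-audit activities. Everything about which events count is an assumption: the `SetIamPolicy` and service-account-key method names standing in for "suspicious API usage", `google.login.LoginService.loginFailure` as a GCP-side login failure, and the mapping of "unusual login" to `login_challenge` outcomes. `GcpAnomalousNetworkTraffic` is not modeled because the page does not say which log source the playbook queries for it. One practitioner caveat is built in: `Username` is caller-supplied, so it is refused if it could rewrite the filter string.

```python
"""Offline model of this playbook's per-user checks over constructed sample events (added example)."""
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed query terms, not the playbook's own: audit-log method names treated as "suspicious
# API usage", and the method name a Workspace login failure carries in GCP Logging.
SUSPICIOUS_API_METHODS = {"SetIamPolicy", "google.iam.admin.v1.CreateServiceAccountKey"}
GCP_LOGIN_FAILURE_METHOD = "google.login.LoginService.loginFailure"


def search_window(days, now):
    """Mirror the GetTime task: RFC 3339 start/end timestamps covering the last `days` days."""
    return (now - timedelta(days=days)).strftime(TS_FMT), now.strftime(TS_FMT)


def is_safe_principal(username):
    """A quote or backslash in a caller-supplied username could rewrite the logging filter."""
    return not any(c in username for c in '"\\')


def gcp_logging_filter(username, start, end):
    """Cloud Logging filter scoping audit entries to one principal and one time window."""
    if not is_safe_principal(username):
        raise ValueError("username must not contain quote or backslash characters")
    return (f'protoPayload.authenticationInfo.principalEmail="{username}" '
            f'AND timestamp>="{start}" AND timestamp<="{end}"')


def summarize_gcp(username, entries, start, end):
    """Count login failures and flag sensitive API calls by one principal inside the window."""
    fails, suspicious = 0, False
    for e in entries:
        p = e["protoPayload"]
        if p["authenticationInfo"]["principalEmail"] != username:
            continue
        if not (start <= e["timestamp"] <= end):  # RFC 3339 UTC strings compare as text
            continue
        if p["methodName"] == GCP_LOGIN_FAILURE_METHOD:
            fails += 1
        elif p["methodName"] in SUSPICIOUS_API_METHODS:
            suspicious = True
    return {"GcpFailLogonCount": fails, "GcpSuspiciousApiUsage": suspicious}


def summarize_gsuite(username, activities):
    """Tally login-audit outcomes for one actor in Reports API activity records.
    Treating login_challenge passed/failed as "unusual login allowed/blocked" is an assumption."""
    out = {"GsuiteFailLogonCount": 0, "GsuiteUnusualLoginAllowedCount": 0,
           "GsuiteUnusualLoginBlockedCount": 0, "GsuiteSuspiciousLoginCount": 0,
           "GsuiteUserPasswordLeaked": False}
    for act in activities:
        if act["actor"]["email"] != username:
            continue
        for ev in act["events"]:
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            name = ev["name"]
            if name == "login_failure":
                out["GsuiteFailLogonCount"] += 1
            elif name == "login_challenge":
                key = "Allowed" if params.get("login_challenge_status") == "passed" else "Blocked"
                out[f"GsuiteUnusualLogin{key}Count"] += 1
            elif name.startswith("suspicious_login"):
                out["GsuiteSuspiciousLoginCount"] += 1
            elif name == "account_disabled_password_leak":
                out["GsuiteUserPasswordLeaked"] = True
    return out


def gcp_entry(ts, principal, method):
    """Constructed Cloud Audit Log entry trimmed to the fields used above."""
    return {"timestamp": ts, "protoPayload": {"authenticationInfo": {"principalEmail": principal},
                                              "methodName": method}}


def gsuite_activity(actor, name, **params):
    """Constructed Reports API login activity carrying a single event."""
    return {"actor": {"email": actor}, "events": [{"type": "login", "name": name,
            "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for repeatable results
GCP_ENTRIES = [  # constructed sample data
    gcp_entry("2024-05-02T08:00:00Z", "alice@example.com", GCP_LOGIN_FAILURE_METHOD),
    gcp_entry("2024-05-02T08:05:00Z", "alice@example.com", GCP_LOGIN_FAILURE_METHOD),
    gcp_entry("2024-04-30T09:00:00Z", "alice@example.com", GCP_LOGIN_FAILURE_METHOD),  # outside window
    gcp_entry("2024-05-02T09:00:00Z", "alice@example.com", "SetIamPolicy"),
    gcp_entry("2024-05-02T09:30:00Z", "bob@example.com", "SetIamPolicy"),  # other user
    gcp_entry("2024-05-02T10:00:00Z", "alice@example.com", "v1.compute.instances.list"),
]
GSUITE_ACTIVITIES = [  # constructed sample data
    gsuite_activity("alice@example.com", "login_failure", login_type="google_password"),
    gsuite_activity("alice@example.com", "login_challenge", login_challenge_status="passed"),
    gsuite_activity("alice@example.com", "login_challenge", login_challenge_status="failed"),
    gsuite_activity("alice@example.com", "suspicious_login"),
    gsuite_activity("alice@example.com", "account_disabled_password_leak"),
    gsuite_activity("bob@example.com", "login_failure"),
]


def investigate(username, gcp_days=1, now=NOW):
    """Run both summaries with the playbook's inputs and return its output keys plus the filter."""
    start, end = search_window(gcp_days, now)
    result = {"GcpLoggingFilter": gcp_logging_filter(username, start, end)}
    result.update(summarize_gcp(username, GCP_ENTRIES, start, end))
    result.update(summarize_gsuite(username, GSUITE_ACTIVITIES))
    return result
```

`investigate("alice@example.com")` returns the filter string plus two GCP failed logins (the third sample entry falls outside the one-day window), a suspicious API flag, one G Suite failed login, one allowed and one blocked unusual login, one suspicious login, and a leaked-password flag. A real run would replace the two sample lists with the results of `gcp-logging-log-entries-list` and `gsuite-activity-search`; the counting logic does not change.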

Playbook Image

[Image: GCP - User Investigation playbook diagram]