Cloud Incident Forensic Response — Part 2: GCP

Rajendraprasanth
4 min read · Jan 17, 2024


GCP Forensics

Google Cloud's Logging service, together with the Logs Explorer interface, gives you one place to search and pull logs from the various Google Cloud resources in a project. This guide walks through extracting logs with Logs Explorer and the options for analysing them afterwards, and then covers which log sources matter for threat hunting and incident response.

Common attack path in GCP

[Figure: Common attack path in GCP]

To spot the stages of an attack path like this you first need the right logs in hand. The steps below cover pulling them out of Logs Explorer; the second half of the post covers which log sources to pull.

Accessing Logs Explorer:

  1. Navigate to Logs Explorer: https://console.cloud.google.com/logs/query
  2. Ensure that the correct project is selected.

Refining Scope:

  • If needed, use "Refine scope" at the top left to narrow the search from the whole project to specific log buckets or log views, for example the _Required bucket that holds the Admin Activity audit logs.

Building Queries:

  • Write a query in the Logging query language to filter the entries down to what the case needs, typically by log name, principal email, method name and a time range.

Executing the Search:

  1. Click “Run query” to execute the search.
  2. Review the results in the “Query results” section to ensure they meet your criteria.

Downloading Logs:

  1. Once satisfied with the results, select "Download."
  2. Choose the number of log entries to export. The console download is capped at 10,000 entries, so for a longer window either tighten the query or pull the logs with gcloud instead.
  3. Select your preferred format: JSON or CSV. JSON keeps the nested protoPayload fields intact; CSV flattens them.

Export Options:

  1. Determine the export destination:
  • Download locally
  • Open in a new tab
  • Save to Google Drive
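The same pull can be scripted, which matters when the case needs more than the console's download cap or has to be repeated for several principals. The script below is an added example, not code from the original post: it builds the same kind of query you would type into the query box, runs it with `gcloud logging read`, and writes the entries to a JSON file that SOF-ELK or a triage script can read. It assumes the gcloud CLI is installed and authenticated; the project ID, principal, time window and output file name are placeholders.

```python
"""Scripted version of the Logs Explorer pull: build the query, run it through
`gcloud logging read`, save the entries as JSON.

Added example, not code from the original post. Assumes an authenticated gcloud
CLI; the project, principal and window in __main__ are placeholders.
"""
import json
import shutil
import subprocess
from typing import Iterable, List, Optional

# Audit-log streams as they appear in logName ("/" is URL-encoded as %2F).
AUDIT_LOGS = {
    "activity": "cloudaudit.googleapis.com%2Factivity",        # Admin Activity
    "data_access": "cloudaudit.googleapis.com%2Fdata_access",  # Data Access
    "policy": "cloudaudit.googleapis.com%2Fpolicy",            # Policy Denied
}


def quote(value: str) -> str:
    """Quote a value for the Logging query language, escaping backslash and
    double quote so a name pasted from a ticket cannot break the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(project: str,
                 logs: Iterable[str] = ("activity",),
                 principal: Optional[str] = None,
                 start: Optional[str] = None,
                 end: Optional[str] = None,
                 methods: Iterable[str] = ()) -> str:
    """Return a Logging query: which audit streams, optionally one principal,
    an RFC 3339 time window, and a set of protoPayload.methodName values."""
    log_terms = [f"logName={quote(f'projects/{project}/logs/{AUDIT_LOGS[l]}')}"
                 for l in logs]
    if not log_terms:
        raise ValueError("at least one audit stream is required")
    clauses: List[str] = [log_terms[0] if len(log_terms) == 1
                          else "(" + " OR ".join(log_terms) + ")"]
    if principal:
        clauses.append(f"protoPayload.authenticationInfo.principalEmail={quote(principal)}")
    if start:
        clauses.append(f"timestamp>={quote(start)}")
    if end:
        clauses.append(f"timestamp<={quote(end)}")
    method_terms = [f"protoPayload.methodName={quote(m)}" for m in methods]
    if method_terms:
        clauses.append("(" + " OR ".join(method_terms) + ")")
    return " AND ".join(clauses)


def gcloud_read_command(project: str, query: str, limit: int = 10000) -> List[str]:
    """argv for gcloud: oldest entry first so the file reads as a timeline,
    JSON so the SOF-ELK parser can consume it unchanged."""
    return ["gcloud", "logging", "read", query, f"--project={project}",
            f"--limit={limit}", "--order=asc", "--format=json"]


def export_entries(project: str, query: str, out_path: str,
                   limit: int = 10000) -> Optional[int]:
    """Run the query and write the entries to out_path. Returns the number of
    entries written, or None when gcloud is not installed on this host."""
    if shutil.which("gcloud") is None:
        return None
    result = subprocess.run(gcloud_read_command(project, query, limit),
                            check=True, capture_output=True, text=True)
    entries = json.loads(result.stdout or "[]")
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=1)
    return len(entries)


if __name__ == "__main__":
    # Placeholder project, principal and window: replace with the case values.
    query = build_filter(
        "ir-demo-project",
        logs=("activity", "data_access"),
        principal="deploy-sa@ir-demo-project.iam.gserviceaccount.com",
        start="2024-01-10T00:00:00Z",
        end="2024-01-17T00:00:00Z",
        methods=("SetIamPolicy", "google.iam.admin.v1.CreateServiceAccountKey"),
    )
    print(query)
    print("entries written:",
          export_entries("ir-demo-project", query, "gcp_audit_export.json"))
```

The query string that `build_filter` produces can be pasted straight into the Logs Explorer query box as well, so the console and the scripted pull stay consistent when you need to show both in a report.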

Analyzing Logs with SOF-ELK:

  • If you chose JSON, the download can be dropped into SOF-ELK, whose Google Cloud Logstash parser splits the audit-log fields (principal, method, caller IP, resource) out for searching and timelining.

Ensuring Proper Permissions:

  • To use Logs Explorer your Google Cloud account needs an IAM role that can read logs. Logs Viewer (roles/logging.viewer) covers Admin Activity audit logs; Data Access audit logs and other private logs additionally require Private Logs Viewer (roles/logging.privateLogViewer), the role referenced in the gcloud section of the SANS log-extraction article listed in the references.

Logs For Threat Hunting and Incident Response:

Knowing which log categories exist, what each one records, where it is stored and how long it is kept by default tells you where to look first and how far back you can go. The key categories and their logs:

Identity and Administration Logs (Google Workspace / Cloud Identity Admin console):

Admin:

  • Description: Tracks actions performed in the Google Admin console.
  • Default Enabled: Yes
  • Location: Admin Console > Reporting > Audit
  • Default Retention: 180 days

User:

  • Description: Records user events such as logins, password changes, and 2FA usage.
  • Default Enabled: Yes
  • Location: Admin Console > Reporting > Audit
  • Default Retention: 180 days

OAuth:

  • Description: Monitors third-party data access requests (OAuth grants) and app usage.
  • Default Enabled: Yes
  • Location: Admin Console > Reporting > Audit
  • Default Retention: 180 days

SAML:

  • Description: Tracks successful and failed sign-ins to SAML apps.
  • Default Enabled: Yes
  • Location: Admin Console > Reporting > Audit
  • Default Retention: 180 days

Groups:

  • Description: Monitors changes to groups and memberships via Groups interface.
  • Default Enabled: Yes
  • Location: Admin Console > Reporting > Audit
  • Default Retention: 180 days

Groups Enterprise:

  • Description: Tracks changes to groups and memberships via Admin console, Cloud console, Admin SDK API, Cloud Identity API, and Groups user interface.
  • Default Enabled: Yes
  • Location: Admin Console > Reporting > Audit
  • Default Retention: 180 days

Security Logs:

Admin Activity:

  • Description: Tracks API calls and actions modifying configuration or metadata.
  • Default Enabled: Yes
  • Location: Log Bucket (_Required)
  • Default Retention: 400 days

Data Access:

  • Description: Records API calls that read resource configuration or metadata, and user-driven calls that create, modify or read user-provided resource data (object reads, table queries and the like).
  • Default Enabled: No (except for BigQuery); must be turned on per service before an incident if you want it available during one
  • Location: Log Bucket (_Default)
  • Default Retention: 30 days

Policy Denied:

  • Description: Written when a Google Cloud service denies a principal access because of a security policy violation, for example a VPC Service Controls perimeter.
  • Default Enabled: Yes
  • Location: Log Bucket (_Default)
  • Default Retention: 30 days
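Once the Admin Activity and Data Access entries are on disk as JSON, the first pass is usually the same: walk them oldest-first, pull out who called what from where, and flag the operations that matter in an incident. The script below is an added example, not code from the original post. The sample entries are constructed for the example; their field names follow the Cloud Audit Log entry shape and the method names are real ones, but the watch-list of methods and the "new caller IP for this principal" heuristic are this example's own choices.

```python
"""Triage pass over Admin Activity and Data Access audit entries downloaded as
JSON from Logs Explorer. Added example, not code from the original post: the
sample entries are constructed, the watch-list and heuristics are assumptions.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Method-name suffixes worth a look in an incident: persistence, privilege
# changes, network exposure. Matched on suffix because the same operation shows
# up under versioned prefixes (v1., beta., google.iam.admin.v1.).
WATCH_SUFFIXES = {
    "SetIamPolicy": "IAM binding changed",
    "CreateServiceAccountKey": "service account key minted",
    "CreateServiceAccount": "new service account",
    "setMetadata": "instance/project metadata changed (SSH keys, startup script)",
    "firewalls.insert": "firewall rule added",
    "firewalls.patch": "firewall rule modified",
    "setIamPermissions": "bucket IAM changed",
}
PERMISSION_DENIED = 7  # google.rpc.Code value found in protoPayload.status.code

# Constructed sample export, trimmed to the fields used below and deliberately
# newest-first, which is how a console download arrives.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-01-15T09:12:00Z", "logName": "projects/ir-demo/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.firewalls.insert",
                      "resourceName": "projects/ir-demo/global/firewalls/allow-all-ssh",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "198.51.100.9"}}},
    {"timestamp": "2024-01-15T09:10:00Z", "logName": "projects/ir-demo/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.list",
                      "resourceName": "projects/_/buckets/finance-exports",
                      "status": {"code": 7, "message": "PERMISSION_DENIED"},
                      "authorizationInfo": [{"permission": "storage.objects.list", "granted": False}],
                      "authenticationInfo": {"principalEmail": "backup-sa@ir-demo.iam.gserviceaccount.com"},
                      "requestMetadata": {"callerIp": "10.0.0.4"}}},
    {"timestamp": "2024-01-15T09:07:00Z", "logName": "projects/ir-demo/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                      "resourceName": "projects/ir-demo",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "198.51.100.9"}}},
    {"timestamp": "2024-01-15T09:05:00Z", "logName": "projects/ir-demo/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "resourceName": "projects/-/serviceAccounts/backup-sa@ir-demo.iam.gserviceaccount.com",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.5"}}},
    {"timestamp": "2024-01-15T09:00:00Z", "logName": "projects/ir-demo/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.list",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.5"}}},
])


def load_entries(text: str) -> List[dict]:
    return json.loads(text)


def load_sample_entries() -> List[dict]:
    return load_entries(SAMPLE_EXPORT)


def audit_fields(entry: dict) -> dict:
    """Flatten the parts of an audit entry an analyst scans first."""
    p = entry.get("protoPayload", {})
    # 'granted' is only emitted when true, so a missing value means denied.
    denied = (p.get("status", {}).get("code") == PERMISSION_DENIED
              or any(not a.get("granted", False) for a in p.get("authorizationInfo", [])))
    return {"ts": entry.get("timestamp", ""),
            "stream": entry.get("logName", "").rsplit("%2F", 1)[-1],
            "principal": p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "ip": p.get("requestMetadata", {}).get("callerIp"),
            "service": p.get("serviceName"), "method": p.get("methodName", ""),
            "resource": p.get("resourceName"), "denied": denied}


def triage(entries: List[dict]) -> List[dict]:
    """Walk the entries oldest-first; return the ones worth reading, with reasons."""
    rows = sorted((audit_fields(e) for e in entries), key=lambda r: r["ts"])
    seen_ips: Dict[str, set] = defaultdict(set)
    findings = []
    for r in rows:
        reasons = [why for suffix, why in WATCH_SUFFIXES.items() if r["method"].endswith(suffix)]
        if r["denied"]:
            reasons.append("permission denied (possible enumeration or over-reach)")
        known = seen_ips[r["principal"]]
        if r["ip"] and known and r["ip"] not in known:
            reasons.append(f"new caller IP for principal (previously {sorted(known)})")
        if r["ip"]:
            known.add(r["ip"])
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


def by_principal(entries: List[dict]) -> Dict[str, dict]:
    """Per-principal rollup: call count, distinct caller IPs, services touched."""
    out: Dict[str, dict] = defaultdict(lambda: {"calls": 0, "ips": set(), "services": set()})
    for r in map(audit_fields, entries):
        s = out[r["principal"]]
        s["calls"] += 1
        if r["ip"]:
            s["ips"].add(r["ip"])
        if r["service"]:
            s["services"].add(r["service"])
    return dict(out)


if __name__ == "__main__":
    for f in triage(load_sample_entries()):
        print(f["ts"], f["principal"], f["ip"], f["method"], "->", "; ".join(f["reasons"]))
```

On the constructed sample this surfaces the sequence an attack path typically leaves behind: a service account key minted, an IAM policy change from a caller IP the account had not used before, a denied bucket listing by the account whose key was just created, and then a firewall rule being added. Run against a real export, replace `load_sample_entries()` with `load_entries(open("gcp_audit_export.json").read())` and extend `WATCH_SUFFIXES` with the methods relevant to the services in the case.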

Platform-Centric Logs:

VPC Flow:

  • Description: Captures network connection metadata to and from VM instances.
  • Default Enabled: No
  • Location: Log Bucket (_Default)
  • Default Retention: 30 days
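VPC Flow Logs are the source for the data-exfiltration stage of an attack path, and the question is nearly always the same: which VM sent how much to which external address. The script below is an added example, not code from the original post. The entries are constructed; their field names follow the VPC Flow Logs record format (jsonPayload.connection, bytes_sent, reporter, src_instance / dest_instance), while the byte threshold and the list of "internal" ranges are this example's own assumptions.

```python
"""Egress triage over VPC Flow Log entries downloaded as JSON. Added example,
not code from the original post: entries are constructed, the threshold and
the internal ranges are assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# RFC 1918 plus link-local (169.254.169.254 is the metadata server). Pass the
# VPC's own public ranges or peered/VPN CIDRs via extra_internal.
INTERNAL = [ipaddress.ip_network(c) for c in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def _flow(vm, src, dst, dport, proto, nbytes, reporter, start) -> dict:
    """One constructed flow-log entry in the shape of the JSON download."""
    side = "src_instance" if reporter == "SRC" else "dest_instance"
    return {"logName": "projects/ir-demo/logs/compute.googleapis.com%2Fvpc_flows",
            "jsonPayload": {"connection": {"src_ip": src, "src_port": 44312,
                                           "dest_ip": dst, "dest_port": dport,
                                           "protocol": proto},
                            "bytes_sent": str(nbytes),  # int64 arrives as a string
                            "reporter": reporter, side: {"vm_name": vm},
                            "start_time": start}}


SAMPLE_FLOWS: List[dict] = [
    _flow("web-1", "10.10.0.5", "203.0.113.77", 443, 6, 734003200, "SRC", "2024-01-15T02:10:00Z"),
    _flow("web-1", "10.10.0.5", "203.0.113.77", 443, 6, 524288000, "SRC", "2024-01-15T02:05:00Z"),
    _flow("web-1", "10.10.0.5", "10.10.0.9", 5432, 6, 9000000, "SRC", "2024-01-15T02:06:00Z"),
    _flow("web-1", "198.51.100.9", "10.10.0.5", 22, 6, 2048, "DEST", "2024-01-15T02:07:00Z"),
    _flow("web-1", "10.10.0.5", "198.51.100.22", 53, 17, 2048, "SRC", "2024-01-15T02:08:00Z"),
    _flow("build-1", "10.10.0.7", "192.0.2.10", 443, 6, 150000000, "SRC", "2024-01-15T03:00:00Z"),
]

Key = Tuple[str, str, int, int]  # (vm, dest_ip, dest_port, protocol)


def is_internal(ip: str, extra: Iterable[str] = ()) -> bool:
    """True if ip falls inside the built-in or caller-supplied internal ranges.
    Deliberately not ipaddress.is_private, which also treats the RFC 5737
    documentation ranges used in this sample as private."""
    addr = ipaddress.ip_address(ip)
    nets = list(INTERNAL) + [ipaddress.ip_network(c) for c in extra]
    return any(addr in n for n in nets)


def flow_fields(entry: dict) -> dict:
    j = entry["jsonPayload"]
    c = j["connection"]
    side = "src_instance" if j.get("reporter") == "SRC" else "dest_instance"
    return {"vm": j.get(side, {}).get("vm_name"),
            "src": c["src_ip"], "dst": c["dest_ip"],
            "dport": int(c["dest_port"]), "proto": int(c["protocol"]),
            "bytes": int(j.get("bytes_sent", 0)),
            "reporter": j.get("reporter"), "start": j.get("start_time", "")}


def egress_summary(entries: List[dict], extra_internal: Iterable[str] = ()) -> Dict[Key, dict]:
    """Sum bytes per (vm, dest_ip, dest_port, protocol) over flows that the
    sending VM reported to destinations outside the internal ranges."""
    totals: Dict[Key, dict] = defaultdict(lambda: {"bytes": 0, "flows": 0, "first": ""})
    for f in map(flow_fields, entries):
        # Ignore the destination-side copy of a flow and anything staying inside.
        if f["reporter"] != "SRC" or is_internal(f["dst"], extra_internal):
            continue
        t = totals[(f["vm"], f["dst"], f["dport"], f["proto"])]
        t["bytes"] += f["bytes"]
        t["flows"] += 1
        if f["start"] and (not t["first"] or f["start"] < t["first"]):
            t["first"] = f["start"]
    return dict(totals)


def suspicious_egress(entries: List[dict], threshold_bytes: int = 100 * 1024 * 1024,
                      extra_internal: Iterable[str] = ()) -> List[Tuple[Key, dict]]:
    """Rank external destinations by bytes sent; keep those over the threshold."""
    ranked = sorted(egress_summary(entries, extra_internal).items(),
                    key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(k, v) for k, v in ranked if v["bytes"] >= threshold_bytes]


if __name__ == "__main__":
    for (vm, dst, port, proto), v in suspicious_egress(SAMPLE_FLOWS):
        print(f"{vm} -> {dst}:{port}/{proto}  {v['bytes'] / 2**20:.0f} MiB "
              f"over {v['flows']} flows, first seen {v['first']}")
```

Two caveats a practitioner should keep in mind when reading the output: flow logs are sampled and aggregated, so the byte counts are estimates rather than exact transfer sizes, and because the page notes they are off by default, a VM whose subnet never had flow logging enabled simply will not appear here, which is absence of evidence, not evidence of absence.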

GCS Usage:

  • Description: Records the HTTP requests made to a specific Cloud Storage bucket; delivered hourly as CSV files into a bucket you configure.
  • Default Enabled: No
  • Location: Configured Storage Bucket
  • Default Retention: N/A (kept as long as the files stay in your bucket)

Cloud DNS:

  • Description: Records queries that name servers resolve for VPC networks.
  • Default Enabled: No
  • Location: Log Bucket (_Default)
  • Default Retention: 30 days

Firewall Rules:

  • Description: Records connections allowed or denied by VPC firewall rules, for the rules on which logging has been enabled.
  • Default Enabled: No
  • Location: Log Bucket (_Default)
  • Default Retention: 30 days

HTTP/S Load Balancing:

  • Description: Monitors load-balanced web connections to backend services.
  • Default Enabled: No
  • Location: Log Bucket (_Default)
  • Default Retention: 30 days

Agent (user-written):

  • Description: Host-based logs (OS logs such as syslog and auth logs, application logs, metrics) shipped by the logging agent from Compute-oriented resources (GCE instances, GKE nodes, etc.).
  • Default Enabled: No (the agent must be installed and configured on the host)
  • Location: Log Bucket (_Default)
  • Default Retention: 30 days

Knowing which of these logs exist, which are on by default and how long each is kept is what decides whether an investigation has evidence to work with, so the ones that are off by default (Data Access, VPC Flow, firewall, DNS and agent logs) are worth enabling before an incident rather than after. Stay tuned for more insights into Google Cloud logs and their management strategies.

References:

1. https://www.sans.org/blog/google-cloud-log-extraction/
2. https://drive.google.com/file/d/1l4vCli5XKHMQM2qPwWEdFbe0Iyti4klN/view
