GCP

Overview

Why is it important for Threat Hunting?

GCP logs provide unique and crucial visibility into the activities and resources in an organization’s GCP environment.

Cloud environments differ substantially from on-prem environments: many classic security products, auditing mechanisms and logging mechanisms either do not exist in the cloud or exist in a different form. That makes GCP's own logging mechanisms all the more important for defending an organization's GCP environment.

Supported APIs and data types

  • GCP Audit logs: Logs of actions taken in GCP, including read and write operations on cloud resources. For example - the creation of a new Virtual Machine.
  • GCP Security Command Center Assets: Provides a list of all GCP assets currently available in the environment.
  • GCP Security Command Center Findings: Provides alerts from the GCP environment such as misconfigurations.

Sending Audit logs to hunters

Audit logs - General Information

First, we will configure the Audit Logs which are needed for the Hunters detection and investigation.

After all the relevant Audit Logs are enabled, we need them to flow properly into Hunters.

Making the logs accessible to an external application involves the following steps-

  • A Pub/Sub Topic should be created to receive the Audit Logs
  • A Subscription should be created to allow reading from the Topic we configured
  • A log Sink should be configured to route the Audit Logs to the Pub/Sub Topic
  • A service account should be created and granted the permissions that allow Hunters to read the data - This is described at the end of the document

Once these steps are complete, the logs flow automatically into the Pub/Sub Topic. Hunters uses the service account to pull the data from the Subscription and ingest it.

Definition of interesting Audit Logs

By default, some GCP Audit Logs are not enabled. In order to allow proper detection and investigation in Hunters, we will enable them.

Which Audit Logs are written is configured under "IAM & Admin" -> "Audit Logs". The configuration specifies, per service and API, which log types (Admin Read, Data Read, Data Write) are written.

The following changes should be done-

  • Change the default (under "DEFAULT AUDIT CONFIG") to include both "Admin Read" and "Admin Write" logs. Note that Admin Write (Admin Activity) logs are always written and cannot be disabled; "Admin Read" is the one that is off by default.
  • Enable logging of "Data Read" and "Data Write" for the following services-
    • "Identity and Access Management (IAM) API"
    • "Identity Toolkit API"
    • "Security Token Service API"
    • "Security Command Center API"

Note that Data Access logs can be high-volume, so these changes may affect Cloud Logging costs. You can read more about this here.

Creating a Pub/Sub Topic

In order to create a Topic - follow the GCP manual for creating Pub/Sub topics.

Things to note while configuring the Topic-

  • Give the Topic an indicative name such as "Hunters-Audit-Logs-Topic"
  • Do not create a default subscription for the Topic; the Subscription is created separately in the next section
  • Other than the mentioned configurations - we suggest using the default GCP configuration for the Topic

Note that these changes may have an effect on costs. You can read more about this here.

Creating a Subscription

In order to create a Subscription - follow the GCP manual for creating Pub/Sub subscriptions.

Things to note while configuring the Subscription-

  • The Subscription should be created for the Topic we created in the previous section
  • Give the Subscription an indicative name such as "Hunters-Audit-Logs-Subscription"
  • The name of this Subscription should be shared with Hunters
  • Set the delivery type to Pull (Hunters pulls messages from the Subscription; no push endpoint is needed)
  • Configure a message retention duration of 7 days
  • Set the Subscription to never expire
  • Do not set a subscription filter
  • Message ordering - keep the default, messages are delivered in the order they arrive and no ordering key is needed
  • We suggest leaving the rest of the configuration at its default values

Definition of the sink

In order to create a sink - follow the GCP manual for creating log sinks.

Things to note while configuring the sink-

  • "Sink details" step
    • Give the sink an indicative name such as "Hunters-Audit-Logs-Sink"
  • "Sink destination" step
    • The Sink service should be "Cloud Pub/Sub Topic"
    • Select the Topic which was created in the previous sections
  • "Choose logs to include in sink" and "Choose logs to filter out of sink" steps
    • When defining the sink - it is possible to filter the logs that are written to the sink. We recommend sending all GCP Audit Logs. Filtering logs out leaves Hunters with partial data, and therefore with partial detection and investigation coverage.
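To make the choice of sink filter concrete, here is an added Python example (not code from this page or from Hunters) that classifies constructed Cloud Audit Log entries, in the LogEntry JSON shape that Cloud Logging publishes to a Pub/Sub topic, and shows what a narrowed sink filter would drop. The project name, principals, timestamps and method names in the sample entries are constructed; the Python predicate `recommended_filter` mirrors the Cloud Logging filter `logName:"cloudaudit.googleapis.com"`, which forwards every Cloud Audit Log, and `activity_only_filter` mirrors a narrowed filter that keeps only Admin Activity logs.

```python
"""Classify Cloud Audit Log entries and compare sink filters.

Added example, not from the page or from Hunters. SAMPLE_ENTRIES are
constructed in the LogEntry JSON shape that Cloud Logging publishes to a
Pub/Sub topic; project, principals, timestamps and method names are made up.
"""

# The three Cloud Audit Log streams. In LogEntry.logName the "/" inside the log
# ID is URL-encoded as %2F, e.g. projects/P/logs/cloudaudit.googleapis.com%2Factivity
AUDIT_LOG_IDS = {
    "cloudaudit.googleapis.com%2Factivity": "Admin Activity",
    "cloudaudit.googleapis.com%2Fdata_access": "Data Access",
    "cloudaudit.googleapis.com%2Fsystem_event": "System Event",
}


def audit_kind(entry):
    """Return which audit log stream an entry belongs to, or None if it is not an audit log."""
    log_id = entry.get("logName", "").rsplit("/logs/", 1)[-1]
    return AUDIT_LOG_IDS.get(log_id)


def recommended_filter(entry):
    """Python equivalent of the Logging filter  logName:"cloudaudit.googleapis.com"
    (':' is a substring match): forward every Cloud Audit Log entry."""
    return "cloudaudit.googleapis.com" in entry.get("logName", "")


def activity_only_filter(entry):
    """A narrowed filter that keeps only Admin Activity logs, i.e. the kind of
    partial sink the page warns against."""
    return entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Factivity")


def summarize(entry):
    """Extract the fields a hunter looks at first: who did what, on which service, when."""
    payload = entry.get("protoPayload", {})
    return {
        "kind": audit_kind(entry),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "timestamp": entry.get("timestamp"),
    }


def route(entries, sink_filter):
    """Split entries into (forwarded, dropped), as a sink with that filter would."""
    forwarded = [e for e in entries if sink_filter(e)]
    dropped = [e for e in entries if not sink_filter(e)]
    return forwarded, dropped


def _audit_entry(log_id, service, method, principal, ts):
    """Build a constructed audit LogEntry for the samples below."""
    return {
        "logName": f"projects/example-project/logs/{log_id}",
        "timestamp": ts,
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


SAMPLE_ENTRIES = [
    # Admin Activity: always written; the page's own example of a VM being created.
    _audit_entry("cloudaudit.googleapis.com%2Factivity", "compute.googleapis.com",
                 "v1.compute.instances.insert", "alice@example.com", "2024-01-01T10:00:00Z"),
    # Data Access on the IAM API: only written once "Data Read" is enabled for it.
    _audit_entry("cloudaudit.googleapis.com%2Fdata_access", "iam.googleapis.com",
                 "google.iam.admin.v1.ListServiceAccountKeys",
                 "ci-builder@example-project.iam.gserviceaccount.com", "2024-01-01T10:05:00Z"),
    # Data Access on the Security Token Service API (constructed method name), also off by default.
    _audit_entry("cloudaudit.googleapis.com%2Fdata_access", "sts.googleapis.com",
                 "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
                 "ci-builder@example-project.iam.gserviceaccount.com", "2024-01-01T10:06:00Z"),
    # System Event: generated by Google, not by a user.
    _audit_entry("cloudaudit.googleapis.com%2Fsystem_event", "compute.googleapis.com",
                 "compute.instances.migrateOnHostMaintenance", "system@google.com",
                 "2024-01-01T11:00:00Z"),
    # Not an audit log at all: a VM syslog line, which neither filter should forward.
    {"logName": "projects/example-project/logs/syslog",
     "timestamp": "2024-01-01T11:01:00Z", "textPayload": "sshd[1]: Accepted publickey"},
]

if __name__ == "__main__":
    for name, sink_filter in (("recommended", recommended_filter),
                              ("activity-only", activity_only_filter)):
        forwarded, dropped = route(SAMPLE_ENTRIES, sink_filter)
        print(f"{name}: forwarded {len(forwarded)}, dropped {len(dropped)}")
        for e in dropped:
            print("  dropped:", summarize(e))
```

Running it shows that the recommended filter drops only the syslog line, while the activity-only filter also drops the IAM and STS Data Access entries and the system event: exactly the records (service-account key enumeration, token exchanges) that the Data Read / Data Write settings above were enabled to capture.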

Allow Hunters to access the Security Command Center

Enabling the Security command center

In this part, we assume you have enabled the Security Command Center in your GCP environment. If you have not - this can be done using this manual.

Enabling the Security Command Center API

To allow Hunters to query the security command center - you will need to enable the "Security Command Center API". This can be done here.

A service account will need to be configured in order to allow Hunters to query the API. This will be described in the next part.

Definition of the Service Account

In order to create a service account - follow the GCP manual for creating service accounts.

Things to note while configuring the Service Account-

  • Give the Service Account an indicative name such as "Hunters-Service-Account"
  • Give the Service Account the following roles -
    • "Security Center Assets Viewer" - To allow Hunters to query the Security Command Center
    • "Security Center Findings Viewer" - To allow Hunters to query the Security Command Center
    • "Security Center Sources Viewer" - To allow Hunters to query the Security Command Center
  • In order to allow the Service Account to query the Pub/Sub subscription, we will give it the required permissions-
    • Go to the "Subscriptions" page under "Pub/Sub"
    • Click on the Subscription which was created for Hunters
    • In the "Permissions" tab - click "ADD MEMBER"
    • Add the Service Account's email address as a new member with the role "Pub/Sub Subscriber"
    • You should now see the Service Account listed under "Pub/Sub Subscriber" in the "Permissions" tab

Important to note: Security Center roles should be assigned at the organization level, and not at the project level.
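As an added check (example code, not from this page or from Hunters), the following Python verifies that the service account's IAM bindings match the list above: the three Security Center viewer roles at the organization level, Pub/Sub Subscriber on the Subscription, and nothing broader. The policy documents are constructed in the `bindings` shape that `gcloud organizations get-iam-policy`, `gcloud projects get-iam-policy` and `gcloud pubsub subscriptions get-iam-policy` return with `--format=json`; the service account email, the other members and the `PRIVILEGED_ROLES` set are assumptions made for the example.

```python
"""Verify the Hunters service account holds exactly the required roles.

Added example, not code from the page or from Hunters/GCP. The policies below are
constructed in the {"bindings": [{"role": ..., "members": [...]}]} shape that
`gcloud ... get-iam-policy --format=json` returns; every email in them is made up.
"""

REQUIRED_ORG_ROLES = {
    "roles/securitycenter.assetsViewer",
    "roles/securitycenter.findingsViewer",
    "roles/securitycenter.sourcesViewer",
}
REQUIRED_SUBSCRIPTION_ROLES = {"roles/pubsub.subscriber"}

# Roles that would let a read-only log consumer modify the environment.
# Illustrative selection, not an exhaustive list.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                    "roles/securitycenter.admin", "roles/pubsub.admin", "roles/pubsub.editor"}


def roles_for_member(policy, member):
    """Set of roles bound to `member` (e.g. 'serviceAccount:x@p.iam.gserviceaccount.com')."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_service_account(org_policy, project_policy, subscription_policy, sa_email):
    """Compare the account's bindings against the page's role list.

    `ok` is True only when every required role is present at the right level and
    the account holds nothing beyond those roles.
    """
    member = f"serviceAccount:{sa_email}"
    org_roles = roles_for_member(org_policy, member)
    project_roles = roles_for_member(project_policy, member)
    sub_roles = roles_for_member(subscription_policy, member)

    missing_org = REQUIRED_ORG_ROLES - org_roles
    # Security Center roles granted on a project instead of the organization:
    # the page says they must be assigned at the organization level.
    misplaced_on_project = (REQUIRED_ORG_ROLES & project_roles) - org_roles
    missing_sub = REQUIRED_SUBSCRIPTION_ROLES - sub_roles
    # Anything the account holds that the page does not ask for, at any level.
    extra = (org_roles - REQUIRED_ORG_ROLES) | project_roles | (sub_roles - REQUIRED_SUBSCRIPTION_ROLES)
    report = {
        "missing_org_roles": sorted(missing_org),
        "misplaced_on_project": sorted(misplaced_on_project),
        "missing_subscription_roles": sorted(missing_sub),
        "extra_roles": sorted(extra),
        "privileged_roles": sorted(extra & PRIVILEGED_ROLES),
    }
    report["ok"] = not (missing_org or missing_sub or extra)
    return report


SA = "hunters-service-account@example-project.iam.gserviceaccount.com"
MEMBER = f"serviceAccount:{SA}"

# Before the fix: two viewer roles at the organization, Sources Viewer mistakenly
# granted on the project, and a stray Editor grant on the project.
ORG_POLICY_BEFORE = {"bindings": [
    {"role": "roles/securitycenter.assetsViewer", "members": [MEMBER]},
    {"role": "roles/securitycenter.findingsViewer", "members": [MEMBER, "group:soc@example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:admin@example.com"]},
]}
PROJECT_POLICY_BEFORE = {"bindings": [
    {"role": "roles/securitycenter.sourcesViewer", "members": [MEMBER]},
    {"role": "roles/editor", "members": [MEMBER, "user:bob@example.com"]},
]}
SUBSCRIPTION_POLICY = {"bindings": [
    {"role": "roles/pubsub.subscriber", "members": [MEMBER]},
]}

# After the fix: Sources Viewer moved to the organization, Editor removed.
ORG_POLICY_AFTER = {"bindings": ORG_POLICY_BEFORE["bindings"] + [
    {"role": "roles/securitycenter.sourcesViewer", "members": [MEMBER]},
]}
PROJECT_POLICY_AFTER = {"bindings": [
    {"role": "roles/editor", "members": ["user:bob@example.com"]},
]}

if __name__ == "__main__":
    for label, org, proj in (("before", ORG_POLICY_BEFORE, PROJECT_POLICY_BEFORE),
                             ("after", ORG_POLICY_AFTER, PROJECT_POLICY_AFTER)):
        print(label, check_service_account(org, proj, SUBSCRIPTION_POLICY, SA))
```

The "before" report flags the Sources Viewer role as both missing at the organization and misplaced on the project, and flags Editor as a privileged extra role; the "after" report is clean. Running the same check against real `get-iam-policy` output is a quick way to confirm the account can read Security Command Center and the Subscription but cannot change anything.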

Once the service account is created - generate a key for the service account.

This is done inside the definition of the service account -> Keys -> ADD KEY (Create new key) -> JSON.

The downloaded JSON file contains a private key that does not expire, so treat it like any other long-lived credential: share it with Hunters only over a secure channel, do not commit it to source control, and delete the key (and create a new one) if it is ever exposed.

Parameters to share with Hunters

  • The generated Service Account JSON key file
  • The name of the Subscription, for example "Hunters-Audit-Logs-Subscription"
  • Your project ID (the ID, not the display name, of the project in which the Subscription was created)
  • Your organization ID (can be found here)