- Splunk enterprise use cases how to#
- Splunk enterprise use cases series#
- Splunk enterprise use cases download#
Synchronize the playbook list with the community repository, then find and activate the GCP Unusual Service Account Usage playbook using the label created for Splunk Enterprise alertsĪside from the particular API methods listed in the SPL search for this detection, there is nothing limiting this detection and response pattern to just the Compute service in GCP. Save and test connectivity to make sure the asset is functional.įollow similar steps for the Google Cloud Compute Engine app. On the Asset Settings page, provide the service account JSON and project ID. Give the asset a name such as 'google_cloud_iam. Navigate to Home>Apps>Unconfigured Apps>Search for Google Cloud IAM>Configure New Asset. Set up the Google Cloud IAM and Google Cloud Compute Engine apps on Splunk SOAR: Configure Splunk Enterprise to send alerts to Splunk SOAR.Here is a guide to configure a GCP Pub/Sub pipeline into Splunk HEC. GCP log ingestion into Splunk Enterprise is also required.
Splunk enterprise use cases download#
If you don't already have Splunk SOAR, you can sign up and download the free community version. Splunk Enterprise and Splunk SOAR are both required for this use case. Here are the steps to get this playbook and use it: After gathering this data, format blocks are used to compile it into a prompt, and the analyst is asked whether to delete the associated service account keys and stop the Compute instance, if applicable. Metadata about the keys owned by that service account will be gathered using the GCP IAM app, and if there is a Compute VM instance the playbook will gather metadata about that as well. From there, the playbook will check if there is a service account and a Compute VM or just a service account. Once the search above is scheduled and is producing results, the 'Send to Phantom' action or an event forwarding search can be used to automatically forward events to Splunk SOAR. The Playbook: GCP Unusual Service Account Usage To reduce false positives, a lookup file could also be introduced that would exclude specific accounts that are allowed to use these API methods. Note that the transaction is used to group together events with the same key name to prevent the playbook from running multiple times for the same account. Sourcetype='google:gcp:pubsub:message' tag=compute '' IN ('*stop', '*setMetadata', '*delete') While there are a wide variety of possible detections that could trigger this use case, one example would be to trigger on potentially destructive API methods executed using the Compute service, such as 'stop,' 'setMetadata,' or 'delete': By leveraging Splunk SOAR to automatically monitor new accounts and detect malicious conduct within cloud platforms like GCP, you can add another line of defense to prevent threat actors from exfiltrating sensitive information. As expected usage changes over time, one or more searches can be updated to reduce the false positive rate or continue to enforce the principle of least privilege across user accounts and services. This could be an API method that should not be executed from a certain account, an instance created in a new region that should not be used, or any other behavior that can be defined based on metadata in the GCP audit log. Once these logs are streamed to Splunk Enterprise, the security team can start to detect usage of service accounts that does not fit into expected patterns.
Splunk enterprise use cases how to#
For details on how to set this up, see our recent blog post, ' Elevate Your Cloud SecurityPosture with Splunk and Google Cloud,' on the Splunk Enterprise and GCP integration. This use case relies on GCP audit logs ingested into Splunk using Cloud Logging. In today's new Splunk SOAR (formerly known as Splunk Phantom) Community Playbook, we will show how a Splunk Enterprise search can trigger automated enrichment, an analyst prompt, and rapid response actions to prevent damage caused by malicious account access. This makes it particularly important for the security team to monitor how usage is changing over time and to set up alerting mechanisms that will notify the team when unexpected access occurs. Just like AWS and Azure, GCP is one of those systems where an organization may start off just using one or two components, but over time that usage tends to expand across a wider variety of services and use cases.
Splunk enterprise use cases series#
In previous playbooks, we have shown examples of AWS and Azure account monitoring, but the series would not be complete without also supporting Google Cloud Platform (GCP). As organizations increase their cloud footprints, it becomes more and more important to implement access control monitoring for as many resources as possible.