GCP Enrichment and Remediation

Details
Content
Dependencies
Version History

Playbooks using multiple GCP content packs for enrichment and remediation purposes

What does this pack do?

The pack is intended to contain GCP playbooks that conduct enrichment and/or remediation and can use other multiple GCP
content packs.

There are multiple GCP content packs for multiple GCP products (GSuiteAdmin, GCP-IAM, Google Cloud Compute, etc). The intent was that users can install and use only the packs they need. However, if a GCP playbook uses multiple pack integrations (such
as GSuiteAdmin and GCP-IAM), they can't reside in one of the current packs because they include content from multiple packs. This
pack was created as a place to put GCP playbooks that use GCP integrations from multiple packs with a focus on enrichment and
remediation.

Playbooks

Users are only able to run the playbook in v6.5.0 or higher as it requires commands to execute the task.
This content pack includes the following playbooks:

Cloud Response - GCP
GCP - Enrichment
GCP - Firewall Remediation

Automation Scripts

GCPProjectHierarchy

Automation to determine GCP project hierarchy by looking up parent objects until the organization level is reached.

GCPProjectHierarchy

GCPOffendingFirewallRule

Automation to determine potential offending firewall rules in GCP based on port, protocol and possibly target tags (network tags).

GCPOffendingFirewallRule

What does this pack do?

The pack is intended to contain GCP playbooks that conduct enrichment and/or remediation and can use other multiple GCP
content packs.

Playbooks

Users are only able to run the playbook in v6.5.0 or higher as it requires commands to execute the task.
This content pack includes the following playbooks:

Cloud Response - GCP
GCP - Enrichment
GCP - Firewall Remediation

Automation Scripts

GCPProjectHierarchy

Automation to determine GCP project hierarchy by looking up parent objects until the organization level is reached.

GCPProjectHierarchy

GCPOffendingFirewallRule

Automation to determine potential offending firewall rules in GCP based on port, protocol and possibly target tags (network tags).

GCPOffendingFirewallRule

Automations

Name	Description
GCPOffendingFirewallRule	Determine potential offending firewall rules in GCP based on port, protocol and possibly target tags (network tags). Considerations: At this time this automation only find potential offending rules and not necessarily the rule that is matching traffic.
GCPProjectHierarchy	Determine GCP project hierarchy by looking up parent objects until the organization level is reached.

Playbooks

Name	Description
Cloud Credentials Rotation - GCP	GCP Credentials Rotation Playbook IAM Remediation For compromised service accounts: Access Key Disabling: Immediately disable the compromised service account access key. New Key Generation: After ensuring the old key is disabled, generate a new access key. GSuite Admin Remediation Admin accounts are crucial: Reset Password: Resets the user password to halt any unauthorized access. Revoke Access Token: Revoke any suspicious or unauthorized access tokens. Combo Action: Reset the password and revoke access tokens to ensure complete safety.
GCP - User Investigation	This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user: Failed login attempt Suspicious API usage by the user Anomalous network traffic by the user Unusual and suspicious login attempt User's password leaked
GCP - Enrichment	Given the IP address this playbook enriches GCP and Firewall information.
Cloud Response - GCP	This playbook provides response actions to GCP. The following are available for execution automatically/manually: Resource remediation: Delete the instance Stop the instance Identity remediation: Disable the user Delete the user Access key remediation: Disable the access key Delete the access key Block indicators.
GCP - Firewall Remediation	This playbook adds new firewall rules with access only from private ip address range and blocks traffic that's exposed to public internet. For example, if RDP is exposed to the entire world, this playbook adds new firewall rules that only allows traffic from private ip address and blocks rest of the RDP traffic.

Automations

Name	Description
GCPProjectHierarchy	Determine GCP project hierarchy by looking up parent objects until the organization level is reached.
GCPOffendingFirewallRule	Determine potential offending firewall rules in GCP based on port, protocol and possibly target tags (network tags). Considerations: At this time this automation only find potential offending rules and not necessarily the rule that is matching traffic.

Playbooks

Name	Description
Cloud Credentials Rotation - GCP	GCP Credentials Rotation Playbook IAM Remediation For compromised service accounts: Access Key Disabling: Immediately disable the compromised service account access key. New Key Generation: After ensuring the old key is disabled, generate a new access key. GSuite Admin Remediation Admin accounts are crucial: Reset Password: Resets the user password to halt any unauthorized access. Revoke Access Token: Revoke any suspicious or unauthorized access tokens. Combo Action: Reset the password and revoke access tokens to ensure complete safety.
GCP - Enrichment	Given the IP address this playbook enriches GCP and Firewall information.
GCP - Firewall Remediation	This playbook adds new firewall rules with access only from private ip address range and blocks traffic that's exposed to public internet. For example, if RDP is exposed to the entire world, this playbook adds new firewall rules that only allows traffic from private ip address and blocks rest of the RDP traffic.
Cloud Response - GCP	This playbook provides response actions to GCP. The following are available for execution automatically/manually: Resource remediation: Delete the instance Stop the instance Identity remediation: Disable the user Delete the user Access key remediation: Disable the access key Delete the access key Block indicators.
GCP - User Investigation	This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user: Failed login attempt Suspicious API usage by the user Anomalous network traffic by the user Unusual and suspicious login attempt User's password leaked

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
GCP IAM	By: Cortex XSOAR
G Suite Admin	By: Cortex XSOAR
Google Cloud Compute	By: Cortex XSOAR

Optional Content Packs (3)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Google Cloud Logging	By: Cortex XSOAR
GsuiteAuditor	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
GCP IAM	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
G Suite Admin	By: Cortex XSOAR
Google Cloud Compute	By: Cortex XSOAR

1.1.19 - 1082615 (June 10, 2024)

GCP Enrichment and Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

1.1.18 - 998827 (May 6, 2024)

GCP Enrichment and Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34212

Download

1.1.17 - 911181 (March 24, 2024)

Playbooks

Cloud Response - GCP

Fixed Data Collection titles
Fixed tasks that use the alertJson context path
Added new inputs: accountType

Related pull requests:
- 33122

Download

1.1.16 - 828628 (February 14, 2024)

Playbooks

GCP - Enrichment

Updated the playbook to include the new GCPOffendingFirewallRule script.

Scripts

New: GCPOffendingFirewallRule

New: Determine potential offending firewall rules in GCP based on port, protocol and possibly target tags (network tags).
Considerations:
At this time this automation only finds potential offending rules and not necessarily the rule that is matching traffic. (Available from Cortex XSOAR 6.8.0).

Related pull requests:
- 32795
- 32678

Download

1.1.15 - 778227 (January 22, 2024)

GCP Enrichment and Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

1.1.14 - 767481 (January 17, 2024)

Scripts

GCPProjectHierarchy

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32259

Download

1.1.13 - 746830 (January 7, 2024)

Playbooks

GCP - Firewall Remediation

Added the instance_name input to allow the ability to specify a Google Cloud Compute integration instance if you have multiple instances configured (optional).

Related pull requests:
- 31854
- 31982

Download

1.1.12 - 728763 (December 31, 2023)

Playbooks

Cloud Response - GCP

Changed the To values in the data collection tasks to incident.assigneduser.

Related pull requests:
- 31679

Download

1.1.11 - 7149458 (December 13, 2023)

Scripts

GCPProjectHierarchy

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31427

Download

1.1.10 - 6955725 (November 21, 2023)

Playbooks

GCP - User Investigation

Updated the outputs description.

Related pull requests:
- 30965

Download

1.1.9 - 6641023 (October 18, 2023)

Playbooks

New: Cloud Credentials Rotation - GCP

New: This playbook provides a credentials rotation capabilities both for IAM and Google Workspace users. (Available from Cortex XSOAR 6.9.0).

Related pull requests:
- 30112

Download

1.1.8 - 6521786 (October 5, 2023)

Playbooks

GCP - Firewall Remediation

Updated the naming standard of the firewall rules to be in the format remediation-<block|allow>-<vpc name>-port-<port number>-<tcp|udp>, where the VPC name is truncated to 30 characters to meet the overall 63 character limit for firewall rule names. This ensures that unique firewall names are made in each VPC that a firewall rule could be created.

Related pull requests:
- 30062
- 29951

Download

1.1.7 - 6285754 (September 10, 2023)

GCP-Enrichment-Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 29466

Download

1.1.6 - 6058978 (August 15, 2023)

Playbooks

New: GCP - User Investigation

New: This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging.
(Available from Cortex XSOAR 6.9.0).

Related pull requests:
- 28843

Download

1.1.5 - 5998185 (August 9, 2023)

Playbooks

GCP - Firewall Remediation

Updated the playbook to check for both allow and block rules before creating.

Related pull requests:
- 28756
- 28849

Download

1.1.4 - 5969979 (August 6, 2023)

GCP-Enrichment-Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 28753

Download

1.1.3 - 5698017 (July 6, 2023)

Scripts

GCPProjectHierarchy

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27948

Download

1.1.2 - R5692327 (July 5, 2023)

Playbooks

GCP - Enrichment

Updated the playbook to incorporate the GCP-IAM integration improvements as well as GCPProjectHierarchy automation.

Scripts

New: GCPProjectHierarchy

Added the GCPProjectHierarchy script to determine GCP project hierarchy by looking up parent objects until the organization level is reached.

Related pull requests:
- 25809
- 25993

Download

1.1.1 - 4935746 (March 30, 2023)

Playbooks

GCP - Enrichment

Updated the playbook to incorporate the Google Cloud Compute integration improvements.

GCP - Firewall Remediation

Updated the playbook to incorporate the Google Cloud Compute integration improvements.

Related pull requests:
- 25615
- 25484

Download

1.1.0 - R4718798 (March 1, 2023)

Playbooks

New: GCP - Enrichment

Given the IP address this playbook enriches GCP, firewall and ownership information. (Available from Cortex XSOAR 6.5.0).

New: GCP - Firewall Remediation

Replace current firewall rules with limited access Firewall rules. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 23466
- 22877

Download

1.0.0 - 4321146 (December 2, 2022)

Playbooks using multiple GCP content packs for enrichment and remediation purposes

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 2, 2022
Last Release	June 10, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

GCP Enrichment and Remediation

What does this pack do?

Playbooks

Automation Scripts

GCPProjectHierarchy

GCPOffendingFirewallRule

What does this pack do?

Playbooks

Automation Scripts

GCPProjectHierarchy

GCPOffendingFirewallRule

GCP Credentials Rotation Playbook

IAM Remediation

GSuite Admin Remediation

GCP Credentials Rotation Playbook

IAM Remediation

GSuite Admin Remediation

GCP Enrichment and Remediation

GCP Enrichment and Remediation

Playbooks

Cloud Response - GCP

Playbooks

GCP - Enrichment

Scripts

New: GCPOffendingFirewallRule

GCP Enrichment and Remediation

Scripts

GCPProjectHierarchy

Playbooks

GCP - Firewall Remediation

Playbooks

Cloud Response - GCP

Scripts

GCPProjectHierarchy

Playbooks

GCP - User Investigation

Playbooks

New: Cloud Credentials Rotation - GCP

Playbooks

GCP - Firewall Remediation

GCP-Enrichment-Remediation

Playbooks

New: GCP - User Investigation

Playbooks

GCP - Firewall Remediation

GCP-Enrichment-Remediation

Scripts

GCPProjectHierarchy

Playbooks

GCP - Enrichment

Scripts

New: GCPProjectHierarchy

Playbooks

GCP - Enrichment

GCP - Firewall Remediation

Playbooks

New: GCP - Enrichment

New: GCP - Firewall Remediation

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER