Shifting from an on-premises model to a cloud-based one opens up new opportunities when it comes to logging and securing your workloads. In this series of blog posts, we'll cover some cloud-native technologies you can use to detect security threats and alert on logs in Google Cloud. The end result will be an end-to-end logs-based security alerting pipeline in Google Cloud Platform (GCP).

We'll start with a look into alerting on Cloud Identity logs in the Admin Console.

Cloud Identity

Customers use Cloud Identity to provision, manage, and authenticate users across their Google Cloud deployment. Cloud Identity is how the people in your organization gain a Google identity, and it's these identities that are granted access to your Google Cloud resources. Now think about this: what if a rogue actor gets admin access in Cloud Identity and starts adding users to Google Groups? What if one of those groups is assigned privileged access within GCP? Cloud Identity logs can provide visibility into these situations and serve as your first line of defense against authentication- and authorization-based attacks.

Cloud Identity logs

Cloud Identity logs track events that may have a direct impact on your GCP environment. Relevant logs include:

- Admin audit log: track actions performed in the Google Admin Console. For example, you can see when an administrator added a user to your domain or changed a setting.
- Login audit log: track when users sign in to your domain.
- Groups audit log: track changes to group settings and group memberships in Google Groups.
- OAuth Token audit log: track third-party application usage and data access requests.
- SAML audit log (G Suite/Cloud Identity Premium only): view your users' successful and failed logins to SAML applications.

The core information in each log entry is the event name and description. Cloud Identity logs track a large number of predefined "events" that can occur in your deployment. For example, the Login audit logs track "Failed Login" and "Suspicious Login" events. Failed Login happens every time a user fails to log in. Suspicious Login happens if a user logged in under suspicious circumstances, such as from an unfamiliar IP address. The number of events Cloud Identity tracks is quite large, and these events can be explored in the Reports > Audit log section of the Admin Console.

To detect threats and respond to potential malicious activity in a timely manner, you can alert on events in Cloud Identity logs. A good first line of defense is setting up alerts in the Admin Console. When you create an alert, you specify a filter and a list of recipients who will get an email when this alert is triggered. Let's explore some potentially useful alerts.

In this scenario, let's say a user has unknowingly had their Google credentials stolen, and a malicious actor is trying to use them to sign in as the user from outside the company network. Cloud Identity will see that this user is trying to sign in from an unfamiliar IP address and log it as a Suspicious Login event. Let's create an alert for this situation so we can take action if we think a user account has been compromised.

From the Reports > Audit log section of the Admin Console, choose the type of log you want to create an alert for. Once you're viewing Login audit logs, create a filter for logs with the "Suspicious Login" event name. You can create an alert by pressing the bell-shaped button in the top right corner of the console. You supply a list of recipients who will be notified by email every time this alert is triggered. In our example, would receive an email alert if there's a Suspicious Login. The notified users can then take action to mitigate the security concern.

You can create alerts for other Login audit events in the same way. For example, the "Leaked Password" event type is logged when we detect compromised credentials and require a password reset, and the "Government-Backed Attack" event type is logged when we believe government-backed attackers have tried to compromise a user account. Alerting on these events and others can help you be aware of and react to login-related security threats.

We recommend that Google Cloud enterprise customers handle IAM permissioning by first assigning users to groups, and then listing these groups as members of IAM roles.
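The Suspicious Login, Failed Login, Leaked Password and Government-Backed Attack alerts described above, together with the "rogue admin adds users to a privileged group" scenario from the Cloud Identity section, written out as rule logic over audit records. This is an added example for this post, not code from Google or the Admin Console; it assumes the activity record shape returned by the Admin SDK Reports API (applicationName, actor.email, ipAddress, events[].name and parameters), and the API event names, the failed-login threshold, the gcp-org-admins@example.com group and all sample records are assumptions constructed for the example.

```python
from collections import Counter

# Admin Console display names keyed by the Reports API event names used in
# the Login audit log (assumed here; check them against the API reference).
LOGIN_ALERTS = {
    "suspicious_login": "Suspicious Login",
    "login_failure": "Failed Login",
    "account_disabled_password_leak": "Leaked Password",
    "gov_attack_warning": "Government-Backed Attack",
}
PRIVILEGED_GROUPS = {"gcp-org-admins@example.com"}  # assumed: groups listed as IAM role members
FAILED_LOGIN_THRESHOLD = 3  # alert once per actor at the Nth failure rather than on every failure

def evaluate(activities):
    """Apply the alert filters to activity records; returns (alert, actor, detail) tuples."""
    alerts, failures = [], Counter()
    for act in activities:
        app, actor = act["id"]["applicationName"], act["actor"]["email"]
        ip = act.get("ipAddress", "unknown IP")
        for ev in act["events"]:
            name = ev["name"]
            if app == "login" and name == "login_failure":
                failures[actor] += 1  # Failed Login fires on every attempt, so count per actor
                if failures[actor] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("Failed Login", actor, f"{failures[actor]} failures from {ip}"))
            elif app == "login" and name in LOGIN_ALERTS:
                alerts.append((LOGIN_ALERTS[name], actor, f"from {ip}"))
            elif app == "groups" and name == "add_group_member":
                # Groups audit log: a membership change on a privileged group is the
                # "rogue admin adds users to a privileged group" scenario from above.
                params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
                if params.get("group_email") in PRIVILEGED_GROUPS:
                    alerts.append(("Privileged Group Member Added", actor,
                                   f"{params.get('user_email')} added to {params['group_email']}"))
    return alerts

# Constructed sample records in the Reports API activity shape (not real log data).
SAMPLE = [
    {"id": {"applicationName": "login"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "198.51.100.7", "events": [{"type": "login", "name": "suspicious_login"}]},
    *[{"id": {"applicationName": "login"}, "actor": {"email": "bob@example.com"},
       "ipAddress": "203.0.113.5", "events": [{"type": "login", "name": "login_failure"}]}
      for _ in range(3)],
    {"id": {"applicationName": "login"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "192.0.2.10", "events": [{"type": "login", "name": "login_success"}]},
    {"id": {"applicationName": "groups"}, "actor": {"email": "mallory@example.com"},
     "events": [{"type": "group_member", "name": "add_group_member", "parameters": [
         {"name": "group_email", "value": "gcp-org-admins@example.com"},
         {"name": "user_email", "value": "mallory@example.com"}]}]},
]
```

Running `evaluate(SAMPLE)` yields three alerts: the suspicious login, one rate-based Failed Login for the three failures, and the privileged group change; the successful login produces nothing.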