Explore the complexities of Google Cloud Platform (GCP) audit logs in this 34-minute conference talk from the SANS DFIR Summit 2024. Gain practical insight into reading GCP audit logs, focusing on authentication details and principal identities. Learn to recognize the different types of impersonation and workload identities as they appear in the logs. Examine the "authenticationInfo" field to see what it records, and discover the various entities and identities that can appear in GCP. Investigate the impersonation types, how they are used, and the role of GCP VMs. Analyze the actions of internal GCP accounts and the scenarios in which no identity is logged at all. Through real examples and demonstrations, enhance your cloud security monitoring and incident response capabilities, and sharpen your understanding of how principals and authentication are represented in audit logs so you can better detect and respond to potential security incidents in your GCP environment.
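As an added illustration of the field the talk centers on (this is example code written for this page, not material from the talk or from SANS), the following Python script classifies audit log entries by their protoPayload.authenticationInfo: direct user calls, service-account impersonation (where principalEmail is the target account and the real caller sits in serviceAccountDelegationInfo), federated workload identities that act directly via principalSubject, user-managed keys reported in serviceAccountKeyName, the compute default service account pattern, and entries with no recorded identity at all. The field names are those of google.cloud.audit.AuditLog; every log entry, project number, address and pool name below is constructed for the example, and the assumption that a third-party principal in the delegation chain and a principalSubject with no email correspond to the talk's "workload identities" is mine.

```python
import re

# Constructed sample entries (not real logs). Project numbers, addresses and
# pool names are placeholders. Field names follow protoPayload.authenticationInfo.
SAMPLE_ENTRIES = [
    {  # human user calling the API directly
        "protoPayload": {
            "methodName": "v1.compute.instances.list",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        }
    },
    {  # user impersonating a service account: principalEmail is the target SA,
       # the real caller is recorded in serviceAccountDelegationInfo
        "protoPayload": {
            "methodName": "storage.objects.list",
            "authenticationInfo": {
                "principalEmail": "deployer@my-proj.iam.gserviceaccount.com",
                "serviceAccountDelegationInfo": [
                    {"firstPartyPrincipal": {"principalEmail": "alice@example.com"}}
                ],
            },
        }
    },
    {  # external workload (workload identity federation) impersonating a SA
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {
                "principalEmail": "ci@my-proj.iam.gserviceaccount.com",
                "serviceAccountDelegationInfo": [
                    {"thirdPartyPrincipal": {"thirdPartyClaims": {
                        "iss": "https://token.actions.githubusercontent.com",
                        "sub": "repo:example-org/app:ref:refs/heads/main"}}}
                ],
            },
        }
    },
    {  # external workload acting directly: no principalEmail, only principalSubject
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {
                "principalSubject": "principal://iam.googleapis.com/projects/123456789012/"
                "locations/global/workloadIdentityPools/ci-pool/subject/repo:example-org/app"
            },
        }
    },
    {  # compute default SA authenticating with an exported key (serviceAccountKeyName)
       # instead of the VM metadata server
        "protoPayload": {
            "methodName": "iam.serviceAccounts.create",
            "authenticationInfo": {
                "principalEmail": "123456789012-compute@developer.gserviceaccount.com",
                "serviceAccountKeyName": "//iam.googleapis.com/projects/my-proj/serviceAccounts/"
                "123456789012-compute@developer.gserviceaccount.com/keys/0123abcd",
            },
        }
    },
    {"protoPayload": {"methodName": "SetIamPolicy"}},  # no authenticationInfo: identity absent
]

COMPUTE_DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def classify_principal(entry):
    """Describe who acted (actor), how (kind), the delegation chain and review flags."""
    auth = entry.get("protoPayload", {}).get("authenticationInfo") or {}
    email = auth.get("principalEmail")
    subject = auth.get("principalSubject")
    delegation = auth.get("serviceAccountDelegationInfo") or []
    key_name = auth.get("serviceAccountKeyName")
    result = {"actor": email or subject, "kind": None, "chain": [], "flags": []}

    if not email and not subject:
        result["kind"] = "absent"  # nothing identifies the caller in this entry
        return result

    # Each hop names either a Google identity (firstPartyPrincipal) or an
    # external one (thirdPartyPrincipal with its token claims). Hops are kept
    # in the order the log lists them.
    for hop in delegation:
        first = hop.get("firstPartyPrincipal", {}).get("principalEmail")
        third = hop.get("thirdPartyPrincipal", {}).get("thirdPartyClaims")
        result["chain"].append(first if first else {"thirdPartyClaims": third})

    if delegation:
        result["kind"] = "impersonation"
    elif subject and not email:
        result["kind"] = "workload_identity"  # federated identity, no SA in between
    elif email.endswith("gserviceaccount.com"):
        result["kind"] = "service_account"
    else:
        result["kind"] = "user"

    if key_name:
        result["flags"].append("user_managed_key")
    if email and COMPUTE_DEFAULT_SA.match(email):
        result["flags"].append("compute_default_sa")
    if any(isinstance(hop, dict) for hop in result["chain"]):
        result["flags"].append("third_party_in_chain")
    return result


def summarize(entries):
    return [classify_principal(e) for e in entries]


if __name__ == "__main__":
    for entry, info in zip(SAMPLE_ENTRIES, summarize(SAMPLE_ENTRIES)):
        print(entry["protoPayload"]["methodName"], info)
```

When triaging real exports, run the classifier over each line of a JSON log dump and pivot on the "chain" and "flags" values: an "impersonation" whose chain ends in a human account tells you who to interview, "user_managed_key" on a service account means a credential that can be used from anywhere, and "absent" entries need a separate explanation rather than being dropped.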
Syllabus
Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs
Taught by
SANS Digital Forensics and Incident Response