Log Analysis PBQs: Google Cloud Professional Security Operations Engineer (PSOE)
Difficulty: Easy. Question 1 of 3
You are a Google Cloud Security Operations Engineer performing a routine review of Cloud Audit Logs. An automated alert flagged a service account making API calls outside its expected scope and region. The service account is assigned to a data processing pipeline and should only access resources in us-central1. Review the GCP audit log events, flag all entries related to the unauthorized API activity, and classify the incident.
Objectives
- Review the GCP Cloud Audit Log for unauthorized API calls by the service account
- Flag all entries showing API calls outside the service account's expected scope and region
- Classify the type of security incident
- Identify the suspicious service account
- Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 08:00:00 | INFO | audit-log | GCP Audit: svc-data-pipeline@proj-certnova.iam.gserviceaccount.com called storage.buckets.get on certnova-data-us-central1 (us-central1) -- ALLOWED |
| | 08:05:00 | INFO | audit-log | GCP Audit: admin@certnova.com called compute.instances.list in us-central1 -- routine admin activity |
| | 08:15:30 | WARN | audit-log | GCP Audit: svc-data-pipeline@proj-certnova.iam.gserviceaccount.com called storage.buckets.list in project proj-certnova -- unusual: service account normally accesses only its designated bucket |
| | 08:16:00 | WARN | audit-log | GCP Audit: svc-data-pipeline@proj-certnova.iam.gserviceaccount.com called cloudkms.cryptoKeys.list in us-central1 -- unusual: service account has no KMS-related duties |
| | 08:17:30 | ALERT | audit-log | GCP Audit: svc-data-pipeline@proj-certnova.iam.gserviceaccount.com called iam.serviceAccounts.getIamPolicy in us-east1 -- OUTSIDE expected region, querying IAM policies |
| | 08:18:00 | INFO | system | GCP Cloud Scheduler: daily-etl-job triggered successfully in us-central1 |
| | 08:19:00 | WARN | audit-log | GCP Audit: svc-data-pipeline@proj-certnova.iam.gserviceaccount.com called storage.buckets.list in europe-west1 -- OUTSIDE expected region |
| | 08:20:00 | INFO | web | 200 GET /admin/dashboard from 10.0.1.5 (GCP console proxy) |
| | 08:21:30 | ALERT | audit-log | GCP Audit: svc-data-pipeline@proj-certnova.iam.gserviceaccount.com called iam.serviceAccountKeys.list targeting svc-admin@proj-certnova.iam.gserviceaccount.com -- attempting to enumerate admin service account keys |
| | 08:22:00 | INFO | audit-log | GCP Audit: developer01@certnova.com called cloudfunctions.functions.list in us-central1 -- routine development activity |
| | 08:23:00 | INFO | system | GCP Monitoring: uptime check passed for certnova-api.certnova.com (latency 42ms) |
| | 08:25:00 | INFO | audit-log | GCP Audit: svc-data-pipeline@proj-certnova.iam.gserviceaccount.com called storage.objects.get on certnova-data-us-central1/daily-export.csv -- normal scheduled data access |
12 total entries.
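The review the exercise asks for is a policy check over audit entries: is the principal the pipeline service account, is the resource location the expected region, and is the method one the pipeline actually needs. The script below is an added example (not code from the quiz page or from Google) that runs that check over entries constructed from the audit-log rows above. It uses a simplified subset of the real Cloud Audit Log JSON shape (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.methodName`, `protoPayload.resourceName`, `protoPayload.resourceLocation.currentLocations`); the full date in the timestamps, the method allow-list and the IAM/KMS "reconnaissance" prefixes are assumptions, since the page gives only times and does not state the pipeline's intended permissions.

```python
"""Flag out-of-scope and out-of-region API calls by one service account.

Added example for the exercise above; not code from the quiz page or from Google.
Entries are constructed from the page's audit-log rows using a simplified subset of
the real Cloud Audit Log JSON shape.
"""
from __future__ import annotations

# Scenario values taken from the page. The method allow-list and the recon prefixes
# are assumptions about what a data-processing pipeline legitimately needs.
WATCHED_PRINCIPAL = "svc-data-pipeline@proj-certnova.iam.gserviceaccount.com"
EXPECTED_REGION = "us-central1"
ALLOWED_METHODS = {"storage.buckets.get", "storage.objects.get", "storage.objects.create"}
RECON_PREFIXES = ("iam.", "cloudkms.")


def audit_entry(ts: str, principal: str, method: str, resource: str,
                region: str | None = None) -> dict:
    """Build a minimal audit entry (constructed; real entries carry many more fields).
    The date is assumed; the page only shows times of day."""
    payload = {
        "authenticationInfo": {"principalEmail": principal},
        "methodName": method,
        "resourceName": resource,
    }
    if region is not None:
        payload["resourceLocation"] = {"currentLocations": [region]}
    return {"timestamp": f"2024-01-01T{ts}Z", "protoPayload": payload}


SVC = WATCHED_PRINCIPAL
# Constructed from the nine audit-log rows in the table (system/web rows are not audit logs).
CONSTRUCTED_ENTRIES = [
    audit_entry("08:00:00", SVC, "storage.buckets.get",
                "projects/_/buckets/certnova-data-us-central1", "us-central1"),
    audit_entry("08:05:00", "admin@certnova.com", "compute.instances.list",
                "projects/proj-certnova", "us-central1"),
    audit_entry("08:15:30", SVC, "storage.buckets.list", "projects/proj-certnova"),
    audit_entry("08:16:00", SVC, "cloudkms.cryptoKeys.list",
                "projects/proj-certnova/locations/us-central1", "us-central1"),
    audit_entry("08:17:30", SVC, "iam.serviceAccounts.getIamPolicy",
                "projects/proj-certnova", "us-east1"),
    audit_entry("08:19:00", SVC, "storage.buckets.list",
                "projects/proj-certnova", "europe-west1"),
    audit_entry("08:21:30", SVC, "iam.serviceAccountKeys.list",
                "projects/proj-certnova/serviceAccounts/"
                "svc-admin@proj-certnova.iam.gserviceaccount.com"),
    audit_entry("08:22:00", "developer01@certnova.com", "cloudfunctions.functions.list",
                "projects/proj-certnova/locations/us-central1", "us-central1"),
    audit_entry("08:25:00", SVC, "storage.objects.get",
                "projects/_/buckets/certnova-data-us-central1/objects/daily-export.csv",
                "us-central1"),
]


def flag_entry(entry: dict) -> list[str]:
    """Return the reasons this entry is suspicious for the watched principal ([] if benign)."""
    payload = entry["protoPayload"]
    if payload["authenticationInfo"]["principalEmail"] != WATCHED_PRINCIPAL:
        return []  # other principals are outside the scope of this alert
    reasons = []
    method = payload["methodName"]
    locations = payload.get("resourceLocation", {}).get("currentLocations", [])
    outside = [loc for loc in locations if loc != EXPECTED_REGION]
    if outside:
        reasons.append(f"outside expected region: {', '.join(outside)}")
    if method not in ALLOWED_METHODS:
        reasons.append(f"method not in pipeline allow-list: {method}")
    if method.startswith(RECON_PREFIXES):
        reasons.append("IAM/KMS enumeration by a data-pipeline identity")
    return reasons


def triage(entries: list[dict]) -> list[dict]:
    """Run flag_entry over a batch and return the flagged entries with their reasons."""
    flagged = []
    for entry in entries:
        reasons = flag_entry(entry)
        if reasons:
            flagged.append({"time": entry["timestamp"][11:19],
                            "method": entry["protoPayload"]["methodName"],
                            "reasons": reasons})
    return flagged


def logs_explorer_filter() -> str:
    """Logs Explorer query equivalent to the region check (same assumed field names)."""
    return (
        f'protoPayload.authenticationInfo.principalEmail="{WATCHED_PRINCIPAL}"\n'
        f'AND NOT protoPayload.resourceLocation.currentLocations="{EXPECTED_REGION}"'
    )


if __name__ == "__main__":
    for hit in triage(CONSTRUCTED_ENTRIES):
        print(hit["time"], hit["method"], "->", "; ".join(hit["reasons"]))
```

Two points worth noting when turning this into a real query. First, the region check alone misses the calls the page marks "unusual" that happen in us-central1 (the KMS listing) or carry no location at all (the project-wide bucket listing), which is why the method allow-list is the stronger signal for a narrowly scoped pipeline identity. Second, in the Logs Explorer filter a `NOT field="value"` clause also matches entries where the field is absent, so entries with no `resourceLocation` will surface under that query and need to be reviewed rather than assumed out of region.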
Incident Analysis