gcloud Incident Investigation Quick Reference Cheat Sheet (DRAFT) by

A curated list of essential gcloud commands to assist security analysts, SOC (Security Operations Center) and DFIR (Digital Forensics and Incident Response) teams in their investigations and incident response efforts within the Google Cloud platform.

This is a draft cheat sheet. It is a work in progress and is not finished yet.

GCP Logging

Default Logs
The following logs are generally available in GCP:
Activity Logs: Record of all activity within a user's GCP project, including operations performed by users, systems, and services.
System Logs: Record of system-level events and messages related to the health and performance of GCP services.
Audit Logs: Record of administrative and security-related activity, including authentication and authorization events, resource management operations, and data access events.

IAM commands

gcloud iam - manage IAM service accounts and keys
#To list account names
gcloud auth list
gcloud auth activate-service-account [ACCOUNT]
gcloud auth print-identity-token --impersonate-service-account=SA@PROJECT_ID.iam.gserviceaccount.com
#Check token info
curl "https://oauth2.googleapis.com/tokeninfo?id_token=ID_TOKEN"
#Revoke token
gcloud auth revoke
#Find IAM roles for an organisation
gcloud iam roles list --organization=my-org-id
#Find a specific role
gcloud iam roles list --organization=my-org-id | grep [role-name]

#Search IAM policies for a specific user on a project
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="example-users@example.com"
#Search IAM policies for a specific user across the organization
gcloud asset search-all-iam-policies --scope=organizations/[organization_id] --query='policy:example-user@example.com'
#Search for a specific role on a specific project
gcloud asset search-all-iam-policies --scope=projects/[project-name] --query='policy:roles/owner'

GCP Folders commands

gcloud alpha resource-manager folders - manage Cloud Folders
#List folders for a specific organization
gcloud alpha resource-manager folders list --organization=my-org-id
#List folders within a folder
gcloud alpha resource-manager folders list --folder=my-folder-id

gcloud SDK

GCP Projects commands

gcloud projects - create and manage project access policies
#List projects within an organization
gcloud projects list --filter 'parent.id=my-org-id AND parent.type=organization'
#List project label information
gcloud projects describe my-project
#View IAM policies: which user is a member of what
gcloud projects get-iam-policy my-project

GCP Organization commands

gcloud organizations - create and manage GCP Organizations
#List available organizations for the tenant
gcloud organizations list
#Detailed description
gcloud organizations describe my-org-id
#Show which organization policies are set (including unset ones)
gcloud resource-manager org-policies list --organization=my-org-id --show-unset
#Show all projects within an organization (e.g. Org_name) by looking at labels
gcloud projects list --format=json | jq '.[].labels | select(.organisation =="my_org_name")' | grep projectname | sort -u | wc -l

IAM commands (continue)

#Find the permissions of a specific (e.g. reviewer) role
gcloud iam roles describe [role-name] --organization=my-org-id
#Search for a specific permission across a given organization
gcloud asset search-all-iam-policies --scope=organizations/[organization-id] --query='policy.role.permissions:resourcemanager.projects.setIamPolicy'
#Find key creation and expiration date/time for a specific IAM service account
gcloud iam service-accounts keys list --iam-account=[example@iam.gserviceaccount.com]

GCP Bucket commands

gcloud storage - create and manage Cloud Storage buckets and objects
#To list buckets for a specific project
gsutil ls -p my-project
#Print the object size, creation timestamp, and name of each matching object
gsutil ls -l gs://bucket/*.html gs://bucket/*.txt
#Print additional details
gsutil ls -L gs://my-project/
#List objects within a bucket (--recursive)
gcloud storage objects list gs://my-project/ --limit=1
gcloud storage ls --recursive gs://my-project/

Basic Initialization commands

Initial setup tasks
gcloud init
#To verify the existing config
gcloud config list
gcloud info
#To set the project
gcloud config set project [project-name]
#To unset the project (the property takes no value)
gcloud config unset project

Compute commands

gcloud compute - create and manipulate Compute Engine resources
#To list compute images for a particular project
gcloud compute images list --project=[project-id]
#To list compute instances for a particular project
gcloud compute instances list --project=[project-id]
#Detailed description of the instance
gcloud compute instances describe my-instance --project=my-project
#View in a different format
gcloud compute instances describe my-instance --project=my-project --format=flattened

Disk and Snapshots commands

Read and manipulate Compute Engine disks/snapshots
#List disks for a specific project
gcloud compute disks list --project=my-project
#Read metadata info for a specific disk
gcloud compute disks describe my-disk-name --zone=country-southeast1-a --project=my-project
#List snapshots for a project
gcloud compute snapshots list --project=my-project
#Count of snapshots within a specific project
gcloud compute snapshots list --project=my-project --format='value(NAME)' | wc -l

#Create a snapshot of a persistent disk in zone us-central1-a
gcloud compute disks snapshot test --zone=us-central1-a --snapshot-names=snapshot-test --description="Example snapshot"
#Create an image from a snapshot
gcloud compute images create my-image --source-snapshot=source-snapshot
#Export the image my-image as a VMDK file from a project to a Storage bucket
gcloud compute images export --image=my-image --destination-uri=gs://my-bucket/my-image.vmdk --export-format=vmdk --project=my-project

Incident Investigation commands

List of useful commands for incident investigation
#List logs available for a project
gcloud logging read --help >/dev/null 2>&1; gcloud logging logs list --project=my-project
#Logs with a matching insertId
gcloud logging read 'insertId="my-InsertId"' --project=my-project
#JSON output with a jq filter on the source IP
gcloud logging read 'insertId="my-InsertId"' --project=my-project --format=json | jq '.[].protoPayload.requestMetadata.callerIp'

#By default a search returns results for the past 1 day only
#Use --freshness to go beyond 1 day
#Finding logs by principal email address
gcloud logging read "protoPayload.authenticationInfo.principalEmail:'youremail@domain'" --project=my-project --format=json --limit=1
#Finding logs for a specific time window
gcloud logging read 'timestamp>="2023-01-30T18:50:59Z" AND timestamp<="2023-01-31T00:00:00Z"' --project=my-project --format=json

#The trailing Z in the timestamp means it is in UTC
#To read logs from a specific log source and filter activity by time
gcloud logging read 'logName=projects/[my-project]/logs/cloudaudit.googleapis.com%2Factivity' --project=my-project --format=json | jq '.[] | select(.timestamp >= "2023-02-03T00:20:18.984704107Z")' | grep callerIp
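As an added worked example (not part of the cheat sheet), a small Python helper that composes the Admin Activity filter used above and triages the JSON that `gcloud logging read --format=json` returns, grouping caller IPs per principal and flagging IAM-policy and service-account-key calls. The sample entries, project name and IP addresses are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape `gcloud logging read ... --format=json` returns
# (three Admin Activity audit entries; not real project data).
SAMPLE_JSON = json.dumps([
    {"insertId": "c-1", "timestamp": "2023-01-30T19:00:00Z", "protoPayload": {
        "authenticationInfo": {"principalEmail": "analyst@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
        "methodName": "v1.compute.instances.list"}},
    {"insertId": "c-2", "timestamp": "2023-01-30T23:10:00Z", "protoPayload": {
        "authenticationInfo": {"principalEmail": "analyst@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.7"},
        "methodName": "SetIamPolicy"}},
    {"insertId": "c-3", "timestamp": "2023-01-31T00:00:00Z", "protoPayload": {
        "authenticationInfo": {"principalEmail": "deploy-sa@my-project.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey"}},
])

# Method-name suffixes that deserve a second look during incident response.
SENSITIVE_METHODS = ("SetIamPolicy", "CreateServiceAccountKey")

def audit_filter(project, start, end, principal=None):
    """Compose the filter for `gcloud logging read`: Admin Activity log only, a UTC
    window (trailing Z), optionally one principal. The "/" in the audit log name is
    percent-encoded as %2F inside logName. Widen --freshness past 24 hours yourself."""
    parts = [f'logName="projects/{project}/logs/cloudaudit.googleapis.com%2Factivity"',
             f'timestamp>="{start}"', f'timestamp<="{end}"']
    if principal:
        parts.append(f'protoPayload.authenticationInfo.principalEmail="{principal}"')
    return " AND ".join(parts)

def triage(entries_json):
    """Per principal: sorted distinct caller IPs and any sensitive calls (time, method)."""
    summary = defaultdict(lambda: {"ips": set(), "sensitive": []})
    for entry in json.loads(entries_json):
        payload = entry.get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        summary[who]["ips"].add(payload.get("requestMetadata", {}).get("callerIp", "<none>"))
        method = payload.get("methodName", "")
        if method.endswith(SENSITIVE_METHODS):
            summary[who]["sensitive"].append((entry["timestamp"], method))
    return {who: {"ips": sorted(v["ips"]), "sensitive": v["sensitive"]}
            for who, v in summary.items()}

if __name__ == "__main__":
    print(audit_filter("my-project", "2023-01-30T18:50:59Z", "2023-01-31T00:00:00Z"))
    for who, info in triage(SAMPLE_JSON).items():
        print(who, info)
```

Pipe real output into `triage` by reading the file produced with `gcloud logging read ... --format=json > entries.json`.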