Incident Response in Google Cloud

Google Cloud exposes the basic containment and evidence-collection steps of an incident response through the gcloud CLI, and the audit trail through Cloud Logging:

GCP Response Commands:

# Isolate the instance by removing its external IP. This stops direct inbound
# access from the internet but NOT egress through Cloud NAT or traffic to
# internal peers; for full isolation also attach a deny-all firewall rule
# through a network tag. The zone below is a placeholder for the instance's zone.
gcloud compute instances delete-access-config instance-1 \
  --zone us-central1-a \
  --access-config-name "external-nat"

# Snapshot the disk for evidence before any remediation touches it
# (snapshots capture disk contents only, not memory)
gcloud compute disks snapshot disk-1 \
  --zone us-central1-a \
  --snapshot-names incident-snapshot

# Export recent instance logs for offline analysis; JSON keeps every field,
# and --freshness bounds the query to the incident window
gcloud logging read "resource.type=gce_instance" \
  --freshness 24h --limit 1000 --format json > instance_logs.json

Cloud Logging (formerly Stackdriver) Analysis:

from google.cloud import logging

def analyze_gcp_logs(project_id):
    """Print Admin Activity audit events that commonly appear in intrusions."""
    client = logging.Client(project=project_id)

    # Audit-log method names carry an API-version prefix (for example
    # "v1.compute.instances.delete" and "google.iam.admin.v1.CreateServiceAccount"),
    # so match with the substring operator ":" rather than exact "=", and
    # restrict the query to the Admin Activity log to exclude data-access noise.
    filter_str = '''
    logName:"cloudaudit.googleapis.com%2Factivity"
    AND protoPayload.methodName:("compute.instances.delete" OR
                                 "CreateServiceAccount" OR
                                 "storage.buckets.update")
    '''

    for entry in client.list_entries(filter_=filter_str, order_by=logging.DESCENDING):
        payload = entry.payload or {}   # ProtobufEntry exposes the audit record as a dict
        auth = payload.get('authenticationInfo', {})
        print(f"Suspicious activity: {payload.get('methodName')}")
        print(f"User: {auth.get('principalEmail', 'unknown')}")
        print(f"Time: {entry.timestamp}")
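The query above depends on a live project. During an investigation the same triage is usually run offline over the JSON array that "gcloud logging read ... --format json" writes to disk. The following is an added example, not code from the original page or from Google: it parses a constructed export (the four entries and every name in them are invented for illustration), skips non-audit entries such as syslog lines, tolerates missing sub-fields, matches method names by substring because audit-log method names are API-version prefixed, and orders the hits into a timeline with a per-principal count. The list of method-name fragments is an assumption about what is worth reviewing, not an exhaustive set.

```python
import json
from collections import Counter
from datetime import datetime

# Method-name fragments that warrant review during an incident (an assumption
# for this example, not a complete list). Audit-log method names are
# API-version prefixed (e.g. "v1.compute.instances.delete"), so substring
# matching is used instead of exact comparison.
SUSPICIOUS_METHODS = (
    "compute.instances.delete",
    "CreateServiceAccount",          # google.iam.admin.v1.CreateServiceAccount
    "CreateServiceAccountKey",
    "SetIamPolicy",
    "storage.buckets.update",
)

# Constructed sample in the shape that
#   gcloud logging read ... --format json
# produces for Admin Activity audit logs. All values are invented.
SAMPLE_EXPORT = json.dumps([
    {
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:00:00.000Z",
        "protoPayload": {
            "methodName": "v1.compute.instances.delete",
            "authenticationInfo": {"principalEmail": "attacker@example.com"},
            "resourceName": "projects/demo-project/zones/us-central1-a/instances/web-1",
        },
    },
    {
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:02:30.000Z",
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "attacker@example.com"},
            "resourceName": "projects/demo-project/serviceAccounts/backup@demo-project.iam.gserviceaccount.com",
        },
    },
    {
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:05:00.000Z",
        "protoPayload": {
            "methodName": "v1.compute.instances.get",
            "authenticationInfo": {"principalEmail": "ops@example.com"},
        },
    },
    {
        # Non-audit entry (a syslog line): no protoPayload at all
        "logName": "projects/demo-project/logs/syslog",
        "timestamp": "2024-05-01T10:06:00.000Z",
        "textPayload": "sshd[1234]: Accepted publickey for root from 203.0.113.5",
    },
])


def parse_timestamp(value):
    """Parse the RFC 3339 timestamp Cloud Logging emits into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious(entries):
    """Return suspicious audit events, oldest first, as plain dicts.

    Entries without a protoPayload (text or JSON payload logs) are skipped,
    and missing sub-fields fall back to 'unknown' rather than raising.
    """
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload")
        if not payload:
            continue
        method = payload.get("methodName", "")
        if not any(fragment in method for fragment in SUSPICIOUS_METHODS):
            continue
        hits.append({
            "time": parse_timestamp(entry["timestamp"]),
            "method": method,
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "resource": payload.get("resourceName", "unknown"),
        })
    hits.sort(key=lambda h: h["time"])
    return hits


def actions_per_principal(hits):
    """Count suspicious actions by principal so the noisiest identity surfaces first."""
    return Counter(h["principal"] for h in hits)


def analyze_export(raw_json):
    """Run the triage over an exported JSON array, returning (hits, counts)."""
    hits = find_suspicious(json.loads(raw_json))
    return hits, actions_per_principal(hits)


if __name__ == "__main__":
    hits, counts = analyze_export(SAMPLE_EXPORT)
    for h in hits:
        print(f"{h['time'].isoformat()}  {h['principal']:<24} {h['method']}  {h['resource']}")
    print("Per-principal:", dict(counts))
```

To run it against a real export, replace SAMPLE_EXPORT with the contents of instance_logs.json (or an export filtered on the cloudaudit activity log). Matching on fragments rather than exact names is deliberate: it survives API version changes, at the cost of occasional false positives that the per-principal view makes quick to dismiss.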