New GCP API Call
This alert occurs when Lacework detects a user is accessing a service via an API call.
Why this Alert is Important
This alert is important for several reasons:
- Resource management: GCP provides various services, such as Compute Engine, Cloud Storage, and Cloud SQL, which are managed through APIs.
- Security: API calls can be an entry point for security threats, such as unauthorized access, data exfiltration, or denial-of-service attacks.
- Performance optimization: API calls can impact the performance of your applications and GCP services.
- Cost optimization: GCP services are priced based on usage, and API calls can contribute to your overall usage and cost.
Investigation
Investigating this alert involves analyzing the details of the API calls to gain insight into how GCP resources are being used, detect anomalies, troubleshoot issues, and improve your GCP environment's overall performance and security. Below are some suggested steps:
- Collect API call logs: GCP provides various tools and services, such as Stackdriver Logging, Cloud Audit Logs, and Cloud Monitoring to collect and store API call logs. Configure these tools to capture API call logs and ensure they are easily accessible for analysis.
- Analyze API call logs: Use the logs collected to analyze the API calls made to your GCP services. You can filter the logs based on various parameters, such as service, user, timestamp, or response code to gain insight into usage patterns, anomalies, and troubleshooting.
- Identify trends and patterns: Analyze the API call logs to identify trends and patterns in API usage. You can use this information to optimize resource usage, reduce costs, and improve the performance of your applications and GCP environment.
- Monitor for security threats: Analyze the API call logs to detect potential security threats, such as unauthorized access, data exfiltration, or denial-of-service attacks. Use tools such as Cloud Security Command Center or Cloud Monitoring to monitor for security threats and respond to them promptly.
- Automate actions: Consider automating actions based on API call logs. For example, you can set up alerts to notify you when specific API calls exceed a threshold or automatically scale resources up or down based on API usage.
Resolution
Resolving an anomalous API call that poses a security threat requires a high-priority and urgent response to prevent further damage or potential security breaches. Here are some general steps to resolve the incident:
- Immediately disable access to the resource that was targeted by the unauthorized API call. This could involve revoking access keys, changing passwords, or disabling specific IAM roles.
- Conduct a security audit of the affected resource to determine if any data was compromised or any other unauthorized access has occurred. This will help you understand the scope of the threat and determine any additional remediation steps.
- Update your security controls to prevent similar threats in the future. This could involve implementing stricter access controls, enabling multi-factor authentication, or configuring auditing and monitoring tools to detect anomalous behavior.
- Conduct regular security assessments to identify and address potential vulnerabilities or weaknesses in your GCP environment.