Name:GCP Multiple Users Failing To Authenticate From Ip id:da20828e-d6fb-4ee5-afb7-d0ac200923d5 version:3 date:2024-09-30 author:Bhavin Patel, Splunk status:production type:Anomaly Description:The following analytic detects a single source IP address failing to authenticate into more than 20 unique Google Workspace user accounts within a 5-minute window. It leverages Google Workspace login failure events to identify potential password spraying attacks. This activity is significant as it may indicate an adversary attempting to gain unauthorized access or elevate privileges within the Google Cloud Platform. If confirmed malicious, this behavior could lead to unauthorized access to sensitive resources, data breaches, or further exploitation within the environment. Data_source:
-Google Workspace login_failure
search:`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`
how_to_implement:You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. known_false_positives:No known false postives for this detection. Please review this alert. References: -https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks -https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite -https://attack.mitre.org/techniques/T1110/003/ -https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf drilldown_searches: name:'View the detection results for - "$tried_accounts$"' search:'%original_detection_search% | search tried_accounts = "$tried_accounts$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$tried_accounts$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'GCP Account Takeover' asset_type:Google Cloud Platform tenant confidence:90 impact:60 message:Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$ mitre_attack_id: - 'T1586' - 'T1586.003' - 'T1110' - 'T1110.003' - 'T1110.004' observable: name:'tried_accounts' type:'User' - role: - 'Victim' name:'src' type:'IP Address' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'event.name' - 'event.type' - 'authentication_method' - 'app' - 'id.applicationName' - 'src' risk_score:54 security_domain:threat
