![GCP | Cloud Cyber Forensics](data:image/svg+xml,%3Csvg xmlns="http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg" width="256" height="256" viewBox="0 0 256 256"%3E%3Cg fill="none"%3E%3Crect width="256" height="256" fill="%23242938" rx="60"%2F%3E%3Cpath fill="%23EA4335" d="m161.009 92.39l17.385-17.386l1.159-7.32c-31.68-28.807-82.04-25.54-110.6 6.816c-7.932 8.986-13.817 20.19-16.955 31.76l6.226-.878l34.77-5.733l2.684-2.745c15.466-16.986 41.617-19.272 59.475-4.82l5.856.305Z"%2F%3E%3Cpath fill="%234285F4" d="M203.16 105.749a78.318 78.318 0 0 0-23.607-38.064l-24.4 24.4a43.37 43.37 0 0 1 15.921 34.404v4.331c11.993 0 21.716 9.722 21.716 21.715c0 11.994-9.723 21.473-21.716 21.473h-43.493l-4.27 4.636v26.047l4.27 4.087h43.493c31.195.243 56.681-24.605 56.924-55.8a56.483 56.483 0 0 0-24.838-47.229Z"%2F%3E%3Cpath fill="%2334A853" d="M84.149 208.778h43.432v-34.77H84.149a21.312 21.312 0 0 1-8.906-1.952l-6.161 1.891l-17.507 17.385l-1.525 5.917c9.818 7.413 21.796 11.582 34.099 11.529Z"%2F%3E%3Cpath fill="%23FBBC05" d="M84.149 95.989C52.953 96.175 27.815 121.615 28 152.81a56.486 56.486 0 0 0 22.049 44.438l25.193-25.193c-10.93-4.938-15.787-17.802-10.849-28.731c4.938-10.93 17.802-15.787 28.73-10.85a21.718 21.718 0 0 1 10.85 10.85l25.193-25.193a56.421 56.421 0 0 0-45.018-22.143Z"%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
Summary
Notes around GCP Incident Response & Threat Hunting.
# Connect to GCP with service account key file
gcloud auth activate-service-account [email protected] --key-file=service-account-key-file.json
# List authenticated accounts
gcloud auth list
# Set the project
gcloud config set project some-project
# Find Logging Buckets
gcloud logging buckets list
# Read Logging Bucket files and output as JSON
gcloud logging read 'timestamp<="2022-10-01T00:00:00Z" AND timestamp>="2022-09-01T00:00:00Z"' --bucket=gcp-log-store --location=global --view=_AllLogs --format="json" > logs-gcp.json