Active Scan: Log4j Vulnerable to RCE | Network | Event Threat Detection |
Added Binary Executed | Google Kubernetes Engine | Container Threat Detection |
Added Library Loaded | Google Kubernetes Engine | Container Threat Detection |
Brute force SSH | Compute Engine | Event Threat Detection |
Cloud IDS: THREAT_IDENTIFIER | Network | Event Threat Detection |
Collection: Pam.d Modification | Google Kubernetes Engine | Container Threat Detection |
Command and Control: DNS Tunneling | Network | Event Threat Detection |
Command and Control: Steganography Tool Detected | Google Kubernetes Engine | Container Threat Detection |
Credential Access: Access Sensitive Files On Nodes | Google Kubernetes Engine | Container Threat Detection |
Credential Access: CloudDB Failed login from Anonymizing Proxy IP | Database | Event Threat Detection |
Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
Credential Access: Find Google Cloud Credentials | Google Kubernetes Engine | Container Threat Detection |
Credential Access: GPG Key Reconnaissance | Google Kubernetes Engine | Container Threat Detection |
Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
Credential Access: Search Private Keys or Passwords | Google Kubernetes Engine | Container Threat Detection |
Credential Access: Secrets Accessed In Kubernetes Namespace | Google Kubernetes Engine | Event Threat Detection |
Defense Evasion: Anonymous Sessions Granted Cluster Admin Access | Google Kubernetes Engine | Event Threat Detection |
Defense Evasion: Base64 ELF File Command Line | Google Kubernetes Engine | Container Threat Detection |
Defense Evasion: Base64 Encoded Python Script Executed | Google Kubernetes Engine | Container Threat Detection |
Defense Evasion: Base64 Encoded Shell Script Executed | Google Kubernetes Engine | Container Threat Detection |
Defense Evasion: Breakglass Workload Deployment Created | Google Kubernetes Engine | Event Threat Detection |
Defense Evasion: Breakglass Workload Deployment Updated | Google Kubernetes Engine | Event Threat Detection |
Defense Evasion: Disable or Modify Linux Audit System | Google Kubernetes Engine | Container Threat Detection |
Defense Evasion: GCS Bucket IP Filtering Modified | Cloud Storage | Event Threat Detection |
Defense Evasion: Launch Code Compiler Tool In Container | Google Kubernetes Engine | Container Threat Detection |
Defense Evasion: Manually Deleted Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
Defense Evasion: Modify VPC Service Control | IAM | Event Threat Detection |
Defense Evasion: Organization-Level Service Account Token Creator Role Added | IAM | Event Threat Detection |
Defense Evasion: Potential Kubernetes Pod Masquerading | Google Kubernetes Engine | Event Threat Detection |
Defense Evasion: Project HTTP Policy Block Disabled | Cloud Storage | Event Threat Detection |
Defense Evasion: Project-Level Service Account Token Creator Role Added | IAM | Event Threat Detection |
Defense Evasion: Root Certificate Installed | Google Kubernetes Engine | Container Threat Detection |
Defense Evasion: Rootkit | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: Static Pod Created | Google Kubernetes Engine | Event Threat Detection |
Defense Evasion: Unexpected ftrace handler | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: Unexpected interrupt handler | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: Unexpected kernel modules | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: Unexpected kernel read-only data modification | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: Unexpected kprobe handler | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: Unexpected processes in runqueue | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: Unexpected system call handler | Compute Engine | Virtual Machine Threat Detection |
Defense Evasion: VPC Route Masquerade Attempt | Network | Event Threat Detection |
Discovery: Can get sensitive Kubernetes object check | Google Kubernetes Engine | Event Threat Detection |
Discovery: Information Gathering Tool Used | IAM | Event Threat Detection |
Discovery: Service Account Self-Investigation | IAM | Event Threat Detection |
Discovery: Unauthorized Service Account API Call | IAM | Event Threat Detection |
Evasion: Access from Anonymizing Proxy | IAM | Event Threat Detection |
Execution: Added Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
Execution: Added Malicious Library Loaded | Google Kubernetes Engine | Container Threat Detection |
Execution: Built in Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
Execution: Container Escape | Google Kubernetes Engine | Container Threat Detection |
Execution: cryptocurrency mining combined detection | Compute Engine | Virtual Machine Threat Detection |
Execution: Cryptocurrency Mining Hash Match | Compute Engine | Virtual Machine Threat Detection |
Execution: Cryptocurrency Mining YARA Rule | Compute Engine | Virtual Machine Threat Detection |
Execution: Cryptomining Docker Image | Cloud Run | Event Threat Detection |
Execution: Fileless Execution in /memfd: | Google Kubernetes Engine | Container Threat Detection |
Execution: GKE launch excessively capable container | Google Kubernetes Engine | Event Threat Detection |
Execution: Ingress Nightmare Vulnerability Exploitation | Google Kubernetes Engine | Container Threat Detection |
Execution: Kubernetes Attack Tool Execution | Google Kubernetes Engine | Container Threat Detection |
Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments | Google Kubernetes Engine | Event Threat Detection |
Execution: Local Reconnaissance Tool Execution | Google Kubernetes Engine | Container Threat Detection |
Execution: Malicious Python executed | Google Kubernetes Engine | Container Threat Detection |
Execution: Modified Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
Execution: Modified Malicious Library Loaded | Google Kubernetes Engine | Container Threat Detection |
Execution: Netcat Remote Code Execution in Container | Google Kubernetes Engine | Container Threat Detection |
Execution: Possible Remote Command Execution Detected | Google Kubernetes Engine | Container Threat Detection |
Execution: Program Run with Disallowed HTTP Proxy Env | Google Kubernetes Engine | Container Threat Detection |
Execution: Suspicious Cron Modification | Google Kubernetes Engine | Container Threat Detection |
Execution: Suspicious Exec or Attach to a System Pod | Google Kubernetes Engine | Event Threat Detection |
Execution: Suspicious OpenSSL Shared Object Loaded | Google Kubernetes Engine | Container Threat Detection |
Execution: Workload triggered in sensitive namespace | Google Kubernetes Engine | Event Threat Detection |
Exfiltration: Cloud SQL Data Exfiltration | Database | Event Threat Detection |
Exfiltration: Cloud SQL Over-Privileged Grant | Database | Event Threat Detection |
Exfiltration: Cloud SQL Restore Backup to External Organization | Database | Event Threat Detection |
Exfiltration: BigQuery Data Exfiltration | BigQuery | Event Threat Detection |
Exfiltration: BigQuery Data Extraction | BigQuery | Event Threat Detection |
Exfiltration: BigQuery Data to Google Drive | BigQuery | Event Threat Detection |
Exfiltration: Launch Remote File Copy Tools in Container | Google Kubernetes Engine | Container Threat Detection |
Exfiltration: Move to Public BigQuery resource | BigQuery | Event Threat Detection |
Impact: Billing Disabled | IAM | Event Threat Detection |
Impact: Cryptomining Commands | Cloud Run | Event Threat Detection |
Impact: Deleted Google Cloud Backup and DR Backup | Backup and DR | Event Threat Detection |
Impact: Deleted Google Cloud Backup and DR host | Backup and DR | Event Threat Detection |
Impact: Deleted Google Cloud Backup and DR plan association | Backup and DR | Event Threat Detection |
Impact: Deleted Google Cloud Backup and DR Vault | Backup and DR | Event Threat Detection |
Impact: Detect Malicious Cmdlines | Google Kubernetes Engine | Container Threat Detection |
Impact: GKE kube-dns modification detected | Google Kubernetes Engine | Event Threat Detection |
Impact: Google Cloud Backup and DR delete policy | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR delete profile | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR delete storage pool | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR delete template | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR expire all images | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR expire image | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR reduced backup expiration | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR reduced backup frequency | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR remove appliance | Backup and DR | Event Threat Detection |
Impact: Google Cloud Backup and DR remove plan | Backup and DR | Event Threat Detection |
Impact: Managed Instance Group Autoscaling Set To Maximum | Compute Engine | Event Threat Detection |
Impact: Remove Bulk Data From Disk | Google Kubernetes Engine | Container Threat Detection |
Impact: Service API Disabled | IAM | Event Threat Detection |
Impact: Suspicious crypto mining activity using the Stratum Protocol | Google Kubernetes Engine | Container Threat Detection |
Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining | Google Kubernetes Engine | Event Threat Detection |
Impact: VPC Firewall High Priority Block | Network | Event Threat Detection |
Impact: VPC Firewall Mass Rule Deletion | Network | Event Threat Detection |
Persistence: Strong Authentication Disabled | Google Workspace | Event Threat Detection |
Initial Access: Account Disabled Hijacked | Google Workspace | Event Threat Detection |
Initial Access: Anonymous GKE Resource Created from the Internet | Google Kubernetes Engine | Event Threat Detection |
Initial Access: CloudDB Successful login from Anonymizing Proxy IP | Database | Event Threat Detection |
Initial Access: Database Superuser Writes to User Tables | Database | Event Threat Detection |
Initial Access: Disabled Password Leak | Google Workspace | Event Threat Detection |
Initial Access: Dormant Service Account Action | IAM | Event Threat Detection |
Initial Access: Dormant Service Account Activity in AI Service | AI | Event Threat Detection |
Initial Access: Dormant Service Account Key Created | IAM | Event Threat Detection |
Initial Access: Excessive Permission Denied Actions | IAM | Event Threat Detection |
Initial Access: GKE NodePort service created | Google Kubernetes Engine | Event Threat Detection |
Initial Access: GKE Resource Modified Anonymously from the Internet | Google Kubernetes Engine | Event Threat Detection |
Initial Access: Government Based Attack | Google Workspace | Event Threat Detection |
Initial Access: Log4j Compromise Attempt | Network | Event Threat Detection |
Initial Access: Successful API call made from a TOR proxy IP | Google Kubernetes Engine | Event Threat Detection |
Initial Access: Suspicious Login Blocked | Google Workspace | Event Threat Detection |
Lateral Movement: Modified Boot Disk Attached to Instance | Compute Engine | Event Threat Detection |
Lateral Movement: OS Patch Execution From Service Account | Compute Engine | Event Threat Detection |
Log4j Malware: Bad Domain | Network | Event Threat Detection |
Log4j Malware: Bad IP | Network | Event Threat Detection |
Malicious Script Executed | Google Kubernetes Engine | Container Threat Detection |
Malicious URL Observed | Google Kubernetes Engine | Container Threat Detection |
Malware: bad domain | Network | Event Threat Detection |
Malware: bad IP | Network | Event Threat Detection |
Malware: Cryptomining Bad Domain | Network | Event Threat Detection |
Malware: Cryptomining Bad IP | Network | Event Threat Detection |
Malware: Malicious file on disk | Amazon EC2 | Virtual Machine Threat Detection |
Malware: Malicious file on disk (YARA) | Compute Engine | Virtual Machine Threat Detection |
Persistence: IAM Anomalous Grant | IAM | Event Threat Detection |
Persistence: GCE Admin Added SSH Key | Compute Engine | Event Threat Detection |
Persistence: GCE Admin Added Startup Script | Compute Engine | Event Threat Detection |
Persistence: GKE Webhook Configuration Detected | Google Kubernetes Engine | Event Threat Detection |
Persistence: Global Startup Script Added | Compute Engine | Event Threat Detection |
Persistence: Modify ld.so.preload | Google Kubernetes Engine | Container Threat Detection |
Persistence: New AI API Method | AI | Event Threat Detection |
Persistence: New API Method | IAM | Event Threat Detection |
Persistence: New Geography | IAM | Event Threat Detection |
Persistence: New Geography for AI Service | AI | Event Threat Detection |
Persistence: New User Agent | IAM | Event Threat Detection |
Persistence: Service Account Created in sensitive namespace | Google Kubernetes Engine | Event Threat Detection |
Persistence: Service Account Key Created | IAM | Event Threat Detection |
Persistence: SSO Enablement Toggle | Google Workspace | Event Threat Detection |
Persistence: SSO Settings Changed | Google Workspace | Event Threat Detection |
Persistence: Two Step Verification Disabled | Google Workspace | Event Threat Detection |
Persistence: Unmanaged Account Granted Sensitive Role | IAM | Event Threat Detection |
Privilege Escalation: AlloyDB Database Superuser Writes to User Tables | Database | Event Threat Detection |
Privilege Escalation: AlloyDB Over-Privileged Grant | Database | Event Threat Detection |
Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity | IAM | Event Threat Detection |
Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity | AI | Event Threat Detection |
Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | IAM | Event Threat Detection |
Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity | AI | Event Threat Detection |
Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access | AI | Event Threat Detection |
Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access | IAM | Event Threat Detection |
Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity | IAM | Event Threat Detection |
Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity | AI | Event Threat Detection |
Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access | AI | Event Threat Detection |
Privilege Escalation: Anomalous Service Account Impersonator for Data Access | IAM | Event Threat Detection |
Privilege Escalation: Changes to sensitive Kubernetes RBAC objects | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: ClusterRole with Privileged Verbs | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: ClusterRoleBinding to Privileged Role | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: Create Kubernetes CSR for master cert | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: Creation of sensitive Kubernetes bindings | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy | Cloud Run | Event Threat Detection |
Privilege Escalation: Dormant Service Account Granted Sensitive Role | IAM | Event Threat Detection |
Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: External Member Added To Privileged Group | IAM | Event Threat Detection |
Privilege Escalation: Fileless Execution in /dev/shm | Google Kubernetes Engine | Container Threat Detection |
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: Global Shutdown Script Added | Compute Engine | Event Threat Detection |
Privilege Escalation: Impersonation Role Granted For Dormant Service Account | IAM | Event Threat Detection |
Privilege Escalation: Launch of privileged Kubernetes container | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: New Service Account is Owner or Editor | IAM | Event Threat Detection |
Privilege Escalation: Privileged Group Opened To Public | IAM | Event Threat Detection |
Privilege Escalation: Sensitive Role Granted To Hybrid Group | IAM | Event Threat Detection |
Privilege Escalation: Suspicious Cross-Project Permission Use | IAM | Event Threat Detection |
Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: Suspicious Token Generation | IAM | Event Threat Detection |
Privilege Escalation: Workload Created with a Sensitive Host Path Mount | Google Kubernetes Engine | Event Threat Detection |
Privilege Escalation: Workload with shareProcessNamespace enabled | Google Kubernetes Engine | Event Threat Detection |
Resource Development: Offensive Security Distro Activity | IAM | Event Threat Detection |
Reverse Shell | Google Kubernetes Engine | Container Threat Detection |
Unexpected Child Shell | Google Kubernetes Engine | Container Threat Detection |
Initial Access: Leaked Service Account Key Used | IAM | Event Threat Detection |
Account has leaked credentials | IAM | Anomaly Detection |
Defense Evasion: Organization Policy Changed | IAM | Sensitive Actions Service |
Defense Evasion: Remove Billing Admin | IAM | Sensitive Actions Service |
Impact: GPU Instance Created | Compute Engine | Sensitive Actions Service |
Impact: Many Instances Created | Compute Engine | Sensitive Actions Service |
Impact: Many Instances Deleted | Compute Engine | Sensitive Actions Service |
Persistence: Add Sensitive Role | IAM | Sensitive Actions Service |
Persistence: Project SSH Key Added | IAM | Sensitive Actions Service |
Execution: Added Malicious Binary Executed | Cloud Run | Cloud Run Threat Detection |
Execution: Added Malicious Library Loaded | Cloud Run | Cloud Run Threat Detection |
Execution: Built in Malicious Binary Executed | Cloud Run | Cloud Run Threat Detection |
Execution: Container Escape | Cloud Run | Cloud Run Threat Detection |
Execution: Kubernetes Attack Tool Execution | Cloud Run | Cloud Run Threat Detection |
Execution: Local Reconnaissance Tool Execution | Cloud Run | Cloud Run Threat Detection |
Execution: Malicious Python executed | Cloud Run | Cloud Run Threat Detection |
Execution: Modified Malicious Binary Executed | Cloud Run | Cloud Run Threat Detection |
Execution: Modified Malicious Library Loaded | Cloud Run | Cloud Run Threat Detection |
Malicious Script Executed | Cloud Run | Cloud Run Threat Detection |
Malicious URL Observed | Cloud Run | Cloud Run Threat Detection |
Reverse Shell | Cloud Run | Cloud Run Threat Detection |
Unexpected Child Shell | Cloud Run | Cloud Run Threat Detection |
Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177) | Google Kubernetes Engine | Container Threat Detection |
Execution: Socat Reverse Shell Detected | Google Kubernetes Engine | Container Threat Detection |
Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287) | Google Kubernetes Engine | Container Threat Detection |
Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | Google Kubernetes Engine | Container Threat Detection |
Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156) | Google Kubernetes Engine | Container Threat Detection |