Auf dieser Seite erfahren Sie, wie Sie Ergebnisse von Event Threat Detection in der Google Cloud Console prüfen können und enthält Beispiele für Event Threat Detection-Ergebnisse.
Event Threat Detection ist ein integrierter Dienst für die Premium-Stufe von Security Command Center das Cloud Logging überwacht Logging-Streams für Ihre Organisation oder Projekte und erkennt Bedrohungen nahezu in Echtzeit. Wenn Sie Premium-Stufe von Security Command Center auf Organisationsebene, Event Threat Detection kann auch die Google Workspace-Logging-Streams Ihrer Organisation überwachen. Weitere Informationen Weitere Informationen finden Sie unter Event Threat Detection – Übersicht.
Ergebnisse prüfen
Damit Ergebnisse von Event Threat Detection angezeigt werden können, muss der Dienst in den Services-Einstellungen von Security Command Center aktiviert sein. Nachdem Sie Event Threat Detection aktivieren, Event Threat Detection generiert Ergebnisse durch Scannen bestimmte Logs enthalten. Einige der Logs, die von Event Threat Detection gescannt werden können, sind durch Sie müssen sie möglicherweise aktivieren.
Weitere Informationen zu den integrierten Erkennungsregeln, die Event Threat Detection verwendet die von Event Threat Detection gescannten Logs verwendet werden, finden Sie in den folgenden Themen:
Die Event Threat Detection-Ergebnisse können in Security Command Center abgerufen werden. Wenn Sie kontinuierliche Exporte konfiguriert haben, um Logs zu schreiben, können Sie sich die Ergebnisse auch in Cloud Logging ansehen. Kontinuierliche Exporte nach Cloud Logging ist nur verfügbar, wenn Sie die Premium-Stufe von Security Command Center auf Organisationsebene aktivieren. Um eine können Sie absichtlich einen Detektor auslösen, und Event Threat Detection testen.
Event Threat Detection wird innerhalb weniger Sekunden aktiviert. Erkennungslatenzen sind in der Regel kürzer als 15 Minuten ab dem Zeitpunkt, zu dem ein Log in Security Command Center geschrieben wird. Weitere Informationen zur Latenz finden Sie unter Security Command Center-Latenz – Übersicht.
Ergebnisse in Security Command Center prüfen
Die IAM-Rollen für Security Command Center können in der Organisation, Ordner- oder Projektebene. Ihre Fähigkeit, Ergebnisse, Assets, und Sicherheitsquellen hängen von der Zugriffsebene ab. Weitere Informationen Weitere Informationen zu Security Command Center-Rollen finden Sie unter Zugriffssteuerung.
So überprüfen Sie die Ergebnisse in der Google Cloud Console:
Rufen Sie in der Google Cloud Console die Security Command Center-Seite Ergebnisse auf.
Wählen Sie gegebenenfalls Ihr Google Cloud-Projekt oder Ihre Organisation aus.
Gehen Sie im Abschnitt Schnellfilter im Unterabschnitt Anzeigename der Quelle wie folgt vor: Wählen Sie eine oder beide der folgenden Optionen aus:
- Event Threat Detection: zum Filtern von Ergebnissen, die von integrierten Event Threat Detection detektoren
- Benutzerdefinierte Module für Event Threat Detection: zum Filtern generierter Ergebnisse durch benutzerdefinierte Module für Event Threat Detection
Die Tabelle wird mit den Event Threat Detection-Ergebnissen gefüllt.
Klicken Sie auf den Namen des Ergebnisses unter
Category
, um Details zu einem bestimmten Ergebnis aufzurufen. Der Bereich mit den Ergebnisdetails wird erweitert und enthält nun die folgenden Informationen:- Eine KI-generierte ZusammenfassungVorschau des Problems
- Zeitpunkt des Ereignisses
- Quelle der Ergebnisdaten
- Schweregrad der Erkennung, z. B. Hoch
- Die ergriffenen Aktionen, z. B. das Hinzufügen einer IAM-Rolle (Identity and Access Management) für einen Gmail-Nutzer
- Der Nutzer, der die Aktion ausgeführt hat, wird neben E-Mail-Adresse des Hauptkontos angezeigt.
So zeigen Sie alle Ergebnisse an, die durch die Aktionen eines Nutzers ausgelöst wurden:
- Kopieren Sie im Detailbereich mit den Ergebnissen die E-Mail-Adresse neben Haupt-E-Mail-Adresse.
- Schließen Sie den Bereich.
Geben Sie im Query Builder die folgende Abfrage ein:
access.principal_email="USER_EMAIL"
Ersetzen Sie USER_EMAIL durch die zuvor kopierte E-Mail-Adresse.
Security Command Center zeigt alle Ergebnisse an, die mit Aktionen verknüpft sind, die von dem angegebenen Nutzer ausgeführt wurden.
Ergebnisse in Cloud Logging ansehen
Wenn Sie Kontinuierliche Exporte Logs schreiben möchten, können Ergebnisse von Event Threat Detection in Cloud Logging ansehen. Diese Funktion ist nur verfügbar, wenn Sie die Premium-Stufe von Security Command Center auf Organisationsebene aktivieren.
So rufen Sie die Ergebnisse von Event Threat Detection in Cloud Logging auf:
Rufen Sie in der Google Cloud Console den Log-Explorer auf.
Wählen Sie in der Projektauswahl oben auf der Seite das Projekt aus, in dem Sie die Event Threat Detection-Logs speichern.
Klicken Sie auf den Tab Query Builder.
Wählen Sie in der Drop-down-Liste Ressource die Option Threat Detector aus.
- Um Ergebnisse von allen Detektoren anzuzeigen, wählen Sie all detector_name aus.
- Wählen Sie den Namen eines Detektors aus, um die Ergebnisse zu sehen.
Klicken Sie auf Add. Die Abfrage wird im Textfeld des Query Builders angezeigt.
Alternativ können Sie die folgende Abfrage in das Textfeld eingeben:
resource.type="threat_detector"
Klicken Sie auf Abfrage ausführen. Die Tabelle Abfrageergebnisse wird mit den ausgewählten Logs aktualisiert.
Zum Aufrufen eines Logs klicken Sie auf eine Tabellenzeile und dann auf Verschachtelte Felder erweitern.
Sie können erweiterte Logabfragen erstellen, um eine Reihe von Logeinträgen aus beliebig vielen Logs anzugeben.
Beispiele für Ergebnisformate
Dieser Abschnitt enthält die JSON-Ausgabeformate für Event Threat Detection-Ergebnisse als Sie werden angezeigt, wenn Sie Exporte über die Google Cloud Console oder die Ausführungsliste erstellen in der Security Command Center API.
Die Ausgabebeispiele enthalten die Felder, die für alle Ergebnisse am häufigsten verwendet werden. Allerdings sind möglicherweise nicht alle Ergebnisse in jedem Ergebnis enthalten. Die tatsächliche Ausgabe hängt von der Konfiguration einer Ressource und der Art und dem Status der Ergebnisse ab.
Wenn Sie sich die Beispielergebnisse ansehen möchten, maximieren Sie einen oder mehrere der folgenden Knoten.
Aktiver Scan: Log4j-Sicherheitslücken für RCE
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "state": "ACTIVE", "category": "Active Scan: Log4j Vulnerable to RCE", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "log4j_scan_success" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1639701222", "nanos": 7.22988344E8 }, "insertId": "INSERT_ID" } }], "properties": { "scannerDomain": "SCANNER_DOMAIN", "sourceIp": "SOURCE_IP_ADDRESS", "vpcName": "default" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1210/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-12-17T00:33:42.722Z", "createTime": "2021-12-17T00:33:44.633Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.compute.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME" }], "displayName": "INSTANCE_ID" } }
Brute Force: SSH
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Brute Force: SSH", "sourceProperties": { "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "65" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "projectId": "PROJECT_ID", "zone": "us-west1-a", "instanceId": "INSTANCE_ID", "attempts": [ { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "SUCCESS" }, { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL" }, { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL" } ] }, "detectionPriority": "HIGH", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/003/" } }, "detectionCategory": { "technique": "brute_force", "indicator": "flow_log", "ruleName": "ssh_brute_force" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ] }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Zugriff auf Anmeldedaten: Externes Mitglied zur privilegierten Gruppe hinzugefügt
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME", "state": "ACTIVE", "category": "Credential Access: External Member Added To Privileged Group", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "external_member_added_to_privileged_group" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1633622881", "nanos": 6.73869E8 }, "insertId": "INSERT_ID" } }], "properties": { "externalMemberAddedToPrivilegedGroup": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "externalMember": "user:EXTERNAL_EMAIL", "sensitiveRoles": [{ "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "roleName": ["ROLES"] }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": " https://attack.mitre.org/techniques/T1078" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:08:03.888Z", "createTime": "2021-10-07T16:08:04.516Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" } }
Zugriff auf Anmeldedaten: Privilegierte Gruppe öffentlich zugänglich gemacht
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings", "state": "ACTIVE", "category": "Credential Access: Privileged Group Opened To Public", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "privileged_group_opened_to_public" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1634774534", "nanos": 7.12E8 }, "insertId": "INSERT_ID" } }], "properties": { "privilegedGroupOpenedToPublic": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "sensitiveRoles": [{ "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "roleName": ["ROLES"] }], "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": " https://attack.mitre.org/techniques/T1078" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-21T00:02:19.173Z", "createTime": "2021-10-21T00:02:20.099Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings" } }
Zugriff auf Anmeldedaten: Sensible Rolle der Hybridgruppe gewährt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", }, "assetDisplayName": "PROJECT_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Credential Access: Sensitive Role Granted To Hybrid Group", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-12-22T00:31:58.242Z", "database": {}, "eventTime": "2022-12-22T00:31:58.151Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "roles/iam.securityAdmin", "member": "group:GROUP_NAME@ORGANIZATION_NAME", } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_ID", "type": "google.cloud.resourcemanager.Project", "folders": [ { "resourceFolderDisplayName": "FOLDER_ID", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "sensitive_role_to_group_with_external_member" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1671669114", "nanos": 715318000 }, "insertId": "INSERT_ID" } } ], "properties": { "sensitiveRoleToHybridGroup": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "bindingDeltas": [ { "action": "ADD", "role": "roles/iam.securityAdmin", "member": "group:GROUP_NAME@ORGANIZATION_NAME", } ], "resourceName": "projects/PROJECT_ID" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } } }
Umgehung von Abwehrmaßnahmen: Break-Glass-Workload-Deployment wurde erstellt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Breakglass Workload Deployment Created", "cloudDlpInspection": {}, "containers": [ { "name": "test-container", "uri": "test-image" } ], "createTime": "2023-03-24T17:38:45.756Z", "database": {}, "eventTime": "2023-03-24T17:38:45.709Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd, "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "ns": "NAMESPACE", "name": "POD_NAME", "labels": [ { "name": "image-policy.k8s.io/break-glass", "value": "true" } ], "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "ABUSE_ELEVATION_CONTROL_MECHANISM" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "display_name": "default", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "parent_display_name": "CLUSTER_NAME", "type": "k8s.io.Namespace", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1548/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "binary_authorization_breakglass_workload", "subRuleName": "create" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1679679521", "nanos": 141571000 }, "insertId": "INSERT_ID" } } ] } }
Umgehung von Abwehrmaßnahmen: Break-Glass-Workload-Deployment wurde aktualisiert
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.update" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Breakglass Workload Deployment Updated", "cloudDlpInspection": {}, "containers": [ { "name": "test-container", "uri": "test-image" } ], "createTime": "2023-03-24T17:38:45.756Z", "database": {}, "eventTime": "2023-03-24T17:38:45.709Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd, "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "ns": "NAMESPACE", "name": "POD_NAME", "labels": [ { "name": "image-policy.k8s.io/break-glass", "value": "true" } ], "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "ABUSE_ELEVATION_CONTROL_MECHANISM" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "display_name": "default", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "parent_display_name": "CLUSTER_NAME", "type": "k8s.io.Namespace", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1548/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "binary_authorization_breakglass_workload", "subRuleName": "update" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1679679521", "nanos": 141571000 }, "insertId": "INSERT_ID" } } ] } }
Defense Evasion: VPC Service Control modifizieren
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER", "state": "ACTIVE", "category": "Defense Evasion: Modify VPC Service Control", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "modify_auth_process", "indicator": "audit_log", "ruleName": "vpcsc_changes", "subRuleName": "reduce_perimeter_protection" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1633625631", "nanos": 1.78978E8 }, "insertId": "INSERT_ID" } }], "properties": { "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER", "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS", "delta": { "restrictedResources": [{ "resourceName": "PROJECT_NAME", "action": "REMOVE" }], "restrictedServices": [{ "serviceName": "SERVICE_NAME", "action": "REMOVE" }], "allowedServices": [{ "serviceName": "SERVICE_NAME", "action": "ADD" }], "accessLevels": [{ "policyName": "ACCESS_LEVEL_POLICY", "action": "ADD" }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": ""https://attack.mitre.org/techniques/T1556/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:53:53.875Z", "createTime": "2021-10-07T16:53:54.411Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": {}, "serviceName": "accesscontextmanager.googleapis.com", "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter" } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "type": "google.cloud.resourcemanager.Organization", "displayName": "RESOURCE_DISPLAY_NAME" } }
Erkennung: Abrufen der Prüfung eines vertraulichen Kubernetes-Objekts
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f", "category": "Discovery: Can get sensitive Kubernetes object check", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T01:39:42.957Z", "database": {}, "eventTime": "2022-10-08T01:39:40.632Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "accessReviews": [ { "name": "secrets-1665218000", "resource": "secrets", "verb": "get" } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "can_get_sensitive_object" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665193180", "nanos": 632000000 }, "insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf" } } ], "properties": {}, "findingId": "03f466dc25a8496693b7482304fb2e7f", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0007/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Erkennung: Dienstkonto-Prüfung
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Discovery: Service Account Self-Investigation", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "discovery", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "service_account_gets_own_iam_policy" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1619200104", "nanos": 9.08E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceAccountGetsOwnIamPolicy": { "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com", "projectId": "PROJECT_ID", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "rawUserAgent": "RAW_USER_AGENT" } }, "contextUris": { "mitreUri": { "displayName": "Permission Groups Discovery: Cloud Groups", "url": "https://attack.mitre.org/techniques/T1069/003/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-23T17:48:24.908Z", "createTime": "2021-04-23T17:48:26.922Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "ORGANIZATION_NAME", "type": "google.cloud.resourcemanager.Project" } }
E-Mail: Zugriff vom Anonymisierungs-Proxy
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Evasion: Access from Anonymizing Proxy", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "proxy_access" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1633625631", "nanos": 1.78978E8 }, "insertId": "INSERT_ID" } }], "properties": { "changeFromBadIp": { "principalEmail": "PRINCIPAL_EMAIL", "ip": "SOURCE_IP_ADDRESS" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1090/003/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:53:53.875Z", "createTime": "2021-10-07T16:53:54.411Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Exfiltration: BigQuery-Daten-Exfiltration
Dieses Ergebnis kann eine von zwei möglichen Unterregeln enthalten:
exfil_to_external_table
mit dem SchweregradHIGH
.vpc_perimeter_violation
mit dem SchweregradLOW
.
Das folgende Beispiel zeigt die JSON-Datei für die untergeordnete Regel exfil_to_external_table
.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Exfiltration: BigQuery Data Exfiltration", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "2023-05-30T15:49:59.709Z", "database": {}, "eventTime": "2023-05-30T15:49:59.432Z", "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID" } ] }, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "parent_display_name": "FOLDER_NAME", "type": "google.cloud.resourcemanager.Project", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "resourceFolderDisplayName": "FOLDER_NAME" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1685461795", "nanos": 341527000 }, "insertId": "INSERT_ID" } } ], "properties": { "dataExfiltrationAttempt": { "jobState": "SUCCEEDED", "jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults", "job": { "projectId": "PROJECT_ID", "jobId": "BIGQUERY_JOB_ID", "location": "BIGQUERY_JOB_LOCATION" }, "query": "QUERY", "sourceTables": [ { "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID" } ], "destinationTables": [ { "resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table", "projectId": "TARGET_PROJECT_ID", "datasetId": "TARGET_DATASET_ID", "tableId": "TARGET_TABLE_ID" } ], "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com" }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Exfiltration: BigQuery-Datenextraktion
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Extraction", "sourceProperties": { "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "detectionCategory": { "technique": "storage_bucket_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_cloud_storage" }, "detectionPriority": "LOW", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related BigQuery Exfiltration Extraction findings", "url": "RELATED_FINDINGS_LINK" } }, "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "extractionAttempt": { "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults", "job": { "projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US" }, "sourceTable": { "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID", "resourceUri": "FULL_URI" }, "destinations": [ { "originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME", "collectionType": "GCS_BUCKET", "collectionName": "TARGET_GCS_BUCKET_NAME", "objectName": "TARGET_FILE_NAME" } ] }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-03-31T21:22:11.359Z", "createTime": "2022-03-31T21:22:12.689Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "TARGET_GCS_URI" } ] } }, "resource": { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID", "parentDisplayName": "PROJECT_ID:DATASET_ID", "type": "google.cloud.bigquery.Table", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID" } }
Exfiltration: BigQuery-Daten in Google Drive
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data to Google Drive", "sourceProperties": { "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "detectionCategory": { "technique": "google_drive_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_google_drive" }, "detectionPriority": "LOW", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related BigQuery Exfiltration to Google Drive findings", "url": "RELATED_FINDINGS_LINK" } }, "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "extractionAttempt": { "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults", "job": { "projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US" }, "sourceTable": { "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID", "resourceUri": "FULL_URI" }, "destinations": [ { "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME", "collectionType": "GDRIVE", "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER", "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME" } ] }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-03-31T21:20:18.408Z", "createTime": "2022-03-31T21:20:18.715Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "TARGET_GOOGLE_DRIVE_URI" } ] } }, "resource": { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID", "parentDisplayName": "PROJECT_ID:DATASET_ID", "type": "google.cloud.bigquery.Table", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID" } }
Exfiltration: Cloud SQL-Daten-Exfiltration
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Data Exfiltration", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "storage_bucket_exfiltration", "indicator": "audit_log", "ruleName": "cloudsql_exfil", "subRuleName": "export_to_public_gcs" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "exportToGcs": { "principalEmail": "PRINCIPAL_EMAIL", "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME", "bucketAccess": "PUBLICLY_ACCESSIBLE", "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME", "exportScope": "WHOLE_INSTANCE" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-11T16:32:59.828Z", "createTime": "2021-10-11T16:33:00.229Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.export" }, "exfiltration": { "sources": [ { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "components": [] } ], "targets": [ { "name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME", "components": [ "TARGET_FILE_NAME" ] } ] }, }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "INSTANCE_NAME" } }
Exfiltration: Wiederherstellung von Cloud SQL-Sicherung in externer Organisation
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Restore Backup to External Organization", "sourceProperties": { "sourceId": { "projectNumber": "SOURCE_PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "backup_exfiltration", "indicator": "audit_log", "ruleName": "cloudsql_exfil", "subRuleName": "restore_to_external_instance" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" }, ], "evidence": [{ "sourceLogId": { "projectId": "SOURCE_PROJECT_ID", "resourceContainer": "projects/SOURCE_PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "restoreToExternalInstance": { "principalEmail": "PRINCIPAL_EMAIL", "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME", "backupId": "BACKUP_ID", "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.restoreBackup" }, "exfiltration": { "sources": [ { "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" } ], "targets": [ { "name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" } ] } }, "resource": { "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER", "projectDisplayName": "SOURCE_PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME", "parentDisplayName": "SOURCE_INSTANCE_NAME", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "mysql-backup-restore-instance" } }
Exfiltration: Cloud SQL Überprivilegierte Berechtigung
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Over-Privileged Grant", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloudsql_exfil", "subRuleName": "user_granted_all_permissions" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", "grantees": [GRANTEE], }, "access": { "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.query" } }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "INSTANCE_NAME" } }
Malware: Schädliche Domain
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Bad Domain", "sourceProperties": { "sourceId": { "customerOrganizationNumber": "ORGANIZATION_ID", "projectNumber": "PROJECT_NUMBER" }, "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1568/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal Domain Link", "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection" } ] }, "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "0" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "domains": [ "DOMAIN" ], "network": { "location": "REGION", "project": "PROJECT_ID" }, "dnsContexts": [ { "authAnswer": true, "sourceIp": "IP_ADDRESS", "queryName": "DOMAIN", "queryType": "AAAA", "responseCode": "NOERROR", "responseData": [ { "domainName": "DOMAIN.", "ttl": 299, "responseClass": "IN", "responseType": "AAAA", "responseValue": "IP_ADDRESS" } ] } ] }, "detectionPriority": "HIGH", "detectionCategory": { "technique": "C2", "indicator": "domain", "subRuleName": "google_intel", "ruleName": "bad_domain" } }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Malware: Schädliche IP
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Bad IP", "sourceProperties": { "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "0" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "ips": [ "SOURCE_IP_ADDRESS", "DESTINATION_IP_ADDRESS" ], "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "srcPort": SOURCE_PORT, "destIp": "DESTINATION_IP_ADDRESS", "destPort": DESTINATION_PORT, "protocol": 6 }, "network": { "project": "PROJECT_ID", "location": "ZONE", "subnetworkId": "SUBNETWORK_ID", "subnetworkName": "default" }, "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0011/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection" }, { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection" } ] }, "detectionCategory": { "technique": "C2", "indicator": "ip", "ruleName": "bad_ip", "subRuleName": "google_intel" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ] }, "severity": "LOW", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Malware: Ungültige Domain für Kryptomining
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Cryptomining Bad Domain", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "cryptomining", "indicator": "domain", "ruleName": "bad_domain", "subRuleName": "cryptomining" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1636566099", "nanos": 5.41483849E8 }, "insertId": "INSERT_ID" } }], "properties": { "domains": ["DOMAIN"], "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "network": { "project": "PROJECT_ID", "location": "ZONE" }, "dnsContexts": [{ "authAnswer": true, "sourceIp": "SOURCE_IP_ADDRESS", "queryName": "DOMAIN", "queryType": "A", "responseCode": "NXDOMAIN" }], "vpc": { "vpcName": "default" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "virustotalIndicatorQueryUri": [{ "displayName": "VirusTotal Domain Link", "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection" }], "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-11-10T17:41:41.594Z", "createTime": "2021-11-10T17:41:42.014Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "indicator": { "domains": ["DOMAIN"] } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Malware: Schädliche Kryptomining-IP-Adresse
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Cryptomining Bad IP", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "cryptomining", "indicator": "ip", "ruleName": "bad_ip", "subRuleName": "cryptomining" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1636566005", "nanos": 9.74622832E8 }, "insertId": "INSERT_ID" } }], "properties": { "ips": ["DESTINATION_IP_ADDRESS"], "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "network": { "project": "PROJECT_ID", "location": "ZONE", "subnetworkId": "SUBNETWORK_ID", "subnetworkName": "default" }, "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "destIp": "DESTINATION_IP_ADDRESS", "protocol": 1.0 }, "indicatorContext": [{ "ipAddress": "DESTINATION_IP_ADDRESS", "countryCode": "FR", "reverseDnsDomain": "REVERSE_DNS_DOMAIN", "carrierName": "CARRIER_NAME", "organizationName": "ORGANIZATION_NAME", "asn": "AUTONOMOUS_SYSTEM_NUMBERS" }], "srcVpc": { }, "destVpc": { "projectId": "PROJECT_ID", "vpcName": "default", "subnetworkName": "default" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "virustotalIndicatorQueryUri": [{ "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection" }], "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-11-10T17:40:38.048Z", "createTime": "2021-11-10T17:40:38.472Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "indicator": { "ipAddresses": ["DESTINATION_IP_ADDRESS"] } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Malware: Ausgehender DoS
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Malware: Outgoing DoS", "sourceProperties": { "evidence": [ { "sourceLogId": { "timestamp": { "nanos": 0.0, "seconds": "0" }, "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "srcPort": SOURCE_PORT, "destIp": "DESTINATION_IP_ADDRESS", "destPort": DESTINATION_PORT, "protocol": 17 } }, "detectionPriority": "HIGH", "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1498/" } }, "detectionCategory": { "technique": "malware", "indicator": "flow_log", "ruleName": "outgoing_dos" } }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Persistenz: Ungewöhnliche IAM-Gewährung
Das IAM Anomalous Grant
-Ergebnis ist einzigartig, da es Folgendes enthält:
Unterregeln, die genauere Informationen zu den einzelnen Instanzen liefern
dieser Erkenntnis. Die Schweregradklassifizierung dieses Ergebnisses hängt davon ab,
für die untergeordnete Regel gilt, und jede untergeordnete Regel erfordert möglicherweise eine andere Antwort.
In der folgenden Liste sind alle möglichen Unterregeln und deren Schweregrad aufgeführt:
external_service_account_added_to_policy
:HIGH
HIGH
, wenn eine streng vertrauliche Rolle gewährt wurde oder wenn wurde eine Rolle mit mittlerer Vertraulichkeit auf Organisationsebene gewährt. Für Weitere Informationen finden Sie unter Besonders sensible Rollen.MEDIUM
, wenn eine Rolle mit mittlerer Vertraulichkeit gewährt wurde. Für Weitere Informationen finden Sie unter Rollen mit mittlerer Vertraulichkeit.external_member_invited_to_policy
:HIGH
external_member_added_to_policy
:HIGH
, wenn eine streng vertrauliche Rolle gewährt wurde oder wenn wurde eine Rolle mit mittlerer Vertraulichkeit auf Organisationsebene gewährt. Für Weitere Informationen finden Sie unter Besonders sensible Rollen.MEDIUM
, wenn eine Rolle mit mittlerer Vertraulichkeit gewährt wurde. Für Weitere Informationen finden Sie unter Rollen mit mittlerer Vertraulichkeit.
custom_role_given_sensitive_permissions
:MEDIUM
service_account_granted_sensitive_role_to_member
:HIGH
policy_modified_by_default_compute_service_account
:HIGH
Die JSON-Felder, die ein Ergebnis enthält, können sich von einem Ergebnis unterscheiden in eine andere Kategorie. Die folgende JSON-Datei enthält beispielsweise Felder für ein Sicherheitskonto. Wenn sich eine Ergebniskategorie nicht auf ein Dienstkonto besteht, sind diese Felder nicht im JSON-Format enthalten.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: IAM Anomalous Grant", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "IAM_ROLE", "member": "serviceAccount:ACCOUNT_NAME" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "RESOURCE_FULL_NAME", "severity": "SEVERITY_CLASSIFICATION", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_FULL_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//RESOURCE/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "RESOURCE_PARENT_NAME", "parent_display_name": "PARENT_DISPLAY_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_grant", "subRuleName": "TYPE_OF_ANOMALOUS_GRANT" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": { "sensitiveRoleGrant": { "principalEmail": "PRINCIPAL_EMAIL", "bindingDeltas": [ { "action": "ADD", "role": "roles/GRANTED_ROLE", "member": "serviceAccount:SERVICE_ACCOUNT_NAME", } ], "members": [ "serviceAccount:SERVICE_ACCOUNT_NAME" ] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": { "displayName": "Related Anomalous Grant Findings", "url": "LINK_TO_RELATED_FINDING" } } } }
Persistenz: Rolle „Impersonation“ für inaktives Dienstkonto gewährt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.SetIAMPolicy" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: Impersonation Role Granted for Dormant Service Account", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "roles/iam.serviceAccountTokenCreator", "member": "IAM_Account_Who_Received_Impersonation_Role" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.iam.ServiceAccount", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "impersonation_role_granted_over_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ] } } }
Persistenz: Neue API-Methode
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: New API Method", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "anomalous_behavior", "subRuleName": "new_api_method" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "newApiMethod": { "newApiMethod": { "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "resourceContainer": "projects/PROJECT_NUMBER" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Persistenz: Neue Region
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h", "state": "ACTIVE", "category": "Persistence: New Geography", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "ip_geolocation" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "RESOURCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1617994703", "nanos": 5.08853E8 }, "insertId": "INSERT_ID" } }], "properties": { "anomalousLocation": { "anomalousLocation": "BE", "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "notSeenInLast": "2592000s", "typicalGeolocations": [{ "country": { "identifier": "US" } }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T18:59:43.860Z", "createTime": "2021-04-09T18:59:44.440Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "RESOURCE_NAME" } }
Persistenz: Neuer User-Agent
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9", "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID", "state": "ACTIVE", "category": "Persistence: New User Agent", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "user_agent" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1614736482", "nanos": 9.76209552E8 }, "insertId": "INSERT_ID" } }], "properties": { "anomalousSoftware": { "anomalousSoftwareClassification": ["USER_AGENT"], "behaviorPeriod": "2592000s", "callerUserAgent": "USER_AGENT", "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com" } }, "findingId": "FINDING_ID", "contextUris": { "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-03-03T01:54:47.681Z", "createTime": "2021-03-03T01:54:49.154Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//monitoring.googleapis.com/projects/PROJECT_ID" } }
Rechteausweitung: Dem inaktiven Dienstkonto wurde eine vertrauliche Rolle gewährt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "SENSITIVE_IAM_ROLE", "member": "serviceAccount:DORMANT_SERVICE_ACCOUNT" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "RESOURCE_FULL_NAME", "severity": "SEVERITY_CLASSIFICATION", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_FULL_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//RESOURCE/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "RESOURCE_PARENT_NAME", "parent_display_name": "PARENT_DISPLAY_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_role_added_to_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ] } } }
Rechteausweitung: Änderungen an vertraulichen Kubernetes-RBAC-Objekten
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a", "category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-07T07:42:36.536Z", "database": {}, "eventTime": "2022-10-07T07:42:06.044Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "bindings": [ { "name": "cluster-admin", "role": { "kind": "CLUSTER_ROLE", "name": "cluster-admin" }, "subjects": [ { "kind": "USER", "name": "testUser-1665153212" } ] } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "edit_sensitive_rbac_object" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665128526", "nanos": 44146000 }, "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a" } } ], "properties": {}, "findingId": "05b52fe8267d44bdb33c89367f0dd11a", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Rechteausweitung: Kubernetes-CSR für Masterzertifikat erstellen
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.certificates.v1.certificatesigningrequests.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c", "category": "Privilege Escalation: Create Kubernetes CSR for master cert", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T14:38:12.501Z", "database": {}, "eventTime": "2022-10-08T14:37:46.944Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "csr_for_master_cert" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665239866", "nanos": 944045000 }, "insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101" } } ], "properties": {}, "findingId": "0562169c2e3b44879030a7369dbf839c", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Rechteausweitung: Erstellung vertraulicher Kubernetes-Bindungen
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295", "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-11T09:29:44.425Z", "database": {}, "eventTime": "2022-10-11T09:29:26.309Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "bindings": [ { "name": "cluster-admin", "role": { "kind": "CLUSTER_ROLE", "name": "cluster-admin" } } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "create_sensitive_binding" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665480566", "nanos": 309136000 }, "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321" } } ], "properties": {}, "findingId": "02dcbf565d9d4972a126ac3c38fd4295", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Rechteausweitung: Kubernetes-CSR mit manipulierten Bootstrap-Anmeldedaten abrufen
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.certificates.v1.certificatesigningrequests.list" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43", "category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-12T12:28:11.480Z", "database": {}, "eventTime": "2022-10-12T12:28:08.597Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "get_csr_with_compromised_bootstrap_credentials" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665577688", "nanos": 597107000 }, "insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993" } } ], "properties": {}, "findingId": "025e0ba774da4d678883257cd125fc43", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Rechteausweitung: Start eines privilegierten Kubernetes-Containers
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da", "category": "Privilege Escalation: Launch of privileged Kubernetes container", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T21:43:41.145Z", "database": {}, "eventTime": "2022-10-08T21:43:09.188Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "pods": [ { "ns": "default", "name": "POD_NAME", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "launch_privileged_container" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665265389", "nanos": 188357000 }, "insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c" } } ], "properties": {}, "findingId": "04206668443b45078d5b51c908ad87da", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Rechteausweitung: Anomale Identitätsübertragung des Dienstkontos für Administratoraktivitäten
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Rechteausweitung: Anomale mehrstufige Dienstkontodelegierung für Administratoraktivitäten
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_multistep_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Rechteausweitung: Anomale mehrstufige Dienstkontodelegierung für Datenzugriff
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_multistep_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Rechteausweitung: Anomale Dienstkonto-Identitätsübernahme für Administratoraktivitäten
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Rechteausweitung: Anomale Dienstkonto-Identitätsübernahme für Datenzugriff
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Systemwiederherstellung verhindern: Google Cloud Backup- und DR-Host gelöscht
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteHost", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Deleted Google Cloud Backup and DR host", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_hosts_delete_host" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ] } } }
Image: Vernichtung von Daten: Google Cloud-Sicherung und -Notfallwiederherstellung
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "expireBackup", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "policies": [ "POLICY_NAME" ], "profile": "PROFILE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Data Destruction: Google Cloud Backup and DR expire image", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_expire_image" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.", "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "policies": [ "POLICY_NAME" ], "profile": "PROFILE_NAME" } } }
Systemwiederherstellung verhindern: Plan für Google Cloud-Sicherung und -Notfallwiederherstellung entfernen
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSla", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "applications": [ "HOST_NAME" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_remove_plan" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.", "backupDisasterRecovery": { "applications": [ "HOST_NAME" ] } } }
Datenvernichtung: Alle Images in Google Cloud Backup und DR laufen ab
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "backupdr.googleapis.com", "methodName": "expireBackups", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Data Destruction: Google Cloud Backup and DR expire all images", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_expire_images_all" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups." } }
Systemwiederherstellung verhindern: Vorlage zum Löschen von Google Cloud-Sicherungen und Notfallwiederherstellungen
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSlt", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete template", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_template" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.", "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME" } } }
Systemwiederherstellung verhindern: Löschrichtlinie für Google Cloud-Sicherung und -DR
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deletePolicy", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "policies": [ "DeleteMe" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete policy", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.", "backupDisasterRecovery": { "policies": [ "POLICY_NAME" ] } } }
Systemwiederherstellung verhindern: Profil löschen in Google Cloud Backup und DR
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSlp", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "profile": "PROFILE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete profile", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_profile" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.", "backupDisasterRecovery": { "profile": "PROFILE_NAME" } } }
Vernichtung von Daten: Google Cloud-Back-up und Notfallwiederherstellung entfernen Appliance
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteCluster", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "appliance": "APPLIANCE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Data Destruction: Google Cloud Backup and DR remove appliance", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_appliances_remove_appliance" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.", "backupDisasterRecovery": { "appliance": "APPLIANCE_NAME" } } }
Systemwiederherstellung verhindern: Speicherpool wird durch Google Cloud-Sicherung und -DR gelöscht
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteDiskPool", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "storagePool": "STORAGE_POOL_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete storage pool", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_storage_pools_delete" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.", "backupDisasterRecovery": { "storagePool": "STORAGE_POOL_NAME" } } }
Auswirkungen: Reduzierte Sicherungshäufigkeit für Sicherungen und Notfallwiederherstellungen in Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "updatePolicy", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR reduced backup frequency", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "The backup schedule has been modified to reduce backup frequency.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_reduce_backup_frequency" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "The backup schedule has been modified to reduce backup frequency.", } }
Auswirkungen: Reduzierter Ablauf der Sicherung und Notfallwiederherstellung in Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "updateBackup", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR reduced backup expiration", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "The expiration date for a backup has been reduced.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_reduce_backup_expiration" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "The expiration date for a backup has been reduced." } }
Erstzugriff: Konto deaktiviert – Gehackt
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Account Disabled Hijacked", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "account_disabled_hijacked" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1624034293", "nanos": 6.78E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledHijacked", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-18T16:38:13.678Z", "createTime": "2021-06-18T16:38:16.508Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Erstzugriff: Deaktiviert – Passwortleck
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Disabled Password Leak", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "disabled_password_leak" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1626462896", "nanos": 6.81E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledPasswordLeak", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-07-16T19:14:56.681Z", "createTime": "2021-07-16T19:15:00.430Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT", "indicator": { } }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Erstzugriff: Von staatlichen Stellen unterstützter Angriff
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Government Based Attack", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "government_based_attack" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1624061458", "nanos": 7.4E7 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.govAttackWarning", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-19T00:10:58.074Z", "createTime": "2021-06-19T00:11:01.760Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Anfangszugriff: Log4j-Kompromittierungsversuch
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Initial Access: Log4j Compromise Attempt", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "log4j_compromise_attempt" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1639690492", "nanos": 9.13836E8 }, "insertId": "INSERT_ID" } }], "properties": { "loadBalancerName": "LOAD_BALANCER_NAME", "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1190/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-12-16T21:34:52.913Z", "createTime": "2021-12-16T21:34:55.022Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER", "parentDisplayName": "FOLDER_DISPLAY_NAME", "type": "google.cloud.resourcemanager.Project", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER", "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME" }], "displayName": "PROJECT_ID" } }
Erstzugriff: Verdächtige Anmeldung blockiert
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Suspicious Login Blocked", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "suspicious_login" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621637767", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLogin", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-05-21T22:56:07Z", "createTime": "2021-05-27T02:36:07.382Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Anfänglicher Zugriff: Datenbank-Superuser schreibt in Nutzertabellen
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Initial Access: Database Superuser Writes to User Tables", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloudsql_superuser_writes_to_user_tables", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": ["DEFAULT_ACCOUNTS"] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", }, "access": { "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.query" } }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "INSTANCE_NAME" } }
Anfänglicher Zugriff: Aktionen aufgrund übermäßiger verweigerter Berechtigungen
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Excessive Permission Denied Actions", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "anomalous_behavior", "subRuleName": "new_api_method" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "failedActions": [ { "methodName": "SetIamPolicy", "serviceName": "iam.googleapis.com", "attemptTimes": "7", "lastOccurredTime": "2023-03-15T17:35:18.771219Z" }, { "methodName": "iam.googleapis.com", "serviceName": "google.iam.admin.v1.CreateServiceAccountKey", "attemptTimes": "3", "lastOccurredTime": "2023-03-15T05:36:14.954701Z" } ] }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } } }
Anfänglicher Zugriff: Aktion über inaktives Dienstkonto
{ "findings": { "access": { "principalEmail": "DORMANT_SERVICE_ACCOUNT", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Dormant Service Account Action", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "dormant_sa_used_in_action", }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Anfänglicher Zugriff: Inaktiver Dienstkontoschlüssel erstellt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Dormant Service Account Key Created", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID", "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL", "type": "google.iam.ServiceAccountKey", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "key_created_on_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Anfänglicher Zugriff: Gehackter Dienstkontoschlüssel verwendet
{ "findings": { "access": { "principalEmail": "SERVICE_ACCOUNT", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" "serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Leaked Service Account Key Used", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-07-18T10:35:47.381Z", "database": {}, "eventTime": "2023-07-18T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "AFFECTED_RESOURCE", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "leaked_sa_key_used" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_RESOURCE" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } }, "description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL" }
Verteidigung beeinträchtigen: Starke Authentifizierung deaktiviert
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings", "state": "ACTIVE", "category": "Impair Defenses: Strong Authentication Disabled", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "impair_defenses", "indicator": "audit_log", "ruleName": "enforce_strong_authentication" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1623952110", "nanos": 6.51337E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.enforceStrongAuthentication", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-17T17:48:30.651Z", "createTime": "2021-06-17T17:48:33.574Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings" } }
Verteidigung beeinträchtigen: Bestätigung in zwei Schritten deaktiviert
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Impair Defenses: Two Step Verification Disabled", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "impair_defenses", "indicator": "audit_log", "ruleName": "two_step_verification_disabled" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1626391356", "nanos": 5.96E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svDisable", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-07-15T23:22:36.596Z", "createTime": "2021-07-15T23:22:40.079Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT", "indicator": { } }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Persistenz: Umschalter für SSO-Aktivierung
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings", "state": "ACTIVE", "category": "Persistence: SSO Enablement Toggle", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "account_manipulation", "indicator": "audit_log", "ruleName": "sso_enablement_toggle" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1622829313", "nanos": 3.42104E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.toggleSsoEnabled", "ssoState": "ENABLED", "domainName": "ORGANIZATION_NAME" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-04T17:55:13.342Z", "createTime": "2021-06-04T17:55:15.900Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" } }
Persistenz: GCE-Administrator hat Startskript hinzugefügt
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", "category": "Persistence: GCE Admin Added Startup Script", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "gce_admin" "subRuleName": "instance_add_startup_script" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "gceInstanceId": "GCE_INSTANCE_ID", "projectId": "PROJECT_ID", "metadataKeyOperation": "ADDED", "callerUserAgent": "USER_AGENT", }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1543/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }] } }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", } }
Persistenz: vom GCE-Administrator hinzugefügter SSH-Schlüssel
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", "category": "Persistence: GCE Admin Added SSH Key", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "gce_admin" "subRuleName": "instance_add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "gceInstanceId": "GCE_INSTANCE_ID", "projectId": "PROJECT_ID", "metadataKeyOperation": "ADDED", "callerUserAgent": "USER_AGENT", }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1543/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }] } }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", } }
Persistenz: SSO-Einstellungen geändert
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings", "state": "ACTIVE", "category": "Persistence: SSO Settings Changed", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "account_manipulation", "indicator": "audit_log", "ruleName": "sso_settings_changed" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.changeSsoSettings", "domainName": "ORGANIZATION_NAME" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-05-21T19:08:29.373Z", "createTime": "2021-05-27T11:36:24.429Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" } }
Cloud IDS
{ "finding": { "access": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Cloud IDS: THREAT_ID", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "connections": [ { "destinationIp": "IP_ADDRESS", "destinationPort": PORT, "sourceIp": "IP_ADDRESS", "sourcePort": PORT, "protocol": "PROTOCOL" } ], "createTime": "TIMESTAMP", "database": {}, "description": "This signature detects a payload in HTTP traffic which could possibly be malicious.", "eventTime": "TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_DISPLAY_NAME", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "ctd-engprod-project", "parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER", "parent_display_name": "PARENT_DISPLAY_NAME", "folders": [ { "resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resource_folder_display_name": "FOLDER_DISPLAY_NAME" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloud_ids_threat_activity" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "TIMESTAMP", "nanos": TIMESTAMP }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LOGGING_QUERY_URI" } ], "relatedFindingUri": {} }, "description": "THREAT_DESCRIPTION" } }
Seitliche Bewegung: geändertes Bootlaufwerk an die Instanz angehängt
{ "finding": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.attachDisk", }, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Lateral Movement: Modify Boot Disk Attaching to Instance", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "2024-02-01T23:55:17.589Z", "database": {}, "eventTime": "2024-02-01T23:55:17.396Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "logEntries": [ { "cloudLoggingEntry": { "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2024-02-01T23:55:15.017887Z" } } ], "mitreAttack": { "primaryTactic": "TACTIC_UNSPECIFIED" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION", "parentDisplayName": "Event Threat Detection", "resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "displayName": "INSTANCE_ID", "type": "google.compute.Instance", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_NUMBER", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_NUMBER, "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NUMBER" } ], "organization": "organizations/ORGANIZATION_NUMBER" } }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "modify_boot_disk", "subRuleName": "attach_to_instance" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID" }, { "gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_NUMBER", "resourceContainer": "PROJECT_NUMBER", "timestamp": { "seconds": "1706831715", "nanos": 17887000 }, "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity" } } ], "properties": { "diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID", "targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "workerInstances": [ "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" ], "bootDiskPayloads": [ { "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "operation": "MODIFY_BOOT_DISK_ATTACH", "principalEmail": "PRINCIPAL_EMAIL", "eventTime": "2024-02-01T23:55:06.706640Z" }, { "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "operation": "MODIFY_BOOT_DISK_DETACH", "principalEmail": "PRINCIPAL_EMAIL", "eventTime": "2024-02-01T23:55:05.608631Z" } ] }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1570/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Rechteausweitung: Zuweisung von überprivilegierten AlloyDB-Berechtigungen
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Privilege Escalation: AlloyDB Over-Privileged Grant", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "alloydb_user_granted_all_permissions", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/001/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "eventTime": "EVENT_TIMESTAMP",, "createTime": "CREATE_TIMESTAMP",, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "VALID_ACCOUNTS" ], "additionalTactics": [ "PERSISTENCE" ], "additionalTechniques": [ "ACCOUNT_MANIPULATION" ] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", "grantees": [GRANTEE], }, "access": { "serviceName": "alloydb.googleapis.com", "methodName": "alloydb.instances.query" } }, "resource": { "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "type": "google.alloydb.Instance", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "alloydb.googleapis.com", "location": "REGION", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": FOLDER_NAME } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" } }
Rechteausweitung: AlloyDB-Datenbank-Superuser schreibt in Nutzertabellen
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "alloydb_user_granted_all_permissions", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/001/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "eventTime": "EVENT_TIMESTAMP",, "createTime": "CREATE_TIMESTAMP",, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "VALID_ACCOUNTS" ], "additionalTactics": [ "PERSISTENCE" ], "additionalTechniques": [ "ACCOUNT_MANIPULATION" ] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", }, "access": { "serviceName": "alloydb.googleapis.com", "methodName": "alloydb.instances.query" } }, "resource": { "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "type": "google.alloydb.Instance", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "alloydb.googleapis.com", "location": "REGION", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": FOLDER_NAME } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" } }
Nächste Schritte
- Weitere Informationen zur Funktionsweise von Event Threat Detection
- Weitere Informationen zum Untersuchen und Entwickeln von Reaktionsplänen für Bedrohungen.