Persistence: New AI API Method

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

Anomalous admin activity for AI services by a potentially malicious actor was detected in an organization, folder, or project. Anomalous activity can be either of the following:

  • New activity by a principal in an organization, folder, or project
  • Activity that has not been seen in a while, performed by a principal in an organization, folder, or project

Step 1: Review finding details

  1. Open the Persistence: New AI API Method finding as directed in Reviewing findings.

  2. In the finding details, on the Summary tab, note the values of the following fields:

    • Under What was detected:
      • Principal email: the account that made the call
      • Method name: the method that was called
      • AI resources: the potentially impacted AI resources, such as the Vertex AI resources and the AI model.
    • Under Affected resource:
      • Resource display name: the name of the affected resource, which can be the same as the name of the organization, folder, or project
      • Resource path: the location in the resource hierarchy where the activity took place

Step 2: Research attack and response methods

  1. Review MITRE ATT&CK framework entries for this finding type: Persistence.
  2. Investigate whether the action was warranted in the organization, folder, or project and whether the action was taken by the legitimate owner of the account. The organization, folder, or project is displayed on the Resource path field and the account is displayed in the Principal email row.
  3. To develop a response plan, combine your investigation results with MITRE research.

What's next