This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
The Cloud SQL database superuser account (postgres
for PostgreSQL and root for MySQL) wrote to user
tables. The superuser (a role with very broad access) generally shouldn't be
used to write to user tables. A user account with more limited access should be used
for normal daily activity. When a superuser writes to a user table, that could
indicate that an attacker has escalated privileges or has compromised the
default database user and is modifying data. It could also indicate normal but
unsafe practices.
To respond to this finding, do the following:
Step 1: Review finding details
- Open an
Initial Access: Database Superuser Writes to User Tablesfinding, as directed in Reviewing findings. On the Summary tab of the finding details panel, review the information in the following sections:
- What was detected, especially the following fields:
- Database display name: the name of the database in the Cloud SQL PostgreSQL or MySQL instance that was affected.
- Database user name: the superuser.
- Database query: the SQL query executed while writing to user tables.
- Affected resource, especially the following fields:
- Resource full name: the resource name of the Cloud SQL instance that was affected.
- Parent full name: the resource name of the Cloud SQL instance.
- Project full name: the Google Cloud project that contains the Cloud SQL instance.
- Related links, especially the following fields:
- Cloud Logging URI: link to Logging entries.
- MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
- Related findings: links to any related findings.
- What was detected, especially the following fields:
To see the complete JSON for the finding, click the JSON tab.
Step 2: Check logs
- In the Google Cloud console, go to Logs Explorer by clicking
the link in
cloudLoggingQueryURI(from Step 1). The Logs Explorer page includes all logs related to the relevant Cloud SQL instance. - Check the logs for PostgreSQL pgaudit logs or Cloud SQL for MySQL audit
logs, which contain the queries executed by the superuser, by using the following filters:
protoPayload.request.user="SUPERUSER"
Step 3: Research attack and response methods
- Review the MITRE ATT&CK framework entry for this finding type: Exfiltration Over Web Service.
- To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.
Step 4: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
Review the users allowed to connect to the database.
- For PostgreSQL, see Create and manage users
- For MySQL, see Manage users with built-in authentication
Consider changing the password for the superuser.
- For PostgreSQL, see Set the password for the default user
- For MySQL, see Set the password for the default user
Consider creating a new, limited access user for the different types of queries used on the instance.
Grant the new user only the necessary permissions needed to execute their queries.
- For PostgreSQL, see Grant (command)
- For MySQL, see Access Control and Account Management
Update the credentials for the clients that connect to the Cloud SQL instance
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.