Initial Access: Excessive Permission Denied Actions

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

A principal repeatedly triggered permission denied errors across multiple methods and services.

To respond to this finding, do the following:

Step 1: Review finding details

  1. Open the Initial Access: Excessive Permission Denied Actions finding, as directed in Reviewing findings.
  2. In the finding details, on the Summary tab, note the values of the following fields.

    Under What was detected:

    • Principal email: the principal that triggered multiple permission denied errors
    • Service name: the API name of the Google Cloud service in which the last permission denied error happened
    • Method name: the method called when the last permission denied error happened
  3. In the finding details, on the Source Properties tab, note the values of the following fields in the JSON:

    • properties.failedActions: the permission denied errors that occurred. For each entry, details include the service name, method name, number of failed attempts, and the time the error last occurred. A maximum of 10 entries are shown.

Step 2: Check logs

  1. In the Google Cloud console, go to Logs Explorer by clicking the link in Cloud Logging URI.
  2. On the Google Cloud console toolbar, select your project.
  3. On the page that loads, find related logs by using the following filter:

    • protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"
    • protoPayload.status.code=7

    Replace PRINCIPAL_EMAIL with the value that you noted in the Principal email field in the finding details.
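The same filter can be applied offline to audit log entries exported as newline-delimited JSON, and the matches aggregated the way properties.failedActions reports them. This is an added example, not code from the page or from Security Command Center; the log lines are constructed samples, and only the protoPayload fields named in the filter above plus serviceName, methodName and timestamp are assumed.

```python
import json
from collections import defaultdict

# Constructed sample Cloud Audit Log entries, abridged to the fields the
# Step 2 filter uses (principalEmail, status.code). Not real log data.
SAMPLE_LOG_LINES = [
    '{"protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.list","status":{"code":7}},"timestamp":"2024-05-01T10:00:01Z"}',
    '{"protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.list","status":{"code":7}},"timestamp":"2024-05-01T10:00:05Z"}',
    '{"protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"serviceName":"storage.googleapis.com","methodName":"storage.buckets.list","status":{"code":7}},"timestamp":"2024-05-01T10:00:09Z"}',
    '{"protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.ListServiceAccounts","status":{"code":7}},"timestamp":"2024-05-01T10:00:12Z"}',
    '{"protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"serviceName":"storage.googleapis.com","methodName":"storage.objects.get"},"timestamp":"2024-05-01T10:00:15Z"}',
    '{"protoPayload":{"authenticationInfo":{"principalEmail":"bob@example.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.get","status":{"code":7}},"timestamp":"2024-05-01T10:00:20Z"}',
]

PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED, as in the Step 2 filter


def matches_filter(entry, principal):
    """Same predicate as the Logs Explorer filter: principal AND status.code=7."""
    payload = entry.get("protoPayload", {})
    email = payload.get("authenticationInfo", {}).get("principalEmail")
    # A successful call carries no status.code, so treat a missing code as OK (0).
    code = payload.get("status", {}).get("code", 0)
    return email == principal and code == PERMISSION_DENIED


def failed_actions(log_lines, principal, max_entries=10):
    """Aggregate matches per (service, method), like properties.failedActions."""
    buckets = defaultdict(lambda: {"failedAttempts": 0, "lastOccurred": ""})
    for line in log_lines:
        entry = json.loads(line)
        if not matches_filter(entry, principal):
            continue
        payload = entry["protoPayload"]
        b = buckets[(payload.get("serviceName", ""), payload.get("methodName", ""))]
        b["failedAttempts"] += 1
        # RFC 3339 UTC timestamps with a Z suffix compare correctly as strings.
        b["lastOccurred"] = max(b["lastOccurred"], entry.get("timestamp", ""))
    rows = [{"serviceName": s, "methodName": m, **v} for (s, m), v in buckets.items()]
    # Most attempts first; ties broken by the most recent failure.
    rows.sort(key=lambda r: (r["failedAttempts"], r["lastOccurred"]), reverse=True)
    return rows[:max_entries]  # the finding shows at most 10 entries


def breadth(actions):
    """Distinct services and methods hit: the 'multiple methods and services' signal."""
    return len({a["serviceName"] for a in actions}), len({a["methodName"] for a in actions})


if __name__ == "__main__":
    acts = failed_actions(SAMPLE_LOG_LINES, "alice@example.com")
    print(json.dumps(acts, indent=2), "distinct services, methods:", breadth(acts))
```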

Step 3: Research attack and response methods

  1. Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts: Cloud Accounts.
  2. To develop a response plan, combine your investigation results with MITRE research.

Step 4: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

  • Contact the owner of the account in the Principal email field. Confirm whether the legitimate owner conducted the action.
  • Delete project resources created by that account, such as unfamiliar Compute Engine instances, snapshots, service accounts, and IAM users.
  • Contact the owner of the project that the account belongs to, and consider deleting or disabling the account.

What's next