This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
Event Threat Detection examines audit logs to detect the IP filtering config has been updated on a Cloud Storage bucket.
To respond to this finding, do the following:
Step 1: Review finding details
- Open the
Defense Evasion: GCS Bucket IP Filtering Modifiedfinding, as detailed in Reviewing findings. The details panel for the finding opens to the Summary tab. - On the Summary tab, review the information in the following sections:
- What was detected, especially the following fields:
- Description: information about the detection
- Principal subject: a user or service account that has successfully executed an action
- Affected resource
- Resource display name: the bucket in which the config has been updated.
- Related links, especially the following fields:
- MITRE ATTACK method: link to the MITRE ATT&CK documentation.
- Logging URI: link to open the Logs Explorer.
- What was detected, especially the following fields:
Step 2: Research attack and response methods
Contact the owner of the service account or user account in the Principal subject field. Confirm whether the legitimate owner conducted the action.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.