Persistence: New User Agent

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

This finding isn't available for project-level activations.

An IAM service account is accessing Google Cloud using suspicious software, as indicated by an anomalous user agent.

Step 1: Review finding details

  1. Open a Persistence: New User Agent finding, as directed in Reviewing finding details earlier on this page. The details panel for the finding opens to the Summary tab.

  2. On the Summary tab, review the information in the following sections:

    • What was detected, especially the following fields:
      • Principal email: the potentially compromised service account.
    • Affected resource, especially the following fields:
      • Project full name: the project that contains the potentially compromised service account.
    • Related links, especially the following fields:
      • Cloud Logging URI: link to Logging entries.
      • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
      • Related findings: links to any related findings.
    1. In the detail view of the finding, click the JSON tab.
    2. In the JSON, note the following fields.
    • projectId: the project that contains the potentially compromised service account.
    • callerUserAgent: the anomalous user agent.
    • anomalousSoftwareClassification: the type of software.
    • notSeenInLast: the time period used to establish a baseline for normal behavior.

Step 2: Review project and account permissions

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. If necessary, select the project listed in projectId.

  3. On the page that appears, in the Filter box, enter the account name that is listed on the Principal email row in the Summary tab of the finding details and check granted roles.

  4. In the Google Cloud console, go to the Service Accounts page.

    Go to Service Accounts

  5. On the page that appears, in the Filter box, enter the account name that is listed on the Principal email row in the Summary tab of the finding details.

  6. Check the service account's keys and key creation dates.

Step 3: Check logs

  1. On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.
  2. If necessary, select your project.
  3. On the page that loads, check logs for activity from new or updated IAM resources using the following filters:
    • proto_payload.method_name="google.iam.admin.v1.CreateServiceAccount"
    • protoPayload.methodName="SetIamPolicy"
    • protoPayload.methodName="google.iam.admin.v1.UpdateRole"
    • protoPayload.methodName="google.iam.admin.v1.CreateRole"
    • protoPayload.authenticationInfo.principalEmail="principalEmail"

Step 4: Research attack and response methods

  1. Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts: Cloud Accounts.
  2. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

  • Contact the owner of the project with the compromised account.
  • Review the anomalousSoftwareClassification, callerUserAgent, and behaviorPeriod fields to verify whether the access is abnormal and if the account has been compromised.
  • Delete project resources created by unauthorized accounts, like unfamiliar Compute Engine instances, snapshots, service accounts, and IAM users.
  • To restrict the creation of new resources to specific regions, see Restricting resource locations.
  • To identify and fix overly permissive roles, use IAM Recommender.

What's next