Questa pagina mostra come esaminare i risultati di Event Threat Detection nella console Google Cloud e include esempi di risultati di Event Threat Detection.
Event Threat Detection è un servizio integrato per il livello Premium di Security Command Center che monitora i flussi di logging di Cloud Logging per la tua organizzazione o i tuoi progetti e rileva le minacce quasi in tempo reale. Se attivi il livello Security Command Center Premium a livello di organizzazione, Event Threat Detection può anche monitorare i flussi di logging di Google Workspace della tua organizzazione. Per saperne di più, consulta Panoramica di Event Threat Detection.
Esaminare i risultati
Per visualizzare i risultati di Event Threat Detection, il servizio deve essere abilitato nelle impostazioni dei servizi di Security Command Center. Dopo aver attivato Event Threat Detection, questo genera risultati analizzando log specifici. Alcuni dei log che Event Threat Detection può analizzare sono disattivati per impostazione predefinita, quindi potresti doverli attivare.
Per saperne di più sulle regole di rilevamento integrate utilizzate da Event Threat Detection e sui log analizzati da Event Threat Detection, consulta i seguenti argomenti:
Puoi visualizzare i risultati di Event Threat Detection in Security Command Center. Se hai configurato le esportazioni continue per scrivere i log, puoi anche visualizzare i risultati in Cloud Logging. Le esportazioni continue in Cloud Logging sono disponibili solo quando attivi il livello Security Command Center Premium a livello di organizzazione. Per generare un risultato e verificare la configurazione, puoi attivare intenzionalmente un rilevatore e testare Event Threat Detection.
L'attivazione di Event Threat Detection avviene in pochi secondi. Le latenze di rilevamento sono generalmente inferiori a 15 minuti dal momento in cui viene scritto un log a quando un risultato è disponibile in Security Command Center. Per saperne di più sulla latenza, vedi Panoramica della latenza di Security Command Center.
Esaminare i risultati in Security Command Center
I ruoli IAM per Security Command Center possono essere concessi a livello di organizzazione, cartella o progetto. La possibilità di visualizzare, modificare, creare o aggiornare risultati, asset e origini di sicurezza dipende dal livello per cui ti è stato concesso l'accesso. Per scoprire di più sui ruoli di Security Command Center, consulta Controllo dell'accesso.
Utilizza la seguente procedura per esaminare i risultati nella console Google Cloud :
Nella console Google Cloud , vai alla pagina Risultati di Security Command Center.
Se necessario, seleziona il tuo progetto Google Cloud o la tua organizzazione.
Nella sezione Filtri rapidi, nella sottosezione Nome visualizzato origine, seleziona una o entrambe le seguenti opzioni:
- Event Threat Detection: per filtrare i risultati generati dai detector Event Threat Detection integrati
- Moduli personalizzati per Event Threat Detection: per filtrare i risultati generati dai moduli personalizzati per Event Threat Detection
La tabella viene compilata con i risultati di Event Threat Detection.
Per visualizzare i dettagli di un problema specifico, fai clic sul nome del problema in
Category. Il riquadro dei dettagli del risultato si espande per mostrare informazioni tra cui:- Quando si è verificato l'evento
- L'origine dei dati dei risultati
- La gravità del rilevamento, ad esempio Alta
- Le azioni intraprese, ad esempio l'aggiunta di un ruolo Identity and Access Management (IAM) a un utente Gmail
- L'utente che ha eseguito l'azione, elencato accanto a Email entità
Per visualizzare tutti i risultati causati dalle azioni dello stesso utente:
- Nel riquadro dei dettagli del risultato, copia l'indirizzo email accanto a Email principale.
- Chiudi il riquadro.
Nell'editor di query, inserisci la seguente query:
access.principal_email="USER_EMAIL"Sostituisci USER_EMAIL con l'indirizzo email che hai copiato in precedenza.
Security Command Center mostra tutti i risultati associati alle azioni intraprese dall'utente che hai specificato.
Visualizzazione dei risultati in Cloud Logging
Se configuri Esportazioni continue per scrivere i log, puoi visualizzare i risultati di Event Threat Detection in Cloud Logging. Questa funzionalità è disponibile solo se attivi il livello Premium di Security Command Center a livello di organizzazione.
Per visualizzare i risultati di Event Threat Detection in Cloud Logging:
Vai a Esplora log nella console Google Cloud .
Seleziona il Google Cloud progetto o un'altra Google Cloud risorsa in cui archiviare i log di Event Threat Detection.
Utilizza il riquadro Query per creare la query in uno dei seguenti modi:
- Nell'elenco Tutte le risorse, segui questi passaggi:
- Seleziona Threat Detector per visualizzare un elenco di tutti i rilevatori.
- Per visualizzare i risultati di tutti i rilevatori, seleziona all detector_name. Per visualizzare i risultati di un rilevatore specifico, seleziona il relativo nome.
- Fai clic su Applica. La tabella Risultati delle query viene aggiornata con i log che hai selezionato.
Inserisci la seguente query nell'editor di query e fai clic su Esegui query:
resource.type="threat_detector"
La tabella Risultati delle query viene aggiornata con i log che hai selezionato.
- Nell'elenco Tutte le risorse, segui questi passaggi:
Per visualizzare un log, seleziona una riga della tabella e poi fai clic su Espandi campi nidificati.
Puoi creare query avanzate sui log per specificare un insieme di voci di log da un numero qualsiasi di log.
Esempi di formati di risultati
Questa sezione include i formati di output JSON per i risultati di Event Threat Detection così come appaiono quando crei esportazioni dalla console Google Cloud o esegui metodi di elenco nell'API Security Command Center.
Gli esempi di output contengono i campi più comuni a tutti i risultati. Tuttavia, non tutti i campi potrebbero essere visualizzati in ogni risultato. L'output effettivo visualizzato dipende dalla configurazione di una risorsa e dal tipo e dallo stato dei risultati.
Per visualizzare i risultati di esempio, espandi uno o più dei seguenti nodi.
Scansione attiva: Log4j vulnerabile all'esecuzione di codice remoto
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "state": "ACTIVE", "category": "Active Scan: Log4j Vulnerable to RCE", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "log4j_scan_success" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1639701222", "nanos": 7.22988344E8 }, "insertId": "INSERT_ID" } }], "properties": { "scannerDomain": "SCANNER_DOMAIN", "sourceIp": "SOURCE_IP_ADDRESS", "vpcName": "default" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1210/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-12-17T00:33:42.722Z", "createTime": "2021-12-17T00:33:44.633Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.compute.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME" }], "displayName": "INSTANCE_ID" } }
Forza bruta: SSH
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Brute Force: SSH", "sourceProperties": { "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "65" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "projectId": "PROJECT_ID", "zone": "us-west1-a", "instanceId": "INSTANCE_ID", "attempts": [ { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "SUCCESS" }, { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL" }, { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL" } ] }, "detectionPriority": "HIGH", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/003/" } }, "detectionCategory": { "technique": "brute_force", "indicator": "flow_log", "ruleName": "ssh_brute_force" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ] }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Rialzo dei privilegi: membro esterno aggiunto al gruppo con privilegi
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME", "state": "ACTIVE", "category": "Privilege Escalation: External Member Added To Privileged Group", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "external_member_added_to_privileged_group" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1633622881", "nanos": 6.73869E8 }, "insertId": "INSERT_ID" } }], "properties": { "externalMemberAddedToPrivilegedGroup": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "externalMember": "user:EXTERNAL_EMAIL", "sensitiveRoles": [{ "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "roleName": ["ROLES"] }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": " https://attack.mitre.org/techniques/T1078" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:08:03.888Z", "createTime": "2021-10-07T16:08:04.516Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" } }
Escalation dei privilegi: gruppo con privilegi aperto al pubblico
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings", "state": "ACTIVE", "category": "Privilege Escalation: Privileged Group Opened To Public", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "privileged_group_opened_to_public" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1634774534", "nanos": 7.12E8 }, "insertId": "INSERT_ID" } }], "properties": { "privilegedGroupOpenedToPublic": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "sensitiveRoles": [{ "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "roleName": ["ROLES"] }], "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": " https://attack.mitre.org/techniques/T1078" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-21T00:02:19.173Z", "createTime": "2021-10-21T00:02:20.099Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings" } }
Escalation dei privilegi: ruolo sensibile concesso al gruppo ibrido
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", }, "assetDisplayName": "PROJECT_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Sensitive Role Granted To Hybrid Group", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-12-22T00:31:58.242Z", "database": {}, "eventTime": "2022-12-22T00:31:58.151Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "roles/iam.securityAdmin", "member": "group:GROUP_NAME@ORGANIZATION_NAME", } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_ID", "type": "google.cloud.resourcemanager.Project", "folders": [ { "resourceFolderDisplayName": "FOLDER_ID", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "sensitive_role_to_group_with_external_member" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1671669114", "nanos": 715318000 }, "insertId": "INSERT_ID" } } ], "properties": { "sensitiveRoleToHybridGroup": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "bindingDeltas": [ { "action": "ADD", "role": "roles/iam.securityAdmin", "member": "group:GROUP_NAME@ORGANIZATION_NAME", } ], "resourceName": "projects/PROJECT_ID" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } } }
Evasione della difesa: deployment di emergenza del workload creato
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Breakglass Workload Deployment Created", "cloudDlpInspection": {}, "containers": [ { "name": "test-container", "uri": "test-image" } ], "createTime": "2023-03-24T17:38:45.756Z", "database": {}, "eventTime": "2023-03-24T17:38:45.709Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd, "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "ns": "NAMESPACE", "name": "POD_NAME", "labels": [ { "name": "image-policy.k8s.io/break-glass", "value": "true" } ], "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "ABUSE_ELEVATION_CONTROL_MECHANISM" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "display_name": "default", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "parent_display_name": "CLUSTER_NAME", "type": "k8s.io.Namespace", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1548/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "binary_authorization_breakglass_workload", "subRuleName": "create" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1679679521", "nanos": 141571000 }, "insertId": "INSERT_ID" } } ] } }
Evasione della difesa: deployment di emergenza del workload aggiornato
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.update" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Breakglass Workload Deployment Updated", "cloudDlpInspection": {}, "containers": [ { "name": "test-container", "uri": "test-image" } ], "createTime": "2023-03-24T17:38:45.756Z", "database": {}, "eventTime": "2023-03-24T17:38:45.709Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd, "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "ns": "NAMESPACE", "name": "POD_NAME", "labels": [ { "name": "image-policy.k8s.io/break-glass", "value": "true" } ], "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "ABUSE_ELEVATION_CONTROL_MECHANISM" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "display_name": "default", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "parent_display_name": "CLUSTER_NAME", "type": "k8s.io.Namespace", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1548/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "binary_authorization_breakglass_workload", "subRuleName": "update" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1679679521", "nanos": 141571000 }, "insertId": "INSERT_ID" } } ] } }
Defense Evasion: Modify VPC Service Control
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER", "state": "ACTIVE", "category": "Defense Evasion: Modify VPC Service Control", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "modify_auth_process", "indicator": "audit_log", "ruleName": "vpcsc_changes", "subRuleName": "reduce_perimeter_protection" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1633625631", "nanos": 1.78978E8 }, "insertId": "INSERT_ID" } }], "properties": { "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER", "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS", "delta": { "restrictedResources": [{ "resourceName": "PROJECT_NAME", "action": "REMOVE" }], "restrictedServices": [{ "serviceName": "SERVICE_NAME", "action": "REMOVE" }], "allowedServices": [{ "serviceName": "SERVICE_NAME", "action": "ADD" }], "accessLevels": [{ "policyName": "ACCESS_LEVEL_POLICY", "action": "ADD" }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": ""https://attack.mitre.org/techniques/T1556/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:53:53.875Z", "createTime": "2021-10-07T16:53:54.411Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": {}, "serviceName": "accesscontextmanager.googleapis.com", "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter" } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "type": "google.cloud.resourcemanager.Organization", "displayName": "RESOURCE_DISPLAY_NAME" } }
Scoperta: può ottenere il controllo di oggetti Kubernetes sensibili
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f", "category": "Discovery: Can get sensitive Kubernetes object check", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T01:39:42.957Z", "database": {}, "eventTime": "2022-10-08T01:39:40.632Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "accessReviews": [ { "name": "secrets-1665218000", "resource": "secrets", "verb": "get" } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "can_get_sensitive_object" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665193180", "nanos": 632000000 }, "insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf" } } ], "properties": {}, "findingId": "03f466dc25a8496693b7482304fb2e7f", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0007/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Discovery: auto-indagine sul service account
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Discovery: Service Account Self-Investigation", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "discovery", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "service_account_gets_own_iam_policy" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1619200104", "nanos": 9.08E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceAccountGetsOwnIamPolicy": { "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com", "projectId": "PROJECT_ID", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "rawUserAgent": "RAW_USER_AGENT" } }, "contextUris": { "mitreUri": { "displayName": "Permission Groups Discovery: Cloud Groups", "url": "https://attack.mitre.org/techniques/T1069/003/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-23T17:48:24.908Z", "createTime": "2021-04-23T17:48:26.922Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "ORGANIZATION_NAME", "type": "google.cloud.resourcemanager.Project" } }
Evasione: accesso da proxy con anonimizzazione
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Evasion: Access from Anonymizing Proxy", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "proxy_access" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1633625631", "nanos": 1.78978E8 }, "insertId": "INSERT_ID" } }], "properties": { "changeFromBadIp": { "principalEmail": "PRINCIPAL_EMAIL", "ip": "SOURCE_IP_ADDRESS" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1090/003/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:53:53.875Z", "createTime": "2021-10-07T16:53:54.411Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Esfiltrazione: esfiltrazione dei dati di BigQuery
Questo risultato può includere una delle due possibili regole secondarie:
exfil_to_external_table, con una gravità diHIGH.vpc_perimeter_violation, con una gravità diLOW.
L'esempio seguente mostra il codice JSON per la sotto regola exfil_to_external_table.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Exfiltration: BigQuery Data Exfiltration", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "2023-05-30T15:49:59.709Z", "database": {}, "eventTime": "2023-05-30T15:49:59.432Z", "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID" } ] }, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "parent_display_name": "FOLDER_NAME", "type": "google.cloud.resourcemanager.Project", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "resourceFolderDisplayName": "FOLDER_NAME" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1685461795", "nanos": 341527000 }, "insertId": "INSERT_ID" } } ], "properties": { "dataExfiltrationAttempt": { "jobState": "SUCCEEDED", "jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults", "job": { "projectId": "PROJECT_ID", "jobId": "BIGQUERY_JOB_ID", "location": "BIGQUERY_JOB_LOCATION" }, "query": "QUERY", "sourceTables": [ { "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID" } ], "destinationTables": [ { "resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table", "projectId": "TARGET_PROJECT_ID", "datasetId": "TARGET_DATASET_ID", "tableId": "TARGET_TABLE_ID" } ], "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com" }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Esfiltrazione: estrazione dei dati di BigQuery
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Extraction", "sourceProperties": { "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "detectionCategory": { "technique": "storage_bucket_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_cloud_storage" }, "detectionPriority": "LOW", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related BigQuery Exfiltration Extraction findings", "url": "RELATED_FINDINGS_LINK" } }, "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "extractionAttempt": { "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults", "job": { "projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US" }, "sourceTable": { "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID", "resourceUri": "FULL_URI" }, "destinations": [ { "originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME", "collectionType": "GCS_BUCKET", "collectionName": "TARGET_GCS_BUCKET_NAME", "objectName": "TARGET_FILE_NAME" } ] }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-03-31T21:22:11.359Z", "createTime": "2022-03-31T21:22:12.689Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "TARGET_GCS_URI" } ] } }, "resource": { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID", "parentDisplayName": "PROJECT_ID:DATASET_ID", "type": "google.cloud.bigquery.Table", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID" } }
Esfiltrazione: dati BigQuery su Google Drive
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data to Google Drive", "sourceProperties": { "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "detectionCategory": { "technique": "google_drive_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_google_drive" }, "detectionPriority": "LOW", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related BigQuery Exfiltration to Google Drive findings", "url": "RELATED_FINDINGS_LINK" } }, "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "extractionAttempt": { "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults", "job": { "projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US" }, "sourceTable": { "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID", "resourceUri": "FULL_URI" }, "destinations": [ { "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME", "collectionType": "GDRIVE", "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER", "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME" } ] }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-03-31T21:20:18.408Z", "createTime": "2022-03-31T21:20:18.715Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "TARGET_GOOGLE_DRIVE_URI" } ] } }, "resource": { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID", "parentDisplayName": "PROJECT_ID:DATASET_ID", "type": "google.cloud.bigquery.Table", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID" } }
Esfiltrazione: esfiltrazione dei dati di Cloud SQL
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Data Exfiltration", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "storage_bucket_exfiltration", "indicator": "audit_log", "ruleName": "cloudsql_exfil", "subRuleName": "export_to_public_gcs" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "exportToGcs": { "principalEmail": "PRINCIPAL_EMAIL", "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME", "bucketAccess": "PUBLICLY_ACCESSIBLE", "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME", "exportScope": "WHOLE_INSTANCE" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-11T16:32:59.828Z", "createTime": "2021-10-11T16:33:00.229Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.export" }, "exfiltration": { "sources": [ { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "components": [] } ], "targets": [ { "name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME", "components": [ "TARGET_FILE_NAME" ] } ] }, }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "INSTANCE_NAME" } }
Esfiltrazione: ripristino del backup di Cloud SQL in un'organizzazione esterna
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Restore Backup to External Organization", "sourceProperties": { "sourceId": { "projectNumber": "SOURCE_PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "backup_exfiltration", "indicator": "audit_log", "ruleName": "cloudsql_exfil", "subRuleName": "restore_to_external_instance" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" }, ], "evidence": [{ "sourceLogId": { "projectId": "SOURCE_PROJECT_ID", "resourceContainer": "projects/SOURCE_PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "restoreToExternalInstance": { "principalEmail": "PRINCIPAL_EMAIL", "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME", "backupId": "BACKUP_ID", "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.restoreBackup" }, "exfiltration": { "sources": [ { "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" } ], "targets": [ { "name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" } ] } }, "resource": { "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER", "projectDisplayName": "SOURCE_PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME", "parentDisplayName": "SOURCE_INSTANCE_NAME", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "mysql-backup-restore-instance" } }
Esfiltrazione: concessione di privilegi eccessivi di Cloud SQL
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Over-Privileged Grant", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloudsql_exfil", "subRuleName": "user_granted_all_permissions" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", "grantees": [GRANTEE], }, "access": { "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.query" } }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "INSTANCE_NAME" } }
Malware: dominio non valido
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Bad Domain", "sourceProperties": { "sourceId": { "customerOrganizationNumber": "ORGANIZATION_ID", "projectNumber": "PROJECT_NUMBER" }, "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1568/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal Domain Link", "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection" } ] }, "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "0" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "domains": [ "DOMAIN" ], "network": { "location": "REGION", "project": "PROJECT_ID" }, "dnsContexts": [ { "authAnswer": true, "sourceIp": "IP_ADDRESS", "queryName": "DOMAIN", "queryType": "AAAA", "responseCode": "NOERROR", "responseData": [ { "domainName": "DOMAIN.", "ttl": 299, "responseClass": "IN", "responseType": "AAAA", "responseValue": "IP_ADDRESS" } ] } ] }, "detectionPriority": "HIGH", "detectionCategory": { "technique": "C2", "indicator": "domain", "subRuleName": "google_intel", "ruleName": "bad_domain" } }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Malware: IP non valido
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Bad IP", "sourceProperties": { "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "0" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "ips": [ "SOURCE_IP_ADDRESS", "DESTINATION_IP_ADDRESS" ], "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "srcPort": SOURCE_PORT, "destIp": "DESTINATION_IP_ADDRESS", "destPort": DESTINATION_PORT, "protocol": 6 }, "network": { "project": "PROJECT_ID", "location": "ZONE", "subnetworkId": "SUBNETWORK_ID", "subnetworkName": "default" }, "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0011/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection" }, { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection" } ] }, "detectionCategory": { "technique": "C2", "indicator": "ip", "ruleName": "bad_ip", "subRuleName": "google_intel" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ] }, "severity": "LOW", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Malware: dominio non valido per il cryptomining
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Cryptomining Bad Domain", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "cryptomining", "indicator": "domain", "ruleName": "bad_domain", "subRuleName": "cryptomining" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1636566099", "nanos": 5.41483849E8 }, "insertId": "INSERT_ID" } }], "properties": { "domains": ["DOMAIN"], "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "network": { "project": "PROJECT_ID", "location": "ZONE" }, "dnsContexts": [{ "authAnswer": true, "sourceIp": "SOURCE_IP_ADDRESS", "queryName": "DOMAIN", "queryType": "A", "responseCode": "NXDOMAIN" }], "vpc": { "vpcName": "default" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "virustotalIndicatorQueryUri": [{ "displayName": "VirusTotal Domain Link", "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection" }], "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-11-10T17:41:41.594Z", "createTime": "2021-11-10T17:41:42.014Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "indicator": { "domains": ["DOMAIN"] } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Malware: IP non valido per il cryptomining
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Cryptomining Bad IP", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "cryptomining", "indicator": "ip", "ruleName": "bad_ip", "subRuleName": "cryptomining" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1636566005", "nanos": 9.74622832E8 }, "insertId": "INSERT_ID" } }], "properties": { "ips": ["DESTINATION_IP_ADDRESS"], "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "network": { "project": "PROJECT_ID", "location": "ZONE", "subnetworkId": "SUBNETWORK_ID", "subnetworkName": "default" }, "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "destIp": "DESTINATION_IP_ADDRESS", "protocol": 1.0 }, "indicatorContext": [{ "ipAddress": "DESTINATION_IP_ADDRESS", "countryCode": "FR", "reverseDnsDomain": "REVERSE_DNS_DOMAIN", "carrierName": "CARRIER_NAME", "organizationName": "ORGANIZATION_NAME", "asn": "AUTONOMOUS_SYSTEM_NUMBERS" }], "srcVpc": { }, "destVpc": { "projectId": "PROJECT_ID", "vpcName": "default", "subnetworkName": "default" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "virustotalIndicatorQueryUri": [{ "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection" }], "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-11-10T17:40:38.048Z", "createTime": "2021-11-10T17:40:38.472Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "indicator": { "ipAddresses": ["DESTINATION_IP_ADDRESS"] } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Malware: DoS in uscita
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Malware: Outgoing DoS", "sourceProperties": { "evidence": [ { "sourceLogId": { "timestamp": { "nanos": 0.0, "seconds": "0" }, "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "srcPort": SOURCE_PORT, "destIp": "DESTINATION_IP_ADDRESS", "destPort": DESTINATION_PORT, "protocol": 17 } }, "detectionPriority": "HIGH", "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1498/" } }, "detectionCategory": { "technique": "malware", "indicator": "flow_log", "ruleName": "outgoing_dos" } }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Persistenza: concessione IAM anomala
Il risultato IAM Anomalous Grant è unico in quanto include
sotto-regole che forniscono informazioni più specifiche su ogni istanza
di questo risultato. La classificazione della gravità di questo risultato dipende
dalla regola secondaria e ogni regola secondaria potrebbe richiedere una risposta diversa.
Il seguente elenco mostra tutte le possibili regole secondarie e le relative gravità:
external_service_account_added_to_policy:HIGHHIGH, se è stato concesso un ruolo con sensibilità elevata o se è stato concesso un ruolo con sensibilità media a livello di organizzazione. Per maggiori informazioni, vedi Ruoli altamente sensibili.MEDIUM, se è stato concesso un ruolo con sensibilità media. Per maggiori informazioni, vedi Ruoli con sensibilità media.external_member_invited_to_policy:HIGHexternal_member_added_to_policy:HIGH, se è stato concesso un ruolo con sensibilità elevata o se è stato concesso un ruolo con sensibilità media a livello di organizzazione. Per maggiori informazioni, vedi Ruoli altamente sensibili.MEDIUM, se è stato concesso un ruolo con sensibilità media. Per maggiori informazioni, vedi Ruoli con sensibilità media.
custom_role_given_sensitive_permissions:MEDIUMservice_account_granted_sensitive_role_to_member:HIGHpolicy_modified_by_default_compute_service_account:HIGH
I campi JSON inclusi in un risultato possono variare da una categoria all'altra. Ad esempio, il seguente JSON include i campi per un account di sicurezza. Se una categoria di risultati non riguarda un account di servizio, questi campi non sono inclusi nel file JSON.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: IAM Anomalous Grant", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "IAM_ROLE", "member": "serviceAccount:ACCOUNT_NAME" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "RESOURCE_FULL_NAME", "severity": "SEVERITY_CLASSIFICATION", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_FULL_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//RESOURCE/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "RESOURCE_PARENT_NAME", "parent_display_name": "PARENT_DISPLAY_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_grant", "subRuleName": "TYPE_OF_ANOMALOUS_GRANT" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": { "sensitiveRoleGrant": { "principalEmail": "PRINCIPAL_EMAIL", "bindingDeltas": [ { "action": "ADD", "role": "roles/GRANTED_ROLE", "member": "serviceAccount:SERVICE_ACCOUNT_NAME", } ], "members": [ "serviceAccount:SERVICE_ACCOUNT_NAME" ] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": { "displayName": "Related Anomalous Grant Findings", "url": "LINK_TO_RELATED_FINDING" } } } }
Privilegio Escalation: ruolo per furto d'identità concesso per service account inattivo
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.SetIAMPolicy" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Impersonation Role Granted for Dormant Service Account", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "roles/iam.serviceAccountTokenCreator", "member": "IAM_Account_Who_Received_Impersonation_Role" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.iam.ServiceAccount", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "impersonation_role_granted_over_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ] } } }
Persistenza: nuovo metodo API
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: New API Method", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "anomalous_behavior", "subRuleName": "new_api_method" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "newApiMethod": { "newApiMethod": { "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "resourceContainer": "projects/PROJECT_NUMBER" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Persistenza: nuova regione
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h", "state": "ACTIVE", "category": "Persistence: New Geography", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "ip_geolocation" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "RESOURCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1617994703", "nanos": 5.08853E8 }, "insertId": "INSERT_ID" } }], "properties": { "anomalousLocation": { "anomalousLocation": "BE", "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "notSeenInLast": "2592000s", "typicalGeolocations": [{ "country": { "identifier": "US" } }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T18:59:43.860Z", "createTime": "2021-04-09T18:59:44.440Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "RESOURCE_NAME" } }
Persistenza: nuovo user agent
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9", "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID", "state": "ACTIVE", "category": "Persistence: New User Agent", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "user_agent" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1614736482", "nanos": 9.76209552E8 }, "insertId": "INSERT_ID" } }], "properties": { "anomalousSoftware": { "anomalousSoftwareClassification": ["USER_AGENT"], "behaviorPeriod": "2592000s", "callerUserAgent": "USER_AGENT", "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com" } }, "findingId": "FINDING_ID", "contextUris": { "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-03-03T01:54:47.681Z", "createTime": "2021-03-03T01:54:49.154Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//monitoring.googleapis.com/projects/PROJECT_ID" } }
Privilege Escalation: Dormant Service Account Granted Sensitive Role
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "SENSITIVE_IAM_ROLE", "member": "serviceAccount:DORMANT_SERVICE_ACCOUNT" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "RESOURCE_FULL_NAME", "severity": "SEVERITY_CLASSIFICATION", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_FULL_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//RESOURCE/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "RESOURCE_PARENT_NAME", "parent_display_name": "PARENT_DISPLAY_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_role_added_to_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ] } } }
Escalation dei privilegi: modifiche agli oggetti RBAC Kubernetes sensibili
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a", "category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-07T07:42:36.536Z", "database": {}, "eventTime": "2022-10-07T07:42:06.044Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "bindings": [ { "name": "cluster-admin", "role": { "kind": "CLUSTER_ROLE", "name": "cluster-admin" }, "subjects": [ { "kind": "USER", "name": "testUser-1665153212" } ] } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "edit_sensitive_rbac_object" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665128526", "nanos": 44146000 }, "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a" } } ], "properties": {}, "findingId": "05b52fe8267d44bdb33c89367f0dd11a", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalation dei privilegi: crea una richiesta CSR Kubernetes per il certificato principale
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.certificates.v1.certificatesigningrequests.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c", "category": "Privilege Escalation: Create Kubernetes CSR for master cert", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T14:38:12.501Z", "database": {}, "eventTime": "2022-10-08T14:37:46.944Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "csr_for_master_cert" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665239866", "nanos": 944045000 }, "insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101" } } ], "properties": {}, "findingId": "0562169c2e3b44879030a7369dbf839c", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalation dei privilegi: creazione di associazioni Kubernetes sensibili
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295", "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-11T09:29:44.425Z", "database": {}, "eventTime": "2022-10-11T09:29:26.309Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "bindings": [ { "name": "cluster-admin", "role": { "kind": "CLUSTER_ROLE", "name": "cluster-admin" } } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "create_sensitive_binding" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665480566", "nanos": 309136000 }, "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321" } } ], "properties": {}, "findingId": "02dcbf565d9d4972a126ac3c38fd4295", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalation dei privilegi: recupera informazioni su CSR Kubernetes con credenziali bootstrap compromesse
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.certificates.v1.certificatesigningrequests.list" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43", "category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-12T12:28:11.480Z", "database": {}, "eventTime": "2022-10-12T12:28:08.597Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "get_csr_with_compromised_bootstrap_credentials" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665577688", "nanos": 597107000 }, "insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993" } } ], "properties": {}, "findingId": "025e0ba774da4d678883257cd125fc43", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalation dei privilegi: avvia un container Kubernetes con privilegi
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da", "category": "Privilege Escalation: Launch of privileged Kubernetes container", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T21:43:41.145Z", "database": {}, "eventTime": "2022-10-08T21:43:09.188Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "pods": [ { "ns": "default", "name": "POD_NAME", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "launch_privileged_container" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665265389", "nanos": 188357000 }, "insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c" } } ], "properties": {}, "findingId": "04206668443b45078d5b51c908ad87da", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Escalation dei privilegi: delega anomala del service account con più passaggi per l'attività di amministrazione
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_multistep_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_multistep_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Privilegio Escalation: Anomalous Service Account Impersonator for Admin Activity
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Privilege Escalation: Anomalous Service Account Impersonator for Data Access
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Impatto: host di backup e RE di Google Cloud eliminato
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteHost", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Deleted Google Cloud Backup and DR host", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_hosts_delete_host" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ] } } }
Impatto: Google Cloud Backup e RE - Scadenza immagine
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "expireBackup", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "policies": [ "POLICY_NAME" ], "profile": "PROFILE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR expire image", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_expire_image" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.", "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "policies": [ "POLICY_NAME" ], "profile": "PROFILE_NAME" } } }
Inhibit System Recovery: Google Cloud Backup and RE remove plan
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSla", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "applications": [ "HOST_NAME" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_remove_plan" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.", "backupDisasterRecovery": { "applications": [ "HOST_NAME" ] } } }
Impatto: backup e RE di Google Cloud scadono tutte le immagini
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "backupdr.googleapis.com", "methodName": "expireBackups", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR expire all images", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_expire_images_all" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups." } }
Impatto: modello di eliminazione di backup e RE di Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSlt", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR delete template", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_template" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.", "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME" } } }
Impatto: policy di eliminazione di backup e RE di Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deletePolicy", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "policies": [ "DeleteMe" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR delete policy", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.", "backupDisasterRecovery": { "policies": [ "POLICY_NAME" ] } } }
Impatto: eliminazione del profilo di backup e RE di Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSlp", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "profile": "PROFILE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR delete profile", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_profile" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.", "backupDisasterRecovery": { "profile": "PROFILE_NAME" } } }
Impatto: rimozione dell'appliance di backup e RE di Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteCluster", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "appliance": "APPLIANCE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR remove appliance", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_appliances_remove_appliance" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.", "backupDisasterRecovery": { "appliance": "APPLIANCE_NAME" } } }
Impatto: eliminazione del pool di archiviazione di Google Cloud Backup e RE
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteDiskPool", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "storagePool": "STORAGE_POOL_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR delete storage pool", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_storage_pools_delete" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.", "backupDisasterRecovery": { "storagePool": "STORAGE_POOL_NAME" } } }
Impatto: backup e RE di Google Cloud hanno ridotto la frequenza dei backup
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "updatePolicy", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR reduced backup frequency", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "The backup schedule has been modified to reduce backup frequency.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_reduce_backup_frequency" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "The backup schedule has been modified to reduce backup frequency.", } }
Impatto: il servizio di backup e RE di Google Cloud ha ridotto la scadenza del backup
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "updateBackup", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR reduced backup expiration", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "The expiration date for a backup has been reduced.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_reduce_backup_expiration" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "The expiration date for a backup has been reduced." } }
Impatto: eliminazione del vault di backup e DR di Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackupVault", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Deleted Google Cloud Backup and DR Vault", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A Backup Vault has been deleted from the Google Cloud Backup and DR Service. The affected Backup Vault was hosted in VAULT_LOCATION", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_delete_vault" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/locations/REGION/backupVaults/VAULT_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "The expiration date for a backup has been reduced. The affected Backup Vault was hosted in REGION" } }
Impatto: backup di Google Cloud Backup e DR eliminato
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackup", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Deleted Google Cloud Backup and DR Backup", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup stored in a backup vault has been manually deleted. The backup was stored in REGION", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_delete_vault_backup" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/locations/REGION/backupVaults/VAULT_ID/dataSources/DATA_SOURCE_NAME/backups/BACKUP_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup stored in a backup vault has been manually deleted. The backup was stored in REGION" } }
Impatto: associazione del piano di backup e RE di Google Cloud eliminata
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackupPlanAssociation", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Deleted Google Cloud Backup and DR plan association", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup plan has been removed from a workload. Backups are no longer scheduled on the workload. The resource(s) affected are in REGION", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_delete_backup_plan_association }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/backupPlanAssociations/BACKUP_PLAN_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup plan has been removed from a workload. Backups are no longer scheduled on the workload. The resource(s) affected are in REGION" } }
Accesso iniziale: account compromesso disattivato
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Account Disabled Hijacked", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "account_disabled_hijacked" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1624034293", "nanos": 6.78E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledHijacked", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-18T16:38:13.678Z", "createTime": "2021-06-18T16:38:16.508Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Accesso iniziale: perdita di password disattivata
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Disabled Password Leak", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "disabled_password_leak" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1626462896", "nanos": 6.81E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledPasswordLeak", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-07-16T19:14:56.681Z", "createTime": "2021-07-16T19:15:00.430Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT", "indicator": { } }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Accesso iniziale: attacco supportato da enti governativi
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Government Based Attack", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "government_based_attack" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1624061458", "nanos": 7.4E7 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.govAttackWarning", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-19T00:10:58.074Z", "createTime": "2021-06-19T00:11:01.760Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Accesso iniziale: tentativo di compromissione di Log4j
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Initial Access: Log4j Compromise Attempt", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "log4j_compromise_attempt" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1639690492", "nanos": 9.13836E8 }, "insertId": "INSERT_ID" } }], "properties": { "loadBalancerName": "LOAD_BALANCER_NAME", "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1190/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-12-16T21:34:52.913Z", "createTime": "2021-12-16T21:34:55.022Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER", "parentDisplayName": "FOLDER_DISPLAY_NAME", "type": "google.cloud.resourcemanager.Project", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER", "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME" }], "displayName": "PROJECT_ID" } }
Accesso iniziale: accesso sospetto bloccato
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Suspicious Login Blocked", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "suspicious_login" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621637767", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLogin", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-05-21T22:56:07Z", "createTime": "2021-05-27T02:36:07.382Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Accesso iniziale: il super user del database scrive nelle tabelle utente
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Initial Access: Database Superuser Writes to User Tables", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloudsql_superuser_writes_to_user_tables", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": ["DEFAULT_ACCOUNTS"] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", }, "access": { "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.query" } }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "INSTANCE_NAME" } }
Accesso iniziale: azioni negate per autorizzazioni eccessive
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Excessive Permission Denied Actions", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "anomalous_behavior", "subRuleName": "new_api_method" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "failedActions": [ { "methodName": "SetIamPolicy", "serviceName": "iam.googleapis.com", "attemptTimes": "7", "lastOccurredTime": "2023-03-15T17:35:18.771219Z" }, { "methodName": "iam.googleapis.com", "serviceName": "google.iam.admin.v1.CreateServiceAccountKey", "attemptTimes": "3", "lastOccurredTime": "2023-03-15T05:36:14.954701Z" } ] }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } } }
Accesso iniziale: azione service account inattivo
{ "findings": { "access": { "principalEmail": "DORMANT_SERVICE_ACCOUNT", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Dormant Service Account Action", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "dormant_sa_used_in_action", }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Accesso iniziale: chiave del service account inattivo creata
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Dormant Service Account Key Created", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID", "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL", "type": "google.iam.ServiceAccountKey", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "key_created_on_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Accesso iniziale: chiave service account divulgata utilizzata
{ "findings": { "access": { "principalEmail": "SERVICE_ACCOUNT", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" "serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Leaked Service Account Key Used", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-07-18T10:35:47.381Z", "database": {}, "eventTime": "2023-07-18T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "AFFECTED_RESOURCE", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "leaked_sa_key_used" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_RESOURCE" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } }, "description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL" }
Persistenza: autenticazione avanzata disattivata
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings", "state": "ACTIVE", "category": "Persistence: Strong Authentication Disabled", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "impair_defenses", "indicator": "audit_log", "ruleName": "enforce_strong_authentication" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1623952110", "nanos": 6.51337E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.enforceStrongAuthentication", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-17T17:48:30.651Z", "createTime": "2021-06-17T17:48:33.574Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings" } }
Compromissione delle difese: verifica in due passaggi disattivata
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Impair Defenses: Two Step Verification Disabled", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "impair_defenses", "indicator": "audit_log", "ruleName": "two_step_verification_disabled" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1626391356", "nanos": 5.96E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svDisable", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-07-15T23:22:36.596Z", "createTime": "2021-07-15T23:22:40.079Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT", "indicator": { } }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Persistenza: attivazione/disattivazione SSO
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings", "state": "ACTIVE", "category": "Persistence: SSO Enablement Toggle", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "account_manipulation", "indicator": "audit_log", "ruleName": "sso_enablement_toggle" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1622829313", "nanos": 3.42104E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.toggleSsoEnabled", "ssoState": "ENABLED", "domainName": "ORGANIZATION_NAME" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-04T17:55:13.342Z", "createTime": "2021-06-04T17:55:15.900Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" } }
Persistenza: script di avvio aggiunto dall'amministratore GCE
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", "category": "Persistence: GCE Admin Added Startup Script", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "gce_admin" "subRuleName": "instance_add_startup_script" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "gceInstanceId": "GCE_INSTANCE_ID", "projectId": "PROJECT_ID", "metadataKeyOperation": "ADDED", "callerUserAgent": "USER_AGENT", }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1543/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }] } }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", } }
Persistenza: amministratore GCE ha aggiunto la chiave SSH
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", "category": "Persistence: GCE Admin Added SSH Key", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "gce_admin" "subRuleName": "instance_add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "gceInstanceId": "GCE_INSTANCE_ID", "projectId": "PROJECT_ID", "metadataKeyOperation": "ADDED", "callerUserAgent": "USER_AGENT", }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1543/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }] } }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", } }
Persistenza: impostazioni SSO modificate
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings", "state": "ACTIVE", "category": "Persistence: SSO Settings Changed", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "account_manipulation", "indicator": "audit_log", "ruleName": "sso_settings_changed" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.changeSsoSettings", "domainName": "ORGANIZATION_NAME" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-05-21T19:08:29.373Z", "createTime": "2021-05-27T11:36:24.429Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" } }
Cloud IDS
{ "finding": { "access": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Cloud IDS: THREAT_ID", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "connections": [ { "destinationIp": "IP_ADDRESS", "destinationPort": PORT, "sourceIp": "IP_ADDRESS", "sourcePort": PORT, "protocol": "PROTOCOL" } ], "createTime": "TIMESTAMP", "database": {}, "description": "This signature detects a payload in HTTP traffic which could possibly be malicious.", "eventTime": "TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_DISPLAY_NAME", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "ctd-engprod-project", "parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER", "parent_display_name": "PARENT_DISPLAY_NAME", "folders": [ { "resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resource_folder_display_name": "FOLDER_DISPLAY_NAME" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloud_ids_threat_activity" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "TIMESTAMP", "nanos": TIMESTAMP }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LOGGING_QUERY_URI" } ], "relatedFindingUri": {} }, "description": "THREAT_DESCRIPTION" } }
Movimento laterale: disco di avvio modificato collegato all'istanza
{ "finding": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.attachDisk", }, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Lateral Movement: Modify Boot Disk Attaching to Instance", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "2024-02-01T23:55:17.589Z", "database": {}, "eventTime": "2024-02-01T23:55:17.396Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "logEntries": [ { "cloudLoggingEntry": { "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2024-02-01T23:55:15.017887Z" } } ], "mitreAttack": { "primaryTactic": "TACTIC_UNSPECIFIED" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION", "parentDisplayName": "Event Threat Detection", "resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "displayName": "INSTANCE_ID", "type": "google.compute.Instance", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_NUMBER", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_NUMBER, "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NUMBER" } ], "organization": "organizations/ORGANIZATION_NUMBER" } }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "modify_boot_disk", "subRuleName": "attach_to_instance" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID" }, { "gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_NUMBER", "resourceContainer": "PROJECT_NUMBER", "timestamp": { "seconds": "1706831715", "nanos": 17887000 }, "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity" } } ], "properties": { "diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID", "targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "workerInstances": [ "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" ], "bootDiskPayloads": [ { "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "operation": "MODIFY_BOOT_DISK_ATTACH", "principalEmail": "PRINCIPAL_EMAIL", "eventTime": "2024-02-01T23:55:06.706640Z" }, { "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "operation": "MODIFY_BOOT_DISK_DETACH", "principalEmail": "PRINCIPAL_EMAIL", "eventTime": "2024-02-01T23:55:05.608631Z" } ] }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1570/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Escalation dei privilegi: concessione di privilegi eccessivi di AlloyDB
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Privilege Escalation: AlloyDB Over-Privileged Grant", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "alloydb_user_granted_all_permissions", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/001/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "eventTime": "EVENT_TIMESTAMP",, "createTime": "CREATE_TIMESTAMP",, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "VALID_ACCOUNTS" ], "additionalTactics": [ "PERSISTENCE" ], "additionalTechniques": [ "ACCOUNT_MANIPULATION" ] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", "grantees": [GRANTEE], }, "access": { "serviceName": "alloydb.googleapis.com", "methodName": "alloydb.instances.query" } }, "resource": { "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "type": "google.alloydb.Instance", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "alloydb.googleapis.com", "location": "REGION", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": FOLDER_NAME } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" } }
Escalation dei privilegi: il super user del database AlloyDB scrive nelle tabelle utente
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "alloydb_user_granted_all_permissions", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/001/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "eventTime": "EVENT_TIMESTAMP",, "createTime": "CREATE_TIMESTAMP",, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "VALID_ACCOUNTS" ], "additionalTactics": [ "PERSISTENCE" ], "additionalTechniques": [ "ACCOUNT_MANIPULATION" ] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", }, "access": { "serviceName": "alloydb.googleapis.com", "methodName": "alloydb.instances.query" } }, "resource": { "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "type": "google.alloydb.Instance", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "alloydb.googleapis.com", "location": "REGION", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": FOLDER_NAME } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" } }
Impatto: comandi di cryptomining
{ "finding": { "access": { "callerIpGeo": {}, "serviceName": "run.googleapis.com", "methodName": "/Jobs.CreateJob" }, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Impact: Cryptomining Commands", "chokepoint": {}, "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "imageId": "CONTAINER_IMAGE_ID", "labels": [ { "name": "command", "value": "getblockchaininfo" } ], "createTime": "1970-01-01T00:00:00Z" } ], "createTime": "2025-05-06T01:19:09.854Z", "database": {}, "dataProtectionKeyGovernance": {}, "eventTime": "2025-05-06T01:19:08.853Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "logEntries": [ { "cloudLoggingEntry": { "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/system_event", "resourceContainer": "projects/PROJECT_ID", "timestamp": "2025-05-06T01:18:02.533391Z" } } ], "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "securityPosture": {}, "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "cloudresourcemanager.googleapis.com", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parentDisplayName": "FOLDER_NAME", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloud_run_jobs_cryptomining_commands" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//run.googleapis.com/namespaces/PROJECT_ID/jobs/JOB_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1746494282", "nanos": 533391000 }, "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/system_event" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} } } }
Esecuzione: immagine Docker per il cryptomining
{ "finding": { "access": { "callerIpGeo": {}, "serviceName": "run.googleapis.com", "methodName": "/Services.DeleteService" }, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Execution: Cryptomining Docker Image", "chokepoint": {}, "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "containers": [ { "imageId": "CONTAINER_IMAGE_ID", "createTime": "1970-01-01T00:00:00Z" } ], "createTime": "2025-05-06T01:06:10.340Z", "database": {}, "dataProtectionKeyGovernance": {}, "eventTime": "2025-05-06T01:06:09.037Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "logEntries": [ { "cloudLoggingEntry": { "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/system_event", "resourceContainer": "projects/PROJECT_ID", "timestamp": "2025-05-06T01:05:31.417999Z" } } ], "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "DEPLOY_CONTAINER" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "securityPosture": {}, "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "cloudresourcemanager.googleapis.com", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parentDisplayName": "FOLDER_NAME", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloud_run_cryptomining_docker_images" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//run.googleapis.com/namespaces/PROJECT_ID/services/SERVICE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1746493531", "nanos": 417999000 }, "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/system_event" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1610/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} } } }
Escalation dei privilegi: Default Compute Engine Service Account SetIAMPolicy
{ "finding": { "access": { "principalEmail": "PROJECT_NUMBER-compute@developer.gserviceaccount.com", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "userAgent": "USER_AGENT", "serviceName": "run.googleapis.com", "methodName": "google.cloud.run.v1.Services.SetIamPolicy", "principalSubject": "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com", "serviceAccountDelegationInfo": [ { "principalEmail": "service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com" } ] }, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy", "chokepoint": {}, "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "2025-05-27T20:36:26.627Z", "database": {}, "dataProtectionKeyGovernance": {}, "eventTime": "2025-05-27T20:36:26.527Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "logEntries": [ { "cloudLoggingEntry": { "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity", "resourceContainer": "projects/PROJECT_ID", "timestamp": "2025-05-27T20:35:26.897015Z" } } ], "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ADDITIONAL_CLOUD_ROLES" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Event Threat Detection", "resourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME", "displayName": "SERVICE_NAME", "type": "google.run.Service", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "run.googleapis.com", "location": "REGION", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_NUMBER" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloud_run_services_set_iam_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1748378126", "nanos": 897015000 }, "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/003/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} } } }
Persistenza: nuova area geografica per il servizio AI
Questo risultato non è disponibile per le attivazioni a livello di progetto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "state": "ACTIVE", "category": "Persistence: New Geography for AI Service", "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME", "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "CLOUD_ACCOUNTS" ] }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T18:59:43.860Z", "createTime": "2021-04-09T18:59:44.440Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "ai_iam_anomalous_behavior_ip_geolocation" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } } }
Elevazione dei privilegi: delega anomala del service account con più passaggi per l'attività di amministrazione AI
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_multistep_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://atlas.mitre.org/techniques/AML.T0012/" } } } }
Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_multistep_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://atlas.mitre.org/techniques/AML.T0012/" } } } }
Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_impersonator_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://atlas.mitre.org/techniques/AML.T0012/" } } } }
Elevazione dei privilegi: simulatore anomalo dell'identità di un service account per l'accesso ai dati AI
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_impersonator_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://atlas.mitre.org/techniques/AML.T0012/" } } } }
Elevazione dei privilegi: simulazione anomala dell'identità del service account per l'attività di amministrazione AI
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "ai_anomalous_sa_delegation_impersonation_of_sa_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Persistenza: nuovo metodo API AI
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: New AI API Method", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", }, "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ai_anomalous_behavior_new_api_method", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "newApiMethod": { "newApiMethod": { "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "resourceContainer": "projects/PROJECT_NUMBER" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Accesso iniziale: attività del service account inattivo nel servizio AI
{ "findings": { "access": { "principalEmail": "DORMANT_SERVICE_ACCOUNT", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "aiplatform.googleapis.com", "methodName": "METHOD_NAME" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Dormant Service Account Activity in AI Service", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "domains": [ { "category": "AI" }, { "category": "IDENTITY_AND_ACCESS" } ], "aiModel": { "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "deploymentPlatform": "VERTEX_AI" }, "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "type": "google.aiplatform.Model", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ai_dormant_sa_used_in_action", }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://atlas.mitre.org/techniques/AML.T0012/" } } } }
Passaggi successivi
- Scopri di più sul funzionamento di Event Threat Detection.
- Scopri come analizzare e sviluppare piani di risposta alle minacce.