Halaman ini menunjukkan cara meninjau temuan Layanan Tindakan Sensitif di konsol Google Cloud dan menyertakan contoh temuan Layanan Tindakan Sensitif.
Sensitive Actions Service adalah layanan bawaan Security Command Center yang mendeteksi saat tindakan dilakukan di Google Cloud organisasi, folder, dan project Anda yang dapat merusak bisnis Anda jika dilakukan oleh aktor berbahaya. Untuk mempelajari lebih lanjut, lihat Ringkasan Sensitive Actions Service.
Meninjau temuan Layanan Tindakan Sensitif
Layanan Tindakan Sensitif selalu diaktifkan saat Anda mengaktifkan paket Standar Security Command Center, dan tidak dapat dinonaktifkan. Untuk mengetahui informasi selengkapnya tentang jenis temuan Layanan Tindakan Sensitif, lihat Temuan.
Saat mendeteksi tindakan yang dianggap sensitif, Sensitive Actions Service akan membuat temuan dan entri log. Anda dapat melihat temuan di konsolGoogle Cloud . Anda dapat membuat kueri entri log di Cloud Logging. Untuk menguji Layanan Tindakan Sensitif, lakukan tindakan sensitif dan pastikan temuan muncul di halaman Temuan di konsol Google Cloud . Untuk mengetahui informasi selengkapnya, lihat Menguji Layanan Tindakan Sensitif.
Meninjau temuan di Security Command Center
Peran IAM untuk Security Command Center dapat diberikan di tingkat organisasi, folder, atau project. Kemampuan Anda untuk melihat, mengedit, membuat, atau memperbarui temuan, aset, dan sumber keamanan bergantung pada tingkat akses yang diberikan kepada Anda. Untuk mempelajari lebih lanjut peran Security Command Center, lihat Kontrol akses.
Untuk meninjau temuan Layanan Tindakan Sensitif di konsol, ikuti langkah-langkah berikut:
Standar atau Premium
- Di konsol Google Cloud , buka halaman Temuan di Security Command Center.
- Pilih project atau organisasi Google Cloud Anda.
- Di bagian Quick filters, di subbagian Source display name, pilih Sensitive Actions Service. Hasil kueri temuan diperbarui untuk menampilkan hanya temuan dari sumber ini.
- Untuk melihat detail temuan tertentu, klik nama temuan di kolom Kategori. Panel detail untuk temuan akan terbuka dan menampilkan tab Ringkasan.
- Di tab Ringkasan, tinjau detail temuan, termasuk informasi tentang apa yang terdeteksi, resource yang terpengaruh, dan—jika tersedia—langkah-langkah yang dapat Anda lakukan untuk memperbaiki temuan tersebut.
- Opsional: Untuk melihat definisi JSON lengkap dari temuan, klik tab JSON.
Enterprise
- Di konsol Google Cloud , buka halaman Temuan di Security Command Center.
- Pilih Google Cloud organisasi Anda.
- Di bagian Aggregations, klik untuk meluaskan subbagian Source Display Name.
- Pilih Layanan Tindakan Sensitif. Hasil kueri temuan diperbarui untuk hanya menampilkan temuan dari sumber ini.
- Untuk melihat detail temuan tertentu, klik nama temuan di kolom Kategori. Panel detail untuk temuan akan terbuka dan menampilkan tab Ringkasan.
- Di tab Ringkasan, tinjau detail temuan, termasuk informasi tentang apa yang terdeteksi, resource yang terpengaruh, dan—jika tersedia—langkah-langkah yang dapat Anda lakukan untuk memperbaiki temuan tersebut.
- Opsional: Untuk melihat definisi JSON lengkap dari temuan, klik tab JSON.
Melihat temuan yang disebabkan oleh aktor yang sama
Saat menyelidiki apakah tindakan sensitif dilakukan oleh aktor jahat, pertimbangkan untuk menelusuri temuan lain yang disebabkan oleh aktor tersebut.
Untuk melihat semua temuan yang disebabkan oleh aktor yang sama, ikuti langkah-langkah berikut:
- Buka temuan dan lihat detailnya.
- Di panel detail temuan, salin alamat email di samping Email utama.
- Tutup panel.
Di Query editor, tempel kueri berikut:
access.principal_email="PRINCIPAL_EMAIL"Ganti PRINCIPAL_EMAIL dengan alamat email yang Anda salin sebelumnya. Security Command Center menampilkan semua temuan yang terkait dengan tindakan yang dilakukan oleh aktor yang Anda tentukan.
Melihat temuan di Cloud Logging
Layanan Tindakan Sensitif menulis entri log ke log platformGoogle Cloud untuk setiap tindakan sensitif yang ditemukannya. Entri log ini ditulis meskipun Anda belum mengaktifkan Security Command Center.
Untuk melihat entri log tindakan sensitif di Cloud Logging, lakukan langkah berikut:
Buka Logs Explorer di konsol Google Cloud .
Di Pemilih project di bagian atas halaman, pilih project yang entri log Layanan Tindakan Sensitifnya ingin Anda lihat. Atau, untuk melihat entri log di tingkat organisasi, pilih organisasi.
Di kotak teks Query, masukkan definisi resource berikut:
resource.type="sensitiveaction.googleapis.com/Location"Klik Run Query. Tabel Hasil kueri diperbarui dengan entri log yang cocok dan ditulis dalam jangka waktu kueri Anda.
Untuk melihat detail entri log, klik baris tabel, lalu klik Luaskan kolom bertingkat.
Anda dapat membuat kueri log lanjutan untuk menentukan sekumpulan entri log dari sejumlah log.
Contoh Format Temuan
Bagian ini mencakup output JSON untuk temuan Sensitive Actions Service sebagaimana yang muncul saat Anda membuat ekspor dari konsol Google Cloud atau menjalankan metode daftar di Security Command Center API.
Contoh output berisi kolom yang paling umum untuk semua temuan. Namun, tidak semua kolom mungkin muncul di setiap temuan. Output sebenarnya yang Anda lihat bergantung pada konfigurasi resource dan jenis serta status temuan.
Untuk melihat contoh temuan, luaskan satu atau beberapa node berikut.
Penghindaran Pertahanan: Kebijakan Organisasi Diubah
Temuan ini tidak tersedia untuk aktivasi level project.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "orgpolicy.googleapis.com", "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Organization Policy Changed", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-27T12:35:30.466Z", "database": {}, "eventTime": "2022-08-27T12:35:30.264Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "IMPAIR_DEFENSES" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "display_name": "", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "change_organization_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661603725", "nanos": 12242032 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Penghindaran Pertahanan: Menghapus Admin Penagihan
Temuan ini tidak tersedia untuk aktivasi level project.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Remove Billing Admin", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T14:47:11.752Z", "database": {}, "eventTime": "2022-08-31T14:47:11.256Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "REMOVE", "role": "roles/billing.admin", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "remove_billing_admin" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661957226", "nanos": 356329000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1578/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Dampak: Instance GPU Dibuat
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "beta.compute.instances.insert" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Impact: GPU Instance Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-11T19:13:11.134Z", "database": {}, "eventTime": "2022-08-11T19:13:09.885Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "gpu_instance_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1660245184", "nanos": 578768000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Dampak: Banyak Instance Dibuat
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:18:18.112Z", "database": {}, "eventTime": "2022-08-22T21:18:17.759Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203092", "nanos": 314642000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Dampak: Banyak Instance Dihapus
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.delete", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Deleted", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:21:11.432Z", "database": {}, "eventTime": "2022-08-22T21:21:11.144Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_deleted" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203265", "nanos": 669160000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Persistensi: Menambahkan Peran Sensitif
Temuan ini tidak tersedia untuk aktivasi level project.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: Add Sensitive Role", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T17:20:13.305Z", "database": {}, "eventTime": "2022-08-31T17:20:11.929Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "ADD", "role": "roles/editor", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_sensitive_role" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661966410", "nanos": 132148000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Persistensi: Kunci SSH Project Ditambahkan
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.projects.setCommonInstanceMetadata", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Persistence: Project SSH Key Added", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-25T13:24:43.142Z", "database": {}, "eventTime": "2022-08-25T13:24:42.719Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION", "SSH_AUTHORIZED_KEYS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Project", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661433879", "nanos": 413362000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Langkah berikutnya
- Pelajari lebih lanjut cara kerja Layanan Tindakan Sensitif.
- Pelajari cara menyelidiki dan mengembangkan rencana respons terhadap ancaman.