This document offers informal guidance on how you can respond to findings of suspicious activities in your Cloud Run resources. The recommended steps might not be appropriate for all findings and might impact your operations. Before you take any action, you should investigate the findings; assess the information that you gather; and decide how to respond.
The techniques in this document aren't guaranteed to be effective against any previous, current, or future threats that you face. To understand why Security Command Center does not provide official remediation guidance for threats, see Remediating threats.
Before you begin
- Review the finding. Note the affected container and the detected binaries, processes, or libraries.
- To learn more about the finding that you're investigating, search for the finding in the Threat findings index.
General recommendations
- Contact the owner of the affected resource.
- View the logs for the potentially compromised Cloud Run service or job.
- For forensic analysis, collect and back up the logs from the affected service or job.
- For further investigation, consider using incident response services like Mandiant.
- Consider deleting the affected Cloud Run service or service revision:
  - To delete the service, see Delete existing services.
  - To delete the service revision, roll back to a previous revision or deploy a new, more secure revision. Then, delete the affected revision.
- Consider deleting the affected Cloud Run job.
Malicious script or Python code executed
If the script or Python code was making intended changes to the container, deploy a revision to the service that has all the intended changes. Don't rely on a script to make changes after the container is deployed.
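The following shell helpers are an added example, not part of this page or of Google's own tooling. They wrap gcloud commands for the response steps listed above: collecting and backing up the logs of a Cloud Run service or job, moving traffic to a known-good revision or deploying a new one built from a fixed image, and deleting the affected revision, service or job. Project, bucket, service, revision, image and region names are placeholders chosen by the caller; the gcloud subcommands and flags used are real ones. Setting `DRY_RUN=1` prints each gcloud command instead of executing it, which is also how the helpers can be checked without a Google Cloud project.

```shell
#!/bin/sh
# Added example (not from the Security Command Center documentation).
# Helpers around the gcloud CLI for responding to a Cloud Run threat finding.
# All resource names are placeholders supplied by the caller.
# DRY_RUN=1 prints each gcloud command line instead of running it.

run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# log_filter service|job NAME
# Cloud Logging filter for a service (its revisions' logs) or a job.
log_filter() {
  case "$1" in
    service) printf 'resource.type="cloud_run_revision" AND resource.labels.service_name="%s"' "$2" ;;
    job)     printf 'resource.type="cloud_run_job" AND resource.labels.job_name="%s"' "$2" ;;
    *) echo "log_filter: kind must be service or job" >&2; return 1 ;;
  esac
}

# collect_logs service|job NAME PROJECT BUCKET [FRESHNESS]
# Exports recent log entries as JSON to ${OUTDIR:-.} and copies the file to a
# bucket that responders control, so the evidence survives deletion of the
# service or job. FRESHNESS defaults to the last 7 days.
collect_logs() {
  kind=$1; name=$2; project=$3; bucket=$4; freshness=${5:-7d}
  filter=$(log_filter "$kind" "$name") || return 1
  fname="${name}-logs-$(date -u +%Y%m%dT%H%M%SZ).json"
  out="${OUTDIR:-.}/$fname"
  run gcloud logging read "$filter" --project="$project" \
      --freshness="$freshness" --format=json > "$out"
  run gcloud storage cp "$out" "gs://$bucket/cloud-run-forensics/$fname"
}

# replace_revision SERVICE REGION GOOD_REVISION BAD_REVISION
# Moves all traffic to a known-good revision first, so the affected revision
# is no longer serving when it is deleted.
replace_revision() {
  service=$1; region=$2; good=$3; bad=$4
  run gcloud run services update-traffic "$service" --region="$region" \
      --to-revisions="$good=100"
  run gcloud run revisions delete "$bad" --region="$region" --quiet
}

# redeploy_and_remove SERVICE REGION IMAGE BAD_REVISION
# Alternative to rollback: deploy a new revision from an image that already
# contains the intended changes (baked in at build time, not applied by a
# script after deployment), then delete the affected revision. gcloud run
# deploy routes traffic to the new revision by default.
redeploy_and_remove() {
  service=$1; region=$2; image=$3; bad=$4
  run gcloud run deploy "$service" --region="$region" --image="$image"
  run gcloud run revisions delete "$bad" --region="$region" --quiet
}

# delete_resource service|job NAME REGION
# Removes the whole service or job once its logs have been collected.
delete_resource() {
  case "$1" in
    service) run gcloud run services delete "$2" --region="$3" --quiet ;;
    job)     run gcloud run jobs delete "$2" --region="$3" --quiet ;;
    *) echo "delete_resource: kind must be service or job" >&2; return 1 ;;
  esac
}

# Example session (hypothetical file name respond.sh; with DRY_RUN set,
# nothing is executed):
#   DRY_RUN=1 . ./respond.sh
#   collect_logs service my-svc my-project forensics-bucket 2d
#   replace_revision my-svc us-central1 my-svc-00012-abc my-svc-00013-xyz
```

Collect the logs before deleting anything: once the service or job is gone, the log entries remain in Cloud Logging only for their retention period, and the exported copy in the responders' bucket is what the forensic analysis works from.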
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.