This page describes how to configure Cloud Run Threat Detection for your Cloud Run resources.
The procedures on this page apply only to Cloud Run Threat Detection runtime detectors. For information about how to work with the control plane detectors for Cloud Run, see Use Event Threat Detection.
Before you begin
-
To get the permissions that you need to manage the Cloud Run Threat Detection service and its modules, ask your administrator to grant you the Security Center Management Admin (
roles/securitycentermanagement.admin
) IAM role on the organization, folder, or project. For more information about granting roles, see Manage access to projects, folders, and organizations.You might also be able to get the required permissions through custom roles or other predefined roles.
Test your Cloud Run containers using the second generation execution environment to make sure that there are no compatibility issues. For more information, see Supported execution environments.
Grant the required IAM permissions to the Cloud Run service account
If your Cloud Run resources are using the Compute Engine default service account and you have not revoked permissions for that service account, then you already have the necessary permissions to run Cloud Run Threat Detection. You can skip this section.
Perform this task if any of the following applies to you:
- You made changes to the Compute Engine default service account.
- You created your own service account for your Cloud Run service.
- You are using a service account that was created for a project that is different from the project that contains your Cloud Run service.
Grant the Service Account Token Creator role to the service account that your Cloud Run resource uses as a service identity:
gcloud iam service-accounts add-iam-policy-binding \
PROJECT_NUMBER \
--member=serviceAccount:SERVICE_ACCOUNT_NAME \
--role=roles/iam.serviceAccountTokenCreator
Replace the following:
PROJECT_NUMBER
: the numeric identifier of the project where your Cloud Run service is deployed. This project can be different from the project that contains the service account. You can find your project number on the Dashboard page of the Google Cloud console.SERVICE_ACCOUNT_NAME
: the email address of your runtime Cloud Run service account.
Enable or disable Cloud Run Threat Detection
When you enable Cloud Run Threat Detection on an organization, folder, or project, it automatically monitors all supported Cloud Run resources in that scope.
After enabling Cloud Run Threat Detection, you must redeploy the Cloud Run services that you want to monitor.
To enable or disable Cloud Run Threat Detection, follow these steps:
Console
In the Google Cloud console, go to the Service Enablement page for Cloud Run Threat Detection.
Select your organization or project.
On the Service Enablement tab, in the Cloud Run Threat Detection column, select the enablement status of the organization, folder, or project that you want to modify, and then select one of the following:
- Enable: enable Cloud Run Threat Detection
- Disable: disable Cloud Run Threat Detection
- Inherit: inherit the enablement status from the parent folder or organization; available only for projects and folders
gcloud
The
gcloud scc manage services update
command updates the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE
: the type of resource to update (organization
,folder
, orproject
) -
RESOURCE_ID
: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
NEW_STATE
:ENABLED
to enable Cloud Run Threat Detection;DISABLED
to disable Cloud Run Threat Detection; orINHERITED
to inherit the enablement status of the parent resource (valid only for projects and folders)
Execute the
gcloud scc manage services update
command:
Linux, macOS, or Cloud Shell
gcloud scc manage services update cloud-run-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=NEW_STATE
Windows (PowerShell)
gcloud scc manage services update cloud-run-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=NEW_STATE
Windows (cmd.exe)
gcloud scc manage services update cloud-run-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=NEW_STATE
You should receive a response similar to the following:
effectiveEnablementState: ENABLED intendedEnablementState: ENABLED modules: CLOUD_RUN_ADDED_BINARY_EXECUTED: effectiveEnablementState: DISABLED intendedEnablementState: DISABLED CLOUD_RUN_ADDED_LIBRARY_LOADED: effectiveEnablementState: DISABLED intendedEnablementState: DISABLED CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_CONTAINER_ESCAPE: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_URL_OBSERVED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REPORT_CLI_ARGUMENTS: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REVERSE_SHELL: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_UNEXPECTED_CHILD_SHELL: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED name: projects/1234567890123/locations/global/securityCenterServices/cloud-run-threat-detection updateTime: '2025-03-14T00:27:36.589993683Z'
REST
The Security Command Center Management API's
RESOURCE_TYPE.locations.securityCenterServices.patch
method updates the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
-
RESOURCE_TYPE
: the type of resource to update (organizations
,folders
, orprojects
) -
QUOTA_PROJECT
: the project ID to use for billing and quota tracking -
RESOURCE_ID
: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
NEW_STATE
:ENABLED
to enable Cloud Run Threat Detection;DISABLED
to disable Cloud Run Threat Detection; orINHERITED
to inherit the enablement status of the parent resource (valid only for projects and folders)
HTTP method and URL:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/cloud-run-threat-detection?updateMask=intendedEnablementState
Request JSON body:
{ "intendedEnablementState": "NEW_STATE" }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/1234567890123/locations/global/securityCenterServices/cloud-run-threat-detection", "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED", "modules": { "CLOUD_RUN_REPORT_CLI_ARGUMENTS": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_CONTAINER_ESCAPE": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_LIBRARY_LOADED": { "intendedEnablementState": "DISABLED", "effectiveEnablementState": "DISABLED" }, "CLOUD_RUN_REVERSE_SHELL": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_UNEXPECTED_CHILD_SHELL": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_BINARY_EXECUTED": { "intendedEnablementState": "DISABLED", "effectiveEnablementState": "DISABLED" }, "CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_URL_OBSERVED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" } }, "updateTime": "2025-03-14T00:27:36.589993683Z" }
Enable or disable a Cloud Run Threat Detection module
To enable or disable an individual Cloud Run Threat Detection module, follow these steps. For information about all Cloud Run Threat Detection threat findings and their modules, see Cloud Run Threat Detection detectors.
gcloud
The
gcloud scc manage services update
command updates the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE
: the type of resource to update (organization
,folder
, orproject
) -
RESOURCE_ID
: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
MODULE_NAME
: the name of the module to enable or disable; for valid values, see Cloud Run Threat Detection detectors -
NEW_STATE
:ENABLED
to enable the module;DISABLED
to disable the module; orINHERITED
to inherit the enablement status of the parent resource (valid only for projects and folders)
Save the following content in a file called request.json
:
{ "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } }
Execute the
gcloud scc manage services update
command:
Linux, macOS, or Cloud Shell
gcloud scc manage services update cloud-run-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=ENABLED \ --module-config-file=request.json
Windows (PowerShell)
gcloud scc manage services update cloud-run-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=ENABLED \ --module-config-file=request.json
Windows (cmd.exe)
gcloud scc manage services update cloud-run-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=ENABLED \ --module-config-file=request.json
You should receive a response similar to the following:
effectiveEnablementState: ENABLED intendedEnablementState: ENABLED modules: CLOUD_RUN_ADDED_BINARY_EXECUTED: effectiveEnablementState: DISABLED intendedEnablementState: DISABLED CLOUD_RUN_ADDED_LIBRARY_LOADED: effectiveEnablementState: DISABLED intendedEnablementState: DISABLED CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_CONTAINER_ESCAPE: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_URL_OBSERVED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REPORT_CLI_ARGUMENTS: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REVERSE_SHELL: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_UNEXPECTED_CHILD_SHELL: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED name: projects/1234567890123/locations/global/securityCenterServices/cloud-run-threat-detection updateTime: '2025-03-14T00:27:36.589993683Z'
REST
The Security Command Center Management API's
RESOURCE_TYPE.locations.securityCenterServices.patch
method updates the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
-
RESOURCE_TYPE
: the type of resource to update (organizations
,folders
, orprojects
) -
QUOTA_PROJECT
: the project ID to use for billing and quota tracking -
RESOURCE_ID
: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
MODULE_NAME
: the name of the module to enable or disable; for valid values, see Cloud Run Threat Detection detectors -
NEW_STATE
:ENABLED
to enable the module;DISABLED
to disable the module; orINHERITED
to inherit the enablement status of the parent resource (valid only for projects and folders)
HTTP method and URL:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/cloud-run-threat-detection?updateMask=modules
Request JSON body:
{ "modules": { "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } } }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/1234567890123/locations/global/securityCenterServices/cloud-run-threat-detection", "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED", "modules": { "CLOUD_RUN_REPORT_CLI_ARGUMENTS": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_CONTAINER_ESCAPE": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_LIBRARY_LOADED": { "intendedEnablementState": "DISABLED", "effectiveEnablementState": "DISABLED" }, "CLOUD_RUN_REVERSE_SHELL": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_UNEXPECTED_CHILD_SHELL": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_BINARY_EXECUTED": { "intendedEnablementState": "DISABLED", "effectiveEnablementState": "DISABLED" }, "CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_URL_OBSERVED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" } }, "updateTime": "2025-03-14T00:27:36.589993683Z" }
Exclude environment variables from findings
By default, when Cloud Run Threat Detection generates a finding, it reports the environment variables used for all processes referenced in the finding. The values of environment variables can be important in threat investigations.
However, you might decide to exclude environment variables from findings, because some software packages store secrets and other sensitive information in environment variables.
To exclude process environment variables from Cloud Run Threat Detection findings, set the
CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES
module toDISABLED
.To include process environment variables in Cloud Run Threat Detection findings, set the
CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES
module toENABLED
.
For instructions, see Enable or disable a Cloud Run Threat Detection module on this page.
Exclude CLI arguments from findings
All processes have one or more command line interface (CLI) arguments. By default, when Cloud Run Threat Detection includes process details in a finding, it records the CLI arguments of the process. CLI argument values can be important in threat investigations.
However, you might decide to exclude CLI arguments from findings because some users might pass secrets and other sensitive information in CLI arguments.
To exclude CLI arguments from Cloud Run Threat Detection findings, set the
CLOUD_RUN_REPORT_CLI_ARGUMENTS
module toDISABLED
.To include CLI arguments in Cloud Run Threat Detection findings, set the
CLOUD_RUN_REPORT_CLI_ARGUMENTS
module toENABLED
.
For instructions, see Enable or disable a Cloud Run Threat Detection module on this page.
View the settings of the Cloud Run Threat Detection modules
For information about all Cloud Run Threat Detection threat findings, see the Cloud Run Threat Detection detectors table.
gcloud
The
gcloud scc manage services describe
command gets the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE
: the type of resource to get (organization
,folder
, orproject
) -
QUOTA_PROJECT
: the project ID to use for billing and quota tracking -
RESOURCE_ID
: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID
Execute the
gcloud scc manage services describe
command:
Linux, macOS, or Cloud Shell
gcloud scc manage services describe cloud-run-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud scc manage services describe cloud-run-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud scc manage services describe cloud-run-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
effectiveEnablementState: ENABLED intendedEnablementState: ENABLED modules: CLOUD_RUN_ADDED_BINARY_EXECUTED: effectiveEnablementState: DISABLED intendedEnablementState: DISABLED CLOUD_RUN_ADDED_LIBRARY_LOADED: effectiveEnablementState: DISABLED intendedEnablementState: DISABLED CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_CONTAINER_ESCAPE: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MALICIOUS_URL_OBSERVED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REPORT_CLI_ARGUMENTS: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_REVERSE_SHELL: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CLOUD_RUN_UNEXPECTED_CHILD_SHELL: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED name: projects/1234567890123/locations/global/securityCenterServices/cloud-run-threat-detection updateTime: '2025-03-14T00:27:36.589993683Z'
REST
The Security Command Center Management API's
RESOURCE_TYPE.locations.securityCenterServices.get
method gets the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
-
RESOURCE_TYPE
: the type of resource to get (organizations
,folders
, orprojects
) -
QUOTA_PROJECT
: the project ID to use for billing and quota tracking -
RESOURCE_ID
: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID
HTTP method and URL:
GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/cloud-run-threat-detection
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/1234567890123/locations/global/securityCenterServices/cloud-run-threat-detection", "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED", "modules": { "CLOUD_RUN_REPORT_CLI_ARGUMENTS": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_CONTAINER_ESCAPE": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_LIBRARY_LOADED": { "intendedEnablementState": "DISABLED", "effectiveEnablementState": "DISABLED" }, "CLOUD_RUN_REVERSE_SHELL": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_REPORT_ENVIRONMENT_VARIABLES": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_UNEXPECTED_CHILD_SHELL": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_BINARY_EXECUTED": { "intendedEnablementState": "DISABLED", "effectiveEnablementState": "DISABLED" }, "CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "CLOUD_RUN_MALICIOUS_URL_OBSERVED": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" } }, "updateTime": "2025-03-14T00:27:36.589993683Z" }
Review findings
When Cloud Run Threat Detection generates findings, you can view them in Security Command Center.
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
To review Cloud Run Threat Detection findings in Security Command Center, follow these steps:
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select Cloud Run Threat Detection. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
To aid in your investigation, threat findings also contain links to the following external resources:
- MITRE ATT&CK framework entries. The framework explains techniques for attacks against cloud resources and provides remediation guidance.
- VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, scripts, URLs, and domains.
For a list of Cloud Run Threat Detection finding types, see Cloud Run Threat Detection detectors.
What's next
- Learn more about Cloud Run Threat Detection.
- Learn how to redeploy Cloud Run services.
- Learn how Cloud Run implements security best practices.