Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Anomalous admin activity for AI services by a potentially malicious actor was
detected in an organization, folder, or project. Anomalous activity can be
either of the following:
New activity by a principal in an organization, folder, or project
Activity that has not been seen in a while, performed by a principal in an organization, folder, or project
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Persistence: New AI API Method finding as directed in Reviewing findings.
In the finding details, on the Summary tab, note the values of the following fields:
Under What was detected:
Principal email: the account that made the call
Method name: the method that was called
AI resources: the potentially impacted AI resources, such as the Vertex AI resources and the AI model.
Under Affected resource:
Resource display name: the name of the affected resource, which can
be the same as the name of the organization, folder, or project
Resource path: the location in the resource hierarchy where the activity took place
Step 2: Research attack and response methods
Review MITRE ATT&CK framework entries for this finding type: Persistence.
Investigate whether the action was warranted in the organization, folder, or project and whether the action was taken by the legitimate owner of the account. The organization, folder, or project is displayed on the Resource path field and the account is displayed in the Principal email row.
To develop a response plan, combine your investigation results with MITRE research.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nAnomalous admin activity for AI services by a potentially malicious actor was\ndetected in an organization, folder, or project. Anomalous activity can be\neither of the following:\n\n- New activity by a principal in an organization, folder, or project\n- Activity that has not been seen in a while, performed by a principal in an organization, folder, or project\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open the `Persistence: New AI API Method` finding as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n2. In the finding details, on the **Summary** tab, note the values of the following fields:\n\n - Under **What was detected** :\n - **Principal email**: the account that made the call\n - **Method name**: the method that was called\n - AI resources: the potentially impacted AI resources, such as the Vertex AI resources and the AI model.\n - Under **Affected resource** :\n - **Resource display name**: the name of the affected resource, which can be the same as the name of the organization, folder, or project\n - **Resource path**: the location in the resource hierarchy where the activity took place\n\nStep 2: Research attack and response methods\n\n1. Review MITRE ATT\\&CK framework entries for this finding type: **Persistence**.\n2. Investigate whether the action was warranted in the organization, folder, or project and whether the action was taken by the legitimate owner of the account. The organization, folder, or project is displayed on the **Resource path** field and the account is displayed in the **Principal email** row.\n3. To develop a response plan, combine your investigation results with MITRE research.\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
