This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
Anomalous admin activity by a potentially malicious actor was detected in an organization, folder, or project. Anomalous activity can be either of the following:
- New activity by a principal in an organization, folder, or project
- Activity that has not been seen in a while by a principal in an organization, folder, or project
Step 1: Review finding details
- Open the
Persistence: New API Methodfinding as directed in Reviewing findings. In the finding details, on the Summary tab, note the values of the following fields:
- Under What was detected:
- Principal email: the account that made the call
- Service name: the API name of the Google Cloud service used in the action
- Method name: the method that was called
- Under Affected resource:
- Resource display name: the name of the affected resource, which could be the same as the name of the organization, folder, or project
- Resource path: the location in the resource hierarchy where the activity took place
- Under What was detected:
Step 2: Research attack and response methods
- Review MITRE ATT&CK framework entries for this finding type: Persistence.
- Investigate whether the action was warranted in the organization, folder, or project and whether the action was taken by the legitimate owner of the account. The organization, folder, or project is displayed on the Resource path row and the account is displayed on the Principal email row.
- To develop a response plan, combine your investigation results with MITRE research.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.