Initial Access: CloudDB Successful login from Anonymizing Proxy IP
Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A successful login in a database instance occurred from a known
anonymizing IP address. These anonymizing addresses are Tor nodes.
This could indicate an attacker gaining initial access to your instance.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open an Initial Access: CloudDB Successful login from Anonymizing Proxy IP
finding, as directed in Reviewing findings.
On the Summary tab of the finding details panel, review the
information in the following sections:
What was detected, especially the following fields:
Indicator IP address, the anonymizing ip address.
Database display name: the name of the database in the
Cloud SQL PostgreSQL, MySQL or AlloyDB instance that was affected.
Database user name: the user.
Project full name: the Google Cloud project that contains
the Cloud SQL instance.
Step 2: Research attack and response methods
Review the MITRE ATT&CK framework entry for this finding type:
Initial Access.
To determine if additional remediation steps are necessary, combine your investigation results with MITRE
research.
Step 3: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Review the users allowed to connect to the database.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nA successful login in a database instance occurred from a known\nanonymizing IP address. These anonymizing addresses are Tor nodes.\nThis could indicate an attacker gaining initial access to your instance.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open an `Initial Access: CloudDB Successful login from Anonymizing Proxy IP` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n2. On the **Summary** tab of the finding details panel, review the\n information in the following sections:\n\n - **What was detected**, especially the following fields:\n - **Indicator IP address**, the anonymizing ip address.\n - **Database display name**: the name of the database in the Cloud SQL PostgreSQL, MySQL or AlloyDB instance that was affected.\n - **Database user name**: the user.\n - **Project full name**: the Google Cloud project that contains the Cloud SQL instance.\n\nStep 2: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Initial Access](https://attack.mitre.org/techniques/T1078/).\n2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.\n\nStep 3: Implement your response\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\n- Review the users allowed to connect to the database.\n\n - For PostgreSQL, see [Create and manage users](/sql/docs/postgres/create-manage-users)\n - For MySQL, see [Manage users with built-in authentication](/sql/docs/mysql/create-manage-users)\n- Consider changing the password for the user.\n\n - For PostgreSQL, see [Set the password for the default user](/sql/docs/postgres/create-manage-users#user-root)\n - For MySQL, see\n [Set the password for the default user](/sql/docs/mysql/create-manage-users#user-root)\n\n - Update the credentials for the clients that connect to the Cloud SQL instance\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
