This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A webhook configuration has been detected in your GKE cluster. Webhooks can intercept and modify Kubernetes API requests, which potentially allows attackers to persist within your cluster or manipulate resources.
Event Threat Detection is the source of this finding.
How to respond
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
To respond to this finding, do the following:
- Identify the purpose and origin of the webhook configuration. Verify that it is from a trusted source and serves a legitimate purpose.
- Review the webhook configuration to understand its scope and the types of requests it intercepts.
- Monitor the webhook activity for any suspicious or unauthorized actions.
- If the webhook is not necessary or its behavior is concerning, consider removing or disabling it.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.