Utiliser Event Threat Detection

Cette page explique comment examiner les résultats de Event Threat Detection dans le tableau de bord de Security Command Center et comprend des exemples de résultats de Event Threat Detection.

Event Threat Detection est un service intégré pour le niveau Premium de Security Command Center qui surveille les flux de journalisation Cloud Logging et Google Workspace de votre organisation et détecte les menaces presque en temps réel. Pour en savoir plus, consultez la présentation d'Event Threat Detection.

La vidéo suivante décrit les étapes de configuration d'Event Threat Detection et fournit des informations sur l'utilisation du tableau de bord. Pour en savoir plus sur l'affichage et la gestion des résultats de Event Threat Detection, consultez la section Examiner les résultats de cette page.

Examiner les résultats

Pour afficher les résultats d'Event Threat Detection, le service doit être activé dans les paramètres Services de Security Command Center. Une fois que vous avez activé Event Threat Detection, Event Threat Detection génère des résultats en analysant des journaux spécifiques. Certains des journaux qu'Event Threat Detection peut analyser sont désactivés par défaut. Vous devrez donc peut-être les activer.

Pour en savoir plus sur les règles de détection utilisées par Event Threat Detection et sur les journaux analysés par Event Threat Detection, consultez les articles suivants:

Vous pouvez afficher les résultats d'Event Threat Detection dans Security Command Center. Si vous avez configuré les exportations continues pour écrire des journaux, vous pouvez également afficher les résultats dans Cloud Logging. Pour générer un résultat et vérifier votre configuration, vous pouvez déclencher intentionnellement un détecteur et tester Event Threat Detection.

Event Threat Detection est activé en quelques secondes. Les latences de détection sont généralement inférieures à 15 minutes entre le moment où un journal est écrit et celui où un résultat est disponible dans Security Command Center. Pour en savoir plus sur la latence, consultez la section Présentation de la latence de Security Command Center.

Examiner les résultats dans Security Command Center

Les rôles Security Command Center sont attribués au niveau de l'organisation, du dossier ou du projet. Votre capacité à afficher, modifier, créer ou mettre à jour les résultats, les éléments et les sources de sécurité dépend du niveau pour lequel vous disposez d'un accès. Pour en savoir plus sur les rôles Security Command Center, consultez la page Contrôle des accès.

Pour examiner les résultats de Event Threat Detection dans Security Command Center, procédez comme suit :

Ancienne page de résultats

  1. Accédez à la page Résultats de Security Command Center dans Google Cloud Console.

    Accéder

  2. À côté de Afficher par, cliquez sur Type de source.

  3. Dans la liste Type de source, sélectionnez Event Threat Detection.

  4. Pour afficher des informations détaillées sur un résultat spécifique, cliquez sur le nom de ce résultat sous Catégories. Le panneau de détails du résultat se développe pour afficher des informations, y compris les suivantes :

    • En quoi l'événement a consisté
    • Quand l'événement a eu lieu
    • La source des données de résultat
    • Le niveau de gravité de détection ; par exemple, Élevé
    • Les actions effectuées, telles que l'ajout d'un rôle de gestion de l'authentification et des accès (IAM) à un utilisateur Gmail
    • L'utilisateur qui a effectué l'action, indiqué à côté de properties_principalEmail
  5. Pour afficher tous les résultats issus des actions du même utilisateur, procédez comme suit :

    1. Dans le volet des détails du résultat, copiez l'adresse e-mail à côté de properties_principalEmail.
    2. Fermez le volet des détails du résultat.
    3. Dans la zone Filtre de l'onglet "Résultats", saisissez la requête suivante :
    sourceProperties.properties_principalEmail:"USER_EMAIL"
    

    Remplacez USER_EMAIL par l'adresse e-mail que vous avez copiée précédemment.

    Security Command Center affiche tous les résultats associés aux actions effectuées par l'utilisateur que vous avez spécifié.

Page de résultats (Bêta)

Si vous avez choisi de passer à la version améliorée du workflow de résultats, procédez comme suit :

  1. Dans Google Cloud Console, accédez à la page Résultats de Security Command Center.

    Accéder

  2. Si nécessaire, sélectionnez votre projet ou votre organisation GooglenCloud.

    Sélecteur de projet

  3. Dans la sous-section Nom à afficher pour la source de la section Filtres rapides, sélectionnez Event Threat Detection.

    Les résultats d'Event Threat Detection sont insérés dans la table.

  4. Pour afficher les détails d'un résultat spécifique, cliquez sur le nom du résultat sous Category. Le volet de détails du résultat se développe pour afficher des informations, y compris les suivantes :

    • En quoi l'événement a consisté
    • Quand l'événement a eu lieu
    • La source des données de résultat
    • Le niveau de gravité de détection ; par exemple, Élevé
    • Les actions effectuées, telles que l'ajout d'un rôle de gestion de l'authentification et des accès (IAM) à un utilisateur Gmail
    • L'utilisateur ayant effectué l'action, indiqué à côté de Adresse e-mail principale.
  5. Pour afficher tous les résultats issus des actions du même utilisateur, procédez comme suit :

    1. Dans le volet des détails du résultat, copiez l'adresse e-mail située à côté de Adresse e-mail principale.
    2. Fermez le volet.
    3. Dans le générateur de requêtes, saisissez la requête suivante :
    access.principal_email="USER_EMAIL"
    

    Remplacez USER_EMAIL par l'adresse e-mail que vous avez copiée précédemment.

    Security Command Center affiche tous les résultats associés aux actions effectuées par l'utilisateur que vous avez spécifié.

Afficher les résultats dans Cloud Logging

Pour afficher les résultats de Event Threat Detection dans Cloud Logging, procédez comme suit :

  1. Accédez à l'explorateur de journaux dans la console Google Cloud.

    Accéder à l'explorateur de journaux

  2. Dans le sélecteur de projet en haut de la page, sélectionnez le projet dans lequel vous stockez vos journaux Event Threat Detection.

  3. Cliquez sur l'onglet Générateur de requêtes.

  4. Dans la liste déroulante Ressources, sélectionnez Détecteur de menaces.

    • Pour afficher les résultats de tous les détecteurs, sélectionnez all detector_name.
    • Pour afficher les résultats d'un détecteur spécifique, sélectionnez le nom de ce détecteur.
  5. Cliquez sur Ajouter. La requête apparaît dans la zone de texte du générateur de requêtes.

  6. Vous pouvez également saisir la requête suivante dans la zone de texte :

    resource.type="threat_detector"

  7. Cliquez sur Exécuter la requête (Run Query). La table Résultats de la requête est mise à jour avec les journaux que vous avez sélectionnés.

  8. Pour afficher un journal, cliquez sur une ligne du tableau, puis sur Développer les champs imbriqués.

Vous pouvez créer des requêtes de journaux avancées pour spécifier un ensemble d'entrées de journal à partir d'un nombre quelconque de journaux.

Examiner les résultats dans Chronicle

Vous pouvez utiliser Chronicle pour examiner les résultats Malware: Bad Domain, Malware: Bad IP, Persistence: IAM Anomalous Grant, Brute Force: SSH et Exfiltration: BigQuery Data Exfiltration.

Event Threat Detection s'intègre parfaitement à Chronicle, un service Google Cloud qui vous permet d'examiner les menaces et de parcourir les actions et événements associés selon une chronologie unifiée. Chronicle enrichit les résultats, facilite l'identification des indicateurs d'intérêt et simplifie les enquêtes.

Par exemple, si Event Threat Detection identifie un compte principal ayant attribué une autorisation suspecte à un rôle IAM, vous pouvez utiliser Chronicle pour afficher l'activité de connexion récente de cet utilisateur et vérifier s'il a effectué d'autres modifications suspectes après l'attribution de rôle.

Pour envoyer les résultats compatibles avec Event Threat Detection à Chronicle, procédez comme suit :

  1. Accédez à la page Résultats de Security Command Center dans Google Cloud Console.

    Accéder

  2. À côté de Afficher par, cliquez sur Type de source.

  3. Dans la liste Type de source, sélectionnez Event Threat Detection.

    La table présente les résultats correspondant au type de source que vous avez sélectionné.

  4. Dans le tableau, sous Catégorie, cliquez sur un résultat Malware: Bad Domain, Malware: Bad IP, Persistence: IAM Anomalous Grant, Brute Force: SSH ou Exfiltration: BigQuery Data Exfiltration.

  5. Dans le volet Détails du résultat, cliquez sur Examiner dans Chronicle.

  6. Suivez les instructions de l'interface utilisateur guidée de Chronicle.

Pour apprendre à utiliser Chronicle, consultez la documentation Chronicle qui inclut des guides utiles pour mener des enquêtes :

Vous pouvez également examiner les menaces en examinant des informations supplémentaires. Pour en savoir plus, consultez la page Examiner et contrer les menaces.

Exemples de formats de résultat

Cette section inclut les formats de sortie JSON pour les résultats d'Event Threat Detection tels qu'ils apparaissent lorsque vous créez des exportations à partir du tableau de bord Security Command Center ou exécutez des méthodes de liste dans l'API Security Command Center.

Les exemples de sortie contiennent les champs les plus courants de tous les résultats. Cependant, tous les champs peuvent ne pas apparaître dans tous les résultats. Le résultat réel dépend de la configuration d'une ressource ainsi que du type et de l'état des résultats.

Pour afficher des exemples de résultats, développez un ou plusieurs des nœuds suivants.

Analyse active : Log4j vulnérable à RCE

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "state": "ACTIVE",
    "category": "Active Scan: Log4j Vulnerable to RCE",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_scan_success"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }, {
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1639701222",
            "nanos": 7.22988344E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "scannerDomain": "SCANNER_DOMAIN",
        "sourceIp": "SOURCE_IP_ADDRESS",
        "vpcName": "default"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1210/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-17T00:33:42.722Z",
    "createTime": "2021-12-17T00:33:44.633Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.compute.Instance",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
    }],
    "displayName": "INSTANCE_ID"
  }
}
    

Attaques par force brute SSH

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Brute Force: SSH",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "65"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "projectId": "PROJECT_ID",
          "zone": "us-west1-a",
          "instanceId": "INSTANCE_ID",
          "attempts": [
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "SUCCESS"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            }
          ]
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/003/"
          }
        },
        "detectionCategory": {
          "technique": "brute_force",
          "indicator": "flow_log",
          "ruleName": "ssh_brute_force"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Accès aux identifiants : membre externe ajouté au groupe privilégié

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME",
    "state": "ACTIVE",
    "category": "Credential Access: External Member Added To Privileged Group",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "external_member_added_to_privileged_group"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633622881",
            "nanos": 6.73869E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "externalMemberAddedToPrivilegedGroup": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "externalMember": "user:EXTERNAL_EMAIL",
          "sensitiveRoles": [{
            "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
            "roleName": ["ROLES"]
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": " https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:08:03.888Z",
    "createTime": "2021-10-07T16:08:04.516Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
  }
}
    

Accès aux identifiants : groupe privilégié ouvert au public

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings",
    "state": "ACTIVE",
    "category": "Credential Access: Privileged Group Opened To Public",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "privileged_group_opened_to_public"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1634774534",
            "nanos": 7.12E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "privilegedGroupOpenedToPublic": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "sensitiveRoles": [{
            "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
            "roleName": ["ROLES"]
          }],
          "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": " https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-21T00:02:19.173Z",
    "createTime": "2021-10-21T00:02:20.099Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
  }
}
    

Accès aux identifiants : rôle sensible attribué au groupe hybride

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Credential Access: Sensitive Role Granted To Hybrid Group",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "sensitive_role_to_group_with_external_member"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "sensitiveRoleToHybridGroup": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "bindingDeltas": [{
            "action": "ADD",
            "role": "ROLE",
            "member": "group:GROUP_NAME@ORGANIZATION_NAME"
          }],
          "resourceName": "organizations/ORGANIZATION_ID"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": " https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "type": "google.cloud.resourcemanager.Organization",
    "displayName": "ORGANIZATION_NAME"
  }
}
    

Defense Evasion : Modifier VPC Service Controls

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
    "state": "ACTIVE",
    "category": "Defense Evasion: Modify VPC Service Control",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "modify_auth_process",
        "indicator": "audit_log",
        "ruleName": "vpcsc_changes",
        "subRuleName": "reduce_perimeter_protection"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
        "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS",
        "delta": {
          "restrictedResources": [{
            "resourceName": "PROJECT_NAME",
            "action": "REMOVE"
          }],
          "restrictedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "REMOVE"
          }],
          "allowedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "ADD"
          }],
          "accessLevels": [{
            "policyName": "ACCESS_LEVEL_POLICY",
            "action": "ADD"
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": ""https://attack.mitre.org/techniques/T1556/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "accesscontextmanager.googleapis.com",
      "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter"
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "type": "google.cloud.resourcemanager.Organization",
    "displayName": "RESOURCE_DISPLAY_NAME"
  }
}
    

Découverte : Auto-enquête sur le compte de service

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1619200104",
            "nanos": 9.08E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}
    

Fuite : accès depuis le proxy d'anonymisation

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Evasion: Access from Anonymizing Proxy",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "proxy_access"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "changeFromBadIp": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "ip": "SOURCE_IP_ADDRESS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1090/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "type": "google.cloud.resourcemanager.Organization",
    "displayName": "RESOURCE_DISPLAY_NAME"
  }
}
    

Exfiltration : exfiltration de données BigQuery

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Exfiltration: BigQuery Data Exfiltration",
      "sourceProperties": {
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"
          }
        ],
        "detectionCategory": {
          "technique": "org_exfiltration",
          "indicator": "audit_log",
          "ruleName": "big_query_exfil",
          "subRuleName": "exfil_to_external_table"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          }
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "dataExfiltrationAttempt": {
            "jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults",
            "jobState": "SUCCEEDED",
            "query": "SQL_QUERY",
            "userEmail": "PROJECT_ID@PROJECT_ID.iam.gserviceaccount.com",
            "job": {
              "projectId": "SOURCE_PROJECT_ID",
              "jobId": "JOB_ID",
              "location": "US"
            },
            "sourceTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "SOURCE_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ],
            "destinationTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "DESTINATION_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ]
          }
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Exfiltration : extraction de données BigQuery

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data Extraction",
    "sourceProperties": {
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "detectionCategory": {
        "technique": "storage_bucket_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_cloud_storage"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration Extraction findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": PROJECT_ID,
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
              "collectionType": "GCS_BUCKET",
              "collectionName": "TARGET_GCS_BUCKET_NAME",
              "objectName": "TARGET_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:22:11.359Z",
    "createTime": "2022-03-31T21:22:12.689Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}
    

Exfiltration : données BigQuery vers Google Drive

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data to Google Drive",
    "sourceProperties": {
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "detectionCategory": {
        "technique": "google_drive_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_google_drive"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration to Google Drive findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": PROJECT_ID,
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME",
              "collectionType": "GDRIVE",
              "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER",
              "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:20:18.408Z",
    "createTime": "2022-03-31T21:20:18.715Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
  }
}
    

Exfiltration : exfiltration de données Cloud SQL

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Data Exfiltration",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "technique": "storage_bucket_exfiltration",
          "indicator": "audit_log",
          "ruleName": "cloudsql_exfil",
          "subRuleName": "export_to_public_gcs"
        },
        "detectionPriority": "HIGH",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": PROJECT_ID,
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "properties": {
          "exportToGcs": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
            "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
            "bucketAccess": "PUBLICLY_ACCESSIBLE",
            "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
            "exportScope": "WHOLE_INSTANCE"
          }
        },
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "eventTime": "2021-10-11T16:32:59.828Z",
      "createTime": "2021-10-11T16:33:00.229Z",
      "severity": "HIGH",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
      },
      "access": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP",
        "callerIpGeo": {
        },
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.export"
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }],
      "displayName": "INSTANCE_NAME"
    }
}
    

Exfiltration : restauration de la sauvegarde Cloud SQL dans l'organisation externe

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Restore Backup to External Organization",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "SOURCE_PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "technique": "backup_exfiltration",
          "indicator": "audit_log",
          "ruleName": "cloudsql_exfil",
          "subRuleName": "restore_to_external_instance"
        },
        "detectionPriority": "HIGH",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          },
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "SOURCE_PROJECT_ID",
            "resourceContainer": "projects/SOURCE_PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "properties": {
          "restoreToExternalInstance": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
            "backupId": "BACKUP_ID",
            "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          }
        },
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "eventTime": "2022-01-19T21:36:07.901Z",
      "createTime": "2022-01-19T21:36:08.695Z",
      "severity": "HIGH",
      "workflowState": "NEW",
      "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
      },
      "access": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP",
        "callerIpGeo": {
        },
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.restoreBackup"
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER",
      "projectDisplayName": "SOURCE_PROJECT_ID",
      "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
      "parentDisplayName": "SOURCE_INSTANCE_NAME",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }],
      "displayName": "mysql-backup-restore-instance"
    }
}
    

Logiciel malveillant : domaine malveillant

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad Domain",
      "sourceProperties": {
        "sourceId": {
          "customerOrganizationNumber": "ORGANIZATION_ID",
          "projectNumber": "PROJECT_NUMBER"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1568/"
          },          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal Domain Link",
              "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
            }
          ]
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "domains": [
            "DOMAIN"
          ],
          "network": {
            "location": "REGION",
            "project": "PROJECT_ID"
          },
          "dnsContexts": [
            {
              "authAnswer": true,
              "sourceIp": "IP_ADDRESS",
              "queryName": "DOMAIN",
              "queryType": "AAAA",
              "responseCode": "NOERROR",
              "responseData": [
                {
                  "domainName": "DOMAIN.",
                  "ttl": 299,
                  "responseClass": "IN",
                  "responseType": "AAAA",
                  "responseValue": "IP_ADDRESS"
                }
              ]
            }
          ]
        },
        "detectionPriority": "HIGH",
        "detectionCategory": {
          "technique": "C2",
          "indicator": "domain",
          "subRuleName": "google_intel",
          "ruleName": "bad_domain"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Logiciel malveillant : adresse IP malveillante

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad IP",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "ips": [
            "SOURCE_IP_ADDRESS",
            "DESTINATION_IP_ADDRESS"
          ],
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 6
          },
          "network": {
            "project": "PROJECT_ID",
            "location": "ZONE",
            "subnetworkId": "SUBNETWORK_ID",
            "subnetworkName": "default"
          },
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/tactics/TA0011/"
          },
          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
            },
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
            }
          ]
        },
        "detectionCategory": {
          "technique": "C2",
          "indicator": "ip",
          "ruleName": "bad_ip",
          "subRuleName": "google_intel"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

Logiciel malveillant : domaine malveillant minant de la cryptomonnaie

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "domain",
        "ruleName": "bad_domain",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1636566099",
            "nanos": 5.41483849E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "domains": ["DOMAIN"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE"
        },
        "dnsContexts": [{
          "authAnswer": true,
          "sourceIp": "SOURCE_IP_ADDRESS",
          "queryName": "DOMAIN",
          "queryType": "A",
          "responseCode": "NXDOMAIN"
        }],
        "vpc": {
          "vpcName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [{
          "displayName": "VirusTotal Domain Link",
          "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
        }],
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:41:41.594Z",
    "createTime": "2021-11-10T17:41:42.014Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "domains": ["DOMAIN"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
    

Logiciel malveillant : adresse IP malveillante minant de la cryptomonnaie

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad IP",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "ip",
        "ruleName": "bad_ip",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1636566005",
            "nanos": 9.74622832E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "ips": ["DESTINATION_IP_ADDRESS"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE",
          "subnetworkId": "SUBNETWORK_ID",
          "subnetworkName": "default"
        },
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "destIp": "DESTINATION_IP_ADDRESS",
          "protocol": 1.0
        },
        "indicatorContext": [{
          "ipAddress": "DESTINATION_IP_ADDRESS",
          "countryCode": "FR",
          "reverseDnsDomain": "REVERSE_DNS_DOMAIN",
          "carrierName": "CARRIER_NAME",
          "organizationName": "ORGANIZATION_NAME",
          "asn": "AUTONOMOUS_SYSTEM_NUMBERS"
        }],
        "srcVpc": {
        },
        "destVpc": {
          "projectId": "PROJECT_ID",
          "vpcName": "default",
          "subnetworkName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [{
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
        }],
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:40:38.048Z",
    "createTime": "2021-11-10T17:40:38.472Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "ipAddresses": ["DESTINATION_IP_ADDRESS"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
    

Logiciel malveillant : DoS sortant

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "state": "ACTIVE",
      "category": "Malware: Outgoing DoS",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 17
          }
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1498/"
          }
        },
        "detectionCategory": {
          "technique": "malware",
          "indicator": "flow_log",
          "ruleName": "outgoing_dos"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

Persistance : Octroi anormal d'autorisations IAM

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Persistence: IAM Anomalous Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1611833917",
            "nanos": 8.71508E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "detectionPriority": "HIGH",
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-01-28T11:38:37.871508Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
          "displayName": "Related Anomalous Grant Findings",
          "url": "https://console.cloud.google.com/security/command-center/findings?organizationId\u003dORGANIZATION_ID\u0026pageState\u003d(%22cscc-inventory%22:(%22f%22:%22%255B%257B_22k_22_3A_22sourceProperties.detectionCategory.ruleName_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22iam_anomalous_grant_5C_22_22%257D_2C%257B_22k_22_3A_22_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22%2528sourceProperties.properties.sensitiveRoleGrant.principalEmail_3A_5C_5C_5C_22PRINCIPAL_EMAIL_5C_5C_5C_22%2529_5C_22_22%257D%255D%22))"
        }
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_grant",
        "subRuleName": "external_member_invited_to_policy"
      },
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "properties": {
        "sensitiveRoleGrant": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "members": ["user:USER_EMAIL"]
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-01-28T11:38:41.301Z",
    "createTime": "2021-01-28T11:38:42.198Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "PARENT_NAME"
    }]
  }
}
    

Persistance : Nouvel emplacement géographique

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
    "state": "ACTIVE",
    "category": "Persistence: New Geography",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "ip_geolocation"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "RESOURCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1617994703",
            "nanos": 5.08853E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousLocation": {
          "anomalousLocation": "BE",
          "callerIp": "IP_ADDRESS",
          "principalEmail": "PRINCIPAL_EMAIL",
          "notSeenInLast": "2592000s",
          "typicalGeolocations": [{
            "country": {
              "identifier": "US"
            }
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "RESOURCE_NAME"
  }
}
    

Persistance : Nouvel agent utilisateur

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9",
    "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Persistence: New User Agent",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "user_agent"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1614736482",
            "nanos": 9.76209552E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousSoftware": {
          "anomalousSoftwareClassification": ["USER_AGENT"],
          "behaviorPeriod": "2592000s",
          "callerUserAgent": "USER_AGENT",
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-03-03T01:54:47.681Z",
    "createTime": "2021-03-03T01:54:49.154Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//monitoring.googleapis.com/projects/PROJECT_ID"
  }
}
    

Accès initial : piratage - compte désactivé

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Account Disabled Hijacked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "account_disabled_hijacked"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624034293",
            "nanos": 6.78E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-18T16:38:13.678Z",
    "createTime": "2021-06-18T16:38:16.508Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Accès initial : fuite de mot de passe - désactivé

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Disabled Password Leak",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "disabled_password_leak"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626462896",
            "nanos": 6.81E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-16T19:14:56.681Z",
    "createTime": "2021-07-16T19:15:00.430Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Accès initial : Attaque de personnes malveillantes soutenues par un gouvernement

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Government Based Attack",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "government_based_attack"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624061458",
            "nanos": 7.4E7
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-19T00:10:58.074Z",
    "createTime": "2021-06-19T00:11:01.760Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Accès initial : tentative de compromis Log4j

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Initial Access: Log4j Compromise Attempt",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_compromise_attempt"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1639690492",
            "nanos": 9.13836E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "loadBalancerName": "LOAD_BALANCER_NAME",
        "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1190/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-16T21:34:52.913Z",
    "createTime": "2021-12-16T21:34:55.022Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
    "parentDisplayName": "FOLDER_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
      "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
    }],
    "displayName": "PROJECT_ID"
  }
}

    

Accès initial : connexion suspecte - bloqué

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Suspicious Login Blocked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "suspicious_login"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621637767",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
       "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T22:56:07Z",
    "createTime": "2021-05-27T02:36:07.382Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Défenses diminuées : authentification forte - désactivé

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
    "state": "ACTIVE",
    "category": "Impair Defenses: Strong Authentication Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "enforce_strong_authentication"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1623952110",
            "nanos": 6.51337E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.enforceStrongAuthentication",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
"workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "createTime": "2021-06-17T17:48:33.574Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
  }
}

    

Défenses diminuées : Vérification en deux étapes - désactivé

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Impair Defenses: Two Step Verification Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "two_step_verification_disabled"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626391356",
            "nanos": 5.96E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-15T23:22:36.596Z",
    "createTime": "2021-07-15T23:22:40.079Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Persistance : activer/désactiver l'authentification unique

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Enablement Toggle",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_enablement_toggle"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1622829313",
            "nanos": 3.42104E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.toggleSsoEnabled",
        "ssoState": "ENABLED",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-04T17:55:13.342Z",
    "createTime": "2021-06-04T17:55:15.900Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}
    

Persistance: script de démarrage ajouté par l'administrateur GCE

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added Startup Script",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin"
        "subRuleName": "instance_add_startup_script"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT",
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
  }
}
    

Persistance: clé SSH ajoutée par l'administrateur GCE

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added SSH Key",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin"
        "subRuleName": "instance_add_ssh_key"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT",
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
  }
}
    

Persistance : paramètres SSO modifiés

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Settings Changed",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_settings_changed"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.changeSsoSettings",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T19:08:29.373Z",
    "createTime": "2021-05-27T11:36:24.429Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}
    

Étapes suivantes