Esta página mostra como revisar as descobertas do Event Threat Detection no console do Google Cloud e inclui exemplos dessas descobertas.
O Event Threat Detection é um serviço integrado para o nível Premium do Security Command Center que monitora os streams de geração de registros do Cloud Logging para sua organização ou projetos e detecta ameaças quase em tempo real. Se você ativar o nível Premium do Security Command Center no nível da organização, o Event Threat Detection também poderá monitorar os fluxos de geração de registros do Google Workspace da organização. Para saber mais, consulte Visão geral do Event Threat Detection.
Como revisar descobertas
Para ver as descobertas do Event Threat Detection, o serviço precisa estar ativado nas configurações Serviços do Security Command Center. Depois que você ativa o Event Threat Detection, ele detecta as descobertas verificando os registros específicos. Alguns dos registros que o Event Threat Detection pode verificar estão desativados por padrão. Talvez seja necessário ativá-los.
Para mais informações sobre as regras de detecção integradas que o Event Threat Detection usa e os registros que ele verifica, consulte os seguintes tópicos.
Você pode ver as descobertas do Event Threat Detection no Security Command Center. Se você configurou Exportações contínuas para gravar registros, também será possível ver as descobertas no Cloud Logging. As exportações contínuas para o Cloud Logging só ficam disponíveis quando o nível Premium do Security Command Center é ativado no nível da organização. Para gerar uma descoberta e verificar a configuração, você pode acionar intencionalmente um detector e testar o Event Threat Detection.
A ativação do Event Threat Detection ocorre em segundos. As latências de detecção geralmente são menores que 15 minutos a partir do momento em que um registro é gravado até o momento em que uma descoberta está disponível no Security Command Center. Para mais informações sobre latência, leia Visão geral da latência do Security Command Center.
Como analisar as descobertas no Security Command Center
Os papéis do IAM para o Security Command Center podem ser concedidos no nível da organização, da pasta ou do projeto. A capacidade de ver, editar, criar ou atualizar descobertas, recursos e fontes de segurança depende do nível a que você tem acesso. Para saber mais sobre os papéis do Security Command Center, consulte Controle de acesso.
Use o procedimento a seguir para analisar as descobertas no console do Google Cloud:
No console do Google Cloud, acesse a página Descobertas do Security Command Center.
Se necessário, selecione o projeto ou a organização do Google Cloud.
Na seção Filtros rápidos, na subseção Nome de exibição da origem, selecione uma das opções a seguir ou ambas:
- Event Threat Detection: para filtrar descobertas geradas por detectores integrados de Event Threat Detection
- Módulos personalizados de detecção de ameaças do evento: para filtrar descobertas geradas por módulos personalizados do Event Threat Detection
A tabela é preenchida com descobertas do Event Threat Detection.
Para ver detalhes sobre uma descoberta específica, clique no nome da descoberta em
Category
. O Painel de detalhes da descoberta é expandido para mostrar informações, incluindo:- Quando o evento ocorreu
- A fonte dos dados de descoberta
- A gravidade de detecção, por exemplo, Alta
- As ações realizadas, como adicionar um papel de Gerenciamento de identidade e acesso (IAM, na sigla em inglês) a um usuário do Gmail.
- O usuário que realizou a ação, listado ao lado de E-mail principal
Para exibir todas as descobertas causadas pelas ações do mesmo usuário:
- No Painel de detalhes da descoberta, copie o endereço de e-mail ao lado de E-mail principal.
- Fechar painel.
No editor de consultas, insira a seguinte consulta:
access.principal_email="USER_EMAIL"
Substitua USER_EMAIL pelo endereço de e-mail que você copiou anteriormente.
O Security Command Center exibe todas as descobertas associadas a ações realizadas pelo usuário que você especificou.
Como visualizar descobertas no Cloud Logging
Se você configurar Exportações contínuas para gravar registros, é possível conferir as descobertas do Event Threat Detection no Cloud Logging. Esse recurso só fica disponível se o nível Premium do Security Command Center Premium for ativado no nível da organização.
Para visualizar as descobertas do Event Threat Detection no Cloud Logging:
Acesse o Explorador de registros no console do Google Cloud.
Selecione o projeto do Google Cloud ou outro recurso do Google Cloud em que você está armazenando os registros do Event Threat Detection.
Use o painel Consulta para criar a consulta de uma das seguintes maneiras:
- Na lista Todos os recursos, faça o seguinte:
- Selecione Detector de Ameaças para mostrar uma lista de todos os detectores.
- Para ver as descobertas de todos os detectores, selecione all detector_name. Para ver as descobertas de um detector específico, selecione o nome dele.
- Clique em Aplicar. A tabela Resultados da consulta é atualizada com os registros selecionados por você.
Insira a consulta a seguir no editor de consultas e clique em Executar consulta:
resource.type="threat_detector"
A tabela Resultados da consulta é atualizada com os registros selecionados.
- Na lista Todos os recursos, faça o seguinte:
Para visualizar um registro, selecione uma linha da tabela e clique em Expandir campos aninhados.
É possível criar consultas de registro avançadas para especificar um conjunto de entradas de registro a partir de qualquer número de registros.
Exemplos de formatos de descoberta
Esta seção inclui os formatos de saída JSON para descobertas do Event Threat Detection conforme aparecem quando você cria exportações a partir do Console do Google Cloud ou executa métodos de lista na API Security Command Center.
Os exemplos de saída contêm os campos mais comuns a todas as descobertas. No entanto, é possível que nem todos os campos apareçam em todas as descobertas. A saída real que você vê depende da configuração de um recurso e do tipo e do estado das descobertas.
Para ver exemplos de descobertas, expanda um ou mais dos seguintes nós.
Verificação ativa: Log4j vulnerável a RCE
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "state": "ACTIVE", "category": "Active Scan: Log4j Vulnerable to RCE", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "log4j_scan_success" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1639701222", "nanos": 7.22988344E8 }, "insertId": "INSERT_ID" } }], "properties": { "scannerDomain": "SCANNER_DOMAIN", "sourceIp": "SOURCE_IP_ADDRESS", "vpcName": "default" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1210/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-12-17T00:33:42.722Z", "createTime": "2021-12-17T00:33:44.633Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.compute.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME" }], "displayName": "INSTANCE_ID" } }
Força bruta: SSH
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Brute Force: SSH", "sourceProperties": { "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "65" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "projectId": "PROJECT_ID", "zone": "us-west1-a", "instanceId": "INSTANCE_ID", "attempts": [ { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "SUCCESS" }, { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL" }, { "sourceIp": "SOURCE_IP_ADDRESS", "username": "PROJECT_ID", "vmName": "INSTANCE_ID", "authResult": "FAIL" } ] }, "detectionPriority": "HIGH", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/003/" } }, "detectionCategory": { "technique": "brute_force", "indicator": "flow_log", "ruleName": "ssh_brute_force" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ] }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Acesso às credenciais: participante externo adicionado ao grupo privilegiado
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME", "state": "ACTIVE", "category": "Credential Access: External Member Added To Privileged Group", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "external_member_added_to_privileged_group" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1633622881", "nanos": 6.73869E8 }, "insertId": "INSERT_ID" } }], "properties": { "externalMemberAddedToPrivilegedGroup": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "externalMember": "user:EXTERNAL_EMAIL", "sensitiveRoles": [{ "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "roleName": ["ROLES"] }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": " https://attack.mitre.org/techniques/T1078" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:08:03.888Z", "createTime": "2021-10-07T16:08:04.516Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" } }
Acesso às credenciais: grupo privilegiado aberto para público
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings", "state": "ACTIVE", "category": "Credential Access: Privileged Group Opened To Public", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "privileged_group_opened_to_public" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1634774534", "nanos": 7.12E8 }, "insertId": "INSERT_ID" } }], "properties": { "privilegedGroupOpenedToPublic": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "sensitiveRoles": [{ "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "roleName": ["ROLES"] }], "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": " https://attack.mitre.org/techniques/T1078" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-21T00:02:19.173Z", "createTime": "2021-10-21T00:02:20.099Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings" } }
Acesso às credenciais: papel confidencial concedido ao grupo híbrido
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", }, "assetDisplayName": "PROJECT_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Credential Access: Sensitive Role Granted To Hybrid Group", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-12-22T00:31:58.242Z", "database": {}, "eventTime": "2022-12-22T00:31:58.151Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "roles/iam.securityAdmin", "member": "group:GROUP_NAME@ORGANIZATION_NAME", } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_ID", "type": "google.cloud.resourcemanager.Project", "folders": [ { "resourceFolderDisplayName": "FOLDER_ID", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "sensitive_role_to_group_with_external_member" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1671669114", "nanos": 715318000 }, "insertId": "INSERT_ID" } } ], "properties": { "sensitiveRoleToHybridGroup": { "principalEmail": "PRINCIPAL_EMAIL", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "bindingDeltas": [ { "action": "ADD", "role": "roles/iam.securityAdmin", "member": "group:GROUP_NAME@ORGANIZATION_NAME", } ], "resourceName": "projects/PROJECT_ID" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } } }
Evasão de defesa: implantação forçada da carga de trabalho criada
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Breakglass Workload Deployment Created", "cloudDlpInspection": {}, "containers": [ { "name": "test-container", "uri": "test-image" } ], "createTime": "2023-03-24T17:38:45.756Z", "database": {}, "eventTime": "2023-03-24T17:38:45.709Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd, "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "ns": "NAMESPACE", "name": "POD_NAME", "labels": [ { "name": "image-policy.k8s.io/break-glass", "value": "true" } ], "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "ABUSE_ELEVATION_CONTROL_MECHANISM" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "display_name": "default", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "parent_display_name": "CLUSTER_NAME", "type": "k8s.io.Namespace", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1548/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "binary_authorization_breakglass_workload", "subRuleName": "create" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1679679521", "nanos": 141571000 }, "insertId": "INSERT_ID" } } ] } }
Evasão de defesa: implantação forçada da carga de trabalho atualizada
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.update" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Breakglass Workload Deployment Updated", "cloudDlpInspection": {}, "containers": [ { "name": "test-container", "uri": "test-image" } ], "createTime": "2023-03-24T17:38:45.756Z", "database": {}, "eventTime": "2023-03-24T17:38:45.709Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd, "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "ns": "NAMESPACE", "name": "POD_NAME", "labels": [ { "name": "image-policy.k8s.io/break-glass", "value": "true" } ], "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "ABUSE_ELEVATION_CONTROL_MECHANISM" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE", "display_name": "default", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "parent_display_name": "CLUSTER_NAME", "type": "k8s.io.Namespace", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1548/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "binary_authorization_breakglass_workload", "subRuleName": "update" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1679679521", "nanos": 141571000 }, "insertId": "INSERT_ID" } } ] } }
Evasão de defesa: modificar o VPC Service Control
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER", "state": "ACTIVE", "category": "Defense Evasion: Modify VPC Service Control", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "modify_auth_process", "indicator": "audit_log", "ruleName": "vpcsc_changes", "subRuleName": "reduce_perimeter_protection" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1633625631", "nanos": 1.78978E8 }, "insertId": "INSERT_ID" } }], "properties": { "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER", "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS", "delta": { "restrictedResources": [{ "resourceName": "PROJECT_NAME", "action": "REMOVE" }], "restrictedServices": [{ "serviceName": "SERVICE_NAME", "action": "REMOVE" }], "allowedServices": [{ "serviceName": "SERVICE_NAME", "action": "ADD" }], "accessLevels": [{ "policyName": "ACCESS_LEVEL_POLICY", "action": "ADD" }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": ""https://attack.mitre.org/techniques/T1556/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:53:53.875Z", "createTime": "2021-10-07T16:53:54.411Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": {}, "serviceName": "accesscontextmanager.googleapis.com", "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter" } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "type": "google.cloud.resourcemanager.Organization", "displayName": "RESOURCE_DISPLAY_NAME" } }
Descoberta: pode receber verificações confidenciais de objetos do Kubernetes
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f", "category": "Discovery: Can get sensitive Kubernetes object check", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T01:39:42.957Z", "database": {}, "eventTime": "2022-10-08T01:39:40.632Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "accessReviews": [ { "name": "secrets-1665218000", "resource": "secrets", "verb": "get" } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "can_get_sensitive_object" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665193180", "nanos": 632000000 }, "insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf" } } ], "properties": {}, "findingId": "03f466dc25a8496693b7482304fb2e7f", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0007/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Descoberta: autoinvestigação da conta de serviço
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Discovery: Service Account Self-Investigation", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "discovery", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "service_account_gets_own_iam_policy" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1619200104", "nanos": 9.08E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceAccountGetsOwnIamPolicy": { "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com", "projectId": "PROJECT_ID", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "rawUserAgent": "RAW_USER_AGENT" } }, "contextUris": { "mitreUri": { "displayName": "Permission Groups Discovery: Cloud Groups", "url": "https://attack.mitre.org/techniques/T1069/003/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-23T17:48:24.908Z", "createTime": "2021-04-23T17:48:26.922Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "ORGANIZATION_NAME", "type": "google.cloud.resourcemanager.Project" } }
Evasão: acesso de proxy de anonimização
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Evasion: Access from Anonymizing Proxy", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "proxy_access" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1633625631", "nanos": 1.78978E8 }, "insertId": "INSERT_ID" } }], "properties": { "changeFromBadIp": { "principalEmail": "PRINCIPAL_EMAIL", "ip": "SOURCE_IP_ADDRESS" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1090/003/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-07T16:53:53.875Z", "createTime": "2021-10-07T16:53:54.411Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Exfiltração: exfiltração de dados do BigQuery
Essa descoberta pode incluir uma destas duas subregras:
exfil_to_external_table
, com uma gravidade deHIGH
.vpc_perimeter_violation
, com uma gravidade deLOW
.
O exemplo a seguir mostra o JSON da subregra exfil_to_external_table
.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Exfiltration: BigQuery Data Exfiltration", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "2023-05-30T15:49:59.709Z", "database": {}, "eventTime": "2023-05-30T15:49:59.432Z", "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID" } ] }, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": [ "EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "parent_display_name": "FOLDER_NAME", "type": "google.cloud.resourcemanager.Project", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID", "resourceFolderDisplayName": "FOLDER_NAME" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "org_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1685461795", "nanos": 341527000 }, "insertId": "INSERT_ID" } } ], "properties": { "dataExfiltrationAttempt": { "jobState": "SUCCEEDED", "jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults", "job": { "projectId": "PROJECT_ID", "jobId": "BIGQUERY_JOB_ID", "location": "BIGQUERY_JOB_LOCATION" }, "query": "QUERY", "sourceTables": [ { "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table", "projectId": "PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID" } ], "destinationTables": [ { "resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table", "projectId": "TARGET_PROJECT_ID", "datasetId": "TARGET_DATASET_ID", "tableId": "TARGET_TABLE_ID" } ], "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com" }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Exfiltração: extração de dados do BigQuery
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data Extraction", "sourceProperties": { "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "detectionCategory": { "technique": "storage_bucket_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_cloud_storage" }, "detectionPriority": "LOW", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related BigQuery Exfiltration Extraction findings", "url": "RELATED_FINDINGS_LINK" } }, "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "extractionAttempt": { "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults", "job": { "projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US" }, "sourceTable": { "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID", "resourceUri": "FULL_URI" }, "destinations": [ { "originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME", "collectionType": "GCS_BUCKET", "collectionName": "TARGET_GCS_BUCKET_NAME", "objectName": "TARGET_FILE_NAME" } ] }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-03-31T21:22:11.359Z", "createTime": "2022-03-31T21:22:12.689Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "TARGET_GCS_URI" } ] } }, "resource": { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID", "parentDisplayName": "PROJECT_ID:DATASET_ID", "type": "google.cloud.bigquery.Table", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID" } }
Exfiltração: dados do BigQuery para o Google Drive
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "state": "ACTIVE", "category": "Exfiltration: BigQuery Data to Google Drive", "sourceProperties": { "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "detectionCategory": { "technique": "google_drive_exfiltration", "indicator": "audit_log", "ruleName": "big_query_exfil", "subRuleName": "exfil_to_google_drive" }, "detectionPriority": "LOW", "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related BigQuery Exfiltration to Google Drive findings", "url": "RELATED_FINDINGS_LINK" } }, "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "extractionAttempt": { "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults", "job": { "projectId": "SOURCE_PROJECT_ID", "jobId": "JOB_ID", "location": "US" }, "sourceTable": { "projectId": "DESTINATION_PROJECT_ID", "datasetId": "DATASET_ID", "tableId": "TABLE_ID", "resourceUri": "FULL_URI" }, "destinations": [ { "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME", "collectionType": "GDRIVE", "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER", "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME" } ] }, "principalEmail": "PRINCIPAL_EMAIL" }, "findingId": "FINDING_ID" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-03-31T21:20:18.408Z", "createTime": "2022-03-31T21:20:18.715Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob" }, "exfiltration": { "sources": [ { "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID" } ], "targets": [ { "name": "TARGET_GOOGLE_DRIVE_URI" } ] } }, "resource": { "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID", "parentDisplayName": "PROJECT_ID:DATASET_ID", "type": "google.cloud.bigquery.Table", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID" } }
Exfiltração: exfiltração de dados do CloudSQL
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Data Exfiltration", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "storage_bucket_exfiltration", "indicator": "audit_log", "ruleName": "cloudsql_exfil", "subRuleName": "export_to_public_gcs" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": PROJECT_ID, "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "exportToGcs": { "principalEmail": "PRINCIPAL_EMAIL", "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME", "bucketAccess": "PUBLICLY_ACCESSIBLE", "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME", "exportScope": "WHOLE_INSTANCE" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-10-11T16:32:59.828Z", "createTime": "2021-10-11T16:33:00.229Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.export" }, "exfiltration": { "sources": [ { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "components": [] } ], "targets": [ { "name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME", "components": [ "TARGET_FILE_NAME" ] } ] }, }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NAME" }], "displayName": "INSTANCE_NAME" } }
Exfiltração: backup de restauração do Cloud SQL para organização externa
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Restore Backup to External Organization", "sourceProperties": { "sourceId": { "projectNumber": "SOURCE_PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "backup_exfiltration", "indicator": "audit_log", "ruleName": "cloudsql_exfil", "subRuleName": "restore_to_external_instance" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" }, ], "evidence": [{ "sourceLogId": { "projectId": "SOURCE_PROJECT_ID", "resourceContainer": "projects/SOURCE_PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "restoreToExternalInstance": { "principalEmail": "PRINCIPAL_EMAIL", "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME", "backupId": "BACKUP_ID", "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"] }, "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP", "callerIpGeo": { }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.restoreBackup" }, "exfiltration": { "sources": [ { "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME" } ], "targets": [ { "name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME" } ] } }, "resource": { "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER", "projectDisplayName": "SOURCE_PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME", "parentDisplayName": "SOURCE_INSTANCE_NAME", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "mysql-backup-restore-instance" } }
Exfiltração: concessão privilegiada demais do Cloud SQL
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Exfiltration: CloudSQL Over-Privileged Grant", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloudsql_exfil", "subRuleName": "user_granted_all_permissions" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "EXFILTRATION", "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", "grantees": [GRANTEE], }, "access": { "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.query" } }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "INSTANCE_NAME" } }
Malware: domínio inválido
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Bad Domain", "sourceProperties": { "sourceId": { "customerOrganizationNumber": "ORGANIZATION_ID", "projectNumber": "PROJECT_NUMBER" }, "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1568/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal Domain Link", "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection" } ] }, "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "0" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "domains": [ "DOMAIN" ], "network": { "location": "REGION", "project": "PROJECT_ID" }, "dnsContexts": [ { "authAnswer": true, "sourceIp": "IP_ADDRESS", "queryName": "DOMAIN", "queryType": "AAAA", "responseCode": "NOERROR", "responseData": [ { "domainName": "DOMAIN.", "ttl": 299, "responseClass": "IN", "responseType": "AAAA", "responseValue": "IP_ADDRESS" } ] } ] }, "detectionPriority": "HIGH", "detectionCategory": { "technique": "C2", "indicator": "domain", "subRuleName": "google_intel", "ruleName": "bad_domain" } }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Malware: IP inválido
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Bad IP", "sourceProperties": { "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "timestamp": { "nanos": 0.0, "seconds": "0" }, "insertId": "INSERT_ID", "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "ips": [ "SOURCE_IP_ADDRESS", "DESTINATION_IP_ADDRESS" ], "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "srcPort": SOURCE_PORT, "destIp": "DESTINATION_IP_ADDRESS", "destPort": DESTINATION_PORT, "protocol": 6 }, "network": { "project": "PROJECT_ID", "location": "ZONE", "subnetworkId": "SUBNETWORK_ID", "subnetworkName": "default" }, "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" }, "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0011/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection" }, { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection" } ] }, "detectionCategory": { "technique": "C2", "indicator": "ip", "ruleName": "bad_ip", "subRuleName": "google_intel" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ] }, "severity": "LOW", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Malware: domínio inválido de criptomineração
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Cryptomining Bad Domain", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "cryptomining", "indicator": "domain", "ruleName": "bad_domain", "subRuleName": "cryptomining" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1636566099", "nanos": 5.41483849E8 }, "insertId": "INSERT_ID" } }], "properties": { "domains": ["DOMAIN"], "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "network": { "project": "PROJECT_ID", "location": "ZONE" }, "dnsContexts": [{ "authAnswer": true, "sourceIp": "SOURCE_IP_ADDRESS", "queryName": "DOMAIN", "queryType": "A", "responseCode": "NXDOMAIN" }], "vpc": { "vpcName": "default" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "virustotalIndicatorQueryUri": [{ "displayName": "VirusTotal Domain Link", "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection" }], "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-11-10T17:41:41.594Z", "createTime": "2021-11-10T17:41:42.014Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "indicator": { "domains": ["DOMAIN"] } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Malware: IP inválido de criptomineração
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Malware: Cryptomining Bad IP", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "cryptomining", "indicator": "ip", "ruleName": "bad_ip", "subRuleName": "cryptomining" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1636566005", "nanos": 9.74622832E8 }, "insertId": "INSERT_ID" } }], "properties": { "ips": ["DESTINATION_IP_ADDRESS"], "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "network": { "project": "PROJECT_ID", "location": "ZONE", "subnetworkId": "SUBNETWORK_ID", "subnetworkName": "default" }, "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "destIp": "DESTINATION_IP_ADDRESS", "protocol": 1.0 }, "indicatorContext": [{ "ipAddress": "DESTINATION_IP_ADDRESS", "countryCode": "FR", "reverseDnsDomain": "REVERSE_DNS_DOMAIN", "carrierName": "CARRIER_NAME", "organizationName": "ORGANIZATION_NAME", "asn": "AUTONOMOUS_SYSTEM_NUMBERS" }], "srcVpc": { }, "destVpc": { "projectId": "PROJECT_ID", "vpcName": "default", "subnetworkName": "default" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "virustotalIndicatorQueryUri": [{ "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection" }], "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-11-10T17:40:38.048Z", "createTime": "2021-11-10T17:40:38.472Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT", "indicator": { "ipAddresses": ["DESTINATION_IP_ADDRESS"] } }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parentDisplayName": "PARENT_NAME", "type": "google.cloud.resourcemanager.Project", "displayName": "PROJECT_ID" } }
Malware: DoS de saída
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Malware: Outgoing DoS", "sourceProperties": { "evidence": [ { "sourceLogId": { "timestamp": { "nanos": 0.0, "seconds": "0" }, "resourceContainer": "projects/PROJECT_ID" } } ], "properties": { "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "ipConnection": { "srcIp": "SOURCE_IP_ADDRESS", "srcPort": SOURCE_PORT, "destIp": "DESTINATION_IP_ADDRESS", "destPort": DESTINATION_PORT, "protocol": 17 } }, "detectionPriority": "HIGH", "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1498/" } }, "detectionCategory": { "technique": "malware", "indicator": "flow_log", "ruleName": "outgoing_dos" } }, "severity": "HIGH", "eventTime": "1970-01-01T00:00:00Z", "createTime": "1970-01-01T00:00:00Z" } }
Persistência: concessão anômala de IAM
A descoberta de IAM Anomalous Grant
é única porque inclui
subregras que fornecem informações mais específicas sobre cada instância
dessa descoberta. A classificação de gravidade dessa descoberta depende da subregra, e cada subregra pode exigir uma resposta diferente.
A lista a seguir mostra todas as subregras possíveis e as gravidades delas:
external_service_account_added_to_policy
:HIGH
HIGH
, se um papel altamente confidencial tiver sido concedido ou um papel de confidencialidade média for concedido no nível da organização. Para mais informações, consulte Papéis altamente confidenciais.MEDIUM
, se um papel de confidencialidade média for concedido. Para mais informações, consulte Papéis de confidencialidade média.external_member_invited_to_policy
:HIGH
external_member_added_to_policy
:HIGH
, se um papel altamente confidencial tiver sido concedido ou um papel de confidencialidade média for concedido no nível da organização. Para mais informações, consulte Papéis altamente confidenciais.MEDIUM
, se um papel de confidencialidade média for concedido. Para mais informações, consulte Papéis de confidencialidade média.
custom_role_given_sensitive_permissions
:MEDIUM
service_account_granted_sensitive_role_to_member
:HIGH
policy_modified_by_default_compute_service_account
:HIGH
Os campos JSON que uma descoberta inclui podem variar de uma categoria de descobertas para outra. Por exemplo, o JSON a seguir inclui campos para uma conta de segurança. Se uma categoria de descoberta não estiver relacionada a uma conta de serviço, esses campos não serão incluídos no JSON.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: IAM Anomalous Grant", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "IAM_ROLE", "member": "serviceAccount:ACCOUNT_NAME" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "RESOURCE_FULL_NAME", "severity": "SEVERITY_CLASSIFICATION", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_FULL_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//RESOURCE/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "RESOURCE_PARENT_NAME", "parent_display_name": "PARENT_DISPLAY_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_grant", "subRuleName": "TYPE_OF_ANOMALOUS_GRANT" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": { "sensitiveRoleGrant": { "principalEmail": "PRINCIPAL_EMAIL", "bindingDeltas": [ { "action": "ADD", "role": "roles/GRANTED_ROLE", "member": "serviceAccount:SERVICE_ACCOUNT_NAME", } ], "members": [ "serviceAccount:SERVICE_ACCOUNT_NAME" ] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": { "displayName": "Related Anomalous Grant Findings", "url": "LINK_TO_RELATED_FINDING" } } } }
Persistência: papel de representação concedido a uma conta de serviço inativa
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.SetIAMPolicy" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: Impersonation Role Granted for Dormant Service Account", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "roles/iam.serviceAccountTokenCreator", "member": "IAM_Account_Who_Received_Impersonation_Role" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.iam.ServiceAccount", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "impersonation_role_granted_over_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ] } } }
Persistência: novo método de API
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: New API Method", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "anomalous_behavior", "subRuleName": "new_api_method" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "newApiMethod": { "newApiMethod": { "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "resourceContainer": "projects/PROJECT_NUMBER" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Persistência: nova região geográfica
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h", "state": "ACTIVE", "category": "Persistence: New Geography", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "ip_geolocation" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "RESOURCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1617994703", "nanos": 5.08853E8 }, "insertId": "INSERT_ID" } }], "properties": { "anomalousLocation": { "anomalousLocation": "BE", "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "notSeenInLast": "2592000s", "typicalGeolocations": [{ "country": { "identifier": "US" } }] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T18:59:43.860Z", "createTime": "2021-04-09T18:59:44.440Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "RESOURCE_NAME" } }
Persistência: novo user agent
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9", "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID", "state": "ACTIVE", "category": "Persistence: New User Agent", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "iam_anomalous_behavior", "subRuleName": "user_agent" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1614736482", "nanos": 9.76209552E8 }, "insertId": "INSERT_ID" } }], "properties": { "anomalousSoftware": { "anomalousSoftwareClassification": ["USER_AGENT"], "behaviorPeriod": "2592000s", "callerUserAgent": "USER_AGENT", "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com" } }, "findingId": "FINDING_ID", "contextUris": { "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-03-03T01:54:47.681Z", "createTime": "2021-03-03T01:54:49.154Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//monitoring.googleapis.com/projects/PROJECT_ID" } }
Escalonamento de privilégios: papel confidencial concedido a conta de serviço inativa
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_3" }, { "email": "EMAIL_ADDRESS_4 } ] } }, "createTime": "CREATE_TIMESTAMP", "database": {}, "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "iamBindings": [ { "action": "ADD", "role": "SENSITIVE_IAM_ROLE", "member": "serviceAccount:DORMANT_SERVICE_ACCOUNT" } ], "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "RESOURCE_FULL_NAME", "severity": "SEVERITY_CLASSIFICATION", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_FULL_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//RESOURCE/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "RESOURCE_PARENT_NAME", "parent_display_name": "PARENT_DISPLAY_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME", "resourceFolder": "RESOURCE_FOLDER_ID" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_role_added_to_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1678897327", "nanos": 26483000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ] } } }
Encaminhamento de privilégio: mudanças em objetos confidenciais do RBAC do Kubernetes
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a", "category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-07T07:42:36.536Z", "database": {}, "eventTime": "2022-10-07T07:42:06.044Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "bindings": [ { "name": "cluster-admin", "role": { "kind": "CLUSTER_ROLE", "name": "cluster-admin" }, "subjects": [ { "kind": "USER", "name": "testUser-1665153212" } ] } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "edit_sensitive_rbac_object" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665128526", "nanos": 44146000 }, "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a" } } ], "properties": {}, "findingId": "05b52fe8267d44bdb33c89367f0dd11a", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Encaminhamento de privilégio: crie uma CSR do Kubernetes para o certificado mestre
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.certificates.v1.certificatesigningrequests.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c", "category": "Privilege Escalation: Create Kubernetes CSR for master cert", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T14:38:12.501Z", "database": {}, "eventTime": "2022-10-08T14:37:46.944Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "csr_for_master_cert" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665239866", "nanos": 944045000 }, "insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101" } } ], "properties": {}, "findingId": "0562169c2e3b44879030a7369dbf839c", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalonamento de privilégios: criação de vinculações confidenciais do Kubernetes
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295", "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-11T09:29:44.425Z", "database": {}, "eventTime": "2022-10-11T09:29:26.309Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "bindings": [ { "name": "cluster-admin", "role": { "kind": "CLUSTER_ROLE", "name": "cluster-admin" } } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "create_sensitive_binding" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665480566", "nanos": 309136000 }, "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321" } } ], "properties": {}, "findingId": "02dcbf565d9d4972a126ac3c38fd4295", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalonamento de privilégios: receba a CSR do Kubernetes com credenciais de bootstrap comprometidas
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.certificates.v1.certificatesigningrequests.list" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43", "category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-12T12:28:11.480Z", "database": {}, "eventTime": "2022-10-12T12:28:08.597Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "get_csr_with_compromised_bootstrap_credentials" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665577688", "nanos": 597107000 }, "insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993" } } ], "properties": {}, "findingId": "025e0ba774da4d678883257cd125fc43", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalonamento de privilégios: lançamento do contêiner com privilégios do Kubernetes
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.create" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da", "category": "Privilege Escalation: Launch of privileged Kubernetes container", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2022-10-08T21:43:41.145Z", "database": {}, "eventTime": "2022-10-08T21:43:09.188Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kubernetes": { "pods": [ { "ns": "default", "name": "POD_NAME", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI" } ] } ] }, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME", "display_name": "CLUSTER_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "gke_control_plane", "subRuleName": "launch_privileged_container" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1665265389", "nanos": 188357000 }, "insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c" } } ], "properties": {}, "findingId": "04206668443b45078d5b51c908ad87da", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Escalonamento de privilégios: falsificação de identidade anômala de conta de serviço para atividade de administrador
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Escalonamento de privilégios: delegação anômala de conta de serviço em várias etapas para atividade de administrador
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_multistep_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Escalonamento de privilégios: delegação anômala de conta de serviço em várias etapas para acesso aos dados
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_multistep_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Escalonamento de privilégios: falsificador de identidade anômalo de conta de serviço para atividade de administrador
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_admin_activity" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Escalonamento de privilégios: falsificador de identidade anômalo de conta de serviço para acesso aos dados
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list", "serviceAccountDelegationInfo": [ { "principalEmail": "PRINCIPAL_EMAIL" }, { "principalEmail": "PRINCIPAL_EMAIL" } ] }, "assetDisplayName": "PROJECT_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access", "cloudDlpInspection": {}, "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-02-09T03:26:04.611Z", "database": {}, "eventTime": "2023-02-09T03:26:05.403Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "ORGANIZATION", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "anomalous_sa_delegation_impersonator_data_access" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//storage.googleapis.com/" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1675913160", "nanos": 929341814 }, "insertId": "o5ii7hddddd" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" } } } }
Inibir recuperação do sistema: host de backup e DR do Google Cloud excluído
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteHost", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Deleted Google Cloud Backup and DR host", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_hosts_delete_host" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ] } } }
Destruição de dados: imagem de expiração de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "expireBackup", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "policies": [ "POLICY_NAME" ], "profile": "PROFILE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Data Destruction: Google Cloud Backup and DR expire image", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_expire_image" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.", "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "policies": [ "POLICY_NAME" ], "profile": "PROFILE_NAME" } } }
Inibir recuperação do sistema: plano de remoção de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSla", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "applications": [ "HOST_NAME" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_remove_plan" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.", "backupDisasterRecovery": { "applications": [ "HOST_NAME" ] } } }
Destruição de dados: expiração de todas as imagens de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": {}, "serviceName": "backupdr.googleapis.com", "methodName": "expireBackups", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Data Destruction: Google Cloud Backup and DR expire all images", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_expire_images_all" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups." } }
Inibir recuperação do sistema: modelo de exclusão de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSlt", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete template", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_template" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.", "backupDisasterRecovery": { "backupTemplate": "TEMPLATE_NAME" } } }
Inibir recuperação do sistema: política de exclusão de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deletePolicy", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "policies": [ "DeleteMe" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete policy", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.", "backupDisasterRecovery": { "policies": [ "POLICY_NAME" ] } } }
Inibir recuperação do sistema: exclusão de perfil de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteSlp", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "profile": "PROFILE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete profile", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_template_delete_profile" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.", "backupDisasterRecovery": { "profile": "PROFILE_NAME" } } }
Destruição de dados: remoção de dispositivo de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteCluster", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "appliance": "APPLIANCE_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Data Destruction: Google Cloud Backup and DR remove appliance", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_appliances_remove_appliance" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.", "backupDisasterRecovery": { "appliance": "APPLIANCE_NAME" } } }
Inibir recuperação do sistema: pool de armazenamento de exclusão de backup e DR do Google Cloud
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteDiskPool", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "storagePool": "STORAGE_POOL_NAME", "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Inhibit System Recovery: Google Cloud Backup and DR delete storage pool", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_storage_pools_delete" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.", "backupDisasterRecovery": { "storagePool": "STORAGE_POOL_NAME" } } }
Impacto: o Backup e DR do Google Cloud reduziram a frequência de backup
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "updatePolicy", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR reduced backup frequency", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "The backup schedule has been modified to reduce backup frequency.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_reduce_backup_frequency" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "The backup schedule has been modified to reduce backup frequency.", } }
Impacto: o Backup e DR do Google Cloud reduziram a expiração do tempo de backup
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "updateBackup", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Google Cloud Backup and DR reduced backup expiration", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "The expiration date for a backup has been reduced.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_reduce_backup_expiration" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "The expiration date for a backup has been reduced." } }
Acesso inicial: conta desativada
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Account Disabled Hijacked", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "account_disabled_hijacked" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1624034293", "nanos": 6.78E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledHijacked", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-18T16:38:13.678Z", "createTime": "2021-06-18T16:38:16.508Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Acesso inicial: vazamento de senha desativado
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Disabled Password Leak", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "disabled_password_leak" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1626462896", "nanos": 6.81E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledPasswordLeak", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-07-16T19:14:56.681Z", "createTime": "2021-07-16T19:15:00.430Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT", "indicator": { } }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Acesso inicial: ataque baseado no governo
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Government Based Attack", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "government_based_attack" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1624061458", "nanos": 7.4E7 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.govAttackWarning", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-19T00:10:58.074Z", "createTime": "2021-06-19T00:11:01.760Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Acesso inicial: tentativa de comprometimento de Log4j
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "state": "ACTIVE", "category": "Initial Access: Log4j Compromise Attempt", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "log4j_compromise_attempt" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1639690492", "nanos": 9.13836E8 }, "insertId": "INSERT_ID" } }], "properties": { "loadBalancerName": "LOAD_BALANCER_NAME", "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}" }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1190/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID" }], "relatedFindingUri": { } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-12-16T21:34:52.913Z", "createTime": "2021-12-16T21:34:55.022Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "THREAT" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER", "parentDisplayName": "FOLDER_DISPLAY_NAME", "type": "google.cloud.resourcemanager.Project", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER", "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME" }], "displayName": "PROJECT_ID" } }
Acesso inicial: login suspeito bloqueado
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Initial Access: Suspicious Login Blocked", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "valid_accounts", "indicator": "audit_log", "ruleName": "suspicious_login" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621637767", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLogin", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-05-21T22:56:07Z", "createTime": "2021-05-27T02:36:07.382Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Acesso inicial: gravações de superusuário do Database em tabelas do usuário
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Initial Access: Database Superuser Writes to User Tables", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloudsql_superuser_writes_to_user_tables", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1567/002/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }], "relatedFindingUri": { "displayName": "Related CloudSQL Exfiltration findings", "url": "RELATED_FINDINGS_LINK" } } }, "eventTime": "2022-01-19T21:36:07.901Z", "createTime": "2022-01-19T21:36:08.695Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": ["DEFAULT_ACCOUNTS"] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", }, "access": { "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.query" } }, "resource": { "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.cloud.sql.Instance", "folders": [{ "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" }], "displayName": "INSTANCE_NAME" } }
Acesso inicial: permissões negadas em excesso
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Excessive Permission Denied Actions", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "anomalous_behavior", "subRuleName": "new_api_method" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "failedActions": [ { "methodName": "SetIamPolicy", "serviceName": "iam.googleapis.com", "attemptTimes": "7", "lastOccurredTime": "2023-03-15T17:35:18.771219Z" }, { "methodName": "iam.googleapis.com", "serviceName": "google.iam.admin.v1.CreateServiceAccountKey", "attemptTimes": "3", "lastOccurredTime": "2023-03-15T05:36:14.954701Z" } ] }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } } }
Acesso inicial: ação de uma conta de serviço inativa
{ "findings": { "access": { "principalEmail": "DORMANT_SERVICE_ACCOUNT", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Dormant Service Account Action", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "dormant_sa_used_in_action", }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Acesso inicial: criação de chave em uma conta de serviço inativa
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Dormant Service Account Key Created", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID", "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID", "parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL", "type": "google.iam.ServiceAccountKey", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "key_created_on_dormant_sa" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
Acesso inicial: chave da conta de serviço vazada usada
{ "findings": { "access": { "principalEmail": "SERVICE_ACCOUNT", "callerIp": "IP_ADDRESS, "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" "serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Initial Access: Leaked Service Account Key Used", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-07-18T10:35:47.381Z", "database": {}, "eventTime": "2023-07-18T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "INITIAL_ACCESS", "primaryTechniques": [ "VALID_ACCOUNTS", "CLOUD_ACCOUNTS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "AFFECTED_RESOURCE", "severity": "HIGH", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "leaked_sa_key_used" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "GOOGLE_RESOURCE" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/004/" } } }, "description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL" }
Defesa por danos: autenticação forte desativada
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings", "state": "ACTIVE", "category": "Impair Defenses: Strong Authentication Disabled", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "impair_defenses", "indicator": "audit_log", "ruleName": "enforce_strong_authentication" }, "detectionPriority": "MEDIUM", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1623952110", "nanos": 6.51337E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.enforceStrongAuthentication", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-17T17:48:30.651Z", "createTime": "2021-06-17T17:48:33.574Z", "severity": "MEDIUM", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings" } }
Defesa de danos: verificação em duas etapas desativada
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID", "state": "ACTIVE", "category": "Impair Defenses: Two Step Verification Disabled", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "impair_defenses", "indicator": "audit_log", "ruleName": "two_step_verification_disabled" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1626391356", "nanos": 5.96E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svDisable", "ssoState": "UNKNOWN", "principalEmail": "PRINCIPAL_EMAIL" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-07-15T23:22:36.596Z", "createTime": "2021-07-15T23:22:40.079Z", "severity": "LOW", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT", "indicator": { } }, "resource": { "name": "//login.googleapis.com/organizations/ORGANIZATION_ID" } }
Persistência: alternância de SSO
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings", "state": "ACTIVE", "category": "Persistence: SSO Enablement Toggle", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "account_manipulation", "indicator": "audit_log", "ruleName": "sso_enablement_toggle" }, "detectionPriority": "HIGH", "affectedResources": [{ "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1622829313", "nanos": 3.42104E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.toggleSsoEnabled", "ssoState": "ENABLED", "domainName": "ORGANIZATION_NAME" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-06-04T17:55:13.342Z", "createTime": "2021-06-04T17:55:15.900Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" } }
Persistência: script de inicialização adicionado pelo administrador do GCE
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", "category": "Persistence: GCE Admin Added Startup Script", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "gce_admin" "subRuleName": "instance_add_startup_script" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "gceInstanceId": "GCE_INSTANCE_ID", "projectId": "PROJECT_ID", "metadataKeyOperation": "ADDED", "callerUserAgent": "USER_AGENT", }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1543/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }] } }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", } }
Persistência: chave SSH adicionada pelo administrador do GCE
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", "category": "Persistence: GCE Admin Added SSH Key", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "gce_admin" "subRuleName": "instance_add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [{ "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "callerIp": "IP_ADDRESS", "principalEmail": "PRINCIPAL_EMAIL", "gceInstanceId": "GCE_INSTANCE_ID", "projectId": "PROJECT_ID", "metadataKeyOperation": "ADDED", "callerUserAgent": "USER_AGENT", }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1543/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }] } }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME", } }
Persistência: configurações de SSO alteradas
Essa descoberta não está disponível para ativações no nível do projeto.
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings", "state": "ACTIVE", "category": "Persistence: SSO Settings Changed", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "account_manipulation", "indicator": "audit_log", "ruleName": "sso_settings_changed" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [{ "sourceLogId": { "projectId": "0", "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1621624109", "nanos": 3.73721E8 }, "insertId": "INSERT_ID" } }], "properties": { "serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.changeSsoSettings", "domainName": "ORGANIZATION_NAME" }, "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0" }], "workspacesUri": { "displayName": "Workspaces Link", "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS" } } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-05-21T19:08:29.373Z", "createTime": "2021-05-27T11:36:24.429Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings" } }
Cloud IDS
{ "finding": { "access": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Cloud IDS: THREAT_ID", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "connections": [ { "destinationIp": "IP_ADDRESS", "destinationPort": PORT, "sourceIp": "IP_ADDRESS", "sourcePort": PORT, "protocol": "PROTOCOL" } ], "createTime": "TIMESTAMP", "database": {}, "description": "This signature detects a payload in HTTP traffic which could possibly be malicious.", "eventTime": "TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_DISPLAY_NAME", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "ctd-engprod-project", "parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER", "parent_display_name": "PARENT_DISPLAY_NAME", "folders": [ { "resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resource_folder_display_name": "FOLDER_DISPLAY_NAME" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "cloud_ids_threat_activity" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "TIMESTAMP", "nanos": TIMESTAMP }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LOGGING_QUERY_URI" } ], "relatedFindingUri": {} }, "description": "THREAT_DESCRIPTION" } }
Movimentação lateral: disco de inicialização modificado anexado à instância
{ "finding": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.attachDisk", }, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Lateral Movement: Modify Boot Disk Attaching to Instance", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "2024-02-01T23:55:17.589Z", "database": {}, "eventTime": "2024-02-01T23:55:17.396Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "logEntries": [ { "cloudLoggingEntry": { "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2024-02-01T23:55:15.017887Z" } } ], "mitreAttack": { "primaryTactic": "TACTIC_UNSPECIFIED" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION", "parentDisplayName": "Event Threat Detection", "resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "displayName": "INSTANCE_ID", "type": "google.compute.Instance", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_NUMBER", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_NUMBER, "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_NUMBER" } ], "organization": "organizations/ORGANIZATION_NUMBER" } }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "modify_boot_disk", "subRuleName": "attach_to_instance" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID" }, { "gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_NUMBER", "resourceContainer": "PROJECT_NUMBER", "timestamp": { "seconds": "1706831715", "nanos": 17887000 }, "insertId": "INSERT_ID", "logId": "cloudaudit.googleapis.com/activity" } } ], "properties": { "diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID", "targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "workerInstances": [ "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" ], "bootDiskPayloads": [ { "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "operation": "MODIFY_BOOT_DISK_ATTACH", "principalEmail": "PRINCIPAL_EMAIL", "eventTime": "2024-02-01T23:55:06.706640Z" }, { "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID", "operation": "MODIFY_BOOT_DISK_DETACH", "principalEmail": "PRINCIPAL_EMAIL", "eventTime": "2024-02-01T23:55:05.608631Z" } ] }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1570/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Escalonamento de privilégios: concessão de privilégios excessivos do AlloyDB
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Privilege Escalation: AlloyDB Over-Privileged Grant", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "alloydb_user_granted_all_permissions", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/001/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "eventTime": "EVENT_TIMESTAMP",, "createTime": "CREATE_TIMESTAMP",, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "VALID_ACCOUNTS" ], "additionalTactics": [ "PERSISTENCE" ], "additionalTechniques": [ "ACCOUNT_MANIPULATION" ] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", "grantees": [GRANTEE], }, "access": { "serviceName": "alloydb.googleapis.com", "methodName": "alloydb.instances.query" } }, "resource": { "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "type": "google.alloydb.Instance", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "alloydb.googleapis.com", "location": "REGION", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": FOLDER_NAME } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" } }
Escalonamento de privilégios: o superusuário do banco de dados AlloyDB grava nas tabelas do usuário
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "state": "ACTIVE", "category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables", "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "alloydb_user_granted_all_permissions", }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME" } ], "evidence": [{ "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } }], "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1078/001/" }, "cloudLoggingQueryUri": [{ "displayName": "Cloud Logging Query Link", "url": "LOGGING_LINK" }] } }, "eventTime": "EVENT_TIMESTAMP",, "createTime": "CREATE_TIMESTAMP",, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "mute": "UNDEFINED", "findingClass": "THREAT", "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "VALID_ACCOUNTS" ], "additionalTactics": [ "PERSISTENCE" ], "additionalTechniques": [ "ACCOUNT_MANIPULATION" ] }, "database": { "displayName": "DATABASE_NAME", "userName": "USER_NAME", "query": QUERY", }, "access": { "serviceName": "alloydb.googleapis.com", "methodName": "alloydb.instances.query" } }, "resource": { "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME", "type": "google.alloydb.Instance", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "alloydb.googleapis.com", "location": "REGION", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": FOLDER_NAME } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_NUMBER", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_NAME" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER" } }
A seguir
- Saiba mais sobre como o Event Threat Detection funciona.
- Saiba como investigar e desenvolver planos de resposta para ameaças.