Verify that Sensitive Actions Service is working by intentionally triggering the Persistence: project SSH key added detector and checking for findings.
To learn more about Sensitive Actions Service, see Sensitive Actions Service overview.
Before you begin
To complete this guide, you must have an Identity and Access Management (IAM) role with the compute.projects.setCommonInstanceMetadata and iam.serviceAccounts.actAs permissions in the project where you will perform the test, such as the Compute Admin role (roles/compute.admin).
Testing Sensitive Actions Service
To test Sensitive Actions Service, you add a project-level SSH key, which may grant SSH key access to all instances in the project.
This detector doesn't generate a finding if there is already a project-level SSH key set on the project. Choose a project that doesn't already have any project-level SSH keys.
Step 1: Triggering a Sensitive Actions Service detector
To trigger the detector, you need a test user account. You can create a test user account with a gmail.com email address or use an existing user account in your organization. You add the test user account to your organization and grant it excessive permissions.
For more instructions on how to add the project-level SSH key, see Add SSH keys to project metadata. For instructions on how to generate an SSH key, see Create SSH keys.
- Go to the Compute Engine Metadata page in the Google Cloud console.
- Click the SSH Keys tab.
- Verify that there aren't currently any SSH keys set on the project. If SSH keys are set, you will see the existing keys in a table, and the test won't work. Choose a project that doesn't have any existing project-level SSH keys for the test.
- Click Add SSH Key.
- Add a public key into the text box. For more details on how to generate an SSH key, see Create SSH keys.
- Click Save.
Next, verify that the Persistence: project SSH key added detector has written findings.
Step 2: Viewing the finding in Security Command Center
To review Sensitive Actions Service findings in the console, follow these steps:
Google Cloud console
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select Sensitive Actions Service. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name under Category. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
Security Operations console
- In the Security Operations console, go to the Findings page: https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings (replace CUSTOMER_SUBDOMAIN with your customer-specific identifier).
- In the Aggregations section, click to expand the Source Display Name subsection.
- Select Sensitive Actions Service. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name under Category. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
Step 3: Viewing the finding in Cloud Logging
You can view sensitive action log entries by using Cloud Logging.
- Go to Logs Explorer in the Google Cloud console.
- If required, change to the organization view by using the Organization selector at the top of the page.
- Click the Query builder tab.
- In the Resource drop-down list, select sensitiveaction.googleapis.com/Location.
- Click Run Query. The Query results table is updated with the logs you selected.
- To view a log, click a table row, and then click Expand nested fields.
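The precondition check from Step 1 (no existing project-level SSH keys) and the log and finding filters from Steps 2 and 3 can also be applied outside the console. The following helper is an added example, not part of the Google Cloud documentation or the gcloud tooling; the JSON shapes it expects from `gcloud compute project-info describe --format=json` and from the `finding` objects of `gcloud scc findings list` are assumptions, and the sample data is constructed.

```python
"""Added helper for the "Persistence: project SSH key added" detector test.
Not part of the Google Cloud documentation.  The input JSON shapes and the
sample data below are constructed assumptions, not captured output."""

LOG_RESOURCE_TYPE = "sensitiveaction.googleapis.com/Location"
CATEGORY = "Persistence: project SSH key added"

# Constructed stand-in for `gcloud compute project-info describe --format=json`.
SAMPLE_PROJECT_INFO = {"commonInstanceMetadata": {"items": [
    {"key": "enable-oslogin", "value": "FALSE"},
    {"key": "ssh-keys", "value": "tester:ssh-ed25519 AAAA-constructed tester@example\n"},
]}}

# Constructed stand-in for the `finding` objects of `gcloud scc findings list`.
SAMPLE_FINDINGS = [
    {"category": CATEGORY, "state": "ACTIVE", "eventTime": "2024-01-01T00:00:00Z"},
    {"category": CATEGORY, "state": "INACTIVE", "eventTime": "2023-12-01T00:00:00Z"},
    {"category": "Unrelated", "state": "ACTIVE", "eventTime": "2024-01-01T00:00:00Z"},
]


def project_ssh_keys(project_info: dict) -> list:
    """Project-level SSH key lines from project metadata (empty = test can run)."""
    items = (project_info.get("commonInstanceMetadata") or {}).get("items") or []
    keys = []
    for item in items:
        if item.get("key") == "ssh-keys":
            keys += [ln for ln in item.get("value", "").splitlines() if ln.strip()]
    return keys


def precondition_met(project_info: dict) -> bool:
    """The detector does not fire when a project-level key already exists."""
    return not project_ssh_keys(project_info)


def logging_query() -> str:
    """Logs Explorer filter equivalent to the Resource selection in Step 3."""
    return 'resource.type="%s"' % LOG_RESOURCE_TYPE


def active_findings(findings: list) -> list:
    """Findings for this detector that are still active (what Step 2 expects)."""
    return [f for f in findings
            if f.get("category") == CATEGORY and f.get("state") == "ACTIVE"]


if __name__ == "__main__":
    print("precondition met:", precondition_met(SAMPLE_PROJECT_INFO))  # False
    print("log filter      :", logging_query())
    print("active findings :", len(active_findings(SAMPLE_FINDINGS)))  # 1
```

Run it against real output by loading the JSON from the two gcloud commands named in the lead-in; the sample project above fails the precondition because it already carries an ssh-keys entry.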
Clean up
When you're finished testing, remove the project-level SSH key.
- Go to the Compute Engine Metadata page in the Google Cloud console.
- Click Edit.
- Click Delete item next to the SSH key.
- Click Save.
What's next
- Learn more about using Sensitive Actions Service.
- Read a high-level overview of Sensitive Actions Service concepts.
- Learn how to investigate and develop response plans for threats.