En esta página, se muestra cómo revisar los hallazgos de Event Threat Detection en la consola de Google Cloud e incluye ejemplos de hallazgos de Event Threat Detection.
Event Threat Detection es un servicio integrado para el nivel Premium de Security Command Center. que supervisa Cloud Logging de registro para tu organización o tus proyectos y detecta amenazas casi en tiempo real. Si activas Nivel Premium de Security Command Center a nivel de la organización, Event Threat Detection también puede supervisar las transmisiones de registros de Google Workspace de tu organización. Para aprender más, consulta Descripción general de Event Threat Detection.
Revisa los resultados
Para ver los resultados de Event Threat Detection, el servicio debe estar habilitado en la configuración de Servicios del Security Command Center. Después de habilitar Event Threat Detection, Event Threat Detection genera hallazgos mediante el análisis registros específicos. Algunos de los registros que Event Threat Detection puede analizar están desactivados por de forma predeterminada, por lo que quizás debas activarlos.
Para obtener más información sobre las reglas de detección integradas que Event Threat Detection y los registros que analiza Event Threat Detection, consulta los siguientes temas:
Puedes ver los hallazgos de Event Threat Detection en Security Command Center. Si configuraste las exportaciones continuas para escribir registros, también puedes ver los resultados en Cloud Logging. Exportaciones continuas a Cloud Logging solo está disponible cuando activas el nivel Premium de Security Command Center a nivel de la organización. Para generar un resultado y verificar tu configuración, puedes activar intencionalmente un detector y Prueba Event Threat Detection.
La activación de Event Threat Detection se produce en segundos. Las latencias de detección suelen ser inferiores a 15 minutos desde el momento en que se escribe un registro cuando un resultado está disponible en Security Command Center. Para obtener más información sobre la latencia, consulta Descripción general de la latencia de Security Command Center.
Revisa resultados en Security Command Center
Los roles de IAM para Security Command Center se pueden otorgar a nivel de la organización, a nivel de carpeta o proyecto. Tu capacidad para ver, editar, crear o actualizar resultados, recursos, y las fuentes de seguridad dependen del nivel al que se te otorgue acceso. Para obtener más información Para los roles de Security Command Center, consulta Control de acceso.
Usa el siguiente procedimiento para revisar los resultados en la consola de Google Cloud:
En la consola de Google Cloud, ve a la página Findings (Resultados) de Security Command Center.
Si es necesario, selecciona tu organización o proyecto de Google Cloud.
En la sección Filtros rápidos, en la subsección Nombre visible de la fuente, selecciona una de estas opciones o ambas:
- Event Threat Detection: para filtrar los hallazgos generados por funciones integradas Event Threat Detection detectores
- Módulos personalizados de Event Threat Detection: para filtrar los hallazgos generados. con módulos personalizados para Event Threat Detection
La tabla se propaga con los resultados de Event Threat Detection.
Para ver los detalles de un resultado específico, haz clic en el nombre del resultado en
Category. El panel de detalles de resultados se expande para mostrar información que incluye lo siguiente:- Los Resumen generado por IAVista previa del problema
- Cuándo ocurrió el evento
- La fuente de los datos de los resultados
- La gravedad de la detección, por ejemplo Alta
- Las acciones realizadas, como agregar una función de administración de identidades y accesos (IAM) a un usuario de Gmail
- El usuario que realizó la acción, que se encuentra junto a Correo electrónico principal
Para mostrar todos los resultados que generaron las mismas acciones del usuario, haz lo siguiente:
- En el panel de detalles de los resultados, copia la dirección de correo electrónico junto a Correo electrónico principal
- Cerrar el panel
En el compilador de consultas, ingresa la siguiente consulta:
access.principal_email="USER_EMAIL"Reemplaza USER_EMAIL con la dirección de correo electrónico que copiaste antes.
Security Command Center muestra todos los resultados asociados con las acciones que realizó el usuario que especificaste.
Visualiza los resultados en Cloud Logging
Si configuras Exportaciones continuas para escribir registros puede ver los hallazgos de Event Threat Detection en Cloud Logging. Esta función solo está disponible si activas el nivel Premium de Security Command Center a nivel de la organización.
Para ver los resultados de Event Threat Detection en Cloud Logging, haz lo siguiente:
Ve al Explorador de registros en la consola de Google Cloud.
En el Selector de proyectos en la parte superior de la página, selecciona el proyecto en el que almacenas los registros de Event Threat Detection.
Haz clic en la pestaña Compilador de consultas.
En la lista desplegable de recursos, selecciona Threat Detector.
- Para ver los resultados de todos los detectores, selecciona all detection_name.
- Para ver los resultados de un detector específico, selecciona su nombre.
Haz clic en Agregar. La consulta aparece en el cuadro de texto del compilador de consultas.
O bien, ingresa la siguiente consulta en el cuadro de texto:
resource.type="threat_detector"
Haga clic en Ejecutar consulta. La tabla Resultados de la consulta se actualiza con los registros que seleccionaste.
Para ver un registro, haz clic en una fila de la tabla y, luego, en Expandir campos anidados.
Puedes crear consultas de registros avanzadas para especificar un conjunto de entradas de cualquier cantidad de registros.
Ejemplos de formatos de resultados
Esta sección incluye los formatos de salida JSON para los resultados de Event Threat Detection como aparecerán cuando crees exportaciones desde la consola de Google Cloud o ejecutes listas en la API de Security Command Center.
Los ejemplos de salida contienen los campos más comunes a todos los resultados. Sin embargo, es posible que no aparezcan todos los campos en todos los hallazgos. El resultado real que verás depende de la configuración de un recurso y del tipo y estado de los resultados.
Para ver hallazgos de ejemplo, expande uno o más de los siguientes nodos.
Análisis activo: Log4j es vulnerable a RCE
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"state": "ACTIVE",
"category": "Active Scan: Log4j Vulnerable to RCE",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "log4j_scan_success"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}, {
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1639701222",
"nanos": 7.22988344E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"scannerDomain": "SCANNER_DOMAIN",
"sourceIp": "SOURCE_IP_ADDRESS",
"vpcName": "default"
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1210/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-12-17T00:33:42.722Z",
"createTime": "2021-12-17T00:33:44.633Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
"resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
}],
"displayName": "INSTANCE_ID"
}
}
Ataques de fuerza bruta: SSH
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Brute Force: SSH",
"sourceProperties": {
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"timestamp": {
"nanos": 0.0,
"seconds": "65"
},
"insertId": "INSERT_ID",
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"projectId": "PROJECT_ID",
"zone": "us-west1-a",
"instanceId": "INSTANCE_ID",
"attempts": [
{
"sourceIp": "SOURCE_IP_ADDRESS",
"username": "PROJECT_ID",
"vmName": "INSTANCE_ID",
"authResult": "SUCCESS"
},
{
"sourceIp": "SOURCE_IP_ADDRESS",
"username": "PROJECT_ID",
"vmName": "INSTANCE_ID",
"authResult": "FAIL"
},
{
"sourceIp": "SOURCE_IP_ADDRESS",
"username": "PROJECT_ID",
"vmName": "INSTANCE_ID",
"authResult": "FAIL"
}
]
},
"detectionPriority": "HIGH",
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/003/"
}
},
"detectionCategory": {
"technique": "brute_force",
"indicator": "flow_log",
"ruleName": "ssh_brute_force"
},
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
]
},
"severity": "HIGH",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
Acceso a la credencial: Se agregó un miembro externo al grupo con privilegios
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME",
"state": "ACTIVE",
"category": "Credential Access: External Member Added To Privileged Group",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "external_member_added_to_privileged_group"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1633622881",
"nanos": 6.73869E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"externalMemberAddedToPrivilegedGroup": {
"principalEmail": "PRINCIPAL_EMAIL",
"groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
"externalMember": "user:EXTERNAL_EMAIL",
"sensitiveRoles": [{
"resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"roleName": ["ROLES"]
}]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": " https://attack.mitre.org/techniques/T1078"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-07T16:08:03.888Z",
"createTime": "2021-10-07T16:08:04.516Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
}
}
Acceso a las credenciales: Grupo privilegiado abierto al público
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings",
"state": "ACTIVE",
"category": "Credential Access: Privileged Group Opened To Public",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "privileged_group_opened_to_public"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1634774534",
"nanos": 7.12E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"privilegedGroupOpenedToPublic": {
"principalEmail": "PRINCIPAL_EMAIL",
"groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
"sensitiveRoles": [{
"resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"roleName": ["ROLES"]
}],
"whoCanJoin": "ALLOW_EXTERNAL_MEMBERS"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": " https://attack.mitre.org/techniques/T1078"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-21T00:02:19.173Z",
"createTime": "2021-10-21T00:02:20.099Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
}
}
Acceso a las credenciales: Función sensible otorgada al grupo híbrido
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
},
"assetDisplayName": "PROJECT_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Credential Access: Sensitive Role Granted To Hybrid Group",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-12-22T00:31:58.242Z",
"database": {},
"eventTime": "2022-12-22T00:31:58.151Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "roles/iam.securityAdmin",
"member": "group:GROUP_NAME@ORGANIZATION_NAME",
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_ID",
"type": "google.cloud.resourcemanager.Project",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_ID",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "sensitive_role_to_group_with_external_member"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1671669114",
"nanos": 715318000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"sensitiveRoleToHybridGroup": {
"principalEmail": "PRINCIPAL_EMAIL",
"groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/iam.securityAdmin",
"member": "group:GROUP_NAME@ORGANIZATION_NAME",
}
],
"resourceName": "projects/PROJECT_ID"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
}
}
}
}
Evasión de defensa: Se creó la implementación de la carga de trabajo de anulación de emergencia
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "k8s.io",
"methodName": "io.k8s.core.v1.pods.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Breakglass Workload Deployment Created",
"cloudDlpInspection": {},
"containers": [
{
"name": "test-container",
"uri": "test-image"
}
],
"createTime": "2023-03-24T17:38:45.756Z",
"database": {},
"eventTime": "2023-03-24T17:38:45.709Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"ns": "NAMESPACE",
"name": "POD_NAME",
"labels": [
{
"name": "image-policy.k8s.io/break-glass",
"value": "true"
}
],
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI"
}
]
}
]
},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"ABUSE_ELEVATION_CONTROL_MECHANISM"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"display_name": "default",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"parent_display_name": "CLUSTER_NAME",
"type": "k8s.io.Namespace",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1548/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
},
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "binary_authorization_breakglass_workload",
"subRuleName": "create"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1679679521",
"nanos": 141571000
},
"insertId": "INSERT_ID"
}
}
]
}
}
Evasión de defensa: Se actualizó la implementación de la carga de trabajo de anulación de emergencia
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "k8s.io",
"methodName": "io.k8s.core.v1.pods.update"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Breakglass Workload Deployment Updated",
"cloudDlpInspection": {},
"containers": [
{
"name": "test-container",
"uri": "test-image"
}
],
"createTime": "2023-03-24T17:38:45.756Z",
"database": {},
"eventTime": "2023-03-24T17:38:45.709Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"ns": "NAMESPACE",
"name": "POD_NAME",
"labels": [
{
"name": "image-policy.k8s.io/break-glass",
"value": "true"
}
],
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI"
}
]
}
]
},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"ABUSE_ELEVATION_CONTROL_MECHANISM"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"display_name": "default",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"parent_display_name": "CLUSTER_NAME",
"type": "k8s.io.Namespace",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1548/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
},
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "binary_authorization_breakglass_workload",
"subRuleName": "update"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1679679521",
"nanos": 141571000
},
"insertId": "INSERT_ID"
}
}
]
}
}
Defense Evasion: Modifica el Control de servicios de VPC
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
"state": "ACTIVE",
"category": "Defense Evasion: Modify VPC Service Control",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "modify_auth_process",
"indicator": "audit_log",
"ruleName": "vpcsc_changes",
"subRuleName": "reduce_perimeter_protection"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1633625631",
"nanos": 1.78978E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
"policyLink": "LINK_TO_VPC_SERVICE_CONTROLS",
"delta": {
"restrictedResources": [{
"resourceName": "PROJECT_NAME",
"action": "REMOVE"
}],
"restrictedServices": [{
"serviceName": "SERVICE_NAME",
"action": "REMOVE"
}],
"allowedServices": [{
"serviceName": "SERVICE_NAME",
"action": "ADD"
}],
"accessLevels": [{
"policyName": "ACCESS_LEVEL_POLICY",
"action": "ADD"
}]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": ""https://attack.mitre.org/techniques/T1556/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-07T16:53:53.875Z",
"createTime": "2021-10-07T16:53:54.411Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {},
"serviceName": "accesscontextmanager.googleapis.com",
"methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter"
}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"type": "google.cloud.resourcemanager.Organization",
"displayName": "RESOURCE_DISPLAY_NAME"
}
}
Descubrimiento: Puede obtener la comprobación de objetos Kubernetes sensibles
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
"category": "Discovery: Can get sensitive Kubernetes object check",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-08T01:39:42.957Z",
"database": {},
"eventTime": "2022-10-08T01:39:40.632Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"accessReviews": [
{
"name": "secrets-1665218000",
"resource": "secrets",
"verb": "get"
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "can_get_sensitive_object"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665193180",
"nanos": 632000000
},
"insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf"
}
}
],
"properties": {},
"findingId": "03f466dc25a8496693b7482304fb2e7f",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0007/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Descubrimiento: Autoinvestigación de cuentas de servicio
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Discovery: Service Account Self-Investigation",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "discovery",
"indicator": "audit_log",
"ruleName": "iam_anomalous_behavior",
"subRuleName": "service_account_gets_own_iam_policy"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1619200104",
"nanos": 9.08E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceAccountGetsOwnIamPolicy": {
"principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
"projectId": "PROJECT_ID",
"callerIp": "IP_ADDRESS",
"callerUserAgent": "CALLER_USER_AGENT",
"rawUserAgent": "RAW_USER_AGENT"
}
},
"contextUris": {
"mitreUri": {
"displayName": "Permission Groups Discovery: Cloud Groups",
"url": "https://attack.mitre.org/techniques/T1069/003/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-23T17:48:24.908Z",
"createTime": "2021-04-23T17:48:26.922Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "ORGANIZATION_NAME",
"type": "google.cloud.resourcemanager.Project"
}
}
Evasión: Acceso desde un proxy de anonimización
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Evasion: Access from Anonymizing Proxy",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "proxy_access"
},
"detectionPriority": "MEDIUM",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1633625631",
"nanos": 1.78978E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"changeFromBadIp": {
"principalEmail": "PRINCIPAL_EMAIL",
"ip": "SOURCE_IP_ADDRESS"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1090/003/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-07T16:53:53.875Z",
"createTime": "2021-10-07T16:53:54.411Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "PARENT_NAME",
"type": "google.cloud.resourcemanager.Project",
"displayName": "PROJECT_ID"
}
}
Robo de datos: Robo de datos de BigQuery
Este hallazgo puede incluir una de dos subreglas posibles:
exfil_to_external_table, con una gravedad deHIGHvpc_perimeter_violation, con una gravedad deLOW
En el siguiente ejemplo, se muestra el JSON de la subregla exfil_to_external_table.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "bigquery.googleapis.com",
"methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Exfiltration: BigQuery Data Exfiltration",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "2023-05-30T15:49:59.709Z",
"database": {},
"eventTime": "2023-05-30T15:49:59.432Z",
"exfiltration": {
"sources": [
{
"name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
}
],
"targets": [
{
"name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID"
}
]
},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": [
"EXFILTRATION_OVER_WEB_SERVICE",
"EXFILTRATION_TO_CLOUD_STORAGE"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
"parent_display_name": "FOLDER_NAME",
"type": "google.cloud.resourcemanager.Project",
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
"resourceFolderDisplayName": "FOLDER_NAME"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "org_exfiltration",
"indicator": "audit_log",
"ruleName": "big_query_exfil",
"subRuleName": "exfil_to_external_table"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1685461795",
"nanos": 341527000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"dataExfiltrationAttempt": {
"jobState": "SUCCEEDED",
"jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults",
"job": {
"projectId": "PROJECT_ID",
"jobId": "BIGQUERY_JOB_ID",
"location": "BIGQUERY_JOB_LOCATION"
},
"query": "QUERY",
"sourceTables": [
{
"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
"projectId": "PROJECT_ID",
"datasetId": "DATASET_ID",
"tableId": "TABLE_ID"
}
],
"destinationTables": [
{
"resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table",
"projectId": "TARGET_PROJECT_ID",
"datasetId": "TARGET_DATASET_ID",
"tableId": "TARGET_TABLE_ID"
}
],
"userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com"
},
"principalEmail": "PRINCIPAL_EMAIL"
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Robo de datos: Extracción de datos de BigQuery
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"state": "ACTIVE",
"category": "Exfiltration: BigQuery Data Extraction",
"sourceProperties": {
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"detectionCategory": {
"technique": "storage_bucket_exfiltration",
"indicator": "audit_log",
"ruleName": "big_query_exfil",
"subRuleName": "exfil_to_cloud_storage"
},
"detectionPriority": "LOW",
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related BigQuery Exfiltration Extraction findings",
"url": "RELATED_FINDINGS_LINK"
}
},
"evidence": [{
"sourceLogId": {
"projectId": PROJECT_ID,
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"extractionAttempt": {
"jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
"job": {
"projectId": "SOURCE_PROJECT_ID",
"jobId": "JOB_ID",
"location": "US"
},
"sourceTable": {
"projectId": "DESTINATION_PROJECT_ID",
"datasetId": "DATASET_ID",
"tableId": "TABLE_ID",
"resourceUri": "FULL_URI"
},
"destinations": [
{
"originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
"collectionType": "GCS_BUCKET",
"collectionName": "TARGET_GCS_BUCKET_NAME",
"objectName": "TARGET_FILE_NAME"
}
]
},
"principalEmail": "PRINCIPAL_EMAIL"
},
"findingId": "FINDING_ID"
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2022-03-31T21:22:11.359Z",
"createTime": "2022-03-31T21:22:12.689Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "bigquery.googleapis.com",
"methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
},
"exfiltration": {
"sources": [
{
"name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
}
],
"targets": [
{
"name": "TARGET_GCS_URI"
}
]
}
},
"resource": {
"name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
"parentDisplayName": "PROJECT_ID:DATASET_ID",
"type": "google.cloud.bigquery.Table",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NAME"
}],
"displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
}
}
Robo de datos: datos de BigQuery en Google Drive
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"state": "ACTIVE",
"category": "Exfiltration: BigQuery Data to Google Drive",
"sourceProperties": {
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"detectionCategory": {
"technique": "google_drive_exfiltration",
"indicator": "audit_log",
"ruleName": "big_query_exfil",
"subRuleName": "exfil_to_google_drive"
},
"detectionPriority": "LOW",
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related BigQuery Exfiltration to Google Drive findings",
"url": "RELATED_FINDINGS_LINK"
}
},
"evidence": [{
"sourceLogId": {
"projectId": PROJECT_ID,
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID" }
}],
"properties": {
"extractionAttempt": {
"jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
"job": {
"projectId": "SOURCE_PROJECT_ID",
"jobId": "JOB_ID",
"location": "US"
},
"sourceTable": {
"projectId": "DESTINATION_PROJECT_ID",
"datasetId": "DATASET_ID",
"tableId": "TABLE_ID",
"resourceUri": "FULL_URI"
},
"destinations": [
{
"originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME",
"collectionType": "GDRIVE",
"collectionName": "TARGET_GOOGLE_DRIVE_FOLDER",
"objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME"
}
]
},
"principalEmail": "PRINCIPAL_EMAIL"
},
"findingId": "FINDING_ID"
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2022-03-31T21:20:18.408Z",
"createTime": "2022-03-31T21:20:18.715Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "bigquery.googleapis.com",
"methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
},
"exfiltration": {
"sources": [
{
"name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
}
],
"targets": [
{
"name": "TARGET_GOOGLE_DRIVE_URI"
}
]
}
},
"resource": {
"name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
"parentDisplayName": "PROJECT_ID:DATASET_ID",
"type": "google.cloud.bigquery.Table",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NAME"
}],
"displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
}
}
Robo de datos: Robo de datos de Cloud SQL
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Exfiltration: CloudSQL Data Exfiltration",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "storage_bucket_exfiltration",
"indicator": "audit_log",
"ruleName": "cloudsql_exfil",
"subRuleName": "export_to_public_gcs"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": PROJECT_ID,
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"exportToGcs": {
"principalEmail": "PRINCIPAL_EMAIL",
"cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
"bucketAccess": "PUBLICLY_ACCESSIBLE",
"bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
"exportScope": "WHOLE_INSTANCE"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-11T16:32:59.828Z",
"createTime": "2021-10-11T16:33:00.229Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.export"
},
"exfiltration": {
"sources": [
{
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"components": []
}
],
"targets": [
{
"name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
"components": [
"TARGET_FILE_NAME"
]
}
]
},
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NAME"
}],
"displayName": "INSTANCE_NAME"
}
}
Robo de datos: copia de seguridad de restablecimiento de Cloud SQL a una organización externa
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
"state": "ACTIVE",
"category": "Exfiltration: CloudSQL Restore Backup to External Organization",
"sourceProperties": {
"sourceId": {
"projectNumber": "SOURCE_PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "backup_exfiltration",
"indicator": "audit_log",
"ruleName": "cloudsql_exfil",
"subRuleName": "restore_to_external_instance"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
},
],
"evidence": [{
"sourceLogId": {
"projectId": "SOURCE_PROJECT_ID",
"resourceContainer": "projects/SOURCE_PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"restoreToExternalInstance": {
"principalEmail": "PRINCIPAL_EMAIL",
"sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
"backupId": "BACKUP_ID",
"targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2022-01-19T21:36:07.901Z",
"createTime": "2022-01-19T21:36:08.695Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.restoreBackup"
},
"exfiltration": {
"sources": [
{
"name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
}
],
"targets": [
{
"name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
}
]
}
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER",
"projectDisplayName": "SOURCE_PROJECT_ID",
"parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
"parentDisplayName": "SOURCE_INSTANCE_NAME",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_ID"
}],
"displayName": "mysql-backup-restore-instance"
}
}
Exfiltración: otorgamiento demasiado privilegiado de Cloud SQL
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Exfiltration: CloudSQL Over-Privileged Grant",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "cloudsql_exfil",
"subRuleName": "user_granted_all_permissions"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"eventTime": "2022-01-19T21:36:07.901Z",
"createTime": "2022-01-19T21:36:08.695Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
"grantees": [GRANTEE],
},
"access": {
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.query"
}
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_ID"
}],
"displayName": "INSTANCE_NAME"
}
}
Software malicioso: error de dominio
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Bad Domain",
"sourceProperties": {
"sourceId": {
"customerOrganizationNumber": "ORGANIZATION_ID",
"projectNumber": "PROJECT_NUMBER"
},
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1568/"
}, "virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal Domain Link",
"url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
}
]
},
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"timestamp": {
"nanos": 0.0,
"seconds": "0"
},
"insertId": "INSERT_ID",
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"domains": [
"DOMAIN"
],
"network": {
"location": "REGION",
"project": "PROJECT_ID"
},
"dnsContexts": [
{
"authAnswer": true,
"sourceIp": "IP_ADDRESS",
"queryName": "DOMAIN",
"queryType": "AAAA",
"responseCode": "NOERROR",
"responseData": [
{
"domainName": "DOMAIN.",
"ttl": 299,
"responseClass": "IN",
"responseType": "AAAA",
"responseValue": "IP_ADDRESS"
}
]
}
]
},
"detectionPriority": "HIGH",
"detectionCategory": {
"technique": "C2",
"indicator": "domain",
"subRuleName": "google_intel",
"ruleName": "bad_domain"
}
},
"severity": "HIGH",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
Software malicioso: error de IP
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Bad IP",
"sourceProperties": {
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"timestamp": {
"nanos": 0.0,
"seconds": "0"
},
"insertId": "INSERT_ID",
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"ips": [
"SOURCE_IP_ADDRESS",
"DESTINATION_IP_ADDRESS"
],
"ipConnection": {
"srcIp": "SOURCE_IP_ADDRESS",
"srcPort": SOURCE_PORT,
"destIp": "DESTINATION_IP_ADDRESS",
"destPort": DESTINATION_PORT,
"protocol": 6
},
"network": {
"project": "PROJECT_ID",
"location": "ZONE",
"subnetworkId": "SUBNETWORK_ID",
"subnetworkName": "default"
},
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
},
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0011/"
},
"virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
},
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
}
]
},
"detectionCategory": {
"technique": "C2",
"indicator": "ip",
"ruleName": "bad_ip",
"subRuleName": "google_intel"
},
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
]
},
"severity": "LOW",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
Software malicioso: Error de criptominería en un dominio
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Cryptomining Bad Domain",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "cryptomining",
"indicator": "domain",
"ruleName": "bad_domain",
"subRuleName": "cryptomining"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1636566099",
"nanos": 5.41483849E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"domains": ["DOMAIN"],
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"network": {
"project": "PROJECT_ID",
"location": "ZONE"
},
"dnsContexts": [{
"authAnswer": true,
"sourceIp": "SOURCE_IP_ADDRESS",
"queryName": "DOMAIN",
"queryType": "A",
"responseCode": "NXDOMAIN"
}],
"vpc": {
"vpcName": "default"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"virustotalIndicatorQueryUri": [{
"displayName": "VirusTotal Domain Link",
"url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
}],
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-11-10T17:41:41.594Z",
"createTime": "2021-11-10T17:41:42.014Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"indicator": {
"domains": ["DOMAIN"]
}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "PARENT_NAME",
"type": "google.cloud.resourcemanager.Project",
"displayName": "PROJECT_ID"
}
}
Software malicioso: Criptominería de IP incorrecta
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Cryptomining Bad IP",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "cryptomining",
"indicator": "ip",
"ruleName": "bad_ip",
"subRuleName": "cryptomining"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1636566005",
"nanos": 9.74622832E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"ips": ["DESTINATION_IP_ADDRESS"],
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"network": {
"project": "PROJECT_ID",
"location": "ZONE",
"subnetworkId": "SUBNETWORK_ID",
"subnetworkName": "default"
},
"ipConnection": {
"srcIp": "SOURCE_IP_ADDRESS",
"destIp": "DESTINATION_IP_ADDRESS",
"protocol": 1.0
},
"indicatorContext": [{
"ipAddress": "DESTINATION_IP_ADDRESS",
"countryCode": "FR",
"reverseDnsDomain": "REVERSE_DNS_DOMAIN",
"carrierName": "CARRIER_NAME",
"organizationName": "ORGANIZATION_NAME",
"asn": "AUTONOMOUS_SYSTEM_NUMBERS"
}],
"srcVpc": {
},
"destVpc": {
"projectId": "PROJECT_ID",
"vpcName": "default",
"subnetworkName": "default"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"virustotalIndicatorQueryUri": [{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
}],
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-11-10T17:40:38.048Z",
"createTime": "2021-11-10T17:40:38.472Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"indicator": {
"ipAddresses": ["DESTINATION_IP_ADDRESS"]
}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "PARENT_NAME",
"type": "google.cloud.resourcemanager.Project",
"displayName": "PROJECT_ID"
}
}
Software malicioso: DoS salientes
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Malware: Outgoing DoS",
"sourceProperties": {
"evidence": [
{
"sourceLogId": {
"timestamp": {
"nanos": 0.0,
"seconds": "0"
},
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"ipConnection": {
"srcIp": "SOURCE_IP_ADDRESS",
"srcPort": SOURCE_PORT,
"destIp": "DESTINATION_IP_ADDRESS",
"destPort": DESTINATION_PORT,
"protocol": 17
}
},
"detectionPriority": "HIGH",
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1498/"
}
},
"detectionCategory": {
"technique": "malware",
"indicator": "flow_log",
"ruleName": "outgoing_dos"
}
},
"severity": "HIGH",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
Persistencia: Otorgamiento anómalo de IAM
El hallazgo IAM Anomalous Grant es único porque incluye
subreglas que proporcionan información más específica sobre cada instancia
de este hallazgo. La clasificación de gravedad de este hallazgo depende
en la subregla, y cada subregla podría requerir una respuesta diferente.
En la siguiente lista, se muestran todas las subreglas posibles y su gravedad:
external_service_account_added_to_policy:HIGHHIGH, si se otorgó un rol muy sensible o si se otorgó un rol de sensibilidad media a nivel de la organización. Para Para obtener más información, consulta Roles muy sensibles.MEDIUM, si se otorgó un rol de sensibilidad media Para para obtener más información, consulta Roles de sensibilidad media.external_member_invited_to_policy:HIGHexternal_member_added_to_policyHIGH, si se otorgó un rol muy sensible o si se otorgó un rol de sensibilidad media a nivel de la organización. Para Para obtener más información, consulta Roles muy sensibles.MEDIUM, si se otorgó un rol de sensibilidad media Para para obtener más información, consulta Roles de sensibilidad media.
custom_role_given_sensitive_permissions:MEDIUMservice_account_granted_sensitive_role_to_member:HIGHpolicy_modified_by_default_compute_service_account:HIGH
Los campos JSON que incluye un resultado pueden diferir de un resultado categoría a otra. Por ejemplo, el siguiente JSON incluye campos para una cuenta de seguridad. Si la categoría de un hallazgo no se relaciona con un cuenta de servicio, esos campos no se incluyen en el archivo JSON.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME",
"principalSubject": "PRINCIPAL_SUBJECT",
"serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: IAM Anomalous Grant",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_3"
},
{
"email": "EMAIL_ADDRESS_4
}
]
}
},
"createTime": "CREATE_TIMESTAMP",
"database": {},
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "IAM_ROLE",
"member": "serviceAccount:ACCOUNT_NAME"
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "RESOURCE_FULL_NAME",
"severity": "SEVERITY_CLASSIFICATION",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_FULL_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//RESOURCE/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "RESOURCE_PARENT_NAME",
"parent_display_name": "PARENT_DISPLAY_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
"resourceFolder": "RESOURCE_FOLDER_ID"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "iam_anomalous_grant",
"subRuleName": "TYPE_OF_ANOMALOUS_GRANT"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1678897327",
"nanos": 26483000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"sensitiveRoleGrant": {
"principalEmail": "PRINCIPAL_EMAIL",
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/GRANTED_ROLE",
"member": "serviceAccount:SERVICE_ACCOUNT_NAME",
}
],
"members": [
"serviceAccount:SERVICE_ACCOUNT_NAME"
]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {
"displayName": "Related Anomalous Grant Findings",
"url": "LINK_TO_RELATED_FINDING"
}
}
}
}
Persistencia: Rol de suplantación de identidad otorgado para una cuenta de servicio inactiva
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.SetIAMPolicy"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: Impersonation Role Granted for Dormant Service Account",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_3"
},
{
"email": "EMAIL_ADDRESS_4
}
]
}
},
"createTime": "CREATE_TIMESTAMP",
"database": {},
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "roles/iam.serviceAccountTokenCreator",
"member": "IAM_Account_Who_Received_Impersonation_Role"
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
"display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.iam.ServiceAccount",
"folders": [
{
"resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
"resourceFolder": "RESOURCE_FOLDER_ID"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "impersonation_role_granted_over_dormant_sa"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1678897327",
"nanos": 26483000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
]
}
}
}
Persistencia: nuevo método de la API
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME",
"principalSubject": "PRINCIPAL_SUBJECT",
"serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: New API Method",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "anomalous_behavior",
"subRuleName": "new_api_method"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"newApiMethod": {
"newApiMethod": {
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME"
},
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerUserAgent": "CALLER_USER_AGENT",
"resourceContainer": "projects/PROJECT_NUMBER"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0003/"
}
}
}
}
Persistencia: Nueva geografía
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
"state": "ACTIVE",
"category": "Persistence: New Geography",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "iam_anomalous_behavior",
"subRuleName": "ip_geolocation"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "RESOURCE_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1617994703",
"nanos": 5.08853E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"anomalousLocation": {
"anomalousLocation": "BE",
"callerIp": "IP_ADDRESS",
"principalEmail": "PRINCIPAL_EMAIL",
"notSeenInLast": "2592000s",
"typicalGeolocations": [{
"country": {
"identifier": "US"
}
}]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-09T18:59:43.860Z",
"createTime": "2021-04-09T18:59:44.440Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "RESOURCE_NAME"
}
}
Persistencia: Usuario-agente nuevo
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9",
"resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
"state": "ACTIVE",
"category": "Persistence: New User Agent",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "iam_anomalous_behavior",
"subRuleName": "user_agent"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1614736482",
"nanos": 9.76209552E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"anomalousSoftware": {
"anomalousSoftwareClassification": ["USER_AGENT"],
"behaviorPeriod": "2592000s",
"callerUserAgent": "USER_AGENT",
"principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-03-03T01:54:47.681Z",
"createTime": "2021-03-03T01:54:49.154Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//monitoring.googleapis.com/projects/PROJECT_ID"
}
}
Elevación de privilegios: cuenta de servicio inactiva otorgada como rol sensible
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_3"
},
{
"email": "EMAIL_ADDRESS_4
}
]
}
},
"createTime": "CREATE_TIMESTAMP",
"database": {},
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "SENSITIVE_IAM_ROLE",
"member": "serviceAccount:DORMANT_SERVICE_ACCOUNT"
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "RESOURCE_FULL_NAME",
"severity": "SEVERITY_CLASSIFICATION",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_FULL_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//RESOURCE/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "RESOURCE_PARENT_NAME",
"parent_display_name": "PARENT_DISPLAY_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
"resourceFolder": "RESOURCE_FOLDER_ID"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_role_added_to_dormant_sa"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1678897327",
"nanos": 26483000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
]
}
}
}
Elevación de privilegios: Cambios en los objetos sensibles del RBAC de Kubernetes
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
"category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-07T07:42:36.536Z",
"database": {},
"eventTime": "2022-10-07T07:42:06.044Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"bindings": [
{
"name": "cluster-admin",
"role": {
"kind": "CLUSTER_ROLE",
"name": "cluster-admin"
},
"subjects": [
{
"kind": "USER",
"name": "testUser-1665153212"
}
]
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "edit_sensitive_rbac_object"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665128526",
"nanos": 44146000
},
"insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a"
}
}
],
"properties": {},
"findingId": "05b52fe8267d44bdb33c89367f0dd11a",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Elevación de privilegios: Creación de una CSR de Kubernetes para el certificado principal
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.certificates.v1.certificatesigningrequests.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
"category": "Privilege Escalation: Create Kubernetes CSR for master cert",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-08T14:38:12.501Z",
"database": {},
"eventTime": "2022-10-08T14:37:46.944Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "csr_for_master_cert"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665239866",
"nanos": 944045000
},
"insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101"
}
}
],
"properties": {},
"findingId": "0562169c2e3b44879030a7369dbf839c",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Elevación de privilegios: Creación de vinculaciones de Kubernetes sensibles
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
"category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-11T09:29:44.425Z",
"database": {},
"eventTime": "2022-10-11T09:29:26.309Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"bindings": [
{
"name": "cluster-admin",
"role": {
"kind": "CLUSTER_ROLE",
"name": "cluster-admin"
}
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "create_sensitive_binding"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665480566",
"nanos": 309136000
},
"insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"
}
}
],
"properties": {},
"findingId": "02dcbf565d9d4972a126ac3c38fd4295",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Elevación de privilegios: Obtención de CSR de Kubernetes con credenciales de arranque comprometidas
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.certificates.v1.certificatesigningrequests.list"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
"category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-12T12:28:11.480Z",
"database": {},
"eventTime": "2022-10-12T12:28:08.597Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "get_csr_with_compromised_bootstrap_credentials"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665577688",
"nanos": 597107000
},
"insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993"
}
}
],
"properties": {},
"findingId": "025e0ba774da4d678883257cd125fc43",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Elevación de privilegios: Lanzamiento de un contenedor Kubernetes privilegiado
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.core.v1.pods.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
"category": "Privilege Escalation: Launch of privileged Kubernetes container",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-08T21:43:41.145Z",
"database": {},
"eventTime": "2022-10-08T21:43:09.188Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"pods": [
{
"ns": "default",
"name": "POD_NAME",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI"
}
]
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "launch_privileged_container"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665265389",
"nanos": 188357000
},
"insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c"
}
}
],
"properties": {},
"findingId": "04206668443b45078d5b51c908ad87da",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Elevación de privilegios: Suplantación de identidad anómala de una cuenta de servicio en una actividad de administrador
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
Elevación de privilegios: Delegación anómala de cuentas de servicio de varios pasos para actividades de administrador
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_multistep_admin_activity"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
Elevación de privilegios: Delegación anómala de cuentas de servicio de varios pasos para el acceso a los datos
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_multistep_data_access"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
Elevación de privilegios: Suplantación de identidad de cuenta de servicio anómala para actividad de administrador
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_impersonator_admin_activity"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
Elevación de privilegios: Suplantación de identidad de cuenta de servicio anómala para acceso a datos
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_impersonator_data_access"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
Inhibición de la recuperación del sistema: Se borró la copia de seguridad y el host de DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteHost",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"host": "HOST_NAME",
"applications": [
"HOST_NAME"
],
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Deleted Google Cloud Backup and DR host",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_hosts_delete_host"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
"backupDisasterRecovery": {
"host": "HOST_NAME",
"applications": [
"HOST_NAME"
]
}
}
}
Destrucción de datos: imagen de vencimiento de la copia de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "expireBackup",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME",
"policies": [
"POLICY_NAME"
],
"profile": "PROFILE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Data Destruction: Google Cloud Backup and DR expire image",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_expire_image"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME",
"policies": [
"POLICY_NAME"
],
"profile": "PROFILE_NAME"
}
}
}
Inhibición de la recuperación del sistema: plan de eliminación de copia de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteSla",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"applications": [
"HOST_NAME"
],
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_remove_plan"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
"backupDisasterRecovery": {
"applications": [
"HOST_NAME"
]
}
}
}
Destrucción de datos: la copia de seguridad y la DR de Google Cloud vencen todas las imágenes
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "backupdr.googleapis.com",
"methodName": "expireBackups",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Data Destruction: Google Cloud Backup and DR expire all images",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_expire_images_all"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups."
}
}
Inhibición de la recuperación del sistema: plantilla de eliminación de la copia de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteSlt",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete template",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_template_delete_template"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME"
}
}
}
Inhibición de la recuperación del sistema: política de eliminación de copias de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deletePolicy",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"policies": [
"DeleteMe"
],
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete policy",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_template_delete_policy"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
"backupDisasterRecovery": {
"policies": [
"POLICY_NAME"
]
}
}
}
Inhibición de la recuperación del sistema: perfil de eliminación de la copia de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteSlp",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"profile": "PROFILE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete profile",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_template_delete_profile"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
"backupDisasterRecovery": {
"profile": "PROFILE_NAME"
}
}
}
Destrucción de datos: Quitar dispositivo de copia de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteCluster",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"appliance": "APPLIANCE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Data Destruction: Google Cloud Backup and DR remove appliance",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_appliances_remove_appliance"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
"backupDisasterRecovery": {
"appliance": "APPLIANCE_NAME"
}
}
}
Inhibición de la recuperación del sistema: Borra el grupo de almacenamiento de la copia de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteDiskPool",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"storagePool": "STORAGE_POOL_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete storage pool",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_storage_pools_delete"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
"backupDisasterRecovery": {
"storagePool": "STORAGE_POOL_NAME"
}
}
}
Impacto: Google Cloud Backup and DR reduce la frecuencia de las copias de seguridad
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "updatePolicy",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Impact: Google Cloud Backup and DR reduced backup frequency",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "The backup schedule has been modified to reduce backup frequency.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_reduce_backup_frequency"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "The backup schedule has been modified to reduce backup frequency.",
}
}
Impacto: Reducción del vencimiento de las copias de seguridad de copias de seguridad y DR de Google Cloud
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "updateBackup",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Impact: Google Cloud Backup and DR reduced backup expiration",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "The expiration date for a backup has been reduced.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_reduce_backup_expiration"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "The expiration date for a backup has been reduced."
}
}
Acceso inicial: Usurpación de cuenta inhabilitada
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Account Disabled Hijacked",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "account_disabled_hijacked"
},
"detectionPriority": "MEDIUM",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1624034293",
"nanos": 6.78E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledHijacked",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-18T16:38:13.678Z",
"createTime": "2021-06-18T16:38:16.508Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
Acceso inicial: Filtrado de contraseña inhabilitada
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Disabled Password Leak",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "disabled_password_leak"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1626462896",
"nanos": 6.81E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledPasswordLeak",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-07-16T19:14:56.681Z",
"createTime": "2021-07-16T19:15:00.430Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT",
"indicator": {
}
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
Acceso inicial: Ataque basado en el Gobierno
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Government Based Attack",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "government_based_attack"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1624061458",
"nanos": 7.4E7
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.govAttackWarning",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-19T00:10:58.074Z",
"createTime": "2021-06-19T00:11:01.760Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
Acceso inicial: Intento de compromiso de Log4j
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Initial Access: Log4j Compromise Attempt",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "log4j_compromise_attempt"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1639690492",
"nanos": 9.13836E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"loadBalancerName": "LOAD_BALANCER_NAME",
"requestUrl": "REQUEST_URL?${jndi:ldap://google.com}"
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1190/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-12-16T21:34:52.913Z",
"createTime": "2021-12-16T21:34:55.022Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
"parentDisplayName": "FOLDER_DISPLAY_NAME",
"type": "google.cloud.resourcemanager.Project",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
"resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
}],
"displayName": "PROJECT_ID"
}
}
Acceso inicial: Acceso sospechoso bloqueado
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Suspicious Login Blocked",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "suspicious_login"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621637767",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLogin",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-05-21T22:56:07Z",
"createTime": "2021-05-27T02:36:07.382Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
Acceso inicial: El superusuario de la base de datos escribe en las tablas de los usuarios
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Initial Access: Database Superuser Writes to User Tables",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "cloudsql_superuser_writes_to_user_tables",
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"eventTime": "2022-01-19T21:36:07.901Z",
"createTime": "2022-01-19T21:36:08.695Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": ["DEFAULT_ACCOUNTS"]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
},
"access": {
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.query"
}
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_ID"
}],
"displayName": "INSTANCE_NAME"
}
}
Acceso inicial: acciones denegadas de permisos excesivos
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME",
"principalSubject": "PRINCIPAL_SUBJECT",
"serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Excessive Permission Denied Actions",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "anomalous_behavior",
"subRuleName": "new_api_method"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"failedActions": [
{
"methodName": "SetIamPolicy",
"serviceName": "iam.googleapis.com",
"attemptTimes": "7",
"lastOccurredTime": "2023-03-15T17:35:18.771219Z"
},
{
"methodName": "iam.googleapis.com",
"serviceName": "google.iam.admin.v1.CreateServiceAccountKey",
"attemptTimes": "3",
"lastOccurredTime": "2023-03-15T05:36:14.954701Z"
}
]
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
}
}
}
}
Acceso inicial: Acción de cuenta de servicio inactiva
{
"findings": {
"access": {
"principalEmail": "DORMANT_SERVICE_ACCOUNT",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Dormant Service Account Action",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "dormant_sa_used_in_action",
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0003/"
}
}
}
}
Acceso inicial: se creó la clave de una cuenta de servicio inactiva
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.CreateServiceAccountKey"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Dormant Service Account Key Created",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
"display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
"parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
"type": "google.iam.ServiceAccountKey",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "key_created_on_dormant_sa"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0003/"
}
}
}
}
Acceso inicial: Se usó una clave de cuenta de servicio filtrada.
{
"findings": {
"access": {
"principalEmail": "SERVICE_ACCOUNT",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME"
"serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Leaked Service Account Key Used",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-07-18T10:35:47.381Z",
"database": {},
"eventTime": "2023-07-18T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "AFFECTED_RESOURCE",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "leaked_sa_key_used"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_RESOURCE"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
}
}
},
"description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL"
}
Inhabilita las defensas: Autenticación segura inhabilitada
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
"state": "ACTIVE",
"category": "Impair Defenses: Strong Authentication Disabled",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "impair_defenses",
"indicator": "audit_log",
"ruleName": "enforce_strong_authentication"
},
"detectionPriority": "MEDIUM",
"affectedResources": [{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1623952110",
"nanos": 6.51337E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "admin.googleapis.com",
"methodName": "google.admin.AdminService.enforceStrongAuthentication",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-17T17:48:30.651Z",
"createTime": "2021-06-17T17:48:33.574Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
}
}
Inhabilita las defensas: Verificación en dos pasos inhabilitada
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Impair Defenses: Two Step Verification Disabled",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "impair_defenses",
"indicator": "audit_log",
"ruleName": "two_step_verification_disabled"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1626391356",
"nanos": 5.96E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svDisable",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-07-15T23:22:36.596Z",
"createTime": "2021-07-15T23:22:40.079Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT",
"indicator": {
}
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
Persistencia: Activación o desactivación de SSO
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
"state": "ACTIVE",
"category": "Persistence: SSO Enablement Toggle",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "account_manipulation",
"indicator": "audit_log",
"ruleName": "sso_enablement_toggle"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1622829313",
"nanos": 3.42104E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "admin.googleapis.com",
"methodName": "google.admin.AdminService.toggleSsoEnabled",
"ssoState": "ENABLED",
"domainName": "ORGANIZATION_NAME"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-04T17:55:13.342Z",
"createTime": "2021-06-04T17:55:15.900Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
}
}
Persistencia: Se agregó la secuencia de comandos de inicio del administrador de GCE
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
"category": "Persistence: GCE Admin Added Startup Script",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "gce_admin"
"subRuleName": "instance_add_startup_script"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621624109",
"nanos": 3.73721E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"callerIp": "IP_ADDRESS",
"principalEmail": "PRINCIPAL_EMAIL",
"gceInstanceId": "GCE_INSTANCE_ID",
"projectId": "PROJECT_ID",
"metadataKeyOperation": "ADDED",
"callerUserAgent": "USER_AGENT",
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1543/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}]
}
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
}
}
Persistencia: Clave SSH agregada por el administrador de GCE
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
"category": "Persistence: GCE Admin Added SSH Key",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "gce_admin"
"subRuleName": "instance_add_ssh_key"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621624109",
"nanos": 3.73721E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"callerIp": "IP_ADDRESS",
"principalEmail": "PRINCIPAL_EMAIL",
"gceInstanceId": "GCE_INSTANCE_ID",
"projectId": "PROJECT_ID",
"metadataKeyOperation": "ADDED",
"callerUserAgent": "USER_AGENT",
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1543/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}]
}
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
}
}
Persistencia: Configuración de SSO cambiada
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
"state": "ACTIVE",
"category": "Persistence: SSO Settings Changed",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "account_manipulation",
"indicator": "audit_log",
"ruleName": "sso_settings_changed"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621624109",
"nanos": 3.73721E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "admin.googleapis.com",
"methodName": "google.admin.AdminService.changeSsoSettings",
"domainName": "ORGANIZATION_NAME"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-05-21T19:08:29.373Z",
"createTime": "2021-05-27T11:36:24.429Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
}
}
IDS de Cloud
{
"finding": {
"access": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
"category": "Cloud IDS: THREAT_ID",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"connections": [
{
"destinationIp": "IP_ADDRESS",
"destinationPort": PORT,
"sourceIp": "IP_ADDRESS",
"sourcePort": PORT,
"protocol": "PROTOCOL"
}
],
"createTime": "TIMESTAMP",
"database": {},
"description": "This signature detects a payload in HTTP traffic which could possibly be malicious.",
"eventTime": "TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_DISPLAY_NAME",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "ctd-engprod-project",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER",
"parent_display_name": "PARENT_DISPLAY_NAME",
"folders": [
{
"resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resource_folder_display_name": "FOLDER_DISPLAY_NAME"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "cloud_ids_threat_activity"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "TIMESTAMP",
"nanos": TIMESTAMP
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_QUERY_URI"
}
],
"relatedFindingUri": {}
},
"description": "THREAT_DESCRIPTION"
}
}
Desplazamiento lateral: disco de arranque modificado conectado a la instancia
{
"finding": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.attachDisk",
},
"application": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
"category": "Lateral Movement: Modify Boot Disk Attaching to Instance",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "2024-02-01T23:55:17.589Z",
"database": {},
"eventTime": "2024-02-01T23:55:17.396Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"logEntries": [
{
"cloudLoggingEntry": {
"insertId": "INSERT_ID",
"logId": "cloudaudit.googleapis.com/activity",
"resourceContainer": "projects/PROJECT_NUMBER",
"timestamp": "2024-02-01T23:55:15.017887Z"
}
}
],
"mitreAttack": {
"primaryTactic": "TACTIC_UNSPECIFIED"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"securityPosture": {},
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"displayName": "INSTANCE_ID",
"type": "google.compute.Instance",
"gcpMetadata": {
"project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_NUMBER",
"parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_NUMBER,
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NUMBER"
}
],
"organization": "organizations/ORGANIZATION_NUMBER"
}
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "modify_boot_disk",
"subRuleName": "attach_to_instance"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID"
},
{
"gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_NUMBER",
"resourceContainer": "PROJECT_NUMBER",
"timestamp": {
"seconds": "1706831715",
"nanos": 17887000
},
"insertId": "INSERT_ID",
"logId": "cloudaudit.googleapis.com/activity"
}
}
],
"properties": {
"diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID",
"targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"workerInstances": [
"projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
],
"bootDiskPayloads": [
{
"instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"operation": "MODIFY_BOOT_DISK_ATTACH",
"principalEmail": "PRINCIPAL_EMAIL",
"eventTime": "2024-02-01T23:55:06.706640Z"
},
{
"instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"operation": "MODIFY_BOOT_DISK_DETACH",
"principalEmail": "PRINCIPAL_EMAIL",
"eventTime": "2024-02-01T23:55:05.608631Z"
}
]
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1570/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER"
}
],
"relatedFindingUri": {}
}
}
}
Elevación de privilegios: Otorgamiento de privilegios excesivos
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Privilege Escalation: AlloyDB Over-Privileged Grant",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "alloydb_user_granted_all_permissions",
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/001/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}]
}
},
"eventTime": "EVENT_TIMESTAMP",,
"createTime": "CREATE_TIMESTAMP",,
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "PRIVILEGE_ESCALATION",
"primaryTechniques": [
"VALID_ACCOUNTS"
],
"additionalTactics": [
"PERSISTENCE"
],
"additionalTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
"grantees": [GRANTEE],
},
"access": {
"serviceName": "alloydb.googleapis.com",
"methodName": "alloydb.instances.query"
}
},
"resource": {
"name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"type": "google.alloydb.Instance",
"cloudProvider": "GOOGLE_CLOUD_PLATFORM",
"service": "alloydb.googleapis.com",
"location": "REGION",
"gcpMetadata": {
"project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": FOLDER_NAME
}
],
"organization": "organizations/ORGANIZATION_ID"
},
"resourcePath": {
"nodes": [
{
"nodeType": "GCP_PROJECT",
"id": "projects/PROJECT_NUMBER",
"displayName": "PROJECT_ID"
},
{
"nodeType": "GCP_FOLDER",
"id": "folders/FOLDER_NUMBER",
"displayName": "FOLDER_NAME"
},
{
"nodeType": "GCP_ORGANIZATION",
"id": "organizations/ORGANIZATION_ID"
}
]
},
"resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
}
}
Elevación de privilegios: El superusuario de la base de datos de AlloyDB escribe en las tablas de usuarios
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "alloydb_user_granted_all_permissions",
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/001/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}]
}
},
"eventTime": "EVENT_TIMESTAMP",,
"createTime": "CREATE_TIMESTAMP",,
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "PRIVILEGE_ESCALATION",
"primaryTechniques": [
"VALID_ACCOUNTS"
],
"additionalTactics": [
"PERSISTENCE"
],
"additionalTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
},
"access": {
"serviceName": "alloydb.googleapis.com",
"methodName": "alloydb.instances.query"
}
},
"resource": {
"name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"type": "google.alloydb.Instance",
"cloudProvider": "GOOGLE_CLOUD_PLATFORM",
"service": "alloydb.googleapis.com",
"location": "REGION",
"gcpMetadata": {
"project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": FOLDER_NAME
}
],
"organization": "organizations/ORGANIZATION_ID"
},
"resourcePath": {
"nodes": [
{
"nodeType": "GCP_PROJECT",
"id": "projects/PROJECT_NUMBER",
"displayName": "PROJECT_ID"
},
{
"nodeType": "GCP_FOLDER",
"id": "folders/FOLDER_NUMBER",
"displayName": "FOLDER_NAME"
},
{
"nodeType": "GCP_ORGANIZATION",
"id": "organizations/ORGANIZATION_ID"
}
]
},
"resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
}
}
¿Qué sigue?
- Obtén más información sobre cómo funciona Event Threat Detection.
- Obtén información a fin de investigar y desarrollar planes de respuesta para las amenazas.