Halaman ini diterjemahkan oleh Cloud Translation API.

Menggunakan Event Threat Detection

Halaman ini menunjukkan cara meninjau temuan Deteksi Ancaman Peristiwa di Konsol Google Cloud dan menyertakan contoh temuan Deteksi Ancaman Peristiwa.

Event Threat Detection adalah layanan bawaan untuk paket Security Command Center Premium yang memantau aliran logging Cloud Logging untuk organisasi atau project Anda dan mendeteksi ancaman secara hampir real time. Jika Anda mengaktifkan paket Premium Security Command Center di tingkat organisasi, Event Threat Detection juga dapat memantau aliran logging Google Workspace organisasi Anda. Untuk mempelajari lebih lanjut, lihat Ringkasan Event Threat Detection.

Meninjau temuan

Untuk melihat temuan Event Threat Detection, layanan harus diaktifkan di setelan Layanan Security Command Center. Setelah Anda mengaktifkan Event Threat Detection, Event Threat Detection akan menghasilkan temuan dengan memindai log tertentu. Beberapa log yang dapat dipindai Event Threat Detection dinonaktifkan secara default, jadi Anda mungkin perlu mengaktifkannya.

Untuk informasi selengkapnya tentang aturan deteksi bawaan yang digunakan Event Threat Detection dan log yang dipindai Event Threat Detection, lihat topik berikut:

Anda dapat melihat temuan Event Threat Detection di Security Command Center. Jika mengonfigurasi Ekspor Berkelanjutan untuk menulis log, Anda juga dapat melihat temuan di Cloud Logging. Ekspor Berkelanjutan ke Cloud Logging hanya tersedia jika Anda mengaktifkan paket Premium Security Command Center di tingkat organisasi. Untuk membuat temuan dan memverifikasi konfigurasi, Anda dapat memicu pendeteksi secara sengaja dan menguji Event Threat Detection.

Aktivasi Event Threat Detection terjadi dalam hitungan detik. Latensi deteksi umumnya kurang dari 15 menit sejak log ditulis hingga temuan tersedia di Security Command Center. Untuk informasi selengkapnya tentang latensi, lihat Ringkasan latensi Security Command Center.

Meninjau temuan di Security Command Center

Peran IAM untuk Security Command Center dapat diberikan di tingkat organisasi, folder, atau project. Kemampuan Anda untuk melihat, mengedit, membuat, atau memperbarui temuan, aset, dan sumber keamanan bergantung pada tingkat akses yang Anda terima. Untuk mempelajari peran Security Command Center lebih lanjut, lihat Kontrol akses.

Gunakan prosedur berikut untuk meninjau temuan di konsol Google Cloud:

Di konsol Google Cloud, buka halaman Temuan Security Command Center.
Buka Temuan
Jika perlu, pilih project atau organisasi Google Cloud Anda.
Di bagian Quick filters, di subbagian Source display name, pilih salah satu atau kedua opsi berikut:
- Event Threat Detection: untuk memfilter temuan yang dihasilkan oleh detektor Event Threat Detection bawaan
- Modul Kustom Event Threat Detection: untuk memfilter temuan yang dihasilkan oleh modul kustom untuk Event Threat Detection
Tabel diisi dengan temuan Event Threat Detection.
Untuk melihat detail temuan tertentu, klik nama temuan di bagian Category. Panel detail temuan akan diperluas untuk menampilkan informasi termasuk hal berikut:
- Ringkasan yang dibuat AI^Pratinjau masalah
- Kapan peristiwa terjadi
- Sumber data temuan
- Tingkat keparahan deteksi, misalnya Tinggi
- Tindakan yang dilakukan, seperti menambahkan peran Identity and Access Management (IAM) ke pengguna Gmail
- Pengguna yang melakukan tindakan, tercantum di samping Email utama
Untuk menampilkan semua temuan yang disebabkan oleh tindakan pengguna yang sama:
1. Di panel detail penemuan, salin alamat email di samping Email utama.
2. Tutup panel.
3. Di editor kueri, masukkan kueri berikut:
```
access.principal_email="USER_EMAIL"
```
  Ganti USER_EMAIL dengan alamat email yang sebelumnya Anda salin.
  
  Security Command Center menampilkan semua temuan yang terkait dengan tindakan yang dilakukan oleh pengguna yang Anda tentukan.

Melihat temuan di Cloud Logging

Jika mengonfigurasi Ekspor Berkelanjutan untuk menulis log, Anda dapat melihat temuan Event Threat Detection di Cloud Logging. Fitur ini hanya tersedia jika Anda mengaktifkan paket Premium Security Command Center di tingkat organisasi.

Untuk melihat temuan Event Threat Detection di Cloud Logging, lakukan hal berikut:

Buka Logs Explorer di konsol Google Cloud.

Buka Logs Explorer
Pilih project Google Cloud atau resource Google Cloud lainnya tempat Anda menyimpan log Event Threat Detection.
Gunakan panel Kueri untuk membuat kueri dengan salah satu cara berikut:
- Dalam daftar Semua resource, lakukan tindakan berikut:
  1. Pilih Pendeteksi Ancaman untuk menampilkan daftar semua pendeteksi.
  2. Untuk melihat temuan dari semua detektor, pilih all detector_name. Untuk melihat temuan dari pendeteksi tertentu, pilih namanya.
  3. Klik Terapkan. Tabel Hasil kueri diperbarui dengan log yang Anda pilih.
- Masukkan kueri berikut di editor kueri, lalu klik Run query:
```
resource.type="threat_detector"
```
  Tabel Hasil kueri diperbarui dengan log yang Anda pilih.
Untuk melihat log, pilih baris tabel, lalu klik Luaskan kolom bertingkat.

Anda dapat membuat kueri log lanjutan untuk menentukan kumpulan entri log dari sejumlah log.

Contoh format temuan

Bagian ini mencakup format output JSON untuk temuan Deteksi Ancaman Peristiwa seperti yang muncul saat Anda membuat ekspor dari Konsol Google Cloud atau menjalankan metode daftar di Security Command Center API.

Contoh output berisi kolom yang paling umum untuk semua temuan. Namun, semua kolom mungkin tidak muncul di setiap temuan. Output sebenarnya yang Anda lihat bergantung pada konfigurasi resource serta jenis dan status temuan.

Untuk melihat contoh temuan, luaskan satu atau beberapa node berikut.

Pemindaian Aktif: Log4j Rentan terhadap RCE

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "state": "ACTIVE",
    "category": "Active Scan: Log4j Vulnerable to RCE",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_scan_success"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }, {
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1639701222",
            "nanos": 7.22988344E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "scannerDomain": "SCANNER_DOMAIN",
        "sourceIp": "SOURCE_IP_ADDRESS",
        "vpcName": "default"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1210/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-17T00:33:42.722Z",
    "createTime": "2021-12-17T00:33:44.633Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.compute.Instance",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
    }],
    "displayName": "INSTANCE_ID"
  }
}

Brute Force: SSH

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Brute Force: SSH",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "65"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "projectId": "PROJECT_ID",
          "zone": "us-west1-a",
          "instanceId": "INSTANCE_ID",
          "attempts": [
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "SUCCESS"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            }
          ]
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/003/"
          }
        },
        "detectionCategory": {
          "technique": "brute_force",
          "indicator": "flow_log",
          "ruleName": "ssh_brute_force"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }

Akses Kredensial: Anggota Eksternal Ditambahkan ke Grup dengan Hak Istimewa

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME",
    "state": "ACTIVE",
    "category": "Credential Access: External Member Added To Privileged Group",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "external_member_added_to_privileged_group"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633622881",
            "nanos": 6.73869E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "externalMemberAddedToPrivilegedGroup": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "externalMember": "user:EXTERNAL_EMAIL",
          "sensitiveRoles": [{
            "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
            "roleName": ["ROLES"]
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": " https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:08:03.888Z",
    "createTime": "2021-10-07T16:08:04.516Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
  }
}

Akses Kredensial: Grup dengan Hak Istimewa Dibuka untuk Publik

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings",
    "state": "ACTIVE",
    "category": "Credential Access: Privileged Group Opened To Public",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "privileged_group_opened_to_public"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1634774534",
            "nanos": 7.12E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "privilegedGroupOpenedToPublic": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "sensitiveRoles": [{
            "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
            "roleName": ["ROLES"]
          }],
          "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": " https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-21T00:02:19.173Z",
    "createTime": "2021-10-21T00:02:20.099Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
  }
}

Akses Kredensial: Peran Sensitif Diberikan ke Grup Hybrid

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy",
    },
    "assetDisplayName": "PROJECT_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Credential Access: Sensitive Role Granted To Hybrid Group",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-12-22T00:31:58.242Z",
    "database": {},
    "eventTime": "2022-12-22T00:31:58.151Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.securityAdmin",
        "member": "group:GROUP_NAME@ORGANIZATION_NAME",
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_ID",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_ID",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "sensitive_role_to_group_with_external_member"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1671669114",
            "nanos": 715318000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "sensitiveRoleToHybridGroup": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/iam.securityAdmin",
            "member": "group:GROUP_NAME@ORGANIZATION_NAME",
          }
        ],
        "resourceName": "projects/PROJECT_ID"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}

Penghindaran Pertahanan: Deployment Workload Breakglass Dibuat

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Created",
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "test-container",
        "uri": "test-image"
      }
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {
              "name": "image-policy.k8s.io/break-glass",
              "value": "true"
            }
          ],
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": [
        "ABUSE_ELEVATION_CONTROL_MECHANISM"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "create"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1679679521",
            "nanos": 141571000
          },
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}

Defense Evasion: Deployment Workload Breakglass Diperbarui

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Updated",
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "test-container",
        "uri": "test-image"
      }
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {
              "name": "image-policy.k8s.io/break-glass",
              "value": "true"
            }
          ],
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": [
        "ABUSE_ELEVATION_CONTROL_MECHANISM"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "update"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1679679521",
            "nanos": 141571000
          },
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}

Defense Evasion: Mengubah Kontrol Layanan VPC

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
    "state": "ACTIVE",
    "category": "Defense Evasion: Modify VPC Service Control",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "modify_auth_process",
        "indicator": "audit_log",
        "ruleName": "vpcsc_changes",
        "subRuleName": "reduce_perimeter_protection"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
        "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS",
        "delta": {
          "restrictedResources": [{
            "resourceName": "PROJECT_NAME",
            "action": "REMOVE"
          }],
          "restrictedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "REMOVE"
          }],
          "allowedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "ADD"
          }],
          "accessLevels": [{
            "policyName": "ACCESS_LEVEL_POLICY",
            "action": "ADD"
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": ""https://attack.mitre.org/techniques/T1556/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "accesscontextmanager.googleapis.com",
      "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter"
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "type": "google.cloud.resourcemanager.Organization",
    "displayName": "RESOURCE_DISPLAY_NAME"
  }
}

Penemuan: Dapat mendapatkan pemeriksaan objek Kubernetes sensitif

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "category": "Discovery: Can get sensitive Kubernetes object check",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T01:39:42.957Z",
    "database": {},
    "eventTime": "2022-10-08T01:39:40.632Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "accessReviews": [
        {
          "name": "secrets-1665218000",
          "resource": "secrets",
          "verb": "get"
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "can_get_sensitive_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665193180",
            "nanos": 632000000
          },
          "insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf"
        }
      }
    ],
    "properties": {},
    "findingId": "03f466dc25a8496693b7482304fb2e7f",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0007/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Penemuan: Investigasi Mandiri Akun Layanan

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1619200104",
            "nanos": 9.08E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}

Penghindaran: Akses dari Anonymizing Proxy

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Evasion: Access from Anonymizing Proxy",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "proxy_access"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "changeFromBadIp": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "ip": "SOURCE_IP_ADDRESS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1090/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Pemindahan Tidak Sah: Pemindahan Tidak Sah Data BigQuery

Temuan ini dapat mencakup salah satu dari dua kemungkinan subaturan:

exfil_to_external_table, dengan tingkat keparahan HIGH.
vpc_perimeter_violation, dengan tingkat keparahan LOW.

Contoh berikut menunjukkan JSON untuk subaturan exfil_to_external_table.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Exfiltration: BigQuery Data Exfiltration",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2023-05-30T15:49:59.709Z",
    "database": {},
    "eventTime": "2023-05-30T15:49:59.432Z",
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID"
        }
      ]
    },
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [
        "EXFILTRATION_OVER_WEB_SERVICE",
        "EXFILTRATION_TO_CLOUD_STORAGE"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parent_display_name": "FOLDER_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "org_exfiltration",
      "indicator": "audit_log",
      "ruleName": "big_query_exfil",
      "subRuleName": "exfil_to_external_table"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1685461795",
            "nanos": 341527000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "dataExfiltrationAttempt": {
        "jobState": "SUCCEEDED",
        "jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults",
        "job": {
          "projectId": "PROJECT_ID",
          "jobId": "BIGQUERY_JOB_ID",
          "location": "BIGQUERY_JOB_LOCATION"
        },
        "query": "QUERY",
        "sourceTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
            "projectId": "PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID"
          }
        ],
        "destinationTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table",
            "projectId": "TARGET_PROJECT_ID",
            "datasetId": "TARGET_DATASET_ID",
            "tableId": "TARGET_TABLE_ID"
          }
        ],
        "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com"
      },
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1567/002/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Pemindahan Tidak Sah: Ekstraksi Data BigQuery

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data Extraction",
    "sourceProperties": {
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "detectionCategory": {
        "technique": "storage_bucket_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_cloud_storage"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration Extraction findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": PROJECT_ID,
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
              "collectionType": "GCS_BUCKET",
              "collectionName": "TARGET_GCS_BUCKET_NAME",
              "objectName": "TARGET_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:22:11.359Z",
    "createTime": "2022-03-31T21:22:12.689Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "TARGET_GCS_URI"
        }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}

Pemindahan Tidak Sah: Data BigQuery ke Google Drive

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data to Google Drive",
    "sourceProperties": {
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "detectionCategory": {
        "technique": "google_drive_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_google_drive"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration to Google Drive findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": PROJECT_ID,
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME",
              "collectionType": "GDRIVE",
              "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER",
              "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:20:18.408Z",
    "createTime": "2022-03-31T21:20:18.715Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "TARGET_GOOGLE_DRIVE_URI"
        }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}

Eksfiltrasi: Pemindahan Data CloudSQL yang Tidak Sah

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Data Exfiltration",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "technique": "storage_bucket_exfiltration",
          "indicator": "audit_log",
          "ruleName": "cloudsql_exfil",
          "subRuleName": "export_to_public_gcs"
        },
        "detectionPriority": "HIGH",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": PROJECT_ID,
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "properties": {
          "exportToGcs": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
            "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
            "bucketAccess": "PUBLICLY_ACCESSIBLE",
            "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
            "exportScope": "WHOLE_INSTANCE"
          }
        },
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "eventTime": "2021-10-11T16:32:59.828Z",
      "createTime": "2021-10-11T16:33:00.229Z",
      "severity": "HIGH",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
      },
      "access": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP",
        "callerIpGeo": {
        },
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.export"
      },
      "exfiltration": {
        "sources": [
          {
            "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
            "components": []
          }
        ],
        "targets": [
          {
            "name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
            "components": [
              "TARGET_FILE_NAME"
            ]
          }
        ]
      },
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }],
      "displayName": "INSTANCE_NAME"
    }
}

Eksfiltrasi: Pencadangan Pemulihan CloudSQL ke Organisasi Eksternal

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Restore Backup to External Organization",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "SOURCE_PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "technique": "backup_exfiltration",
          "indicator": "audit_log",
          "ruleName": "cloudsql_exfil",
          "subRuleName": "restore_to_external_instance"
        },
        "detectionPriority": "HIGH",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          },
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "SOURCE_PROJECT_ID",
            "resourceContainer": "projects/SOURCE_PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "properties": {
          "restoreToExternalInstance": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
            "backupId": "BACKUP_ID",
            "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          }
        },
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "eventTime": "2022-01-19T21:36:07.901Z",
      "createTime": "2022-01-19T21:36:08.695Z",
      "severity": "HIGH",
      "workflowState": "NEW",
      "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
      },
      "access": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP",
        "callerIpGeo": {
        },
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.restoreBackup"
      },
      "exfiltration": {
        "sources": [
          {
            "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
          }
        ],
        "targets": [
          {
            "name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          }
        ]
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER",
      "projectDisplayName": "SOURCE_PROJECT_ID",
      "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
      "parentDisplayName": "SOURCE_INSTANCE_NAME",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }],
      "displayName": "mysql-backup-restore-instance"
    }
}

Pemindahan Tidak Sah: Pemberian Hak Istimewa Berlebihan CloudSQL

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Over-Privileged Grant",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "cloudsql_exfil",
          "subRuleName": "user_granted_all_permissions"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "eventTime": "2022-01-19T21:36:07.901Z",
      "createTime": "2022-01-19T21:36:08.695Z",
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"]
      },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
        "grantees": [GRANTEE],
      },
      "access": {
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.query"
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }],
      "displayName": "INSTANCE_NAME"
    }
}

Malware: Domain Buruk

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad Domain",
      "sourceProperties": {
        "sourceId": {
          "customerOrganizationNumber": "ORGANIZATION_ID",
          "projectNumber": "PROJECT_NUMBER"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1568/"
          },          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal Domain Link",
              "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
            }
          ]
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "domains": [
            "DOMAIN"
          ],
          "network": {
            "location": "REGION",
            "project": "PROJECT_ID"
          },
          "dnsContexts": [
            {
              "authAnswer": true,
              "sourceIp": "IP_ADDRESS",
              "queryName": "DOMAIN",
              "queryType": "AAAA",
              "responseCode": "NOERROR",
              "responseData": [
                {
                  "domainName": "DOMAIN.",
                  "ttl": 299,
                  "responseClass": "IN",
                  "responseType": "AAAA",
                  "responseValue": "IP_ADDRESS"
                }
              ]
            }
          ]
        },
        "detectionPriority": "HIGH",
        "detectionCategory": {
          "technique": "C2",
          "indicator": "domain",
          "subRuleName": "google_intel",
          "ruleName": "bad_domain"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }

Malware: IP Buruk

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad IP",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "ips": [
            "SOURCE_IP_ADDRESS",
            "DESTINATION_IP_ADDRESS"
          ],
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 6
          },
          "network": {
            "project": "PROJECT_ID",
            "location": "ZONE",
            "subnetworkId": "SUBNETWORK_ID",
            "subnetworkName": "default"
          },
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        },
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/tactics/TA0011/"
          },
          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
            },
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
            }
          ]
        },
        "detectionCategory": {
          "technique": "C2",
          "indicator": "ip",
          "ruleName": "bad_ip",
          "subRuleName": "google_intel"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "LOW",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}

Malware: Domain Buruk Cryptomining

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "domain",
        "ruleName": "bad_domain",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1636566099",
            "nanos": 5.41483849E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "domains": ["DOMAIN"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE"
        },
        "dnsContexts": [{
          "authAnswer": true,
          "sourceIp": "SOURCE_IP_ADDRESS",
          "queryName": "DOMAIN",
          "queryType": "A",
          "responseCode": "NXDOMAIN"
        }],
        "vpc": {
          "vpcName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [{
          "displayName": "VirusTotal Domain Link",
          "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
        }],
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:41:41.594Z",
    "createTime": "2021-11-10T17:41:42.014Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "domains": ["DOMAIN"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Malware: IP Buruk Cryptomining

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad IP",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "ip",
        "ruleName": "bad_ip",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1636566005",
            "nanos": 9.74622832E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "ips": ["DESTINATION_IP_ADDRESS"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE",
          "subnetworkId": "SUBNETWORK_ID",
          "subnetworkName": "default"
        },
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "destIp": "DESTINATION_IP_ADDRESS",
          "protocol": 1.0
        },
        "indicatorContext": [{
          "ipAddress": "DESTINATION_IP_ADDRESS",
          "countryCode": "FR",
          "reverseDnsDomain": "REVERSE_DNS_DOMAIN",
          "carrierName": "CARRIER_NAME",
          "organizationName": "ORGANIZATION_NAME",
          "asn": "AUTONOMOUS_SYSTEM_NUMBERS"
        }],
        "srcVpc": {
        },
        "destVpc": {
          "projectId": "PROJECT_ID",
          "vpcName": "default",
          "subnetworkName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [{
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
        }],
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:40:38.048Z",
    "createTime": "2021-11-10T17:40:38.472Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "ipAddresses": ["DESTINATION_IP_ADDRESS"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Malware: DoS Keluar

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "state": "ACTIVE",
      "category": "Malware: Outgoing DoS",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 17
          }
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1498/"
          }
        },
        "detectionCategory": {
          "technique": "malware",
          "indicator": "flow_log",
          "ruleName": "outgoing_dos"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}

Persistensi: Pemberian IAM Tidak Wajar

Penemuan IAM Anomalous Grant bersifat unik karena menyertakan sub-aturan yang memberikan informasi lebih spesifik tentang setiap instance penemuan ini. Klasifikasi tingkat keparahan temuan ini bergantung pada sub-aturan dan setiap sub-aturan mungkin memerlukan respons yang berbeda.

Daftar berikut menunjukkan semua kemungkinan sub-aturan dan tingkat keparahannya:

external_service_account_added_to_policy: HIGH

HIGH, jika peran yang sangat sensitif diberikan atau jika peran dengan sensitivitas sedang diberikan di tingkat organisasi. Untuk mengetahui informasi selengkapnya, lihat Peran yang sangat sensitif.
MEDIUM, jika peran dengan sensitivitas sedang diberikan. Untuk mengetahui informasi selengkapnya, lihat Peran dengan sensitivitas sedang.

external_member_invited_to_policy: HIGH
external_member_added_to_policy:
- HIGH, jika peran yang sangat sensitif diberikan atau jika peran dengan sensitivitas sedang diberikan di tingkat organisasi. Untuk mengetahui informasi selengkapnya, lihat Peran yang sangat sensitif.
- MEDIUM, jika peran dengan sensitivitas sedang diberikan. Untuk mengetahui informasi selengkapnya, lihat Peran dengan sensitivitas sedang.
custom_role_given_sensitive_permissions: MEDIUM
service_account_granted_sensitive_role_to_member: HIGH
policy_modified_by_default_compute_service_account: HIGH

Kolom JSON yang disertakan dalam temuan dapat berbeda dari satu kategori temuan ke kategori lainnya. Misalnya, JSON berikut menyertakan kolom untuk akun keamanan. Jika kategori temuan tidak terkait dengan akun layanan, kolom tersebut tidak akan disertakan dalam JSON.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: IAM Anomalous Grant",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "IAM_ROLE",
        "member": "serviceAccount:ACCOUNT_NAME"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "iam_anomalous_grant",
      "subRuleName": "TYPE_OF_ANOMALOUS_GRANT"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "sensitiveRoleGrant": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/GRANTED_ROLE",
            "member": "serviceAccount:SERVICE_ACCOUNT_NAME",
          }
        ],
        "members": [
          "serviceAccount:SERVICE_ACCOUNT_NAME"
        ]
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {
        "displayName": "Related Anomalous Grant Findings",
        "url": "LINK_TO_RELATED_FINDING"
      }
    }
  }
}

Persistensi: Peran Peniruan Identitas Diberikan untuk Akun Layanan yang Tidak Aktif

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "iam.googleapis.com",
      "methodName": "google.iam.admin.v1.SetIAMPolicy"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: Impersonation Role Granted for Dormant Service Account",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.serviceAccountTokenCreator",
        "member": "IAM_Account_Who_Received_Impersonation_Role"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.iam.ServiceAccount",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "impersonation_role_granted_over_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}

Persistensi: Metode API Baru

{
 "findings": {
   "access": {
     "principalEmail": "PRINCIPAL_EMAIL",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME",
     "principalSubject": "PRINCIPAL_SUBJECT",
     "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Persistence: New API Method",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {},
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "severity": "LOW",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
   "parent_display_name": "FOLDER_NAME",
   "type": "RESOURCE_TYPE",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "technique": "persistence",
     "indicator": "audit_log",
     "ruleName": "anomalous_behavior",
     "subRuleName": "new_api_method"
   },
   "detectionPriority": "LOW",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {
     "newApiMethod": {
       "newApiMethod": {
         "serviceName": "SERVICE_NAME",
         "methodName": "METHOD_NAME"
       },
       "principalEmail": "PRINCIPAL_EMAIL",
       "callerIp": "IP_ADDRESS",
       "callerUserAgent": "CALLER_USER_AGENT",
       "resourceContainer": "projects/PROJECT_NUMBER"
     }
   },
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/tactics/TA0003/"
     }
   }
 }
}

Persistensi: Geografi Baru

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
    "state": "ACTIVE",
    "category": "Persistence: New Geography",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "ip_geolocation"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "RESOURCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1617994703",
            "nanos": 5.08853E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousLocation": {
          "anomalousLocation": "BE",
          "callerIp": "IP_ADDRESS",
          "principalEmail": "PRINCIPAL_EMAIL",
          "notSeenInLast": "2592000s",
          "typicalGeolocations": [{
            "country": {
              "identifier": "US"
            }
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "RESOURCE_NAME"
  }
}

Persistensi: Agen Pengguna Baru

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9",
    "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Persistence: New User Agent",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "user_agent"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1614736482",
            "nanos": 9.76209552E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousSoftware": {
          "anomalousSoftwareClassification": ["USER_AGENT"],
          "behaviorPeriod": "2592000s",
          "callerUserAgent": "USER_AGENT",
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-03-03T01:54:47.681Z",
    "createTime": "2021-03-03T01:54:49.154Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//monitoring.googleapis.com/projects/PROJECT_ID"
  }
}

Eskalasi Hak Istimewa: Akun Layanan Tidak Aktif Diberi Peran Sensitif

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy",
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "SENSITIVE_IAM_ROLE",
        "member": "serviceAccount:DORMANT_SERVICE_ACCOUNT"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "sensitive_role_added_to_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}

Eskalasi hak istimewa: Perubahan pada objek RBAC Kubernetes sensitif

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-07T07:42:36.536Z",
    "database": {},
    "eventTime": "2022-10-07T07:42:06.044Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          },
          "subjects": [
            {
              "kind": "USER",
              "name": "testUser-1665153212"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "edit_sensitive_rbac_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665128526",
            "nanos": 44146000
          },
          "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a"
        }
      }
    ],
    "properties": {},
    "findingId": "05b52fe8267d44bdb33c89367f0dd11a",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Eskalasi hak istimewa: Membuat CSR kubernetes untuk sertifikat master

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "category": "Privilege Escalation: Create Kubernetes CSR for master cert",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T14:38:12.501Z",
    "database": {},
    "eventTime": "2022-10-08T14:37:46.944Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "csr_for_master_cert"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665239866",
            "nanos": 944045000
          },
          "insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101"
        }
      }
    ],
    "properties": {},
    "findingId": "0562169c2e3b44879030a7369dbf839c",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Eskalasi akses: Pembuatan binding kubernetes sensitif

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-11T09:29:44.425Z",
    "database": {},
    "eventTime": "2022-10-11T09:29:26.309Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          }
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "create_sensitive_binding"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665480566",
            "nanos": 309136000
          },
          "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"
        }
      }
    ],
    "properties": {},
    "findingId": "02dcbf565d9d4972a126ac3c38fd4295",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Eskalasi Hak Istimewa: Mendapatkan CSR Kubernetes dengan kredensial bootstrap yang disusupi

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.list"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-12T12:28:11.480Z",
    "database": {},
    "eventTime": "2022-10-12T12:28:08.597Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "get_csr_with_compromised_bootstrap_credentials"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665577688",
            "nanos": 597107000
          },
          "insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993"
        }
      }
    ],
    "properties": {},
    "findingId": "025e0ba774da4d678883257cd125fc43",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Eskalasi Hak Istimewa: Peluncuran penampung Kubernetes dengan hak istimewa

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "category": "Privilege Escalation: Launch of privileged Kubernetes container",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T21:43:41.145Z",
    "database": {},
    "eventTime": "2022-10-08T21:43:09.188Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "POD_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "launch_privileged_container"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665265389",
            "nanos": 188357000
          },
          "insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c"
        }
      }
    ],
    "properties": {},
    "findingId": "04206668443b45078d5b51c908ad87da",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Eskalasi Hak Istimewa: Peniruan Akun Layanan yang Tidak Normal untuk Aktivitas Admin

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Eskalasi Hak Istimewa: Delegasi Akun Layanan Multilangkah yang Tidak Normal untuk Aktivitas Admin

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_multistep_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Eskalasi Hak Istimewa: Delegasi Akun Layanan Multilangkah yang Tidak Normal untuk Akses Data

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_multistep_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Eskalasi Hak Istimewa: Peniruan Identitas Akun Layanan yang Tidak Normal untuk Aktivitas Admin

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonator_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Eskalasi Hak Istimewa: Peniru Identitas Akun Layanan Anomal untuk Akses Data

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonator_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Menghambat Pemulihan Sistem: Menghapus host Pencadangan dan DR Google Cloud

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteHost",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [
        "HOST_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Deleted Google Cloud Backup and DR host",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_hosts_delete_host"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [
        "HOST_NAME"
      ]
    }
  }
}

Penghancuran Data: Gambar masa berlaku Pencadangan dan DR Google Cloud berakhir

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [
        "POLICY_NAME"
      ],
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Data Destruction: Google Cloud Backup and DR expire image",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_expire_image"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [
        "POLICY_NAME"
      ],
      "profile": "PROFILE_NAME"
    }
  }
}

Menghambat Pemulihan Sistem: Pencadangan dan DR Google Cloud menghapus rencana

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSla",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_remove_plan"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ]
    }
  }
}

Penghancuran Data: Pencadangan dan DR Google Cloud akan menghapus semua gambar

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackups",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Data Destruction: Google Cloud Backup and DR expire all images",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_expire_images_all"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups."
  }
}

Menghambat Pemulihan Sistem: Template penghapusan Pencadangan dan DR Google Cloud

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlt",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete template",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_template"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME"
    }
  }
}

Menghambat Pemulihan Sistem: Kebijakan penghapusan Pencadangan dan DR Google Cloud

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deletePolicy",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "policies": [
        "DeleteMe"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete policy",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_policy"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "backupDisasterRecovery": {
      "policies": [
        "POLICY_NAME"
      ]
    }
  }
}

Menghambat Pemulihan Sistem: Profil penghapusan Pencadangan dan DR Google Cloud

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlp",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete profile",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_profile"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME"
    }
  }
}

Pemusnahan Data: Pencadangan dan DR Google Cloud menghapus perangkat

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteCluster",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Data Destruction: Google Cloud Backup and DR remove appliance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_appliances_remove_appliance"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME"
    }
  }
}

Menghambat Pemulihan Sistem: Pencadangan dan DR Google Cloud menghapus kumpulan penyimpanan

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteDiskPool",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete storage pool",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_storage_pools_delete"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME"
    }
  }
}

Dampak: Pencadangan dan DR Google Cloud mengurangi frekuensi pencadangan

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "updatePolicy",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR reduced backup frequency",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "The backup schedule has been modified to reduce backup frequency.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_reduce_backup_frequency"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "The backup schedule has been modified to reduce backup frequency.",
  }
}

Dampak: Pencadangan dan DR Google Cloud mengurangi masa berlaku pencadangan

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "updateBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR reduced backup expiration",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "The expiration date for a backup has been reduced.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_reduce_backup_expiration"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "The expiration date for a backup has been reduced."
  }
}

Akses Awal: Akun Dinonaktifkan karena Dibajak

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Account Disabled Hijacked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "account_disabled_hijacked"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624034293",
            "nanos": 6.78E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-18T16:38:13.678Z",
    "createTime": "2021-06-18T16:38:16.508Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Akses Awal: Kebocoran Sandi Dinonaktifkan

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Disabled Password Leak",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "disabled_password_leak"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626462896",
            "nanos": 6.81E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-16T19:14:56.681Z",
    "createTime": "2021-07-16T19:15:00.430Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Akses Awal: Serangan yang Didukung Pemerintah

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Government Based Attack",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "government_based_attack"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624061458",
            "nanos": 7.4E7
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-19T00:10:58.074Z",
    "createTime": "2021-06-19T00:11:01.760Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Akses Awal: Upaya Penyusupan Log4j

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Initial Access: Log4j Compromise Attempt",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_compromise_attempt"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1639690492",
            "nanos": 9.13836E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "loadBalancerName": "LOAD_BALANCER_NAME",
        "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1190/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-16T21:34:52.913Z",
    "createTime": "2021-12-16T21:34:55.022Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
    "parentDisplayName": "FOLDER_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
      "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
    }],
    "displayName": "PROJECT_ID"
  }
}

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Suspicious Login Blocked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "suspicious_login"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621637767",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
       "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T22:56:07Z",
    "createTime": "2021-05-27T02:36:07.382Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Akses Awal: Pengguna Super Database Menulis ke Tabel Pengguna

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Initial Access: Database Superuser Writes to User Tables",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "cloudsql_superuser_writes_to_user_tables",
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "eventTime": "2022-01-19T21:36:07.901Z",
      "createTime": "2022-01-19T21:36:08.695Z",
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "INITIAL_ACCESS",
        "primaryTechniques": ["DEFAULT_ACCOUNTS"]
      },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
      },
      "access": {
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.query"
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }],
      "displayName": "INSTANCE_NAME"
    }
}

Akses Awal: Tindakan Izin yang Ditolak Berlebihan

{
 "findings": {
   "access": {
     "principalEmail": "PRINCIPAL_EMAIL",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME",
     "principalSubject": "PRINCIPAL_SUBJECT",
     "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Excessive Permission Denied Actions",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {},
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "severity": "LOW",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
   "parent_display_name": "FOLDER_NAME",
   "type": "RESOURCE_TYPE",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "technique": "persistence",
     "indicator": "audit_log",
     "ruleName": "anomalous_behavior",
     "subRuleName": "new_api_method"
   },
   "detectionPriority": "LOW",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {
     "failedActions": [
        {
          "methodName": "SetIamPolicy",
          "serviceName": "iam.googleapis.com",
          "attemptTimes": "7",
          "lastOccurredTime": "2023-03-15T17:35:18.771219Z"
        },
        {
          "methodName": "iam.googleapis.com",
          "serviceName": "google.iam.admin.v1.CreateServiceAccountKey",
          "attemptTimes": "3",
          "lastOccurredTime": "2023-03-15T05:36:14.954701Z"
        }
      ]
   },
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/techniques/T1078/004/"
     }
   }
 }
}

Akses Awal: Tindakan Akun Layanan Yang Tidak Aktif

{
 "findings": {
   "access": {
     "principalEmail": "DORMANT_SERVICE_ACCOUNT",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Dormant Service Account Action",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {
    "primaryTactic": "INITIAL_ACCESS",
    "primaryTechniques": [
      "VALID_ACCOUNTS",
      "CLOUD_ACCOUNTS"
      ]
   },
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "severity": "HIGH",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
   "parent_display_name": "FOLDER_NAME",
   "type": "RESOURCE_TYPE",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "technique": "persistence",
     "indicator": "audit_log",
     "ruleName": "dormant_sa_used_in_action",
   },
   "detectionPriority": "HIGH",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {},
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/tactics/TA0003/"
     }
   }
 }
}

Akses Awal: Kunci Akun Layanan yang Tidak Aktif Dibuat

{
 "findings": {
   "access": {
     "principalEmail": "PRINCIPAL_EMAIL",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "iam.googleapis.com",
     "methodName": "google.iam.admin.v1.CreateServiceAccountKey"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Dormant Service Account Key Created",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {
    "primaryTactic": "INITIAL_ACCESS",
    "primaryTechniques": [
      "VALID_ACCOUNTS",
      "CLOUD_ACCOUNTS"
      ]
   },
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
   "severity": "HIGH",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
   "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
   "parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
   "type": "google.iam.ServiceAccountKey",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "ruleName": "key_created_on_dormant_sa"
   },
   "detectionPriority": "HIGH",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {},
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/tactics/TA0003/"
     }
   }
 }
}

Akses Awal: Kunci Akun Layanan yang Dibocorkan Digunakan

{
 "findings": {
   "access": {
     "principalEmail": "SERVICE_ACCOUNT",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME"
     "serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Leaked Service Account Key Used",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-07-18T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-07-18T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {
    "primaryTactic": "INITIAL_ACCESS",
    "primaryTechniques": [
      "VALID_ACCOUNTS",
      "CLOUD_ACCOUNTS"
      ]
   },
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "AFFECTED_RESOURCE",
   "severity": "HIGH",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "ruleName": "leaked_sa_key_used"
   },
   "detectionPriority": "HIGH",
   "affectedResources": [
     {
       "gcpResourceName": "GOOGLE_RESOURCE"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {},
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/techniques/T1078/004/"
     }
   }
 },
 "description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL"
}

Menghambat Pertahanan: Autentikasi Kuat Dinonaktifkan

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
    "state": "ACTIVE",
    "category": "Impair Defenses: Strong Authentication Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "enforce_strong_authentication"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1623952110",
            "nanos": 6.51337E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.enforceStrongAuthentication",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
"workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "createTime": "2021-06-17T17:48:33.574Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
  }
}

Merusak Pertahanan: Verifikasi 2 Langkah Dinonaktifkan

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Impair Defenses: Two Step Verification Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "two_step_verification_disabled"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626391356",
            "nanos": 5.96E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-15T23:22:36.596Z",
    "createTime": "2021-07-15T23:22:40.079Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Persistensi: Tombol Pengaktifan SSO

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Enablement Toggle",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_enablement_toggle"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1622829313",
            "nanos": 3.42104E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.toggleSsoEnabled",
        "ssoState": "ENABLED",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-04T17:55:13.342Z",
    "createTime": "2021-06-04T17:55:15.900Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}

Persistensi: Admin GCE Menambahkan Skrip Startup

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added Startup Script",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin"
        "subRuleName": "instance_add_startup_script"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT",
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
  }
}

Persistensi: Admin GCE Menambahkan Kunci SSH

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added SSH Key",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin"
        "subRuleName": "instance_add_ssh_key"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT",
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
  }
}

Persisten: Setelan SSO Diubah

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Settings Changed",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_settings_changed"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.changeSsoSettings",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T19:08:29.373Z",
    "createTime": "2021-05-27T11:36:24.429Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}

Cloud IDS

{
  "finding": {
    "access": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Cloud IDS: THREAT_ID",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "connections": [
      {
        "destinationIp": "IP_ADDRESS",
        "destinationPort": PORT,
        "sourceIp": "IP_ADDRESS",
        "sourcePort": PORT,
        "protocol": "PROTOCOL"
      }
    ],
    "createTime": "TIMESTAMP",
    "database": {},
    "description": "This signature detects a payload in HTTP traffic which could possibly be malicious.",
    "eventTime": "TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "ctd-engprod-project",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "folders": [
      {
        "resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resource_folder_display_name": "FOLDER_DISPLAY_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_ids_threat_activity"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "TIMESTAMP",
            "nanos": TIMESTAMP
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_QUERY_URI"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "THREAT_DESCRIPTION"
  }
}

Gerakan Lateral: Boot Disk yang Diubah Dipasang ke Instance

{
  "finding": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIpGeo": {},
      "serviceName": "compute.googleapis.com",
      "methodName": "v1.compute.instances.attachDisk",
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Lateral Movement: Modify Boot Disk Attaching to Instance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2024-02-01T23:55:17.589Z",
    "database": {},
    "eventTime": "2024-02-01T23:55:17.396Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": "2024-02-01T23:55:15.017887Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "TACTIC_UNSPECIFIED"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "securityPosture": {},
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "displayName": "INSTANCE_ID",
    "type": "google.compute.Instance",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_NUMBER",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_NUMBER,
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NUMBER"
        }
      ],
      "organization": "organizations/ORGANIZATION_NUMBER"
    }
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modify_boot_disk",
      "subRuleName": "attach_to_instance"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID"
      },
      {
        "gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_NUMBER",
          "resourceContainer": "PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1706831715",
            "nanos": 17887000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity"
        }
      }
    ],
    "properties": {
      "diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID",
      "targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
      "workerInstances": [
        "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      ],
      "bootDiskPayloads": [
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_ATTACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:06.706640Z"
        },
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_DETACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:05.608631Z"
        }
      ]
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1570/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Eskalasi Akses: Pemberian Hak Berlebih AlloyDB

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Privilege Escalation: AlloyDB Over-Privileged Grant",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "alloydb_user_granted_all_permissions",
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/001/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }]
        }
      },
      "eventTime": "EVENT_TIMESTAMP",,
      "createTime": "CREATE_TIMESTAMP",,
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
          "primaryTactic": "PRIVILEGE_ESCALATION",
          "primaryTechniques": [
            "VALID_ACCOUNTS"
          ],
          "additionalTactics": [
            "PERSISTENCE"
          ],
          "additionalTechniques": [
            "ACCOUNT_MANIPULATION"
          ]
        },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
        "grantees": [GRANTEE],
      },
      "access": {
        "serviceName": "alloydb.googleapis.com",
        "methodName": "alloydb.instances.query"
      }
    },
    "resource": {
      "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "type": "google.alloydb.Instance",
      "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
      "service": "alloydb.googleapis.com",
      "location": "REGION",
      "gcpMetadata": {
        "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "projectDisplayName": "PROJECT_ID",
        "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parentDisplayName": "PROJECT_ID",
        "folders": [
          {
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
            "resourceFolderDisplayName": FOLDER_NAME
          }
        ],
        "organization": "organizations/ORGANIZATION_ID"
      },
      "resourcePath": {
        "nodes": [
          {
            "nodeType": "GCP_PROJECT",
            "id": "projects/PROJECT_NUMBER",
            "displayName": "PROJECT_ID"
          },
          {
            "nodeType": "GCP_FOLDER",
            "id": "folders/FOLDER_NUMBER",
            "displayName": "FOLDER_NAME"
          },
          {
            "nodeType": "GCP_ORGANIZATION",
            "id": "organizations/ORGANIZATION_ID"
          }
        ]
      },
      "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
    }
}

Eskalasi Hak Istimewa: Superuser Database AlloyDB Menulis ke Tabel Pengguna

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "alloydb_user_granted_all_permissions",
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/001/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }]
        }
      },
      "eventTime": "EVENT_TIMESTAMP",,
      "createTime": "CREATE_TIMESTAMP",,
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
          "primaryTactic": "PRIVILEGE_ESCALATION",
          "primaryTechniques": [
            "VALID_ACCOUNTS"
          ],
          "additionalTactics": [
            "PERSISTENCE"
          ],
          "additionalTechniques": [
            "ACCOUNT_MANIPULATION"
          ]
        },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
      },
      "access": {
        "serviceName": "alloydb.googleapis.com",
        "methodName": "alloydb.instances.query"
      }
    },
    "resource": {
      "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "type": "google.alloydb.Instance",
      "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
      "service": "alloydb.googleapis.com",
      "location": "REGION",
      "gcpMetadata": {
        "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "projectDisplayName": "PROJECT_ID",
        "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parentDisplayName": "PROJECT_ID",
        "folders": [
          {
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
            "resourceFolderDisplayName": FOLDER_NAME
          }
        ],
        "organization": "organizations/ORGANIZATION_ID"
      },
      "resourcePath": {
        "nodes": [
          {
            "nodeType": "GCP_PROJECT",
            "id": "projects/PROJECT_NUMBER",
            "displayName": "PROJECT_ID"
          },
          {
            "nodeType": "GCP_FOLDER",
            "id": "folders/FOLDER_NUMBER",
            "displayName": "FOLDER_NAME"
          },
          {
            "nodeType": "GCP_ORGANIZATION",
            "id": "organizations/ORGANIZATION_ID"
          }
        ]
      },
      "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
    }
}

Langkah selanjutnya

Pelajari lebih lanjut cara kerja Event Threat Detection.
Pelajari cara menyelidiki dan mengembangkan rencana respons untuk ancaman.

Menggunakan Event Threat Detection

Meninjau temuan

Meninjau temuan di Security Command Center

Melihat temuan di Cloud Logging

Contoh format temuan

Pemindaian Aktif: Log4j Rentan terhadap RCE

Brute Force: SSH

Akses Kredensial: Anggota Eksternal Ditambahkan ke Grup dengan Hak Istimewa

Akses Kredensial: Grup dengan Hak Istimewa Dibuka untuk Publik

Akses Kredensial: Peran Sensitif Diberikan ke Grup Hybrid

Penghindaran Pertahanan: Deployment Workload Breakglass Dibuat

Defense Evasion: Deployment Workload Breakglass Diperbarui

Defense Evasion: Mengubah Kontrol Layanan VPC

Penemuan: Dapat mendapatkan pemeriksaan objek Kubernetes sensitif

Penemuan: Investigasi Mandiri Akun Layanan

Penghindaran: Akses dari Anonymizing Proxy

Pemindahan Tidak Sah: Pemindahan Tidak Sah Data BigQuery

Pemindahan Tidak Sah: Ekstraksi Data BigQuery

Pemindahan Tidak Sah: Data BigQuery ke Google Drive

Eksfiltrasi: Pemindahan Data CloudSQL yang Tidak Sah

Eksfiltrasi: Pencadangan Pemulihan CloudSQL ke Organisasi Eksternal

Pemindahan Tidak Sah: Pemberian Hak Istimewa Berlebihan CloudSQL

Malware: Domain Buruk

Malware: IP Buruk

Malware: Domain Buruk Cryptomining

Malware: IP Buruk Cryptomining

Malware: DoS Keluar

Persistensi: Pemberian IAM Tidak Wajar

Persistensi: Peran Peniruan Identitas Diberikan untuk Akun Layanan yang Tidak Aktif

Persistensi: Metode API Baru

Persistensi: Geografi Baru

Persistensi: Agen Pengguna Baru

Eskalasi Hak Istimewa: Akun Layanan Tidak Aktif Diberi Peran Sensitif

Eskalasi hak istimewa: Perubahan pada objek RBAC Kubernetes sensitif

Eskalasi hak istimewa: Membuat CSR kubernetes untuk sertifikat master

Eskalasi akses: Pembuatan binding kubernetes sensitif

Eskalasi Hak Istimewa: Mendapatkan CSR Kubernetes dengan kredensial bootstrap yang disusupi

Eskalasi Hak Istimewa: Peluncuran penampung Kubernetes dengan hak istimewa

Eskalasi Hak Istimewa: Peniruan Akun Layanan yang Tidak Normal untuk Aktivitas Admin

Eskalasi Hak Istimewa: Delegasi Akun Layanan Multilangkah yang Tidak Normal untuk Aktivitas Admin

Eskalasi Hak Istimewa: Delegasi Akun Layanan Multilangkah yang Tidak Normal untuk Akses Data

Eskalasi Hak Istimewa: Peniruan Identitas Akun Layanan yang Tidak Normal untuk Aktivitas Admin

Eskalasi Hak Istimewa: Peniru Identitas Akun Layanan Anomal untuk Akses Data

Menghambat Pemulihan Sistem: Menghapus host Pencadangan dan DR Google Cloud

Penghancuran Data: Gambar masa berlaku Pencadangan dan DR Google Cloud berakhir

Menghambat Pemulihan Sistem: Pencadangan dan DR Google Cloud menghapus rencana

Penghancuran Data: Pencadangan dan DR Google Cloud akan menghapus semua gambar

Menghambat Pemulihan Sistem: Template penghapusan Pencadangan dan DR Google Cloud

Menghambat Pemulihan Sistem: Kebijakan penghapusan Pencadangan dan DR Google Cloud

Menghambat Pemulihan Sistem: Profil penghapusan Pencadangan dan DR Google Cloud

Pemusnahan Data: Pencadangan dan DR Google Cloud menghapus perangkat

Menghambat Pemulihan Sistem: Pencadangan dan DR Google Cloud menghapus kumpulan penyimpanan

Dampak: Pencadangan dan DR Google Cloud mengurangi frekuensi pencadangan

Dampak: Pencadangan dan DR Google Cloud mengurangi masa berlaku pencadangan

Akses Awal: Akun Dinonaktifkan karena Dibajak

Akses Awal: Kebocoran Sandi Dinonaktifkan

Akses Awal: Serangan yang Didukung Pemerintah

Akses Awal: Upaya Penyusupan Log4j

Akses Awal: Aktivitas Login Mencurigakan Diblokir

Akses Awal: Pengguna Super Database Menulis ke Tabel Pengguna

Akses Awal: Tindakan Izin yang Ditolak Berlebihan

Akses Awal: Tindakan Akun Layanan Yang Tidak Aktif

Akses Awal: Kunci Akun Layanan yang Tidak Aktif Dibuat

Akses Awal: Kunci Akun Layanan yang Dibocorkan Digunakan

Menghambat Pertahanan: Autentikasi Kuat Dinonaktifkan

Merusak Pertahanan: Verifikasi 2 Langkah Dinonaktifkan

Persistensi: Tombol Pengaktifan SSO

Persistensi: Admin GCE Menambahkan Skrip Startup

Persistensi: Admin GCE Menambahkan Kunci SSH

Persisten: Setelan SSO Diubah

Cloud IDS

Gerakan Lateral: Boot Disk yang Diubah Dipasang ke Instance

Eskalasi Akses: Pemberian Hak Berlebih AlloyDB

Eskalasi Hak Istimewa: Superuser Database AlloyDB Menulis ke Tabel Pengguna

Langkah selanjutnya