Using Event Threat Detection

This page shows how to review Event Threat Detection findings in the Security Command Center dashboard and includes examples of Event Threat Detection findings.

Event Threat Detection is a built-in service for the Security Command Center Premium tier that monitors your organization's Cloud Logging and Google Workspace log streams and detects threats in near-real time. For more information, see the Event Threat Detection overview.

The following video shows the steps to set up Event Threat Detection and explains how to use the dashboard. Learn more about viewing and managing Event Threat Detection findings in Reviewing findings on this page.

Reviewing findings

To view Event Threat Detection findings, the service must be enabled in the Security Command Center Services settings. After you enable Event Threat Detection and turn on logging for your organization, folders, and projects, Event Threat Detection generates findings. For more information about the types of Event Threat Detection findings, see Rules.

You can view Event Threat Detection findings in Security Command Center. If you configured continuous exports to write logs, you can also view findings in Cloud Logging. To generate a finding and verify your setup, you can intentionally trigger a detector and test Event Threat Detection.

Event Threat Detection is triggered within seconds. Detection latencies are typically under 15 minutes from the moment a log is written to the moment a finding is available in Security Command Center. For more information about latency, see the Security Command Center latency overview.

Reviewing findings in Security Command Center

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, security sources, and security marks depends on the level at which you are granted access. For more information about Security Command Center roles, see Access control.

To review Event Threat Detection findings in Security Command Center, do the following:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.

    Go to Findings

  2. Next to View by, click Source type.

  3. In the Source type list, select Event Threat Detection.

  4. To view the details of a specific finding, click the finding name under category. The finding details panel expands to show information that includes the following:

    • What the event was
    • When the event occurred
    • The source of the finding data
    • The severity of the detection, for example High
    • The actions taken, such as adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who performed the action, listed next to properties_principalEmail
  5. To display all findings generated by the same user's actions, do the following:

    1. In the finding details panel, copy the email address next to properties_principalEmail.
    2. Close the finding details panel.
    3. In the Filter box on the Findings tab, enter sourceProperties.properties_principalEmail:USER_EMAIL, where USER_EMAIL is the email address you copied earlier.

Security Command Center displays all findings associated with actions performed by the user you specified.

Viewing findings in Cloud Logging

To view Event Threat Detection findings in Cloud Logging, do the following:

  1. Go to the Logs Explorer in the Cloud Console.

    Go to Logs Explorer

  2. In the Project selector at the top of the page, select the project in which you store the Event Threat Detection logs.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select Threat Detector.

    • To view findings from all detectors, select all detection_name.
    • To view findings from a specific detector, select its name.
  5. Click Add. The query appears in the query builder text box.

  6. Alternatively, you can enter the following query in the text box:

    resource.type="threat_detector"

  7. Click Run query. The Query results table updates with the logs you selected.

  8. To view a log, click a row in the table, and then click Expand nested fields.

You can create advanced log queries to select a set of log entries from as many logs as you need.

Finding format examples

This section includes the JSON output formats for individual Container Threat Detection findings as they appear when you create exports from the Security Command Center dashboard or run list methods in the Security Command Center API.

The example outputs contain the fields most common to all findings. However, not every field appears in every finding. The actual output you see depends on a resource's configuration and on the finding's type and state.

Brute Force: SSH

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Brute Force: SSH",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "65"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "projectId": "PROJECT_ID",
          "zone": "us-west1-a",
          "instanceId": "INSTANCE_ID",
          "attempts": [
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "SUCCESS"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            }
          ]
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/003/"
          }
        },
        "detectionCategory": {
          "technique": "brute_force",
          "indicator": "flow_log",
          "ruleName": "ssh_brute_force"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }

Discovery: Service Account Self-Investigation

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1619200104",
            "nanos": 9.08E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceAccountGetsOwnIamPolicy": {
              "structValue": {
                "fields": {
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "projectId": {
                    "primitiveDataType": "STRING"
                  },
                  "callerIp": {
                    "primitiveDataType": "STRING"
                  },
                  "callerUserAgent": {
                    "primitiveDataType": "STRING"
                  },
                  "rawUserAgent": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}


Exfiltration: BigQuery Data Exfiltration

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Exfiltration: BigQuery Data Exfiltration",
      "sourceProperties": {
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"
          }
        ],
        "detectionCategory": {
          "technique": "org_exfiltration",
          "indicator": "audit_log",
          "ruleName": "big_query_exfil",
          "subRuleName": "exfil_to_external_table"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          }
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "dataExfiltrationAttempt": {
            "jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults",
            "jobState": "SUCCEEDED",
            "query": "SQL_QUERY",
            "userEmail": "PROJECT_ID@PROJECT_ID.iam.gserviceaccount.com",
            "job": {
              "projectId": "SOURCE_PROJECT_ID",
              "jobId": "JOB_ID",
              "location": "US"
            },
            "sourceTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "SOURCE_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ],
            "destinationTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "DESTINATION_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ]
          }
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }

Malware: Bad Domain

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad Domain",
      "sourceProperties": {
        "sourceId": {
          "customerOrganizationNumber": "ORGANIZATION_ID",
          "projectNumber": "PROJECT_NUMBER"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1568/"
          },
          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal Domain Link",
              "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
            }
          ]
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "domains": [
            "DOMAIN"
          ],
          "network": {
            "location": "REGION",
            "project": "PROJECT_ID"
          },
          "dnsContexts": [
            {
              "authAnswer": true,
              "sourceIp": "IP_ADDRESS",
              "queryName": "DOMAIN",
              "queryType": "AAAA",
              "responseCode": "NOERROR",
              "responseData": [
                {
                  "domainName": "DOMAIN.",
                  "ttl": 299,
                  "responseClass": "IN",
                  "responseType": "AAAA",
                  "responseValue": "IP_ADDRESS"
                }
              ]
            }
          ]
        },
        "detectionPriority": "HIGH",
        "detectionCategory": {
          "technique": "C2",
          "indicator": "domain",
          "subRuleName": "google_intel",
          "ruleName": "bad_domain"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }

Malware: Bad IP

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad IP",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "ips": [
            "SOURCE_IP_ADDRESS",
            "DESTINATION_IP_ADDRESS"
          ],
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 6
          },
          "network": {
            "project": "PROJECT_ID",
            "location": "ZONE",
            "subnetworkId": "SUBNETWORK_ID",
            "subnetworkName": "default"
          },
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/tactics/TA0011/"
          },
          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
            },
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
            }
          ]
        },
        "detectionCategory": {
          "technique": "C2",
          "indicator": "ip",
          "ruleName": "bad_ip",
          "subRuleName": "google_intel"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}

Malware: Outgoing DoS

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "state": "ACTIVE",
      "category": "Malware: Outgoing DoS",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 17
          }
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1498/"
          }
        },
        "detectionCategory": {
          "technique": "malware",
          "indicator": "flow_log",
          "ruleName": "outgoing_dos"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}

Persistence: IAM Anomalous Grant

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Persistence: IAM Anomalous Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1611833917",
            "nanos": 8.71508E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "detectionPriority": "HIGH",
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-01-28T11:38:37.871508Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
          "displayName": "Related Anomalous Grant Findings",
          "url": "https://console.cloud.google.com/security/command-center/findings?organizationId\u003dORGANIZATION_ID\u0026pageState\u003d(%22cscc-inventory%22:(%22f%22:%22%255B%257B_22k_22_3A_22sourceProperties.detectionCategory.ruleName_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22iam_anomalous_grant_5C_22_22%257D_2C%257B_22k_22_3A_22_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22%2528sourceProperties.properties.sensitiveRoleGrant.principalEmail_3A_5C_5C_5C_22PRINCIPAL_EMAIL_5C_5C_5C_22%2529_5C_22_22%257D%255D%22))"
        }
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_grant",
        "subRuleName": "external_member_invited_to_policy"
      },
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "properties": {
        "sensitiveRoleGrant": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "members": ["user:USER_EMAIL"]
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-01-28T11:38:41.301Z",
    "createTime": "2021-01-28T11:38:42.198Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "findingId": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "relatedFindingUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "sensitiveRoleGrant": {
              "structValue": {
                "fields": {
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "members": {
                    "listValues": {
                      "propertyDataTypes": [{
                        "primitiveDataType": "STRING"
                      }]
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "PARENT_NAME"
    }]
  }
}

Persistence: New Geography

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
    "state": "ACTIVE",
    "category": "Persistence: New Geography",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "ip_geolocation"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "RESOURCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1617994703",
            "nanos": 5.08853E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousLocation": {
          "anomalousLocation": "BE",
          "callerIp": "IP_ADDRESS",
          "principalEmail": "PRINCIPAL_EMAIL",
          "notSeenInLast": "2592000s",
          "typicalGeolocations": [{
            "country": {
              "identifier": "US"
            }
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "findingId": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "anomalousLocation": {
              "structValue": {
                "fields": {
                  "anomalousLocation": {
                    "primitiveDataType": "STRING"
                  },
                  "callerIp": {
                    "primitiveDataType": "STRING"
                  },
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "notSeenInLast": {
                    "primitiveDataType": "STRING"
                  },
                  "typicalGeolocations": {
                    "listValues": {
                      "propertyDataTypes": [{
                        "structValue": {
                          "fields": {
                            "country": {
                              "structValue": {
                                "fields": {
                                  "identifier": {
                                    "primitiveDataType": "STRING"
                                  }
                                }
                              }
                            }
                          }
                        }
                      }]
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "RESOURCE_NAME"
  }
}

Persistence: New User Agent

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Persistence: New User Agent",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "user_agent"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1614736482",
            "nanos": 9.76209552E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousSoftware": {
          "anomalousSoftwareClassification": ["USER_AGENT"],
          "behaviorPeriod": "2592000s",
          "callerUserAgent": "USER_AGENT",
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-03-03T01:54:47.681Z",
    "createTime": "2021-03-03T01:54:49.154Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "findingId": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "anomalousSoftware": {
              "structValue": {
                "fields": {
                  "anomalousSoftwareClassification": {
                    "listValues": {
                      "propertyDataTypes": [{
                        "primitiveDataType": "STRING"
                      }]
                    }
                  },
                  "behaviorPeriod": {
                    "primitiveDataType": "STRING"
                  },
                  "callerUserAgent": {
                    "primitiveDataType": "STRING"
                  },
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//monitoring.googleapis.com/projects/PROJECT_ID"
  }
}

Google Workspace findings

Initial Access: Account Disabled Hijacked

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Account Disabled Hijacked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "account_disabled_hijacked"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624034293",
            "nanos": 6.78E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-18T16:38:13.678Z",
    "createTime": "2021-06-18T16:38:16.508Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Disabled Password Leak

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Disabled Password Leak",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "disabled_password_leak"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626462896",
            "nanos": 6.81E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-16T19:14:56.681Z",
    "createTime": "2021-07-16T19:15:00.430Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Government Based Attack

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Government Based Attack",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "government_based_attack"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624061458",
            "nanos": 7.4E7
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-19T00:10:58.074Z",
    "createTime": "2021-06-19T00:11:01.760Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Suspicious Login Blocked

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Suspicious Login Blocked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "suspicious_login"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621637767",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T22:56:07Z",
    "createTime": "2021-05-27T02:36:07.382Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Impair Defenses: Strong Authentication Disabled

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
    "state": "ACTIVE",
    "category": "Impair Defenses: Strong Authentication Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "enforce_strong_authentication"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1623952110",
            "nanos": 6.51337E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.enforceStrongAuthentication",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "createTime": "2021-06-17T17:48:33.574Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
  }
}

Impair Defenses: Two Step Verification Disabled

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Impair Defenses: Two Step Verification Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "two_step_verification_disabled"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626391356",
            "nanos": 5.96E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-15T23:22:36.596Z",
    "createTime": "2021-07-15T23:22:40.079Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Persistence: SSO Enablement Toggle

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Enablement Toggle",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_enablement_toggle"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1622829313",
            "nanos": 3.42104E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.toggleSsoEnabled",
        "ssoState": "ENABLED",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-04T17:55:13.342Z",
    "createTime": "2021-06-04T17:55:15.900Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "domainName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}

Persistence: SSO Settings Changed

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Settings Changed",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_settings_changed"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.changeSsoSettings",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T19:08:29.373Z",
    "createTime": "2021-05-27T11:36:24.429Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "domainName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}
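The helper below is an added example for working with findings in the JSON shape shown on this page; it is not code from the Security Command Center documentation or its client libraries. It assumes a finding envelope like the ones above (the constructed `SAMPLE_ENVELOPE` is a trimmed copy of the Strong Authentication Disabled finding with the placeholder IDs kept), rebuilds the audit-log timestamp from the `seconds` + `nanos` pair in `evidence`, checks it against `eventTime`, and decodes the Logs Explorer query carried by the `cloudLoggingQueryUri` link; the function names are this example's own.

```python
"""Triage helper for Event Threat Detection findings in the JSON shape shown above.

Added example, not code from the Security Command Center documentation or its client
libraries. Extracts the fields an analyst needs, converts the evidence timestamp
(seconds as a string + nanos as a float) to a datetime, checks it against eventTime,
and decodes the Cloud Logging query embedded in the cloudLoggingQueryUri link.
"""
import json
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# Constructed sample: a trimmed copy of the "Impair Defenses: Strong Authentication
# Disabled" finding above (propertyDataTypes dropped, placeholder IDs kept as on the page).
SAMPLE_ENVELOPE = json.loads(r'''{
  "finding": {
    "category": "Impair Defenses: Strong Authentication Disabled",
    "sourceProperties": {
      "detectionCategory": {"technique": "impair_defenses", "indicator": "audit_log",
                            "ruleName": "enforce_strong_authentication"},
      "detectionPriority": "MEDIUM",
      "affectedResources": [
        {"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"},
        {"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"}],
      "evidence": [{"sourceLogId": {"resourceContainer": "organizations/ORGANIZATION_ID",
                                    "timestamp": {"seconds": "1623952110", "nanos": 6.51337E8},
                                    "insertId": "INSERT_ID"}}],
      "properties": {"serviceName": "admin.googleapis.com",
                     "methodName": "google.admin.AdminService.enforceStrongAuthentication",
                     "principalEmail": "PRINCIPAL_EMAIL"},
      "contextUris": {
        "mitreUri": {"displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/"},
        "cloudLoggingQueryUri": [{"displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"}]
      }
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "severity": "MEDIUM"
  },
  "resource": {"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"}
}''')


def evidence_time(source_log_id: dict) -> datetime:
    """Rebuild the UTC time of the audit log entry behind the finding."""
    ts = source_log_id["timestamp"]
    seconds = int(ts["seconds"])            # serialized as a STRING in the finding
    nanos = int(float(ts.get("nanos", 0)))  # serialized as a NUMBER, e.g. 6.51337E8
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=nanos // 1000)


def parse_rfc3339(value: str) -> datetime:
    """Parse the RFC 3339 strings used by eventTime/createTime (fraction optional)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def times_agree(evidence: datetime, event_time: str) -> bool:
    """eventTime is written at millisecond precision, so compare after truncating both."""
    to_ms = lambda d: d.replace(microsecond=(d.microsecond // 1000) * 1000)
    return to_ms(evidence) == to_ms(parse_rfc3339(event_time))


def logging_query(finding: dict) -> list:
    """Decode the Logs Explorer query from the first cloudLoggingQueryUri link.

    The console URL keeps the query in the path segment "query;query=<percent-encoded>",
    one filter per %0A-separated line; the project goes into the ?project= parameter.
    """
    url = finding["sourceProperties"]["contextUris"]["cloudLoggingQueryUri"][0]["url"]
    encoded = urlsplit(url).path.split(";query=", 1)[1]
    return unquote(encoded).split("\n")


def summarize(envelope: dict) -> dict:
    """Flatten one finding envelope into the fields needed to start an investigation."""
    finding = envelope["finding"]
    sp = finding["sourceProperties"]
    props = sp["properties"]
    category = sp["detectionCategory"]
    evidence = evidence_time(sp["evidence"][0]["sourceLogId"])
    return {
        "category": finding["category"],
        "severity": finding["severity"],
        "rule": category["ruleName"],
        "technique": category["technique"],
        "mitre": sp["contextUris"].get("mitreUri", {}).get("url"),
        # Login and security-settings findings carry principalEmail; the SSO
        # findings above carry only domainName, so fall back to that.
        "actor": props.get("principalEmail") or props.get("domainName"),
        "method": props["methodName"],
        "resources": [r["gcpResourceName"] for r in sp["affectedResources"]],
        "evidence_time": evidence.isoformat(),
        "evidence_matches_event_time": times_agree(evidence, finding["eventTime"]),
        "logging_query": logging_query(finding),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ENVELOPE), indent=2))
```

Note that the decoded query's `timestamp` filter keeps the full microsecond value recovered from `evidence`, while `eventTime` is rounded to milliseconds, which is why the comparison truncates both before checking agreement.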

What's next?