このページでは、Google Cloud コンソールで Event Threat Detection の検出結果を確認する方法について説明します。また、Event Threat Detection の検出結果の例についても説明します。
Event Threat Detection は、組織またはプロジェクトの Cloud Logging ロギング ストリームをモニタリングし、脅威をほぼリアルタイムで検出する Security Command Center プレミアム ティアの組み込みサービスです。組織レベルで Security Command Center のプレミアム ティアを有効にすると、Event Threat Detection は組織の Google Workspace ロギング ストリームもモニタリングします。詳しくは、Event Threat Detection の概要をご覧ください。
検出結果の確認
Event Threat Detection の検出結果を表示するには、Security Command Center の [サービス] 設定でこのサービスを有効にする必要があります。Event Threat Detection を有効にした後は、Event Threat Detection が特定のログをスキャンして検出結果を生成します。Event Threat Detection がスキャンできるログの一部は、デフォルトでオフになっているため、オンにする必要がある場合があります。
Event Threat Detection が使用する組み込み検出ルールと、Event Threat Detection がスキャンするログの詳細については、次のトピックをご覧ください。
Event Threat Detection の検出結果は Security Command Center で確認できます。ログを書き込むように継続的なエクスポートを構成した場合は、Cloud Logging で検出結果を表示することもできます。Cloud Logging への継続的なエクスポートは、組織レベルで Security Command Center プレミアム ティアを有効にした場合にのみ利用できます。検出結果を生成して構成を検証するには、意図的に検出機能をトリガーし、Event Threat Detection をテストします。
Event Threat Detection の有効化は数秒で実行されます。検出のレイテンシは、ログが書き込まれてから Security Command Center で検出結果が表示されるまで通常 15 分以内です。レイテンシの詳細については、Security Command Center のレイテンシの概要をご覧ください。
Security Command Center で検出結果を確認する
Security Command Center の IAM ロールは、組織レベル、フォルダレベル、またはプロジェクト レベルで付与できます。検出結果、アセット、セキュリティ ソースを表示、編集、作成、更新する権限は、アクセス権が付与されているレベルによって異なります。Security Command Center のロールの詳細については、アクセス制御をご覧ください。
Google Cloud コンソールで検出結果を確認するには、次の操作を行います。
Google Cloud コンソールで、Security Command Center の [検出結果] ページに移動します。
必要に応じて、Google Cloud プロジェクトまたは組織を選択します。
[クイック フィルタ] セクションの [ソースの表示名] で、次のいずれかまたは両方を選択します。
- Event Threat Detection: 組み込みの Event Threat Detection 検出機能によって生成された検出結果をフィルタします。
- Event Threat Detection のカスタム モジュール: Event Threat Detection 用のカスタム モジュールによって生成された検出結果をフィルタします。
このテーブルには、Event Threat Detection の検出結果が表示されます。
特定の検出の詳細を表示するには、[
Category] の下にある検出結果の名前をクリックします。[検出の詳細] ペインが開き、次の情報が表示されます。- 問題の AI 生成のサマリープレビュー
- イベントの発生時間
- 検出結果データのソース
- 検出結果の重大度(例: 高)
- Gmail ユーザーへの Identity and Access Management(IAM)ロールの追加などの操作
- 操作を行ったユーザーが [プリンシパルのメール] の横に表示されます。
同じユーザーの操作によって発生した検出結果をすべて表示するには:
- [検出の詳細] ペインで、[プリンシパルのメール] の横にあるメールアドレスをコピーします。
- ペインを閉じます。
クエリビルダーに、次のクエリを入力します。
access.principal_email="USER_EMAIL"USER_EMAIL は、以前にコピーしたメールアドレスに置き換えます。
Security Command Center には、指定したユーザーが行った操作に関連するすべての検出結果が表示されます。
Cloud Logging での検出結果の表示
ログを書き込むように継続的エクスポートを構成すると、Cloud Logging で Event Threat Detection の検出結果を表示できます。この機能は、組織レベルで Security Command Center のプレミアム ティアを有効にした場合にのみ使用できます。
Cloud Logging で Event Threat Detection の検出結果を表示する手順は次のとおりです。
Google Cloud コンソールの [ログ エクスプローラ] に移動します。
ページの上部にあるプロジェクト セレクタで、Event Threat Detection ログを保存するプロジェクトを選択します。
[Query builder] タブをクリックします。
[リソース] プルダウン リストで、[Threat Detector] を選択します。
- すべての検出機能の検出結果を表示するには、[all detector_name] を選択します。
- 特定の検出機能の検出結果を表示するには、その名前を選択します。
[追加] をクリックします。クエリビルダーのテキスト ボックスにクエリが表示されます。
また、テキスト ボックスに次のクエリを入力します。
resource.type="threat_detector"
[クエリを実行] をクリックします。[クエリ結果] テーブルが選択したログで更新されます。
ログを表示するには、テーブル行をクリックし、[ネストされたフィールドを開く] をクリックします。
高度なログクエリを作成して、任意の数のログから一連のログエントリを指定できます。
検出結果のフォーマット例
このセクションでは、Google Cloud コンソールからエクスポートを作成したり、Security Command Center API で list メソッドを実行する場合に表示される Event Threat Detection の検出結果の JSON 出力形式について説明します。
この出力例には、検出結果で最も一般的なフィールドが含まれます。ただし、すべてのフィールドがすべての検出結果に表示されるとは限りません。実際に表示される出力は、リソースの構成と検出結果の種類と状態によって異なります。
検出結果の例を表示するには、次のノードを 1 つ以上開きます。
アクティブ スキャン: RCE に対して脆弱な Log4j
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"state": "ACTIVE",
"category": "Active Scan: Log4j Vulnerable to RCE",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "log4j_scan_success"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}, {
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1639701222",
"nanos": 7.22988344E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"scannerDomain": "SCANNER_DOMAIN",
"sourceIp": "SOURCE_IP_ADDRESS",
"vpcName": "default"
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1210/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-12-17T00:33:42.722Z",
"createTime": "2021-12-17T00:33:44.633Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
"resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
}],
"displayName": "INSTANCE_ID"
}
}
ブルート フォース: SSH
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Brute Force: SSH",
"sourceProperties": {
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"timestamp": {
"nanos": 0.0,
"seconds": "65"
},
"insertId": "INSERT_ID",
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"projectId": "PROJECT_ID",
"zone": "us-west1-a",
"instanceId": "INSTANCE_ID",
"attempts": [
{
"sourceIp": "SOURCE_IP_ADDRESS",
"username": "PROJECT_ID",
"vmName": "INSTANCE_ID",
"authResult": "SUCCESS"
},
{
"sourceIp": "SOURCE_IP_ADDRESS",
"username": "PROJECT_ID",
"vmName": "INSTANCE_ID",
"authResult": "FAIL"
},
{
"sourceIp": "SOURCE_IP_ADDRESS",
"username": "PROJECT_ID",
"vmName": "INSTANCE_ID",
"authResult": "FAIL"
}
]
},
"detectionPriority": "HIGH",
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/003/"
}
},
"detectionCategory": {
"technique": "brute_force",
"indicator": "flow_log",
"ruleName": "ssh_brute_force"
},
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
]
},
"severity": "HIGH",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
認証情報アクセス: 特権グループに追加された外部メンバー
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME",
"state": "ACTIVE",
"category": "Credential Access: External Member Added To Privileged Group",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "external_member_added_to_privileged_group"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1633622881",
"nanos": 6.73869E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"externalMemberAddedToPrivilegedGroup": {
"principalEmail": "PRINCIPAL_EMAIL",
"groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
"externalMember": "user:EXTERNAL_EMAIL",
"sensitiveRoles": [{
"resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"roleName": ["ROLES"]
}]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": " https://attack.mitre.org/techniques/T1078"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-07T16:08:03.888Z",
"createTime": "2021-10-07T16:08:04.516Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
}
}
認証情報アクセス: 一般公開された特権グループ
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings",
"state": "ACTIVE",
"category": "Credential Access: Privileged Group Opened To Public",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "privileged_group_opened_to_public"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1634774534",
"nanos": 7.12E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"privilegedGroupOpenedToPublic": {
"principalEmail": "PRINCIPAL_EMAIL",
"groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
"sensitiveRoles": [{
"resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"roleName": ["ROLES"]
}],
"whoCanJoin": "ALLOW_EXTERNAL_MEMBERS"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": " https://attack.mitre.org/techniques/T1078"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-21T00:02:19.173Z",
"createTime": "2021-10-21T00:02:20.099Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
}
}
認証情報アクセス: ハイブリッド グループに付与される機密性の高いロール
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
},
"assetDisplayName": "PROJECT_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Credential Access: Sensitive Role Granted To Hybrid Group",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-12-22T00:31:58.242Z",
"database": {},
"eventTime": "2022-12-22T00:31:58.151Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "roles/iam.securityAdmin",
"member": "group:GROUP_NAME@ORGANIZATION_NAME",
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_ID",
"type": "google.cloud.resourcemanager.Project",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_ID",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "sensitive_role_to_group_with_external_member"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1671669114",
"nanos": 715318000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"sensitiveRoleToHybridGroup": {
"principalEmail": "PRINCIPAL_EMAIL",
"groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/iam.securityAdmin",
"member": "group:GROUP_NAME@ORGANIZATION_NAME",
}
],
"resourceName": "projects/PROJECT_ID"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
}
}
}
}
防御回避: ブレークグラス ワークロードのデプロイの作成
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "k8s.io",
"methodName": "io.k8s.core.v1.pods.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Breakglass Workload Deployment Created",
"cloudDlpInspection": {},
"containers": [
{
"name": "test-container",
"uri": "test-image"
}
],
"createTime": "2023-03-24T17:38:45.756Z",
"database": {},
"eventTime": "2023-03-24T17:38:45.709Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"ns": "NAMESPACE",
"name": "POD_NAME",
"labels": [
{
"name": "image-policy.k8s.io/break-glass",
"value": "true"
}
],
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI"
}
]
}
]
},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"ABUSE_ELEVATION_CONTROL_MECHANISM"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"display_name": "default",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"parent_display_name": "CLUSTER_NAME",
"type": "k8s.io.Namespace",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1548/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
},
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "binary_authorization_breakglass_workload",
"subRuleName": "create"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1679679521",
"nanos": 141571000
},
"insertId": "INSERT_ID"
}
}
]
}
}
防御回避: ブレークグラス ワークロードのデプロイの更新
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "k8s.io",
"methodName": "io.k8s.core.v1.pods.update"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Breakglass Workload Deployment Updated",
"cloudDlpInspection": {},
"containers": [
{
"name": "test-container",
"uri": "test-image"
}
],
"createTime": "2023-03-24T17:38:45.756Z",
"database": {},
"eventTime": "2023-03-24T17:38:45.709Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"ns": "NAMESPACE",
"name": "POD_NAME",
"labels": [
{
"name": "image-policy.k8s.io/break-glass",
"value": "true"
}
],
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI"
}
]
}
]
},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"ABUSE_ELEVATION_CONTROL_MECHANISM"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
"display_name": "default",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"parent_display_name": "CLUSTER_NAME",
"type": "k8s.io.Namespace",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1548/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
},
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "binary_authorization_breakglass_workload",
"subRuleName": "update"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1679679521",
"nanos": 141571000
},
"insertId": "INSERT_ID"
}
}
]
}
}
防御回避: VPC Service Control の変更
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
"state": "ACTIVE",
"category": "Defense Evasion: Modify VPC Service Control",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "modify_auth_process",
"indicator": "audit_log",
"ruleName": "vpcsc_changes",
"subRuleName": "reduce_perimeter_protection"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1633625631",
"nanos": 1.78978E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
"policyLink": "LINK_TO_VPC_SERVICE_CONTROLS",
"delta": {
"restrictedResources": [{
"resourceName": "PROJECT_NAME",
"action": "REMOVE"
}],
"restrictedServices": [{
"serviceName": "SERVICE_NAME",
"action": "REMOVE"
}],
"allowedServices": [{
"serviceName": "SERVICE_NAME",
"action": "ADD"
}],
"accessLevels": [{
"policyName": "ACCESS_LEVEL_POLICY",
"action": "ADD"
}]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": ""https://attack.mitre.org/techniques/T1556/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-07T16:53:53.875Z",
"createTime": "2021-10-07T16:53:54.411Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {},
"serviceName": "accesscontextmanager.googleapis.com",
"methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter"
}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"type": "google.cloud.resourcemanager.Organization",
"displayName": "RESOURCE_DISPLAY_NAME"
}
}
検出: 機密性の高い Kubernetes オブジェクトのチェック
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
"category": "Discovery: Can get sensitive Kubernetes object check",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-08T01:39:42.957Z",
"database": {},
"eventTime": "2022-10-08T01:39:40.632Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"accessReviews": [
{
"name": "secrets-1665218000",
"resource": "secrets",
"verb": "get"
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "can_get_sensitive_object"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665193180",
"nanos": 632000000
},
"insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf"
}
}
],
"properties": {},
"findingId": "03f466dc25a8496693b7482304fb2e7f",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0007/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
検出: サービス アカウントの自己調査
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Discovery: Service Account Self-Investigation",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "discovery",
"indicator": "audit_log",
"ruleName": "iam_anomalous_behavior",
"subRuleName": "service_account_gets_own_iam_policy"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1619200104",
"nanos": 9.08E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceAccountGetsOwnIamPolicy": {
"principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
"projectId": "PROJECT_ID",
"callerIp": "IP_ADDRESS",
"callerUserAgent": "CALLER_USER_AGENT",
"rawUserAgent": "RAW_USER_AGENT"
}
},
"contextUris": {
"mitreUri": {
"displayName": "Permission Groups Discovery: Cloud Groups",
"url": "https://attack.mitre.org/techniques/T1069/003/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-23T17:48:24.908Z",
"createTime": "2021-04-23T17:48:26.922Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "ORGANIZATION_NAME",
"type": "google.cloud.resourcemanager.Project"
}
}
回避: 匿名化プロキシからのアクセス
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Evasion: Access from Anonymizing Proxy",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "proxy_access"
},
"detectionPriority": "MEDIUM",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1633625631",
"nanos": 1.78978E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"changeFromBadIp": {
"principalEmail": "PRINCIPAL_EMAIL",
"ip": "SOURCE_IP_ADDRESS"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1090/003/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-07T16:53:53.875Z",
"createTime": "2021-10-07T16:53:54.411Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "PARENT_NAME",
"type": "google.cloud.resourcemanager.Project",
"displayName": "PROJECT_ID"
}
}
データ漏洩: BigQuery データの漏洩
この検出結果には、可能性のある次の 2 つのサブルールのいずれかが含まれる可能性があります。
exfil_to_external_table、重大度はHIGH。vpc_perimeter_violation、重大度はLOW。
次の例は、サブルール exfil_to_external_table の JSON を示しています。
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "bigquery.googleapis.com",
"methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Exfiltration: BigQuery Data Exfiltration",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "2023-05-30T15:49:59.709Z",
"database": {},
"eventTime": "2023-05-30T15:49:59.432Z",
"exfiltration": {
"sources": [
{
"name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
}
],
"targets": [
{
"name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID"
}
]
},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": [
"EXFILTRATION_OVER_WEB_SERVICE",
"EXFILTRATION_TO_CLOUD_STORAGE"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
"parent_display_name": "FOLDER_NAME",
"type": "google.cloud.resourcemanager.Project",
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
"resourceFolderDisplayName": "FOLDER_NAME"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "org_exfiltration",
"indicator": "audit_log",
"ruleName": "big_query_exfil",
"subRuleName": "exfil_to_external_table"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1685461795",
"nanos": 341527000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"dataExfiltrationAttempt": {
"jobState": "SUCCEEDED",
"jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults",
"job": {
"projectId": "PROJECT_ID",
"jobId": "BIGQUERY_JOB_ID",
"location": "BIGQUERY_JOB_LOCATION"
},
"query": "QUERY",
"sourceTables": [
{
"resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
"projectId": "PROJECT_ID",
"datasetId": "DATASET_ID",
"tableId": "TABLE_ID"
}
],
"destinationTables": [
{
"resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table",
"projectId": "TARGET_PROJECT_ID",
"datasetId": "TARGET_DATASET_ID",
"tableId": "TARGET_TABLE_ID"
}
],
"userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com"
},
"principalEmail": "PRINCIPAL_EMAIL"
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
データ漏洩: BigQuery データの抽出
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"state": "ACTIVE",
"category": "Exfiltration: BigQuery Data Extraction",
"sourceProperties": {
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"detectionCategory": {
"technique": "storage_bucket_exfiltration",
"indicator": "audit_log",
"ruleName": "big_query_exfil",
"subRuleName": "exfil_to_cloud_storage"
},
"detectionPriority": "LOW",
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related BigQuery Exfiltration Extraction findings",
"url": "RELATED_FINDINGS_LINK"
}
},
"evidence": [{
"sourceLogId": {
"projectId": PROJECT_ID,
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"extractionAttempt": {
"jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
"job": {
"projectId": "SOURCE_PROJECT_ID",
"jobId": "JOB_ID",
"location": "US"
},
"sourceTable": {
"projectId": "DESTINATION_PROJECT_ID",
"datasetId": "DATASET_ID",
"tableId": "TABLE_ID",
"resourceUri": "FULL_URI"
},
"destinations": [
{
"originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
"collectionType": "GCS_BUCKET",
"collectionName": "TARGET_GCS_BUCKET_NAME",
"objectName": "TARGET_FILE_NAME"
}
]
},
"principalEmail": "PRINCIPAL_EMAIL"
},
"findingId": "FINDING_ID"
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2022-03-31T21:22:11.359Z",
"createTime": "2022-03-31T21:22:12.689Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "bigquery.googleapis.com",
"methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
},
"exfiltration": {
"sources": [
{
"name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
}
],
"targets": [
{
"name": "TARGET_GCS_URI"
}
]
}
},
"resource": {
"name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
"parentDisplayName": "PROJECT_ID:DATASET_ID",
"type": "google.cloud.bigquery.Table",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NAME"
}],
"displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
}
}
データ漏洩: Google ドライブへの BigQuery データ
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"state": "ACTIVE",
"category": "Exfiltration: BigQuery Data to Google Drive",
"sourceProperties": {
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"detectionCategory": {
"technique": "google_drive_exfiltration",
"indicator": "audit_log",
"ruleName": "big_query_exfil",
"subRuleName": "exfil_to_google_drive"
},
"detectionPriority": "LOW",
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related BigQuery Exfiltration to Google Drive findings",
"url": "RELATED_FINDINGS_LINK"
}
},
"evidence": [{
"sourceLogId": {
"projectId": PROJECT_ID,
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID" }
}],
"properties": {
"extractionAttempt": {
"jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
"job": {
"projectId": "SOURCE_PROJECT_ID",
"jobId": "JOB_ID",
"location": "US"
},
"sourceTable": {
"projectId": "DESTINATION_PROJECT_ID",
"datasetId": "DATASET_ID",
"tableId": "TABLE_ID",
"resourceUri": "FULL_URI"
},
"destinations": [
{
"originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME",
"collectionType": "GDRIVE",
"collectionName": "TARGET_GOOGLE_DRIVE_FOLDER",
"objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME"
}
]
},
"principalEmail": "PRINCIPAL_EMAIL"
},
"findingId": "FINDING_ID"
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2022-03-31T21:20:18.408Z",
"createTime": "2022-03-31T21:20:18.715Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "bigquery.googleapis.com",
"methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
},
"exfiltration": {
"sources": [
{
"name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
}
],
"targets": [
{
"name": "TARGET_GOOGLE_DRIVE_URI"
}
]
}
},
"resource": {
"name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
"parentDisplayName": "PROJECT_ID:DATASET_ID",
"type": "google.cloud.bigquery.Table",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NAME"
}],
"displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
}
}
データ漏洩: CloudSQL データの漏洩
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Exfiltration: CloudSQL Data Exfiltration",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "storage_bucket_exfiltration",
"indicator": "audit_log",
"ruleName": "cloudsql_exfil",
"subRuleName": "export_to_public_gcs"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": PROJECT_ID,
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"exportToGcs": {
"principalEmail": "PRINCIPAL_EMAIL",
"cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
"bucketAccess": "PUBLICLY_ACCESSIBLE",
"bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
"exportScope": "WHOLE_INSTANCE"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-10-11T16:32:59.828Z",
"createTime": "2021-10-11T16:33:00.229Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.export"
},
"exfiltration": {
"sources": [
{
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"components": []
}
],
"targets": [
{
"name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
"components": [
"TARGET_FILE_NAME"
]
}
]
},
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NAME"
}],
"displayName": "INSTANCE_NAME"
}
}
データの引き出し: CloudSQL から外部組織へのバックアップの復元
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
"state": "ACTIVE",
"category": "Exfiltration: CloudSQL Restore Backup to External Organization",
"sourceProperties": {
"sourceId": {
"projectNumber": "SOURCE_PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "backup_exfiltration",
"indicator": "audit_log",
"ruleName": "cloudsql_exfil",
"subRuleName": "restore_to_external_instance"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
},
],
"evidence": [{
"sourceLogId": {
"projectId": "SOURCE_PROJECT_ID",
"resourceContainer": "projects/SOURCE_PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"restoreToExternalInstance": {
"principalEmail": "PRINCIPAL_EMAIL",
"sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
"backupId": "BACKUP_ID",
"targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2022-01-19T21:36:07.901Z",
"createTime": "2022-01-19T21:36:08.695Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
},
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP",
"callerIpGeo": {
},
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.restoreBackup"
},
"exfiltration": {
"sources": [
{
"name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
}
],
"targets": [
{
"name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
}
]
}
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER",
"projectDisplayName": "SOURCE_PROJECT_ID",
"parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
"parentDisplayName": "SOURCE_INSTANCE_NAME",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_ID"
}],
"displayName": "mysql-backup-restore-instance"
}
}
データの引き出し: CloudSQL の過剰な権限付与
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Exfiltration: CloudSQL Over-Privileged Grant",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "cloudsql_exfil",
"subRuleName": "user_granted_all_permissions"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"eventTime": "2022-01-19T21:36:07.901Z",
"createTime": "2022-01-19T21:36:08.695Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "EXFILTRATION",
"primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
"grantees": [GRANTEE],
},
"access": {
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.query"
}
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_ID"
}],
"displayName": "INSTANCE_NAME"
}
}
マルウェア: 不正ドメイン
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Bad Domain",
"sourceProperties": {
"sourceId": {
"customerOrganizationNumber": "ORGANIZATION_ID",
"projectNumber": "PROJECT_NUMBER"
},
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1568/"
}, "virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal Domain Link",
"url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
}
]
},
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"timestamp": {
"nanos": 0.0,
"seconds": "0"
},
"insertId": "INSERT_ID",
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"domains": [
"DOMAIN"
],
"network": {
"location": "REGION",
"project": "PROJECT_ID"
},
"dnsContexts": [
{
"authAnswer": true,
"sourceIp": "IP_ADDRESS",
"queryName": "DOMAIN",
"queryType": "AAAA",
"responseCode": "NOERROR",
"responseData": [
{
"domainName": "DOMAIN.",
"ttl": 299,
"responseClass": "IN",
"responseType": "AAAA",
"responseValue": "IP_ADDRESS"
}
]
}
]
},
"detectionPriority": "HIGH",
"detectionCategory": {
"technique": "C2",
"indicator": "domain",
"subRuleName": "google_intel",
"ruleName": "bad_domain"
}
},
"severity": "HIGH",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
マルウェア: 不正 IP
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Bad IP",
"sourceProperties": {
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"timestamp": {
"nanos": 0.0,
"seconds": "0"
},
"insertId": "INSERT_ID",
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"ips": [
"SOURCE_IP_ADDRESS",
"DESTINATION_IP_ADDRESS"
],
"ipConnection": {
"srcIp": "SOURCE_IP_ADDRESS",
"srcPort": SOURCE_PORT,
"destIp": "DESTINATION_IP_ADDRESS",
"destPort": DESTINATION_PORT,
"protocol": 6
},
"network": {
"project": "PROJECT_ID",
"location": "ZONE",
"subnetworkId": "SUBNETWORK_ID",
"subnetworkName": "default"
},
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
},
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0011/"
},
"virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
},
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
}
]
},
"detectionCategory": {
"technique": "C2",
"indicator": "ip",
"ruleName": "bad_ip",
"subRuleName": "google_intel"
},
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
]
},
"severity": "LOW",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
マルウェア: 不正ドメインの暗号化
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Cryptomining Bad Domain",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "cryptomining",
"indicator": "domain",
"ruleName": "bad_domain",
"subRuleName": "cryptomining"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1636566099",
"nanos": 5.41483849E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"domains": ["DOMAIN"],
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"network": {
"project": "PROJECT_ID",
"location": "ZONE"
},
"dnsContexts": [{
"authAnswer": true,
"sourceIp": "SOURCE_IP_ADDRESS",
"queryName": "DOMAIN",
"queryType": "A",
"responseCode": "NXDOMAIN"
}],
"vpc": {
"vpcName": "default"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"virustotalIndicatorQueryUri": [{
"displayName": "VirusTotal Domain Link",
"url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
}],
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-11-10T17:41:41.594Z",
"createTime": "2021-11-10T17:41:42.014Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"indicator": {
"domains": ["DOMAIN"]
}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "PARENT_NAME",
"type": "google.cloud.resourcemanager.Project",
"displayName": "PROJECT_ID"
}
}
マルウェア: 不正 IP の暗号化
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Malware: Cryptomining Bad IP",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "cryptomining",
"indicator": "ip",
"ruleName": "bad_ip",
"subRuleName": "cryptomining"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1636566005",
"nanos": 9.74622832E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"ips": ["DESTINATION_IP_ADDRESS"],
"instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"network": {
"project": "PROJECT_ID",
"location": "ZONE",
"subnetworkId": "SUBNETWORK_ID",
"subnetworkName": "default"
},
"ipConnection": {
"srcIp": "SOURCE_IP_ADDRESS",
"destIp": "DESTINATION_IP_ADDRESS",
"protocol": 1.0
},
"indicatorContext": [{
"ipAddress": "DESTINATION_IP_ADDRESS",
"countryCode": "FR",
"reverseDnsDomain": "REVERSE_DNS_DOMAIN",
"carrierName": "CARRIER_NAME",
"organizationName": "ORGANIZATION_NAME",
"asn": "AUTONOMOUS_SYSTEM_NUMBERS"
}],
"srcVpc": {
},
"destVpc": {
"projectId": "PROJECT_ID",
"vpcName": "default",
"subnetworkName": "default"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"virustotalIndicatorQueryUri": [{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
}],
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-11-10T17:40:38.048Z",
"createTime": "2021-11-10T17:40:38.472Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"indicator": {
"ipAddresses": ["DESTINATION_IP_ADDRESS"]
}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parentDisplayName": "PARENT_NAME",
"type": "google.cloud.resourcemanager.Project",
"displayName": "PROJECT_ID"
}
}
マルウェア: 送信 DoS
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Malware: Outgoing DoS",
"sourceProperties": {
"evidence": [
{
"sourceLogId": {
"timestamp": {
"nanos": 0.0,
"seconds": "0"
},
"resourceContainer": "projects/PROJECT_ID"
}
}
],
"properties": {
"sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"ipConnection": {
"srcIp": "SOURCE_IP_ADDRESS",
"srcPort": SOURCE_PORT,
"destIp": "DESTINATION_IP_ADDRESS",
"destPort": DESTINATION_PORT,
"protocol": 17
}
},
"detectionPriority": "HIGH",
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1498/"
}
},
"detectionCategory": {
"technique": "malware",
"indicator": "flow_log",
"ruleName": "outgoing_dos"
}
},
"severity": "HIGH",
"eventTime": "1970-01-01T00:00:00Z",
"createTime": "1970-01-01T00:00:00Z"
}
}
永続性: IAM 異常付与
IAM Anomalous Grant の検出結果にはサブルールが含まれ、この検出結果の各インスタンスに関するより具体的な情報が提供されます。これは、この検出結果に特有のものです。この検出結果の重大度の分類はサブルールに依存し、サブルールごとに異なる対応が必要になる場合があります。
次のリストに、可能性のあるすべてのサブルールとその重大度を示します。
external_service_account_added_to_policy:HIGHHIGH: 機密性の高いロールが付与されたか、中程度の機密性のロールが組織レベルで付与されている場合。詳細については、機密性の高いロールをご覧ください。MEDIUM: 中程度の機密性のロールが付与された場合。詳細については、機密性が中程度のロールをご覧ください。external_member_invited_to_policy:HIGHexternal_member_added_to_policy:HIGH: 機密性の高いロールが付与されたか、中程度の機密性のロールが組織レベルで付与されている場合。詳細については、機密性の高いロールをご覧ください。MEDIUM: 中程度の機密性のロールが付与された場合。詳細については、機密性が中程度のロールをご覧ください。
custom_role_given_sensitive_permissions:MEDIUMservice_account_granted_sensitive_role_to_member:HIGHpolicy_modified_by_default_compute_service_account:HIGH
検出結果に含まれる JSON フィールドは、検出結果のカテゴリごとに異なる場合があります。たとえば、次の JSON にはセキュリティ アカウントのフィールドが含まれています。検出結果のカテゴリがサービス アカウントに関連していない場合、これらのフィールドは JSON に含まれません。
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME",
"principalSubject": "PRINCIPAL_SUBJECT",
"serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: IAM Anomalous Grant",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_3"
},
{
"email": "EMAIL_ADDRESS_4
}
]
}
},
"createTime": "CREATE_TIMESTAMP",
"database": {},
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "IAM_ROLE",
"member": "serviceAccount:ACCOUNT_NAME"
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "RESOURCE_FULL_NAME",
"severity": "SEVERITY_CLASSIFICATION",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_FULL_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//RESOURCE/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "RESOURCE_PARENT_NAME",
"parent_display_name": "PARENT_DISPLAY_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
"resourceFolder": "RESOURCE_FOLDER_ID"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "iam_anomalous_grant",
"subRuleName": "TYPE_OF_ANOMALOUS_GRANT"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1678897327",
"nanos": 26483000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"sensitiveRoleGrant": {
"principalEmail": "PRINCIPAL_EMAIL",
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/GRANTED_ROLE",
"member": "serviceAccount:SERVICE_ACCOUNT_NAME",
}
],
"members": [
"serviceAccount:SERVICE_ACCOUNT_NAME"
]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {
"displayName": "Related Anomalous Grant Findings",
"url": "LINK_TO_RELATED_FINDING"
}
}
}
}
永続性: 休眠状態のサービス アカウントに対する権限借用ロールの付与
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.SetIAMPolicy"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: Impersonation Role Granted for Dormant Service Account",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_3"
},
{
"email": "EMAIL_ADDRESS_4
}
]
}
},
"createTime": "CREATE_TIMESTAMP",
"database": {},
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "roles/iam.serviceAccountTokenCreator",
"member": "IAM_Account_Who_Received_Impersonation_Role"
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
"display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.iam.ServiceAccount",
"folders": [
{
"resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
"resourceFolder": "RESOURCE_FOLDER_ID"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "impersonation_role_granted_over_dormant_sa"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1678897327",
"nanos": 26483000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
]
}
}
}
永続性: 新しい API メソッド
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME",
"principalSubject": "PRINCIPAL_SUBJECT",
"serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: New API Method",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "anomalous_behavior",
"subRuleName": "new_api_method"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"newApiMethod": {
"newApiMethod": {
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME"
},
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerUserAgent": "CALLER_USER_AGENT",
"resourceContainer": "projects/PROJECT_NUMBER"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0003/"
}
}
}
}
永続性: 新しい地域
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
"state": "ACTIVE",
"category": "Persistence: New Geography",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "iam_anomalous_behavior",
"subRuleName": "ip_geolocation"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "RESOURCE_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1617994703",
"nanos": 5.08853E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"anomalousLocation": {
"anomalousLocation": "BE",
"callerIp": "IP_ADDRESS",
"principalEmail": "PRINCIPAL_EMAIL",
"notSeenInLast": "2592000s",
"typicalGeolocations": [{
"country": {
"identifier": "US"
}
}]
}
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-09T18:59:43.860Z",
"createTime": "2021-04-09T18:59:44.440Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "RESOURCE_NAME"
}
}
永続性: 新しいユーザー エージェント
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9",
"resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
"state": "ACTIVE",
"category": "Persistence: New User Agent",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "iam_anomalous_behavior",
"subRuleName": "user_agent"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1614736482",
"nanos": 9.76209552E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"anomalousSoftware": {
"anomalousSoftwareClassification": ["USER_AGENT"],
"behaviorPeriod": "2592000s",
"callerUserAgent": "USER_AGENT",
"principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
}
},
"findingId": "FINDING_ID",
"contextUris": {
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}]
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-03-03T01:54:47.681Z",
"createTime": "2021-03-03T01:54:49.154Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//monitoring.googleapis.com/projects/PROJECT_ID"
}
}
権限昇格: 使われていないサービス アカウントに対する機密性の高いロールの付与
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_3"
},
{
"email": "EMAIL_ADDRESS_4
}
]
}
},
"createTime": "CREATE_TIMESTAMP",
"database": {},
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"iamBindings": [
{
"action": "ADD",
"role": "SENSITIVE_IAM_ROLE",
"member": "serviceAccount:DORMANT_SERVICE_ACCOUNT"
}
],
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "RESOURCE_FULL_NAME",
"severity": "SEVERITY_CLASSIFICATION",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_FULL_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//RESOURCE/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "RESOURCE_PARENT_NAME",
"parent_display_name": "PARENT_DISPLAY_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
"resourceFolder": "RESOURCE_FOLDER_ID"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_role_added_to_dormant_sa"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1678897327",
"nanos": 26483000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
]
}
}
}
権限昇格: Kubernetes RBAC 機密オブジェクトの変更
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
"category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-07T07:42:36.536Z",
"database": {},
"eventTime": "2022-10-07T07:42:06.044Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"bindings": [
{
"name": "cluster-admin",
"role": {
"kind": "CLUSTER_ROLE",
"name": "cluster-admin"
},
"subjects": [
{
"kind": "USER",
"name": "testUser-1665153212"
}
]
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "edit_sensitive_rbac_object"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665128526",
"nanos": 44146000
},
"insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a"
}
}
],
"properties": {},
"findingId": "05b52fe8267d44bdb33c89367f0dd11a",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
権限昇格: マスター証明書の Kubernetes CSR の作成
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.certificates.v1.certificatesigningrequests.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
"category": "Privilege Escalation: Create Kubernetes CSR for master cert",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-08T14:38:12.501Z",
"database": {},
"eventTime": "2022-10-08T14:37:46.944Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "csr_for_master_cert"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665239866",
"nanos": 944045000
},
"insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101"
}
}
],
"properties": {},
"findingId": "0562169c2e3b44879030a7369dbf839c",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
権限昇格: 機密性の高い Kubernetes バインディングの作成
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
"category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-11T09:29:44.425Z",
"database": {},
"eventTime": "2022-10-11T09:29:26.309Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"bindings": [
{
"name": "cluster-admin",
"role": {
"kind": "CLUSTER_ROLE",
"name": "cluster-admin"
}
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "create_sensitive_binding"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665480566",
"nanos": 309136000
},
"insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"
}
}
],
"properties": {},
"findingId": "02dcbf565d9d4972a126ac3c38fd4295",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
権限昇格: 漏洩したブートストラップ認証情報を使用した Kubernetes CSR
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.certificates.v1.certificatesigningrequests.list"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
"category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-12T12:28:11.480Z",
"database": {},
"eventTime": "2022-10-12T12:28:08.597Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "get_csr_with_compromised_bootstrap_credentials"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665577688",
"nanos": 597107000
},
"insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993"
}
}
],
"properties": {},
"findingId": "025e0ba774da4d678883257cd125fc43",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
権限昇格: Kubernetes 特権コンテナのリリース
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "k8s.io",
"methodName": "io.k8s.core.v1.pods.create"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
"category": "Privilege Escalation: Launch of privileged Kubernetes container",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2022-10-08T21:43:41.145Z",
"database": {},
"eventTime": "2022-10-08T21:43:09.188Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kubernetes": {
"pods": [
{
"ns": "default",
"name": "POD_NAME",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI"
}
]
}
]
},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
"display_name": "CLUSTER_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "gke_control_plane",
"subRuleName": "launch_privileged_container"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1665265389",
"nanos": 188357000
},
"insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c"
}
}
],
"properties": {},
"findingId": "04206668443b45078d5b51c908ad87da",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
権限昇格: 管理アクティビティに関する、サービス アカウントの異常な権限借用
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
権限昇格: 管理アクティビティに関する、異常なマルチステップ サービス アカウントの委任
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_multistep_admin_activity"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
権限昇格: データアクセスに関する、異常なマルチステップ サービス アカウントの委任
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_multistep_data_access"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
権限昇格: 管理アクティビティに関する、サービス アカウントの異常な権限借用
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_impersonator_admin_activity"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
権限昇格: データアクセスに関する、サービス アカウントの異常な権限借用
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.list",
"serviceAccountDelegationInfo": [
{
"principalEmail": "PRINCIPAL_EMAIL"
},
{
"principalEmail": "PRINCIPAL_EMAIL"
}
]
},
"assetDisplayName": "PROJECT_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access",
"cloudDlpInspection": {},
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-02-09T03:26:04.611Z",
"database": {},
"eventTime": "2023-02-09T03:26:05.403Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "ORGANIZATION",
"type": "google.cloud.resourcemanager.Project",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "anomalous_sa_delegation_impersonator_data_access"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//storage.googleapis.com/"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1675913160",
"nanos": 929341814
},
"insertId": "o5ii7hddddd"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
}
}
}
}
システム復旧の抑制: Google Cloud バックアップと DR からのホストの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteHost",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"host": "HOST_NAME",
"applications": [
"HOST_NAME"
],
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Deleted Google Cloud Backup and DR host",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_hosts_delete_host"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
"backupDisasterRecovery": {
"host": "HOST_NAME",
"applications": [
"HOST_NAME"
]
}
}
}
データの破棄: Google Cloud バックアップと DR からのイメージの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "expireBackup",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME",
"policies": [
"POLICY_NAME"
],
"profile": "PROFILE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Data Destruction: Google Cloud Backup and DR expire image",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_expire_image"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME",
"policies": [
"POLICY_NAME"
],
"profile": "PROFILE_NAME"
}
}
}
システム復旧の抑制: Google Cloud バックアップと DR からのプランの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteSla",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"applications": [
"HOST_NAME"
],
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_remove_plan"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
"backupDisasterRecovery": {
"applications": [
"HOST_NAME"
]
}
}
}
データの破棄: Google Cloud バックアップと DR からのすべてのイメージの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "backupdr.googleapis.com",
"methodName": "expireBackups",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Data Destruction: Google Cloud Backup and DR expire all images",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_expire_images_all"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups."
}
}
システム復旧の抑制: Google Cloud バックアップと DR からのプロファイルの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteSlt",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete template",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_template_delete_template"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
"backupDisasterRecovery": {
"backupTemplate": "TEMPLATE_NAME"
}
}
}
システム復旧の抑制: Google Cloud バックアップと DR からのプロファイルの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deletePolicy",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"policies": [
"DeleteMe"
],
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete policy",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_template_delete_policy"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
"backupDisasterRecovery": {
"policies": [
"POLICY_NAME"
]
}
}
}
システム復旧の抑制: Google Cloud バックアップと DR からのプロファイルの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "IP_ADDRESS",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteSlp",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"profile": "PROFILE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete profile",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_template_delete_profile"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
"backupDisasterRecovery": {
"profile": "PROFILE_NAME"
}
}
}
データの破棄: Google Cloud バックアップと DR からのアプライアンスの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteCluster",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"appliance": "APPLIANCE_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Data Destruction: Google Cloud Backup and DR remove appliance",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_appliances_remove_appliance"
},
"detectionPriority": "MEDIUM",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
"backupDisasterRecovery": {
"appliance": "APPLIANCE_NAME"
}
}
}
システム復旧の抑制: Google Cloud バックアップと DR からのストレージ プールの削除
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "deleteDiskPool",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"backupDisasterRecovery": {
"storagePool": "STORAGE_POOL_NAME",
"backupCreateTime": "EVENT_TIMESTAMP"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Inhibit System Recovery: Google Cloud Backup and DR delete storage pool",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_storage_pools_delete"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
"backupDisasterRecovery": {
"storagePool": "STORAGE_POOL_NAME"
}
}
}
影響: Google Cloud のバックアップと DR により、バックアップの頻度が低減した
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "updatePolicy",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Impact: Google Cloud Backup and DR reduced backup frequency",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "The backup schedule has been modified to reduce backup frequency.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_reduce_backup_frequency"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "The backup schedule has been modified to reduce backup frequency.",
}
}
影響: Google Cloud バックアップと DR により、バックアップの有効期限が短縮された
{
"finding": {
"access": {
"principalEmail": "USER_EMAIL",
"callerIp": "CALLER_IP",
"callerIpGeo": {
"regionCode": "REGION_CODE"
},
"serviceName": "backupdr.googleapis.com",
"methodName": "updateBackup",
"principalSubject": "user:USER_EMAIL"
},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
"category": "Impact: Google Cloud Backup and DR reduced backup expiration",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "EVENT_TIMESTAMP",
"database": {},
"description": "The expiration date for a backup has been reduced.",
"eventTime": "EVENT_TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"INHIBIT_SYSTEM_RECOVERY"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "MEDIUM",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_ID",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"parent_display_name": "FOLDER_NAME",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "backup_reduce_backup_expiration"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1490/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LINK_TO_LOG_QUERY"
}
],
"relatedFindingUri": {}
},
"description": "The expiration date for a backup has been reduced."
}
}
初期アクセス: アカウントの無効化(ハイジャック)
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Account Disabled Hijacked",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "account_disabled_hijacked"
},
"detectionPriority": "MEDIUM",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1624034293",
"nanos": 6.78E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledHijacked",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-18T16:38:13.678Z",
"createTime": "2021-06-18T16:38:16.508Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
初期アクセス: 無効化(パスワードの漏洩)
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Disabled Password Leak",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "disabled_password_leak"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1626462896",
"nanos": 6.81E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledPasswordLeak",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-07-16T19:14:56.681Z",
"createTime": "2021-07-16T19:15:00.430Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT",
"indicator": {
}
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
初期アクセス: 政府支援による攻撃
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Government Based Attack",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "government_based_attack"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1624061458",
"nanos": 7.4E7
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.govAttackWarning",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-19T00:10:58.074Z",
"createTime": "2021-06-19T00:11:01.760Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
初期アクセス: Log4j の悪用
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"state": "ACTIVE",
"category": "Initial Access: Log4j Compromise Attempt",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "log4j_compromise_attempt"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1639690492",
"nanos": 9.13836E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"loadBalancerName": "LOAD_BALANCER_NAME",
"requestUrl": "REQUEST_URL?${jndi:ldap://google.com}"
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1190/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
}],
"relatedFindingUri": {
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-12-16T21:34:52.913Z",
"createTime": "2021-12-16T21:34:55.022Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"mute": "UNDEFINED",
"findingClass": "THREAT"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
"parentDisplayName": "FOLDER_DISPLAY_NAME",
"type": "google.cloud.resourcemanager.Project",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
"resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
}],
"displayName": "PROJECT_ID"
}
}
初期アクセス: 不審なログインのブロック
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Initial Access: Suspicious Login Blocked",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "valid_accounts",
"indicator": "audit_log",
"ruleName": "suspicious_login"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621637767",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLogin",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-05-21T22:56:07Z",
"createTime": "2021-05-27T02:36:07.382Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
初期アクセス: データベース スーパーユーザーによるユーザー テーブルへの書き込み
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Initial Access: Database Superuser Writes to User Tables",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "cloudsql_superuser_writes_to_user_tables",
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1567/002/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}],
"relatedFindingUri": {
"displayName": "Related CloudSQL Exfiltration findings",
"url": "RELATED_FINDINGS_LINK"
}
}
},
"eventTime": "2022-01-19T21:36:07.901Z",
"createTime": "2022-01-19T21:36:08.695Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": ["DEFAULT_ACCOUNTS"]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
},
"access": {
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.query"
}
},
"resource": {
"name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.cloud.sql.Instance",
"folders": [{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_ID"
}],
"displayName": "INSTANCE_NAME"
}
}
初期アクセス: 過剰な権限の拒否アクション
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME",
"principalSubject": "PRINCIPAL_SUBJECT",
"serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Excessive Permission Denied Actions",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "anomalous_behavior",
"subRuleName": "new_api_method"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {
"failedActions": [
{
"methodName": "SetIamPolicy",
"serviceName": "iam.googleapis.com",
"attemptTimes": "7",
"lastOccurredTime": "2023-03-15T17:35:18.771219Z"
},
{
"methodName": "iam.googleapis.com",
"serviceName": "google.iam.admin.v1.CreateServiceAccountKey",
"attemptTimes": "3",
"lastOccurredTime": "2023-03-15T05:36:14.954701Z"
}
]
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
}
}
}
}
初期アクセス: 使われていないサービス アカウントに対するアクション
{
"findings": {
"access": {
"principalEmail": "DORMANT_SERVICE_ACCOUNT",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Dormant Service Account Action",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"parent_display_name": "FOLDER_NAME",
"type": "RESOURCE_TYPE",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "dormant_sa_used_in_action",
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0003/"
}
}
}
}
初期アクセス: 休眠状態のサービス アカウントに対するキーの作成
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.CreateServiceAccountKey"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Dormant Service Account Key Created",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
},
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-01-12T10:35:47.381Z",
"database": {},
"eventTime": "2023-01-12T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
"display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
"parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
"type": "google.iam.ServiceAccountKey",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "key_created_on_dormant_sa"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/tactics/TA0003/"
}
}
}
}
初期アクセス: 漏洩したサービス アカウント キーの使用
{
"findings": {
"access": {
"principalEmail": "SERVICE_ACCOUNT",
"callerIp": "IP_ADDRESS,
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "SERVICE_NAME",
"methodName": "METHOD_NAME"
"serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY"
},
"assetDisplayName": "ASSET_DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Initial Access: Leaked Service Account Key Used",
"contacts": {
"security": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
},
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS"
}
]
}
},
"createTime": "2023-07-18T10:35:47.381Z",
"database": {},
"eventTime": "2023-07-18T10:35:47.270Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "INITIAL_ACCESS",
"primaryTechniques": [
"VALID_ACCOUNTS",
"CLOUD_ACCOUNTS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "AFFECTED_RESOURCE",
"severity": "HIGH",
"sourceDisplayName": "Event Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "RESOURCE_NAME",
"display_name": "RESOURCE_DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "leaked_sa_key_used"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "GOOGLE_RESOURCE"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1673519681",
"nanos": 728289000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/004/"
}
}
},
"description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL"
}
防御への侵害: 強力な認証の無効化
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
"state": "ACTIVE",
"category": "Impair Defenses: Strong Authentication Disabled",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "impair_defenses",
"indicator": "audit_log",
"ruleName": "enforce_strong_authentication"
},
"detectionPriority": "MEDIUM",
"affectedResources": [{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1623952110",
"nanos": 6.51337E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "admin.googleapis.com",
"methodName": "google.admin.AdminService.enforceStrongAuthentication",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-17T17:48:30.651Z",
"createTime": "2021-06-17T17:48:33.574Z",
"severity": "MEDIUM",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
}
}
防御への侵害: 2 段階認証プロセスの無効化
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Impair Defenses: Two Step Verification Disabled",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "impair_defenses",
"indicator": "audit_log",
"ruleName": "two_step_verification_disabled"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1626391356",
"nanos": 5.96E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svDisable",
"ssoState": "UNKNOWN",
"principalEmail": "PRINCIPAL_EMAIL"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-07-15T23:22:36.596Z",
"createTime": "2021-07-15T23:22:40.079Z",
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT",
"indicator": {
}
},
"resource": {
"name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
}
}
永続性: SSO の有効化の切り替え
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
"state": "ACTIVE",
"category": "Persistence: SSO Enablement Toggle",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "account_manipulation",
"indicator": "audit_log",
"ruleName": "sso_enablement_toggle"
},
"detectionPriority": "HIGH",
"affectedResources": [{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1622829313",
"nanos": 3.42104E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "admin.googleapis.com",
"methodName": "google.admin.AdminService.toggleSsoEnabled",
"ssoState": "ENABLED",
"domainName": "ORGANIZATION_NAME"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-06-04T17:55:13.342Z",
"createTime": "2021-06-04T17:55:15.900Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
}
}
永続性: GCE 管理者による起動スクリプトの追加
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
"category": "Persistence: GCE Admin Added Startup Script",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "gce_admin"
"subRuleName": "instance_add_startup_script"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621624109",
"nanos": 3.73721E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"callerIp": "IP_ADDRESS",
"principalEmail": "PRINCIPAL_EMAIL",
"gceInstanceId": "GCE_INSTANCE_ID",
"projectId": "PROJECT_ID",
"metadataKeyOperation": "ADDED",
"callerUserAgent": "USER_AGENT",
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1543/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}]
}
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
}
}
永続性: GCE 管理者による SSH 認証鍵の追加
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
"category": "Persistence: GCE Admin Added SSH Key",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "gce_admin"
"subRuleName": "instance_add_ssh_key"
},
"detectionPriority": "LOW",
"affectedResources": [{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
}, {
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621624109",
"nanos": 3.73721E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"callerIp": "IP_ADDRESS",
"principalEmail": "PRINCIPAL_EMAIL",
"gceInstanceId": "GCE_INSTANCE_ID",
"projectId": "PROJECT_ID",
"metadataKeyOperation": "ADDED",
"callerUserAgent": "USER_AGENT",
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1543/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}]
}
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
}
}
永続性: 変更された SSO 設定
プロジェクト レベルで有効にしている場合、この検出結果は利用できません。
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
"state": "ACTIVE",
"category": "Persistence: SSO Settings Changed",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "account_manipulation",
"indicator": "audit_log",
"ruleName": "sso_settings_changed"
},
"detectionPriority": "HIGH",
"affectedResources": [
{
"gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "0",
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1621624109",
"nanos": 3.73721E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"serviceName": "admin.googleapis.com",
"methodName": "google.admin.AdminService.changeSsoSettings",
"domainName": "ORGANIZATION_NAME"
},
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
}],
"workspacesUri": {
"displayName": "Workspaces Link",
"url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
}
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-05-21T19:08:29.373Z",
"createTime": "2021-05-27T11:36:24.429Z",
"severity": "HIGH",
"workflowState": "NEW",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"findingClass": "THREAT"
},
"resource": {
"name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
}
}
Cloud IDS
{
"finding": {
"access": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
"category": "Cloud IDS: THREAT_ID",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"connections": [
{
"destinationIp": "IP_ADDRESS",
"destinationPort": PORT,
"sourceIp": "IP_ADDRESS",
"sourcePort": PORT,
"protocol": "PROTOCOL"
}
],
"createTime": "TIMESTAMP",
"database": {},
"description": "This signature detects a payload in HTTP traffic which could possibly be malicious.",
"eventTime": "TIMESTAMP",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"display_name": "PROJECT_DISPLAY_NAME",
"type": "google.cloud.resourcemanager.Project",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "ctd-engprod-project",
"parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER",
"parent_display_name": "PARENT_DISPLAY_NAME",
"folders": [
{
"resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resource_folder_display_name": "FOLDER_DISPLAY_NAME"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "cloud_ids_threat_activity"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "TIMESTAMP",
"nanos": TIMESTAMP
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_QUERY_URI"
}
],
"relatedFindingUri": {}
},
"description": "THREAT_DESCRIPTION"
}
}
ラテラル ムーブメント: 変更されたブートディスクがインスタンスにアタッチされた
{
"finding": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.attachDisk",
},
"application": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
"category": "Lateral Movement: Modify Boot Disk Attaching to Instance",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"createTime": "2024-02-01T23:55:17.589Z",
"database": {},
"eventTime": "2024-02-01T23:55:17.396Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"logEntries": [
{
"cloudLoggingEntry": {
"insertId": "INSERT_ID",
"logId": "cloudaudit.googleapis.com/activity",
"resourceContainer": "projects/PROJECT_NUMBER",
"timestamp": "2024-02-01T23:55:15.017887Z"
}
}
],
"mitreAttack": {
"primaryTactic": "TACTIC_UNSPECIFIED"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION",
"parentDisplayName": "Event Threat Detection",
"resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"securityPosture": {},
"severity": "LOW",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"displayName": "INSTANCE_ID",
"type": "google.compute.Instance",
"gcpMetadata": {
"project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_NUMBER",
"parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_NUMBER,
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": "FOLDER_NUMBER"
}
],
"organization": "organizations/ORGANIZATION_NUMBER"
}
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "modify_boot_disk",
"subRuleName": "attach_to_instance"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID"
},
{
"gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_NUMBER",
"resourceContainer": "PROJECT_NUMBER",
"timestamp": {
"seconds": "1706831715",
"nanos": 17887000
},
"insertId": "INSERT_ID",
"logId": "cloudaudit.googleapis.com/activity"
}
}
],
"properties": {
"diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID",
"targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"workerInstances": [
"projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
],
"bootDiskPayloads": [
{
"instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"operation": "MODIFY_BOOT_DISK_ATTACH",
"principalEmail": "PRINCIPAL_EMAIL",
"eventTime": "2024-02-01T23:55:06.706640Z"
},
{
"instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
"operation": "MODIFY_BOOT_DISK_DETACH",
"principalEmail": "PRINCIPAL_EMAIL",
"eventTime": "2024-02-01T23:55:05.608631Z"
}
]
},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1570/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER"
}
],
"relatedFindingUri": {}
}
}
}
権限昇格: AlloyDB の過剰な権限付与
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Privilege Escalation: AlloyDB Over-Privileged Grant",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "alloydb_user_granted_all_permissions",
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/001/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}]
}
},
"eventTime": "EVENT_TIMESTAMP",,
"createTime": "CREATE_TIMESTAMP",,
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "PRIVILEGE_ESCALATION",
"primaryTechniques": [
"VALID_ACCOUNTS"
],
"additionalTactics": [
"PERSISTENCE"
],
"additionalTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
"grantees": [GRANTEE],
},
"access": {
"serviceName": "alloydb.googleapis.com",
"methodName": "alloydb.instances.query"
}
},
"resource": {
"name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"type": "google.alloydb.Instance",
"cloudProvider": "GOOGLE_CLOUD_PLATFORM",
"service": "alloydb.googleapis.com",
"location": "REGION",
"gcpMetadata": {
"project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": FOLDER_NAME
}
],
"organization": "organizations/ORGANIZATION_ID"
},
"resourcePath": {
"nodes": [
{
"nodeType": "GCP_PROJECT",
"id": "projects/PROJECT_NUMBER",
"displayName": "PROJECT_ID"
},
{
"nodeType": "GCP_FOLDER",
"id": "folders/FOLDER_NUMBER",
"displayName": "FOLDER_NAME"
},
{
"nodeType": "GCP_ORGANIZATION",
"id": "organizations/ORGANIZATION_ID"
}
]
},
"resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
}
}
権限昇格: AlloyDB データベース スーパーユーザーによるユーザー テーブルへの書き込み
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"state": "ACTIVE",
"category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables",
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "alloydb_user_granted_all_permissions",
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
},
{
"gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
}
],
"evidence": [{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "0",
"nanos": 0.0
},
"insertId": "INSERT_ID"
}
}],
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1078/001/"
},
"cloudLoggingQueryUri": [{
"displayName": "Cloud Logging Query Link",
"url": "LOGGING_LINK"
}]
}
},
"eventTime": "EVENT_TIMESTAMP",,
"createTime": "CREATE_TIMESTAMP",,
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "PRIVILEGE_ESCALATION",
"primaryTechniques": [
"VALID_ACCOUNTS"
],
"additionalTactics": [
"PERSISTENCE"
],
"additionalTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"database": {
"displayName": "DATABASE_NAME",
"userName": "USER_NAME",
"query": QUERY",
},
"access": {
"serviceName": "alloydb.googleapis.com",
"methodName": "alloydb.instances.query"
}
},
"resource": {
"name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
"type": "google.alloydb.Instance",
"cloudProvider": "GOOGLE_CLOUD_PLATFORM",
"service": "alloydb.googleapis.com",
"location": "REGION",
"gcpMetadata": {
"project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"folders": [
{
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
"resourceFolderDisplayName": FOLDER_NAME
}
],
"organization": "organizations/ORGANIZATION_ID"
},
"resourcePath": {
"nodes": [
{
"nodeType": "GCP_PROJECT",
"id": "projects/PROJECT_NUMBER",
"displayName": "PROJECT_ID"
},
{
"nodeType": "GCP_FOLDER",
"id": "folders/FOLDER_NUMBER",
"displayName": "FOLDER_NAME"
},
{
"nodeType": "GCP_ORGANIZATION",
"id": "organizations/ORGANIZATION_ID"
}
]
},
"resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
}
}
次のステップ
- Event Threat Detection の仕組みの詳細について確認する。
- 脅威に対する対応計画を策定して開発する方法を学習する。