Using Event Threat Detection

This page shows you how to review Event Threat Detection findings in the Security Command Center dashboard and includes examples of Event Threat Detection findings.

Event Threat Detection is a built-in service for the Security Command Center Premium tier that monitors your organization's Cloud Logging and Google Workspace logging streams and detects threats in near-real time. To learn more, see Event Threat Detection overview.

The following video shows the steps to set up Event Threat Detection and provides information about how to use the dashboard. Learn more about viewing and managing Event Threat Detection findings in Reviewing findings on this page.

Reviewing findings

To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings. After you enable Event Threat Detection and turn on logs for your organization, folders, and projects, Event Threat Detection generates findings. For more information about Event Threat Detection finding types, see Rules.

You can view Event Threat Detection findings in Security Command Center. If you configured Continuous Exports to write logs, you can also view findings in Cloud Logging. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Event Threat Detection.

Event Threat Detection activation occurs within seconds. Detection latencies are generally less than 15 minutes from the time a log is written to when a finding is available in Security Command Center. For more information on latency, see Security Command Center latency overview.

Reviewing findings in Security Command Center

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, security sources, and security marks depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

To review Event Threat Detection findings in Security Command Center, do the following:

  1. Go to the Security Command Center Findings page in the Google Cloud Console.

    Go to Findings

  2. Next to View by, click Source Type.

  3. In the Source type list, select Event Threat Detection.

  4. To view details about a specific finding, click the finding name under category. The finding details panel expands to display information, including the following:

    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The actions taken, like adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who took the action, listed next to properties_principalEmail
  5. To display all findings that were caused by the same user's actions:

    1. On the finding detail panel, copy the email address next to properties_principalEmail.
    2. Close the finding detail panel.
    3. In the Findings tab Filter box, enter sourceProperties.properties_principalEmail:USER_EMAIL, where USER_EMAIL is the email address you copied previously.

Security Command Center displays all findings that are associated with actions taken by the user you specified.

Viewing findings in Cloud Logging

To view Event Threat Detection findings in Cloud Logging, do the following:

  1. Go to Logs Explorer in the Cloud Console.

    Go to Logs Explorer

  2. In the Project selector at the top of the page, select the project where you are storing your Event Threat Detection logs.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select Threat Detector.

    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.
  5. Click Add. The query appears in the query builder text box.

  6. Alternatively, enter the following query in the text box:

    resource.type="threat_detector"
    

  7. Click Run Query. The Query results table is updated with the logs you selected.

  8. To view a log, click a table row, and then click Expand nested fields.

You can create advanced log queries to specify a set of log entries from any number of logs.

Example finding formats

This section includes the JSON output formats for individual Event Threat Detection findings as they appear when you create exports from the Security Command Center dashboard or run list methods in the Security Command Center API.

The output examples contain the fields most common to all findings. However, all fields may not appear in every finding. The actual output you see depends on a resource's configuration and the type and state of findings.

Brute Force: SSH

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Brute Force: SSH",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "65"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "projectId": "PROJECT_ID",
          "zone": "us-west1-a",
          "instanceId": "INSTANCE_ID",
          "attempts": [
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "SUCCESS"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            }
          ]
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/003/"
          }
        },
        "detectionCategory": {
          "technique": "brute_force",
          "indicator": "flow_log",
          "ruleName": "ssh_brute_force"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Discovery: Service Account Self-Investigation


{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1619200104",
            "nanos": 9.08E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceAccountGetsOwnIamPolicy": {
              "structValue": {
                "fields": {
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "projectId": {
                    "primitiveDataType": "STRING"
                  },
                  "callerIp": {
                    "primitiveDataType": "STRING"
                  },
                  "callerUserAgent": {
                    "primitiveDataType": "STRING"
                  },
                  "rawUserAgent": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}

    

Exfiltration: BigQuery Data Exfiltration

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Exfiltration: BigQuery Data Exfiltration",
      "sourceProperties": {
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"
          }
        ],
        "detectionCategory": {
          "technique": "org_exfiltration",
          "indicator": "audit_log",
          "ruleName": "big_query_exfil",
          "subRuleName": "exfil_to_external_table"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          }
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "dataExfiltrationAttempt": {
            "jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults",
            "jobState": "SUCCEEDED",
            "query": "SQL_QUERY",
            "userEmail": "PROJECT_ID@PROJECT_ID.iam.gserviceaccount.com",
            "job": {
              "projectId": "SOURCE_PROJECT_ID",
              "jobId": "JOB_ID",
              "location": "US"
            },
            "sourceTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "SOURCE_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ],
            "destinationTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "DESTINATION_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ]
          }
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Malware: Bad Domain

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad Domain",
      "sourceProperties": {
        "sourceId": {
          "customerOrganizationNumber": "ORGANIZATION_ID",
          "projectNumber": "PROJECT_NUMBER"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1568/"
          },          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal Domain Link",
              "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
            }
          ]
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "domains": [
            "DOMAIN"
          ],
          "network": {
            "location": "REGION",
            "project": "PROJECT_ID"
          },
          "dnsContexts": [
            {
              "authAnswer": true,
              "sourceIp": "IP_ADDRESS",
              "queryName": "DOMAIN",
              "queryType": "AAAA",
              "responseCode": "NOERROR",
              "responseData": [
                {
                  "domainName": "DOMAIN.",
                  "ttl": 299,
                  "responseClass": "IN",
                  "responseType": "AAAA",
                  "responseValue": "IP_ADDRESS"
                }
              ]
            }
          ]
        },
        "detectionPriority": "HIGH",
        "detectionCategory": {
          "technique": "C2",
          "indicator": "domain",
          "subRuleName": "google_intel",
          "ruleName": "bad_domain"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Malware: Bad IP

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad IP",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "ips": [
            "SOURCE_IP_ADDRESS",
            "DESTINATION_IP_ADDRESS"
          ],
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 6
          },
          "network": {
            "project": "PROJECT_ID",
            "location": "ZONE",
            "subnetworkId": "SUBNETWORK_ID",
            "subnetworkName": "default"
          },
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/tactics/TA0011/"
          },
          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
            },
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
            }
          ]
        },
        "detectionCategory": {
          "technique": "C2",
          "indicator": "ip",
          "ruleName": "bad_ip",
          "subRuleName": "google_intel"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

Malware: Outgoing DoS

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "state": "ACTIVE",
      "category": "Malware: Outgoing DoS",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 17
          }
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1498/"
          }
        },
        "detectionCategory": {
          "technique": "malware",
          "indicator": "flow_log",
          "ruleName": "outgoing_dos"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

Persistence: IAM Anomalous Grant

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Persistence: IAM Anomalous Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1611833917",
            "nanos": 8.71508E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "detectionPriority": "HIGH",
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-01-28T11:38:37.871508Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
          "displayName": "Related Anomalous Grant Findings",
          "url": "https://console.cloud.google.com/security/command-center/findings?organizationId\u003dORGANIZATION_ID\u0026pageState\u003d(%22cscc-inventory%22:(%22f%22:%22%255B%257B_22k_22_3A_22sourceProperties.detectionCategory.ruleName_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22iam_anomalous_grant_5C_22_22%257D_2C%257B_22k_22_3A_22_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22%2528sourceProperties.properties.sensitiveRoleGrant.principalEmail_3A_5C_5C_5C_22PRINCIPAL_EMAIL_5C_5C_5C_22%2529_5C_22_22%257D%255D%22))"
        }
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_grant",
        "subRuleName": "external_member_invited_to_policy"
      },
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "properties": {
        "sensitiveRoleGrant": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "members": ["user:USER_EMAIL"]
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-01-28T11:38:41.301Z",
    "createTime": "2021-01-28T11:38:42.198Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "findingId": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "relatedFindingUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "sensitiveRoleGrant": {
              "structValue": {
                "fields": {
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "members": {
                    "listValues": {
                      "propertyDataTypes": [{
                        "primitiveDataType": "STRING"
                      }]
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "PARENT_NAME"
    }]
  }
}
    

Persistence: New Geography

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
    "state": "ACTIVE",
    "category": "Persistence: New Geography",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "ip_geolocation"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "RESOURCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1617994703",
            "nanos": 5.08853E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousLocation": {
          "anomalousLocation": "BE",
          "callerIp": "IP_ADDRESS",
          "principalEmail": "PRINCIPAL_EMAIL",
          "notSeenInLast": "2592000s",
          "typicalGeolocations": [{
            "country": {
              "identifier": "US"
            }
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "findingId": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "anomalousLocation": {
              "structValue": {
                "fields": {
                  "anomalousLocation": {
                    "primitiveDataType": "STRING"
                  },
                  "callerIp": {
                    "primitiveDataType": "STRING"
                  },
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "notSeenInLast": {
                    "primitiveDataType": "STRING"
                  },
                  "typicalGeolocations": {
                    "listValues": {
                      "propertyDataTypes": [{
                        "structValue": {
                          "fields": {
                            "country": {
                              "structValue": {
                                "fields": {
                                  "identifier": {
                                    "primitiveDataType": "STRING"
                                  }
                                }
                              }
                            }
                          }
                        }
                      }]
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "RESOURCE_NAME"
  }
}
    

Persistence: New User Agent

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9",
    "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Persistence: New User Agent",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "user_agent"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1614736482",
            "nanos": 9.76209552E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousSoftware": {
          "anomalousSoftwareClassification": ["USER_AGENT"],
          "behaviorPeriod": "2592000s",
          "callerUserAgent": "USER_AGENT",
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-03-03T01:54:47.681Z",
    "createTime": "2021-03-03T01:54:49.154Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "findingId": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "anomalousSoftware": {
              "structValue": {
                "fields": {
                  "anomalousSoftwareClassification": {
                    "listValues": {
                      "propertyDataTypes": [{
                        "primitiveDataType": "STRING"
                      }]
                    }
                  },
                  "behaviorPeriod": {
                    "primitiveDataType": "STRING"
                  },
                  "callerUserAgent": {
                    "primitiveDataType": "STRING"
                  },
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//monitoring.googleapis.com/projects/PROJECT_ID"
  }
}
    

Initial Access: Account Disabled Hijacked

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Account Disabled Hijacked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "account_disabled_hijacked"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624034293",
            "nanos": 6.78E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-18T16:38:13.678Z",
    "createTime": "2021-06-18T16:38:16.508Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Initial Access: Disabled Password Leak


{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Disabled Password Leak",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "disabled_password_leak"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626462896",
            "nanos": 6.81E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-16T19:14:56.681Z",
    "createTime": "2021-07-16T19:15:00.430Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Initial Access: Government Based Attack

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Government Based Attack",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "government_based_attack"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624061458",
            "nanos": 7.4E7
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-19T00:10:58.074Z",
    "createTime": "2021-06-19T00:11:01.760Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Initial Access: Suspicious Login Blocked

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Suspicious Login Blocked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "suspicious_login"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621637767",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
       "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T22:56:07Z",
    "createTime": "2021-05-27T02:36:07.382Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Impair Defenses: Strong Authentication Disabled

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
    "state": "ACTIVE",
    "category": "Impair Defenses: Strong Authentication Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "enforce_strong_authentication"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1623952110",
            "nanos": 6.51337E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.enforceStrongAuthentication",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
"workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "createTime": "2021-06-17T17:48:33.574Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
  }
}

    

Impair Defenses: Two Step Verification Disabled

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Impair Defenses: Two Step Verification Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "two_step_verification_disabled"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626391356",
            "nanos": 5.96E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-15T23:22:36.596Z",
    "createTime": "2021-07-15T23:22:40.079Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "workspacesUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "principalEmail": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Persistence: SSO Enablement Toggle

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Enablement Toggle",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_enablement_toggle"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1622829313",
            "nanos": 3.42104E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.toggleSsoEnabled",
        "ssoState": "ENABLED",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-04T17:55:13.342Z",
    "createTime": "2021-06-04T17:55:15.900Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "ssoState": {
              "primitiveDataType": "STRING"
            },
            "domainName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}
    

Persistence: SSO Settings Changed

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Settings Changed",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_settings_changed"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.changeSsoSettings",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T19:08:29.373Z",
    "createTime": "2021-05-27T11:36:24.429Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "organizationNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceName": {
              "primitiveDataType": "STRING"
            },
            "methodName": {
              "primitiveDataType": "STRING"
            },
            "domainName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}
    

What's next