Using Event Threat Detection

This page shows you how to review Event Threat Detection findings in the Google Cloud console and includes examples of Event Threat Detection findings.

Event Threat Detection is a built-in service for the Security Command Center Premium tier that monitors the Cloud Logging logging streams for your organization or projects and detects threats in near-real time. If you activate Security Command Center Premium tier at the organization level, Event Threat Detection can also monitor your organization's Google Workspace logging streams. To learn more, see Event Threat Detection overview.

Reviewing findings

To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings. After you enable Event Threat Detection, Event Threat Detection generates findings by scanning specific logs. Some of the logs Event Threat Detection can scan are turned off by default, so you might need to turn them on.

For more information about the built-in detection rules that Event Threat Detection uses and the logs that Event Threat Detection scans, see the following topics:

You can view Event Threat Detection findings in Security Command Center. If you configured Continuous Exports to write logs, you can also view findings in Cloud Logging. Continuous Exports to Cloud Logging are only available when you activate Security Command Center Premium tier at the organization level. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Event Threat Detection.

Event Threat Detection activation occurs within seconds. Detection latencies are generally less than 15 minutes from the time a log is written to when a finding is available in Security Command Center. For more information on latency, see Security Command Center latency overview.

Reviewing findings in Security Command Center

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Use the following procedure to review findings in the Google Cloud console:

  1. In the Google Cloud console, go to the Security Command Center Findings page.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. In the Quick filters section, in the Source display name subsection, select one or both of the following:

    The table is populated with Event Threat Detection findings.

  4. To view details of a specific finding, click the finding name under Category. The finding details pane expands to display information including the following:

    • An AI-generated summaryPreview of the issue
    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The actions taken, like adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who took the action, listed next to Principal email
  5. To display all findings that were caused by the same user's actions:

    1. On the finding details pane, copy the email address next to Principal email.
    2. Close the pane.
    3. In query builder, enter the following query:

      access.principal_email="USER_EMAIL"
      

      Replace USER_EMAIL with the email address you previously copied.

      Security Command Center displays all findings that are associated with actions taken by the user you specified.

Viewing findings in Cloud Logging

If you configure Continuous Exports to write logs, you can view Event Threat Detection findings in Cloud Logging. This feature is only available if you activate Security Command Center Premium tier at the organization level.

To view Event Threat Detection findings in Cloud Logging, do the following:

  1. Go to Logs Explorer in the Google Cloud console.

    Go to Logs Explorer

  2. In the Project selector at the top of the page, select the project where you are storing your Event Threat Detection logs.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select Threat Detector.

    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.
  5. Click Add. The query appears in the query builder text box.

  6. Alternatively, enter the following query in the text box:

    resource.type="threat_detector"
    

  7. Click Run Query. The Query results table is updated with the logs you selected.

  8. To view a log, click a table row, and then click Expand nested fields.

You can create advanced log queries to specify a set of log entries from any number of logs.

Investigate findings in Chronicle

Chronicle integration is only available when you activate Security Command Center Premium tier at the organization level.

If you activate Security Command Center Premium tier at the organization level, you can use Chronicle to investigate Event Threat Detection findings.

Event Threat Detection integrates seamlessly with Chronicle, a Google Cloud service that lets you investigate threats and pivot through related actions and events in a unified timeline. Chronicle enriches findings, helping you identify indicators of interest and simplify investigations.

For example, if Event Threat Detection identifies a principal who made a suspicious IAM role grant, you can use Chronicle to view that user's recent login activity and check whether they made other suspicious changes after the role grant.

To send Event Threat Detection findings to Chronicle, do the following:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. In the Quick filters panel, scroll down to Source display name and select Event Threat Detection.

    The Findings query results panel updates to show only Event Threat Detection findings.

  3. In the Findings query results panel, under Category, click on the name of the finding that you need to investigate.

  4. On the Summary tab of the details panel, in the Related links section, click Investigate in Chronicle.

  5. Follow the instructions in Chronicle's guided user interface.

To learn how to use Chronicle, see the Chronicle documentation, which includes useful guides for conducting investigations:

You can also investigate threats by reviewing additional finding details. For more information, see Investigating and responding to threats.

Example finding formats

This section includes the JSON output formats for Event Threat Detection findings as they appear when you create exports from the Google Cloud console or run list methods in the Security Command Center API.

The output examples contain the fields most common to all findings. However, all fields might not appear in every finding. The actual output you see depends on a resource's configuration and the type and state of findings.

To see example findings, expand one or more of the following nodes.

Active Scan: Log4j Vulnerable to RCE

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "state": "ACTIVE",
    "category": "Active Scan: Log4j Vulnerable to RCE",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_scan_success"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }, {
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1639701222",
            "nanos": 7.22988344E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "scannerDomain": "SCANNER_DOMAIN",
        "sourceIp": "SOURCE_IP_ADDRESS",
        "vpcName": "default"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1210/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-17T00:33:42.722Z",
    "createTime": "2021-12-17T00:33:44.633Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.compute.Instance",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
    }],
    "displayName": "INSTANCE_ID"
  }
}
    

Brute Force: SSH

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Brute Force: SSH",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "65"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "projectId": "PROJECT_ID",
          "zone": "us-west1-a",
          "instanceId": "INSTANCE_ID",
          "attempts": [
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "SUCCESS"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            }
          ]
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/003/"
          }
        },
        "detectionCategory": {
          "technique": "brute_force",
          "indicator": "flow_log",
          "ruleName": "ssh_brute_force"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Credential Access: External Member Added To Privileged Group

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME",
    "state": "ACTIVE",
    "category": "Credential Access: External Member Added To Privileged Group",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "external_member_added_to_privileged_group"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633622881",
            "nanos": 6.73869E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "externalMemberAddedToPrivilegedGroup": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "externalMember": "user:EXTERNAL_EMAIL",
          "sensitiveRoles": [{
            "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
            "roleName": ["ROLES"]
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": " https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:08:03.888Z",
    "createTime": "2021-10-07T16:08:04.516Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
  }
}
    

Credential Access: Privileged Group Opened To Public

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings",
    "state": "ACTIVE",
    "category": "Credential Access: Privileged Group Opened To Public",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "privileged_group_opened_to_public"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1634774534",
            "nanos": 7.12E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "privilegedGroupOpenedToPublic": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "sensitiveRoles": [{
            "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
            "roleName": ["ROLES"]
          }],
          "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": " https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-21T00:02:19.173Z",
    "createTime": "2021-10-21T00:02:20.099Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
  }
}
    

Credential Access: Sensitive Role Granted To Hybrid Group

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy",
    },
    "assetDisplayName": "PROJECT_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Credential Access: Sensitive Role Granted To Hybrid Group",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-12-22T00:31:58.242Z",
    "database": {},
    "eventTime": "2022-12-22T00:31:58.151Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.securityAdmin",
        "member": "group:GROUP_NAME@ORGANIZATION_NAME",
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_ID",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_ID",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "sensitive_role_to_group_with_external_member"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1671669114",
            "nanos": 715318000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "sensitiveRoleToHybridGroup": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/iam.securityAdmin",
            "member": "group:GROUP_NAME@ORGANIZATION_NAME",
          }
        ],
        "resourceName": "projects/PROJECT_ID"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}
    

Defense Evasion: Breakglass Workload Deployment Created

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Created",
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "test-container",
        "uri": "test-image"
      }
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {
              "name": "image-policy.k8s.io/break-glass",
              "value": "true"
            }
          ],
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": [
        "ABUSE_ELEVATION_CONTROL_MECHANISM"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "create"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1679679521",
            "nanos": 141571000
          },
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}
    

Defense Evasion: Breakglass Workload Deployment Updated

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Updated",
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "test-container",
        "uri": "test-image"
      }
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd,
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {
              "name": "image-policy.k8s.io/break-glass",
              "value": "true"
            }
          ],
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": [
        "ABUSE_ELEVATION_CONTROL_MECHANISM"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "update"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1679679521",
            "nanos": 141571000
          },
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}
    

Defense Evasion: Modify VPC Service Control

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
    "state": "ACTIVE",
    "category": "Defense Evasion: Modify VPC Service Control",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "modify_auth_process",
        "indicator": "audit_log",
        "ruleName": "vpcsc_changes",
        "subRuleName": "reduce_perimeter_protection"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
        "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS",
        "delta": {
          "restrictedResources": [{
            "resourceName": "PROJECT_NAME",
            "action": "REMOVE"
          }],
          "restrictedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "REMOVE"
          }],
          "allowedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "ADD"
          }],
          "accessLevels": [{
            "policyName": "ACCESS_LEVEL_POLICY",
            "action": "ADD"
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": ""https://attack.mitre.org/techniques/T1556/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "accesscontextmanager.googleapis.com",
      "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter"
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "type": "google.cloud.resourcemanager.Organization",
    "displayName": "RESOURCE_DISPLAY_NAME"
  }
}
    

Discovery: Can get sensitive Kubernetes object check


{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "category": "Discovery: Can get sensitive Kubernetes object check",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T01:39:42.957Z",
    "database": {},
    "eventTime": "2022-10-08T01:39:40.632Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "accessReviews": [
        {
          "name": "secrets-1665218000",
          "resource": "secrets",
          "verb": "get"
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "can_get_sensitive_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665193180",
            "nanos": 632000000
          },
          "insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf"
        }
      }
    ],
    "properties": {},
    "findingId": "03f466dc25a8496693b7482304fb2e7f",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0007/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Discovery: Service Account Self-Investigation


{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1619200104",
            "nanos": 9.08E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}
    

Evasion: Access from Anonymizing Proxy

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Evasion: Access from Anonymizing Proxy",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "proxy_access"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "changeFromBadIp": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "ip": "SOURCE_IP_ADDRESS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1090/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
    

Exfiltration: BigQuery Data Exfiltration

This finding can include one of two possible subrules:

  • exfil_to_external_table, with a severity of HIGH.
  • vpc_perimeter_violation, with a severity of LOW.

The following example shows the JSON for subrule exfil_to_external_table.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Exfiltration: BigQuery Data Exfiltration",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2023-05-30T15:49:59.709Z",
    "database": {},
    "eventTime": "2023-05-30T15:49:59.432Z",
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID"
        }
      ]
    },
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [
        "EXFILTRATION_OVER_WEB_SERVICE",
        "EXFILTRATION_TO_CLOUD_STORAGE"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parent_display_name": "FOLDER_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "org_exfiltration",
      "indicator": "audit_log",
      "ruleName": "big_query_exfil",
      "subRuleName": "exfil_to_external_table"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1685461795",
            "nanos": 341527000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "dataExfiltrationAttempt": {
        "jobState": "SUCCEEDED",
        "jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults",
        "job": {
          "projectId": "PROJECT_ID",
          "jobId": "BIGQUERY_JOB_ID",
          "location": "BIGQUERY_JOB_LOCATION"
        },
        "query": "QUERY",
        "sourceTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
            "projectId": "PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID"
          }
        ],
        "destinationTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table",
            "projectId": "TARGET_PROJECT_ID",
            "datasetId": "TARGET_DATASET_ID",
            "tableId": "TARGET_TABLE_ID"
          }
        ],
        "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com"
      },
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1567/002/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Exfiltration: BigQuery Data Extraction

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data Extraction",
    "sourceProperties": {
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "detectionCategory": {
        "technique": "storage_bucket_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_cloud_storage"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration Extraction findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": PROJECT_ID,
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
              "collectionType": "GCS_BUCKET",
              "collectionName": "TARGET_GCS_BUCKET_NAME",
              "objectName": "TARGET_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:22:11.359Z",
    "createTime": "2022-03-31T21:22:12.689Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "TARGET_GCS_URI"
        }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}
    

Exfiltration: BigQuery Data to Google Drive

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data to Google Drive",
    "sourceProperties": {
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "detectionCategory": {
        "technique": "google_drive_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_google_drive"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration to Google Drive findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": PROJECT_ID,
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME",
              "collectionType": "GDRIVE",
              "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER",
              "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:20:18.408Z",
    "createTime": "2022-03-31T21:20:18.715Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "TARGET_GOOGLE_DRIVE_URI"
        }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}
    

Exfiltration: CloudSQL Data Exfiltration

This finding isn't available for project-level activations.

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Data Exfiltration",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "technique": "storage_bucket_exfiltration",
          "indicator": "audit_log",
          "ruleName": "cloudsql_exfil",
          "subRuleName": "export_to_public_gcs"
        },
        "detectionPriority": "HIGH",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": PROJECT_ID,
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "properties": {
          "exportToGcs": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
            "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
            "bucketAccess": "PUBLICLY_ACCESSIBLE",
            "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
            "exportScope": "WHOLE_INSTANCE"
          }
        },
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "eventTime": "2021-10-11T16:32:59.828Z",
      "createTime": "2021-10-11T16:33:00.229Z",
      "severity": "HIGH",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
      },
      "access": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP",
        "callerIpGeo": {
        },
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.export"
      },
      "exfiltration": {
        "sources": [
          {
            "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
            "components": []
          }
        ],
        "targets": [
          {
            "name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
            "components": [
              "TARGET_FILE_NAME"
            ]
          }
        ]
      },
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }],
      "displayName": "INSTANCE_NAME"
    }
}
    

Exfiltration: CloudSQL Restore Backup to External Organization

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Restore Backup to External Organization",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "SOURCE_PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "technique": "backup_exfiltration",
          "indicator": "audit_log",
          "ruleName": "cloudsql_exfil",
          "subRuleName": "restore_to_external_instance"
        },
        "detectionPriority": "HIGH",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          },
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "SOURCE_PROJECT_ID",
            "resourceContainer": "projects/SOURCE_PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "properties": {
          "restoreToExternalInstance": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
            "backupId": "BACKUP_ID",
            "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          }
        },
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "eventTime": "2022-01-19T21:36:07.901Z",
      "createTime": "2022-01-19T21:36:08.695Z",
      "severity": "HIGH",
      "workflowState": "NEW",
      "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
      },
      "access": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP",
        "callerIpGeo": {
        },
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.restoreBackup"
      },
      "exfiltration": {
        "sources": [
          {
            "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
          }
        ],
        "targets": [
          {
            "name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
          }
        ]
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER",
      "projectDisplayName": "SOURCE_PROJECT_ID",
      "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
      "parentDisplayName": "SOURCE_INSTANCE_NAME",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }],
      "displayName": "mysql-backup-restore-instance"
    }
}
    

Exfiltration: CloudSQL Over-Privileged Grant

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Exfiltration: CloudSQL Over-Privileged Grant",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "cloudsql_exfil",
          "subRuleName": "user_granted_all_permissions"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "eventTime": "2022-01-19T21:36:07.901Z",
      "createTime": "2022-01-19T21:36:08.695Z",
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "EXFILTRATION",
        "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"]
      },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
        "grantees": [GRANTEE],
      },
      "access": {
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.query"
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }],
      "displayName": "INSTANCE_NAME"
    }
}
    

Malware: Bad Domain

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad Domain",
      "sourceProperties": {
        "sourceId": {
          "customerOrganizationNumber": "ORGANIZATION_ID",
          "projectNumber": "PROJECT_NUMBER"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1568/"
          },          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal Domain Link",
              "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
            }
          ]
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "domains": [
            "DOMAIN"
          ],
          "network": {
            "location": "REGION",
            "project": "PROJECT_ID"
          },
          "dnsContexts": [
            {
              "authAnswer": true,
              "sourceIp": "IP_ADDRESS",
              "queryName": "DOMAIN",
              "queryType": "AAAA",
              "responseCode": "NOERROR",
              "responseData": [
                {
                  "domainName": "DOMAIN.",
                  "ttl": 299,
                  "responseClass": "IN",
                  "responseType": "AAAA",
                  "responseValue": "IP_ADDRESS"
                }
              ]
            }
          ]
        },
        "detectionPriority": "HIGH",
        "detectionCategory": {
          "technique": "C2",
          "indicator": "domain",
          "subRuleName": "google_intel",
          "ruleName": "bad_domain"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

Malware: Bad IP

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad IP",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "ips": [
            "SOURCE_IP_ADDRESS",
            "DESTINATION_IP_ADDRESS"
          ],
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 6
          },
          "network": {
            "project": "PROJECT_ID",
            "location": "ZONE",
            "subnetworkId": "SUBNETWORK_ID",
            "subnetworkName": "default"
          },
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        },
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/tactics/TA0011/"
          },
          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
            },
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
            }
          ]
        },
        "detectionCategory": {
          "technique": "C2",
          "indicator": "ip",
          "ruleName": "bad_ip",
          "subRuleName": "google_intel"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "LOW",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

Malware: Cryptomining Bad Domain

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "domain",
        "ruleName": "bad_domain",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1636566099",
            "nanos": 5.41483849E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "domains": ["DOMAIN"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE"
        },
        "dnsContexts": [{
          "authAnswer": true,
          "sourceIp": "SOURCE_IP_ADDRESS",
          "queryName": "DOMAIN",
          "queryType": "A",
          "responseCode": "NXDOMAIN"
        }],
        "vpc": {
          "vpcName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [{
          "displayName": "VirusTotal Domain Link",
          "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
        }],
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:41:41.594Z",
    "createTime": "2021-11-10T17:41:42.014Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "domains": ["DOMAIN"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
    

Malware: Cryptomining Bad IP

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad IP",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "ip",
        "ruleName": "bad_ip",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1636566005",
            "nanos": 9.74622832E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "ips": ["DESTINATION_IP_ADDRESS"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE",
          "subnetworkId": "SUBNETWORK_ID",
          "subnetworkName": "default"
        },
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "destIp": "DESTINATION_IP_ADDRESS",
          "protocol": 1.0
        },
        "indicatorContext": [{
          "ipAddress": "DESTINATION_IP_ADDRESS",
          "countryCode": "FR",
          "reverseDnsDomain": "REVERSE_DNS_DOMAIN",
          "carrierName": "CARRIER_NAME",
          "organizationName": "ORGANIZATION_NAME",
          "asn": "AUTONOMOUS_SYSTEM_NUMBERS"
        }],
        "srcVpc": {
        },
        "destVpc": {
          "projectId": "PROJECT_ID",
          "vpcName": "default",
          "subnetworkName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [{
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
        }],
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:40:38.048Z",
    "createTime": "2021-11-10T17:40:38.472Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "ipAddresses": ["DESTINATION_IP_ADDRESS"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
    

Malware: Outgoing DoS

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "state": "ACTIVE",
      "category": "Malware: Outgoing DoS",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 17
          }
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1498/"
          }
        },
        "detectionCategory": {
          "technique": "malware",
          "indicator": "flow_log",
          "ruleName": "outgoing_dos"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

Persistence: IAM Anomalous Grant

The IAM Anomalous Grant finding is unique in that it includes sub-rules that provide more specific information about each instance of this finding. The severity classification of this finding depends on the sub-rule and each sub-rule might require a different response.

The following list shows all possible sub-rules and their severities:

  • external_service_account_added_to_policy: HIGH
    • HIGH, if a highly sensitive role was granted or if a medium-sensitivity role was granted at the organization level. For more information, see Highly-sensitive roles.
    • MEDIUM, if a medium-sensitivity role was granted. For more information, see Medium-sensitivity roles.
  • external_member_invited_to_policy: HIGH
  • external_member_added_to_policy:
    • HIGH, if a highly sensitive role was granted or if a medium-sensitivity role was granted at the organization level. For more information, see Highly-sensitive roles.
    • MEDIUM, if a medium-sensitivity role was granted. For more information, see Medium-sensitivity roles.
  • custom_role_given_sensitive_permissions: MEDIUM
  • service_account_granted_sensitive_role_to_member: HIGH
  • policy_modified_by_default_compute_service_account: HIGH

The JSON fields that a finding includes can differ from one finding category to another. For example, the following JSON includes fields for a security account. If a finding category does not relate to a service account, those fields are not included in the JSON.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: IAM Anomalous Grant",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "IAM_ROLE",
        "member": "serviceAccount:ACCOUNT_NAME"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "iam_anomalous_grant",
      "subRuleName": "TYPE_OF_ANOMALOUS_GRANT"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "sensitiveRoleGrant": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/GRANTED_ROLE",
            "member": "serviceAccount:SERVICE_ACCOUNT_NAME",
          }
        ],
        "members": [
          "serviceAccount:SERVICE_ACCOUNT_NAME"
        ]
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {
        "displayName": "Related Anomalous Grant Findings",
        "url": "LINK_TO_RELATED_FINDING"
      }
    }
  }
}
    

Persistence: Impersonation Role Granted for Dormant Service Account

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "iam.googleapis.com",
      "methodName": "google.iam.admin.v1.SetIAMPolicy"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: Impersonation Role Granted for Dormant Service Account",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.serviceAccountTokenCreator",
        "member": "IAM_Account_Who_Received_Impersonation_Role"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.iam.ServiceAccount",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "impersonation_role_granted_over_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}
    

Persistence: New API Method

{
 "findings": {
   "access": {
     "principalEmail": "PRINCIPAL_EMAIL",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME",
     "principalSubject": "PRINCIPAL_SUBJECT",
     "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Persistence: New API Method",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {},
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "severity": "LOW",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
   "parent_display_name": "FOLDER_NAME",
   "type": "RESOURCE_TYPE",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "technique": "persistence",
     "indicator": "audit_log",
     "ruleName": "anomalous_behavior",
     "subRuleName": "new_api_method"
   },
   "detectionPriority": "LOW",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {
     "newApiMethod": {
       "newApiMethod": {
         "serviceName": "SERVICE_NAME",
         "methodName": "METHOD_NAME"
       },
       "principalEmail": "PRINCIPAL_EMAIL",
       "callerIp": "IP_ADDRESS",
       "callerUserAgent": "CALLER_USER_AGENT",
       "resourceContainer": "projects/PROJECT_NUMBER"
     }
   },
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/tactics/TA0003/"
     }
   }
 }
}
    

Persistence: New Geography

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
    "state": "ACTIVE",
    "category": "Persistence: New Geography",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "ip_geolocation"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "RESOURCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1617994703",
            "nanos": 5.08853E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousLocation": {
          "anomalousLocation": "BE",
          "callerIp": "IP_ADDRESS",
          "principalEmail": "PRINCIPAL_EMAIL",
          "notSeenInLast": "2592000s",
          "typicalGeolocations": [{
            "country": {
              "identifier": "US"
            }
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "RESOURCE_NAME"
  }
}
    

Persistence: New User Agent

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID9",
    "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Persistence: New User Agent",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "user_agent"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1614736482",
            "nanos": 9.76209552E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousSoftware": {
          "anomalousSoftwareClassification": ["USER_AGENT"],
          "behaviorPeriod": "2592000s",
          "callerUserAgent": "USER_AGENT",
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-03-03T01:54:47.681Z",
    "createTime": "2021-03-03T01:54:49.154Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//monitoring.googleapis.com/projects/PROJECT_ID"
  }
}
    

Privilege Escalation: Dormant Service Account Granted Sensitive Role

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy",
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "SENSITIVE_IAM_ROLE",
        "member": "serviceAccount:DORMANT_SERVICE_ACCOUNT"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "sensitive_role_added_to_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}
    

Privilege escalation: Changes to sensitive kubernetes RBAC objects

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-07T07:42:36.536Z",
    "database": {},
    "eventTime": "2022-10-07T07:42:06.044Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          },
          "subjects": [
            {
              "kind": "USER",
              "name": "testUser-1665153212"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "edit_sensitive_rbac_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665128526",
            "nanos": 44146000
          },
          "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a"
        }
      }
    ],
    "properties": {},
    "findingId": "05b52fe8267d44bdb33c89367f0dd11a",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Privilege escalation: Create kubernetes CSR for master cert

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "category": "Privilege Escalation: Create Kubernetes CSR for master cert",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T14:38:12.501Z",
    "database": {},
    "eventTime": "2022-10-08T14:37:46.944Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "csr_for_master_cert"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665239866",
            "nanos": 944045000
          },
          "insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101"
        }
      }
    ],
    "properties": {},
    "findingId": "0562169c2e3b44879030a7369dbf839c",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Privilege escalation: Creation of sensitive kubernetes bindings

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-11T09:29:44.425Z",
    "database": {},
    "eventTime": "2022-10-11T09:29:26.309Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          }
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "create_sensitive_binding"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665480566",
            "nanos": 309136000
          },
          "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"
        }
      }
    ],
    "properties": {},
    "findingId": "02dcbf565d9d4972a126ac3c38fd4295",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.list"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-12T12:28:11.480Z",
    "database": {},
    "eventTime": "2022-10-12T12:28:08.597Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "get_csr_with_compromised_bootstrap_credentials"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665577688",
            "nanos": 597107000
          },
          "insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993"
        }
      }
    ],
    "properties": {},
    "findingId": "025e0ba774da4d678883257cd125fc43",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Privilege Escalation: Launch of privileged Kubernetes container

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "category": "Privilege Escalation: Launch of privileged Kubernetes container",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T21:43:41.145Z",
    "database": {},
    "eventTime": "2022-10-08T21:43:09.188Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "POD_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "launch_privileged_container"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665265389",
            "nanos": 188357000
          },
          "insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c"
        }
      }
    ],
    "properties": {},
    "findingId": "04206668443b45078d5b51c908ad87da",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}
    

Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_multistep_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}
    

Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_multistep_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}
    

Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonator_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}
    

Privilege Escalation: Anomalous Service Account Impersonator for Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonator_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}
    

Inhibit System Recovery: Deleted Google Cloud Backup and DR host

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteHost",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [
        "HOST_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Deleted Google Cloud Backup and DR host",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_hosts_delete_host"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [
        "HOST_NAME"
      ]
    }
  }
}
    

Data Destruction: Google Cloud Backup and DR expire image

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [
        "POLICY_NAME"
      ],
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Data Destruction: Google Cloud Backup and DR expire image",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_expire_image"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [
        "POLICY_NAME"
      ],
      "profile": "PROFILE_NAME"
    }
  }
}
    

Inhibit System Recovery: Google Cloud Backup and DR remove plan

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSla",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_remove_plan"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ]
    }
  }
}
    

Data Destruction: Google Cloud Backup and DR expire all images

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackups",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Data Destruction: Google Cloud Backup and DR expire all images",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_expire_images_all"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups."
  }
}
    

Inhibit System Recovery: Google Cloud Backup and DR delete template

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlt",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete template",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_template"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME"
    }
  }
}
    

Inhibit System Recovery: Google Cloud Backup and DR delete policy

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deletePolicy",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "policies": [
        "DeleteMe"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete policy",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_policy"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "backupDisasterRecovery": {
      "policies": [
        "POLICY_NAME"
      ]
    }
  }
}
    

Inhibit System Recovery: Google Cloud Backup and DR delete profile

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlp",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete profile",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_profile"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME"
    }
  }
}
    

Data Destruction: Google Cloud Backup and DR remove appliance

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteCluster",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Data Destruction: Google Cloud Backup and DR remove appliance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_appliances_remove_appliance"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME"
    }
  }
}
    

Inhibit System Recovery: Google Cloud Backup and DR delete storage pool

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteDiskPool",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR delete storage pool",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_storage_pools_delete"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME"
    }
  }
}
    

Initial Access: Account Disabled Hijacked

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Account Disabled Hijacked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "account_disabled_hijacked"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624034293",
            "nanos": 6.78E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-18T16:38:13.678Z",
    "createTime": "2021-06-18T16:38:16.508Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Initial Access: Disabled Password Leak

This finding isn't available for project-level activations.


{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Disabled Password Leak",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "disabled_password_leak"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626462896",
            "nanos": 6.81E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-16T19:14:56.681Z",
    "createTime": "2021-07-16T19:15:00.430Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Initial Access: Government Based Attack

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Government Based Attack",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "government_based_attack"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1624061458",
            "nanos": 7.4E7
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-19T00:10:58.074Z",
    "createTime": "2021-06-19T00:11:01.760Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Initial Access: Log4j Compromise Attempt

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Initial Access: Log4j Compromise Attempt",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_compromise_attempt"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1639690492",
            "nanos": 9.13836E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "loadBalancerName": "LOAD_BALANCER_NAME",
        "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1190/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-16T21:34:52.913Z",
    "createTime": "2021-12-16T21:34:55.022Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
    "parentDisplayName": "FOLDER_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMNER",
      "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
    }],
    "displayName": "PROJECT_ID"
  }
}

    

Initial Access: Suspicious Login Blocked

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Suspicious Login Blocked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "suspicious_login"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621637767",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
       "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T22:56:07Z",
    "createTime": "2021-05-27T02:36:07.382Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Initial Access: Database Superuser Writes to User Tables

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Initial Access: Database Superuser Writes to User Tables",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "cloudsql_superuser_writes_to_user_tables",
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }],
          "relatedFindingUri": {
            "displayName": "Related CloudSQL Exfiltration findings",
            "url": "RELATED_FINDINGS_LINK"
          }
        }
      },
      "eventTime": "2022-01-19T21:36:07.901Z",
      "createTime": "2022-01-19T21:36:08.695Z",
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
        "primaryTactic": "INITIAL_ACCESS",
        "primaryTechniques": ["DEFAULT_ACCOUNTS"]
      },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
      },
      "access": {
        "serviceName": "cloudsql.googleapis.com",
        "methodName": "cloudsql.instances.query"
      }
    },
    "resource": {
      "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "type": "google.cloud.sql.Instance",
      "folders": [{
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }],
      "displayName": "INSTANCE_NAME"
    }
}
    

Initial Access: Excessive Permission Denied Actions

{
 "findings": {
   "access": {
     "principalEmail": "PRINCIPAL_EMAIL",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME",
     "principalSubject": "PRINCIPAL_SUBJECT",
     "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Excessive Permission Denied Actions",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {},
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "severity": "LOW",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
   "parent_display_name": "FOLDER_NAME",
   "type": "RESOURCE_TYPE",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "technique": "persistence",
     "indicator": "audit_log",
     "ruleName": "anomalous_behavior",
     "subRuleName": "new_api_method"
   },
   "detectionPriority": "LOW",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {
     "failedActions": [
        {
          "methodName": "SetIamPolicy",
          "serviceName": "iam.googleapis.com",
          "attemptTimes": "7",
          "lastOccurredTime": "2023-03-15T17:35:18.771219Z"
        },
        {
          "methodName": "iam.googleapis.com",
          "serviceName": "google.iam.admin.v1.CreateServiceAccountKey",
          "attemptTimes": "3",
          "lastOccurredTime": "2023-03-15T05:36:14.954701Z"
        }
      ]
   },
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/techniques/T1078/004/"
     }
   }
 }
}
    

Initial Access: Dormant Service Account Action

{
 "findings": {
   "access": {
     "principalEmail": "DORMANT_SERVICE_ACCOUNT",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Dormant Service Account Action",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {
    "primaryTactic": "INITIAL_ACCESS",
    "primaryTechniques": [
      "VALID_ACCOUNTS",
      "CLOUD_ACCOUNTS"
      ]
   },
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "severity": "HIGH",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
   "parent_display_name": "FOLDER_NAME",
   "type": "RESOURCE_TYPE",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "technique": "persistence",
     "indicator": "audit_log",
     "ruleName": "dormant_sa_used_in_action",
   },
   "detectionPriority": "HIGH",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {},
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/tactics/TA0003/"
     }
   }
 }
}
    

Initial Access: Dormant Service Account Key Created

{
 "findings": {
   "access": {
     "principalEmail": "PRINCIPAL_EMAIL",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "iam.googleapis.com",
     "methodName": "google.iam.admin.v1.CreateServiceAccountKey"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Dormant Service Account Key Created",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         },
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-01-12T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-01-12T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {
    "primaryTactic": "INITIAL_ACCESS",
    "primaryTechniques": [
      "VALID_ACCOUNTS",
      "CLOUD_ACCOUNTS"
      ]
   },
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
   "severity": "HIGH",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
   "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
   "parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
   "parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
   "type": "google.iam.ServiceAccountKey",
   "folders": [
     {
       "resourceFolderDisplayName": "FOLDER_NAME",
       "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
     }
   ]
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "ruleName": "key_created_on_dormant_sa"
   },
   "detectionPriority": "HIGH",
   "affectedResources": [
     {
       "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {},
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/tactics/TA0003/"
     }
   }
 }
}
    

Initial Access: Leaked Service Account Key Used

{
 "findings": {
   "access": {
     "principalEmail": "SERVICE_ACCOUNT",
     "callerIp": "IP_ADDRESS,
     "callerIpGeo": {
        "regionCode": "US"
      },
     "serviceName": "SERVICE_NAME",
     "methodName": "METHOD_NAME"
     "serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY"
   },
   "assetDisplayName": "ASSET_DISPLAY_NAME",
   "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
   "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "category": "Initial Access: Leaked Service Account Key Used",
   "contacts": {
     "security": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     },
     "technical": {
       "contacts": [
         {
           "email": "EMAIL_ADDRESS"
         }
       ]
     }
   },
   "createTime": "2023-07-18T10:35:47.381Z",
   "database": {},
   "eventTime": "2023-07-18T10:35:47.270Z",
   "exfiltration": {},
   "findingClass": "THREAT",
   "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
   "indicator": {},
   "kernelRootkit": {},
   "kubernetes": {},
   "mitreAttack": {
    "primaryTactic": "INITIAL_ACCESS",
    "primaryTechniques": [
      "VALID_ACCOUNTS",
      "CLOUD_ACCOUNTS"
      ]
   },
   "mute": "UNDEFINED",
   "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
   "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
   "parentDisplayName": "Event Threat Detection",
   "resourceName": "AFFECTED_RESOURCE",
   "severity": "HIGH",
   "sourceDisplayName": "Event Threat Detection",
   "state": "ACTIVE",
   "vulnerability": {},
   "workflowState": "NEW"
 },
 "resource": {
   "name": "RESOURCE_NAME",
   "display_name": "RESOURCE_DISPLAY_NAME",
   "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
   "project_display_name": "PROJECT_ID",
 },
 "sourceProperties": {
   "sourceId": {
     "projectNumber": "PROJECT_NUMBER",
     "customerOrganizationNumber": "ORGANIZATION_NUMBER"
   },
   "detectionCategory": {
     "ruleName": "leaked_sa_key_used"
   },
   "detectionPriority": "HIGH",
   "affectedResources": [
     {
       "gcpResourceName": "GOOGLE_RESOURCE"
     }
   ],
   "evidence": [
     {
       "sourceLogId": {
         "projectId": "PROJECT_ID",
         "resourceContainer": "projects/PROJECT_ID",
         "timestamp": {
           "seconds": "1673519681",
           "nanos": 728289000
         },
         "insertId": "INSERT_ID"
       }
     }
   ],
   "properties": {},
   "findingId": "FINDING_ID",
   "contextUris": {
     "mitreUri": {
       "displayName": "MITRE Link",
       "url": "https://attack.mitre.org/techniques/T1078/004/"
     }
   }
 },
 "description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL"
}
    

Impair Defenses: Strong Authentication Disabled

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
    "state": "ACTIVE",
    "category": "Impair Defenses: Strong Authentication Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "enforce_strong_authentication"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1623952110",
            "nanos": 6.51337E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.enforceStrongAuthentication",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
"workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "createTime": "2021-06-17T17:48:33.574Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
  }
}

    

Impair Defenses: Two Step Verification Disabled

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Impair Defenses: Two Step Verification Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "two_step_verification_disabled"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626391356",
            "nanos": 5.96E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-15T23:22:36.596Z",
    "createTime": "2021-07-15T23:22:40.079Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}
    

Persistence: SSO Enablement Toggle

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Enablement Toggle",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_enablement_toggle"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1622829313",
            "nanos": 3.42104E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.toggleSsoEnabled",
        "ssoState": "ENABLED",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-04T17:55:13.342Z",
    "createTime": "2021-06-04T17:55:15.900Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}
    

Persistence: GCE Admin Added Startup Script

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added Startup Script",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin"
        "subRuleName": "instance_add_startup_script"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT",
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
  }
}
    

Persistence: GCE Admin Added SSH Key

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added SSH Key",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin"
        "subRuleName": "instance_add_ssh_key"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT",
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
  }
}
    

Persistence: SSO Settings Changed

This finding isn't available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Settings Changed",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_settings_changed"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.changeSsoSettings",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
      "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T19:08:29.373Z",
    "createTime": "2021-05-27T11:36:24.429Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}
    

Cloud IDS

{
  "finding": {
    "access": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Cloud IDS: THREAT_ID",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "connections": [
      {
        "destinationIp": "IP_ADDRESS",
        "destinationPort": PORT,
        "sourceIp": "IP_ADDRESS",
        "sourcePort": PORT,
        "protocol": "PROTOCOL"
      }
    ],
    "createTime": "TIMESTAMP",
    "database": {},
    "description": "This signature detects a payload in HTTP traffic which could possibly be malicious.",
    "eventTime": "TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "ctd-engprod-project",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "folders": [
      {
        "resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resource_folder_display_name": "FOLDER_DISPLAY_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_ids_threat_activity"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "TIMESTAMP",
            "nanos": TIMESTAMP
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_QUERY_URI"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "THREAT_DESCRIPTION"
  }
}
    

Lateral Movement: Modified Boot Disk Attached to Instance

{
  "finding": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIpGeo": {},
      "serviceName": "compute.googleapis.com",
      "methodName": "v1.compute.instances.attachDisk",
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Lateral Movement: Modify Boot Disk Attaching to Instance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2024-02-01T23:55:17.589Z",
    "database": {},
    "eventTime": "2024-02-01T23:55:17.396Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": "2024-02-01T23:55:15.017887Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "TACTIC_UNSPECIFIED"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "securityPosture": {},
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "displayName": "INSTANCE_ID",
    "type": "google.compute.Instance",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_NUMBER",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_NUMBER,
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NUMBER"
        }
      ],
      "organization": "organizations/ORGANIZATION_NUMBER"
    }
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modify_boot_disk",
      "subRuleName": "attach_to_instance"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID"
      },
      {
        "gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_NUMBER",
          "resourceContainer": "PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1706831715",
            "nanos": 17887000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity"
        }
      }
    ],
    "properties": {
      "diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID",
      "targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
      "workerInstances": [
        "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      ],
      "bootDiskPayloads": [
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_ATTACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:06.706640Z"
        },
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_DETACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:05.608631Z"
        }
      ]
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1570/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
    

Privilege Escalation: AlloyDB Over-Privileged Grant

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Privilege Escalation: AlloyDB Over-Privileged Grant",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "alloydb_user_granted_all_permissions",
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/001/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }]
        }
      },
      "eventTime": "EVENT_TIMESTAMP",,
      "createTime": "CREATE_TIMESTAMP",,
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
          "primaryTactic": "PRIVILEGE_ESCALATION",
          "primaryTechniques": [
            "VALID_ACCOUNTS"
          ],
          "additionalTactics": [
            "PERSISTENCE"
          ],
          "additionalTechniques": [
            "ACCOUNT_MANIPULATION"
          ]
        },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
        "grantees": [GRANTEE],
      },
      "access": {
        "serviceName": "alloydb.googleapis.com",
        "methodName": "alloydb.instances.query"
      }
    },
    "resource": {
      "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "type": "google.alloydb.Instance",
      "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
      "service": "alloydb.googleapis.com",
      "location": "REGION",
      "gcpMetadata": {
        "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "projectDisplayName": "PROJECT_ID",
        "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parentDisplayName": "PROJECT_ID",
        "folders": [
          {
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
            "resourceFolderDisplayName": FOLDER_NAME
          }
        ],
        "organization": "organizations/ORGANIZATION_ID"
      },
      "resourcePath": {
        "nodes": [
          {
            "nodeType": "GCP_PROJECT",
            "id": "projects/PROJECT_NUMBER",
            "displayName": "PROJECT_ID"
          },
          {
            "nodeType": "GCP_FOLDER",
            "id": "folders/FOLDER_NUMBER",
            "displayName": "FOLDER_NAME"
          },
          {
            "nodeType": "GCP_ORGANIZATION",
            "id": "organizations/ORGANIZATION_ID"
          }
        ]
      },
      "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
    }
}
    

Privilege Escalation: AlloyDB Database Superuser Writes to User Tables

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "state": "ACTIVE",
      "category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables",
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "alloydb_user_granted_all_permissions",
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
          }
        ],
        "evidence": [{
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }],
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/001/"
          },
          "cloudLoggingQueryUri": [{
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }]
        }
      },
      "eventTime": "EVENT_TIMESTAMP",,
      "createTime": "CREATE_TIMESTAMP",,
      "severity": "LOW",
      "workflowState": "NEW",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
      "mute": "UNDEFINED",
      "findingClass": "THREAT",
      "mitreAttack": {
          "primaryTactic": "PRIVILEGE_ESCALATION",
          "primaryTechniques": [
            "VALID_ACCOUNTS"
          ],
          "additionalTactics": [
            "PERSISTENCE"
          ],
          "additionalTechniques": [
            "ACCOUNT_MANIPULATION"
          ]
        },
      "database": {
        "displayName": "DATABASE_NAME",
        "userName": "USER_NAME",
        "query": QUERY",
      },
      "access": {
        "serviceName": "alloydb.googleapis.com",
        "methodName": "alloydb.instances.query"
      }
    },
    "resource": {
      "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
      "type": "google.alloydb.Instance",
      "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
      "service": "alloydb.googleapis.com",
      "location": "REGION",
      "gcpMetadata": {
        "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "projectDisplayName": "PROJECT_ID",
        "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parentDisplayName": "PROJECT_ID",
        "folders": [
          {
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
            "resourceFolderDisplayName": FOLDER_NAME
          }
        ],
        "organization": "organizations/ORGANIZATION_ID"
      },
      "resourcePath": {
        "nodes": [
          {
            "nodeType": "GCP_PROJECT",
            "id": "projects/PROJECT_NUMBER",
            "displayName": "PROJECT_ID"
          },
          {
            "nodeType": "GCP_FOLDER",
            "id": "folders/FOLDER_NUMBER",
            "displayName": "FOLDER_NAME"
          },
          {
            "nodeType": "GCP_ORGANIZATION",
            "id": "organizations/ORGANIZATION_ID"
          }
        ]
      },
      "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
    }
}
    

What's next