使用 Event Threat Detection

>

在 Security Command Center 信息中心查看事件威胁检测发现结果,并查看事件威胁检测发现结果示例。

Event Threat Detection 是 Security Command Center 优质层级的一项内置服务,用于监控组织的 Cloud Logging 数据流并实时检测威胁。如需了解详情,请参阅 Event Threat Detection 概览

以下视频介绍了设置 Event Threat Detection 的步骤,并提供了有关如何使用信息中心的信息。如需详细了解如何查看和管理事件威胁检测发现结果,请参阅本页面的查看发现结果

审核发现结果

如需查看 Event Threat Detection 结果,您必须在 Security Command Center 服务设置中启用该服务。为贵组织、文件夹和项目启用 Event Threat Detection 和启用日志后,Event Threat Detection 便会生成发现结果。

您可以在 Security Command Center 中查看 Container Threat Detection 发现结果。如果您配置了连续导出来写入日志,则还可以在 Cloud Logging 中查看发现结果。要生成发现结果并验证您的配置,您可以有意触发检测器和 测试 Event Threat Detection

Event Threat Detection 激活会在几秒钟内完成。当 Security Command Center 中提供发现结果时,检测延迟时间通常低于 15 分钟(从写入日志后开始算起)如需详细了解延迟时间,请参阅 Security Command Center 延迟时间概览

在 Security Command Center 中审核发现结果

Security Command Center 角色可以在组织、文件夹或项目级层授予。您能否查看、修改、创建或更新发现结果、资产、安全来源和安全标记,取决于您被授予的访问权限级别。如需详细了解 Security Command Center 角色,请参阅访问权限控制

要在 Security Command Center 中查看 Event Threat Detection 的发现结果,请执行以下操作:

  1. 转到 Google Cloud Console 中的 Security Command Center 发现结果标签页。
    转到“发现结果”标签页
  2. 查看方式旁边,点击来源类型
  3. 来源类型列表中,选择 Event Threat Detection
  4. 如需查看特定检测结果的详细信息,请点击 category 下的检测结果名称。“检测结果详情”面板展开即可显示以下信息:
    • 事件是什么
    • 事件发生的时间
    • 发现结果数据的来源
    • 检测优先级,例如
    • 采取的操作,例如向 Gmail 用户添加身份和访问权限管理(IAM)角色
    • 采取相应操作的用户(在 properties_principalEmail 旁边)
  5. 要显示由同一用户的操作导致的所有结果,请按以下步骤操作:
    1. 在发现结果详情面板上,复制 properties_principalEmail 旁边的电子邮件地址。
    2. 关闭发现结果详情面板。
    3. 在“发现结果”标签页过滤框中,输入 sourceProperties.properties_principalEmail:USER_EMAIL,其中 USER_EMAIL 是您之前复制的电子邮件地址。

Security Command Center 会显示与您指定的用户执行的操作相关的所有发现结果。

在 Cloud Logging 中查看检测结果

如需在 Cloud Logging 中查看 Event Threat Detection 发现结果,请执行以下操作:

  1. 在 Cloud Console 中,转到日志浏览器

    转到日志浏览器

  2. 在页面顶部的项目选择器中,选择要存储 Event Threat Detection 日志的项目。

  3. 点击查询构建器标签页。

  4. 资源下拉列表中,选择 Threat Detector

    • 要查看所有检测器的发现结果,请选择 all detector_name
    • 要查看特定检测器的发现结果,请选择其名称。
  5. 点击添加。查询会显示在查询构建器文本框中。

  6. 或在文本框中输入以下查询:

    resource.type="threat_detector"
    

  7. 点击运行查询查询结果表将根据您选择的日志进行更新。

  8. 要查看日志,请点击表行,然后点击展开嵌套字段

您可以创建高级日志查询,从任意数量的日志中指定一组日志条目。

发现结果类别

Event Threat Detection 发现的结果包括以下内容:

监控和日志记录 说明
数据遭窃

Event Threat Detection 通过检查以下两种情形的审核日志来检测 BigQuery 中的数据渗漏:

  • 资源保存在您的组织外部,或者尝试执行被 VPC Service Controls 阻止的复制操作。
  • 尝试访问受 VPC Service Controls 保护的 BigQuery 资源。
SSH 暴力破解 Event Threat Detection 会检查 syslog 日志以检查是否存在连续失败,然后会执行成功,从而检测密码身份验证 SSH 的暴力破解。
挖矿 Event Threat Detection 通过检查 VPC 流日志和 Cloud DNS 日志,连接到与挖掘池的已知不良网域的连接来检测金币恶意软件。
IAM 滥用行为

异常值 IAM 授权:Event Threat Detection 会检测可能被视为异常值情况的 IAM 授权,例如:

  • 将 gmail.com 用户添加到具有项目编辑者角色的政策。
  • 通过 Google Cloud Console 邀请 gmail.com 用户成为项目所有者。
  • 授予敏感权限的服务帐号。
  • 自定义角色授予敏感权限。
  • 从您的组织外部添加的服务帐号。
恶意软件 Event Threat Detection 通过检查 VPC 流日志和 Cloud DNS 日志来检查已知命令和控制网域和 IPs,从而检测恶意软件。
网上诱骗 Event Threat Detection 通过检查 VPC 流日志和 Cloud DNS 日志中与已知网上诱骗网域和 IP 的连接来检测网上诱骗。
IAM 行为异常
预览版
Event Threat Detection 会通过检查来自异常 IP 地址的访问的 Cloud Audit Logs 和异常用户代理来检测异常 IAM 行为。
服务帐号自行调查
预览版
Event Threat Detection 检测何时使用服务帐号凭据来调查与同一服务帐号关联的角色和权限。

发现结果格式示例

本部分介绍在 Security Command Center 信息中心创建导出时,或在 Security Command Center API 中运行列出的方法时出现的 Event Threat Detection 发现结果的 JSON 输出格式,

输出示例包含所有发现结果中最常见的字段。但是,某些发现结果可能不会显示部分字段。您看到的实际输出取决于资源的配置以及发现结果的类型和状态。

暴力破解:SSH

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Brute Force: SSH",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "65"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "projectId": "PROJECT_ID",
          "zone": "us-west1-a",
          "instanceId": "INSTANCE_ID",
          "attempts": [
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "SUCCESS"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            },
            {
              "sourceIp": "SOURCE_IP_ADDRESS",
              "username": "PROJECT_ID",
              "vmName": "INSTANCE_ID",
              "authResult": "FAIL"
            }
          ]
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1078/003/"
          }
        },
        "detectionCategory": {
          "technique": "brute_force",
          "indicator": "flow_log",
          "ruleName": "ssh_brute_force"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

发现:服务帐号自行调查


{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1619200104",
            "nanos": 9.08E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "serviceAccountGetsOwnIamPolicy": {
              "structValue": {
                "fields": {
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "projectId": {
                    "primitiveDataType": "STRING"
                  },
                  "callerIp": {
                    "primitiveDataType": "STRING"
                  },
                  "callerUserAgent": {
                    "primitiveDataType": "STRING"
                  },
                  "rawUserAgent": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}

    

数据渗漏:BigQuery 数据渗漏

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resource_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Exfiltration: BigQuery Data Exfiltration",
      "sourceProperties": {
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          },
          {
            "gcpResourceName": "//bigquery.googleapis.com/projects/PROJECT_ID/jobs/JOB_ID"
          }
        ],
        "detectionCategory": {
          "technique": "org_exfiltration",
          "indicator": "audit_log",
          "ruleName": "big_query_exfil",
          "subRuleName": "exfil_to_external_table"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1567/002/"
          }
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "dataExfiltrationAttempt": {
            "jobLink": "https://console.cloud.google.com/bigquery?j=bq:US:bqtriggerjob_1234_UNUSABLE_LINK&project=SOURCE_PROJECT_ID&page=queryresults",
            "jobState": "SUCCEEDED",
            "query": "SQL_QUERY",
            "userEmail": "PROJECT_ID@PROJECT_ID.iam.gserviceaccount.com",
            "job": {
              "projectId": "SOURCE_PROJECT_ID",
              "jobId": "JOB_ID",
              "location": "US"
            },
            "sourceTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=SOURCE_PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "SOURCE_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ],
            "destinationTables": [
              {
                "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
                "projectId": "DESTINATION_PROJECT_ID",
                "datasetId": "DATASET_ID",
                "tableId": "TABLE_ID"
              }
            ]
          }
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

恶意软件:错误网域

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad Domain",
      "sourceProperties": {
        "sourceId": {
          "customerOrganizationNumber": "ORGANIZATION_ID",
          "projectNumber": "PROJECT_NUMBER"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1568/"
          },          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal Domain Link",
              "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
            }
          ]
        },
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "domains": [
            "DOMAIN"
          ],
          "network": {
            "location": "REGION",
            "project": "PROJECT_ID"
          },
          "dnsContexts": [
            {
              "authAnswer": true,
              "sourceIp": "IP_ADDRESS",
              "queryName": "DOMAIN",
              "queryType": "AAAA",
              "responseCode": "NOERROR",
              "responseData": [
                {
                  "domainName": "DOMAIN.",
                  "ttl": 299,
                  "responseClass": "IN",
                  "responseType": "AAAA",
                  "responseValue": "IP_ADDRESS"
                }
              ]
            }
          ]
        },
        "detectionPriority": "HIGH",
        "detectionCategory": {
          "technique": "C2",
          "indicator": "domain",
          "subRuleName": "google_intel",
          "ruleName": "bad_domain"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
 }
    

恶意软件:错误 IP

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "state": "ACTIVE",
      "category": "Malware: Bad IP",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "insertId": "INSERT_ID",
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "ips": [
            "SOURCE_IP_ADDRESS",
            "DESTINATION_IP_ADDRESS"
          ],
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 6
          },
          "network": {
            "project": "PROJECT_ID",
            "location": "ZONE",
            "subnetworkId": "SUBNETWORK_ID",
            "subnetworkName": "default"
          },
          "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/tactics/TA0011/"
          },
          "virustotalIndicatorQueryUri": [
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
            },
            {
              "displayName": "VirusTotal IP Link",
              "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
            }
          ]
        },
        "detectionCategory": {
          "technique": "C2",
          "indicator": "ip",
          "ruleName": "bad_ip",
          "subRuleName": "google_intel"
        },
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ]
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

恶意软件:传出 DoS

{
    "finding": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "state": "ACTIVE",
      "category": "Malware: Outgoing DoS",
      "sourceProperties": {
        "evidence": [
          {
            "sourceLogId": {
              "timestamp": {
                "nanos": 0.0,
                "seconds": "0"
              },
              "resourceContainer": "projects/PROJECT_ID"
            }
          }
        ],
        "properties": {
          "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
          "ipConnection": {
            "srcIp": "SOURCE_IP_ADDRESS",
            "srcPort": SOURCE_PORT,
            "destIp": "DESTINATION_IP_ADDRESS",
            "destPort": DESTINATION_PORT,
            "protocol": 17
          }
        },
        "detectionPriority": "HIGH",
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "affectedResources": [{
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }],
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1498/"
          }
        },
        "detectionCategory": {
          "technique": "malware",
          "indicator": "flow_log",
          "ruleName": "outgoing_dos"
        }
      },
      "severity": "HIGH",
      "eventTime": "1970-01-01T00:00:00Z",
      "createTime": "1970-01-01T00:00:00Z"
    }
}
    

持久化:IAM 异常授权

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Persistence: IAM Anomalous Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1611833917",
            "nanos": 8.71508E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "detectionPriority": "HIGH",
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-01-28T11:38:37.871508Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {
          "displayName": "Related Anomalous Grant Findings",
          "url": "https://console.cloud.google.com/security/command-center/findings?organizationId\u003dORGANIZATION_ID\u0026pageState\u003d(%22cscc-inventory%22:(%22f%22:%22%255B%257B_22k_22_3A_22sourceProperties.detectionCategory.ruleName_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22iam_anomalous_grant_5C_22_22%257D_2C%257B_22k_22_3A_22_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22%2528sourceProperties.properties.sensitiveRoleGrant.principalEmail_3A_5C_5C_5C_22PRINCIPAL_EMAIL_5C_5C_5C_22%2529_5C_22_22%257D%255D%22))"
        }
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_grant",
        "subRuleName": "external_member_invited_to_policy"
      },
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "properties": {
        "sensitiveRoleGrant": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "members": ["user:USER_EMAIL"]
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-01-28T11:38:41.301Z",
    "createTime": "2021-01-28T11:38:42.198Z",
    "propertyDataTypes": {
      "sourceId": {
        "structValue": {
          "fields": {
            "projectNumber": {
              "primitiveDataType": "STRING"
            },
            "customerOrganizationNumber": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "evidence": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "sourceLogId": {
                  "structValue": {
                    "fields": {
                      "projectId": {
                        "primitiveDataType": "STRING"
                      },
                      "resourceContainer": {
                        "primitiveDataType": "STRING"
                      },
                      "timestamp": {
                        "dataType": "TIMESTAMP",
                        "structValue": {
                          "fields": {
                            "seconds": {
                              "primitiveDataType": "STRING"
                            },
                            "nanos": {
                              "primitiveDataType": "NUMBER"
                            }
                          }
                        }
                      },
                      "insertId": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }
              }
            }
          }]
        }
      },
      "detectionPriority": {
        "primitiveDataType": "STRING"
      },
      "findingId": {
        "primitiveDataType": "STRING"
      },
      "contextUris": {
        "structValue": {
          "fields": {
            "mitreUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            },
            "cloudLoggingQueryUri": {
              "listValues": {
                "propertyDataTypes": [{
                  "dataType": "HYPERLINK",
                  "structValue": {
                    "fields": {
                      "display_name": {
                        "primitiveDataType": "STRING"
                      },
                      "url": {
                        "primitiveDataType": "STRING"
                      }
                    }
                  }
                }]
              }
            },
            "relatedFindingUri": {
              "dataType": "HYPERLINK",
              "structValue": {
                "fields": {
                  "display_name": {
                    "primitiveDataType": "STRING"
                  },
                  "url": {
                    "primitiveDataType": "STRING"
                  }
                }
              }
            }
          }
        }
      },
      "detectionCategory": {
        "structValue": {
          "fields": {
            "technique": {
              "primitiveDataType": "STRING"
            },
            "indicator": {
              "primitiveDataType": "STRING"
            },
            "ruleName": {
              "primitiveDataType": "STRING"
            },
            "subRuleName": {
              "primitiveDataType": "STRING"
            }
          }
        }
      },
      "affectedResources": {
        "listValues": {
          "propertyDataTypes": [{
            "structValue": {
              "fields": {
                "gcpResourceName": {
                  "primitiveDataType": "STRING"
                }
              }
            }
          }]
        }
      },
      "properties": {
        "structValue": {
          "fields": {
            "sensitiveRoleGrant": {
              "structValue": {
                "fields": {
                  "principalEmail": {
                    "primitiveDataType": "STRING"
                  },
                  "members": {
                    "listValues": {
                      "propertyDataTypes": [{
                        "primitiveDataType": "STRING"
                      }]
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "PARENT_NAME"
    }]
  }
}
    

后续步骤