Using Sensitive Actions Service

Stay organized with collections Save and categorize content based on your preferences.

This page shows you how to review Sensitive Actions Service findings in the Security Command Center dashboard and includes examples of Sensitive Actions Service findings.

Sensitive Actions Service is a built-in service of the Security Command Center Premium tier that detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they are taken by a malicious actor. To learn more, see Sensitive Actions Service overview.

Reviewing Sensitive Actions Service findings

Sensitive Actions Service is always enabled when you are subscribed to the Security Command Center Premium tier, and cannot be disabled. For more information about Sensitive Actions Service finding types, see Findings.

When Sensitive Actions Service detects an action that is considered sensitive, it creates a finding and a log entry. You can view the finding in the Security Command Center dashboard. You can query the log entries in Cloud Logging. To test Sensitive Actions Service, perform a sensitive action and make sure the finding appears in the Security Command Center dashboard. For more information, see Testing Sensitive Actions Service.

Reviewing findings in Security Command Center

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

To review Sensitive Actions Service findings in Security Command Center, do the following:

Legacy Findings page

  1. Go to the Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. Next to View by, click Source Type.

  3. In the Source type list, select Sensitive Actions Service.

  4. To view details about a specific finding, click the finding name under category. The Finding Details pane expands to display information, including the following:

    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The actions taken, like adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who took the action, listed next to properties_principalEmail
  5. To display all findings that were caused by the same user's actions:

    1. On the finding detail pane, copy the email address next to properties_principalEmail.
    2. Close the Finding Details pane.
    3. In the Findings tab Filter box, enter the following query:
    sourceProperties.properties_principalEmail:"USER_EMAIL"
    

    Replace USER_EMAIL with the email address you previously copied.

    Security Command Center displays all findings that are associated with actions taken by the user you specified.

Findings page (Preview)

If you opted to upgrade to the Findings Workflow Improvements, follow these steps:

  1. In the Google Cloud console, go to the Security Command Center Findings page.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. In the Quick filters section, in the Source display name subsection, select Sensitive Actions Service.

    The table is populated with Sensitive Actions Service findings.

  4. To view details of a specific finding, click the finding name under Category. The finding details pane expands to display information including the following:

    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The actions taken, like adding an Owner or Editor role at the organization level to a Gmail user
    • The user who took the action, listed next to Principal email
  5. To display all findings that were caused by the same user's actions:

    1. On the finding details pane, copy the email address next to Principal email.
    2. Close the pane.
    3. In query builder, enter the following query:
    access.principal_email="USER_EMAIL"
    

    Replace USER_EMAIL with the email address you previously copied.

    Security Command Center displays all findings that are associated with actions taken by the user you specified.

Viewing findings in Cloud Logging

Sensitive Actions Service writes a log entry to the Google Cloud platform logs for each sensitive action if finds. These log entries are written even if you have not enabled Security Command Center.

To view the log entries for sensitive actions in Cloud Logging, do the following:

  1. Go to Logs Explorer in the Google Cloud console.

    Go to Logs Explorer

  2. In the Project selector at the top of the page, select the project for which you would like to see the Sensitive Actions Service log entries. Alternatively, to see log entries at the organization level, select the organization.

  3. In the Query text box, enter the following resource definition: resource.type="sensitiveaction.googleapis.com/Location"

  4. Click Run Query. The Query results table is updated with any matching log entries that were written within the time period of your query.

  5. To view the details of a log entry, click a table row, then click Expand nested fields.

You can create advanced log queries to specify a set of log entries from any number of logs.

Example Finding Formats

This section includes the JSON output for the Sensitive Actions Service findings as they appear when you create exports from the Security Command Center dashboard or run list methods in the Security Command Center API.

The output examples contain the fields most common to all findings. However, all fields might not appear in every finding. The actual output you see depends on a resource's configuration and the type and state of findings.

To see example findings, expand one or more of the following nodes.

Defense Evasion: Organization Policy Changed

      {
        "findings": {
          "access": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "callerIp": "PRINCIPAL_IP_ADDRESS",
            "callerIpGeo": {
              "regionCode": "US"
            },
            "serviceName": "orgpolicy.googleapis.com",
            "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
            "principalSubject": "user:PRINCIPAL_EMAIL"
          },
          "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "category": "Defense Evasion: Organization Policy Changed",
          "contacts": {
            "technical": {
              "contacts": [
                {
                  "email": "EMAIL_ADDRESS_1"
                },
                {
                  "email": "EMAIL_ADDRESS_2"
                },
              ]
            }
          },
          "createTime": "2022-08-27T12:35:30.466Z",
          "database": {},
          "eventTime": "2022-08-27T12:35:30.264Z",
          "exfiltration": {},
          "findingClass": "OBSERVATION",
          "indicator": {},
          "kubernetes": {},
          "mitreAttack": {
            "primaryTactic": "DEFENSE_EVASION",
            "primaryTechniques": [
              "IMPAIR_DEFENSES"
            ]
          },
          "mute": "UNDEFINED",
          "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
          "parentDisplayName": "Sensitive Actions",
          "resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
          "severity": "LOW",
          "sourceDisplayName": "Sensitive Actions Service",
          "state": "ACTIVE",
          "vulnerability": {},
          "workflowState": "NEW"
        },
        "resource": {
          "name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
          "display_name": "",
          "project_name": "",
          "project_display_name": "",
          "parent_name": "",
          "parent_display_name": "",
          "type": "",
          "folders": []
        },
        "sourceProperties": {
          "sourceId": {
            "organizationNumber": "ORGANIZATION_ID",
            "customerOrganizationNumber": "ORGANIZATION_ID"
          },
          "detectionCategory": {
            "ruleName": "sensitive_action",
            "subRuleName": "change_organization_policy"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID"
            },
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
            },
            {
              "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "resourceContainer": "organizations/ORGANIZATION_ID",
                "timestamp": {
                  "seconds": "1661603725",
                  "nanos": 12242032
                },
                "insertId": "INSERT_ID"
              }
            }
          ],
          "properties": {},
          "findingId": "FINDING_ID",
          "contextUris": {
            "mitreUri": {
              "displayName": "MITRE Link",
              "url": "https://attack.mitre.org/techniques/T1562/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
              }
            ],
            "relatedFindingUri": {}
          }
        }
      }
    

Defense Evasion: Remove Billing Admin

      {
        "findings": {
          "access": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "callerIp": "PRINCIPAL_IP_ADDRESS",
            "callerIpGeo": {},
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "principalSubject": "user:PRINCIPAL_EMAIL"
          },
          "assetDisplayName": "organizations/ORGANIZATION_ID",
          "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
          "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "category": "Defense Evasion: Remove Billing Admin",
          "contacts": {
            "technical": {
              "contacts": [
                {
                  "email": "EMAIL_ADDRESS_1"
                },
                {
                  "email": "EMAIL_ADDRESS_2"
                },
              ]
            }
          },
          "createTime": "2022-08-31T14:47:11.752Z",
          "database": {},
          "eventTime": "2022-08-31T14:47:11.256Z",
          "exfiltration": {},
          "findingClass": "OBSERVATION",
          "iamBindings": [
            {
              "action": "REMOVE",
              "role": "roles/billing.admin",
              "member": "user:PRINCIPAL_ACCOUNT_CHANGED"
            }
          ],
          "indicator": {},
          "kubernetes": {},
          "mitreAttack": {
            "primaryTactic": "DEFENSE_EVASION",
            "primaryTechniques": [
              "MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE"
            ]
          },
          "mute": "UNDEFINED",
          "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
          "parentDisplayName": "Sensitive Actions Service",
          "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
          "severity": "LOW",
          "sourceDisplayName": "Sensitive Actions Service",
          "state": "ACTIVE",
          "vulnerability": {},
          "workflowState": "NEW"
        },
        "resource": {
          "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
          "display_name": "ORGANIZATION_NAME",
          "project_name": "",
          "project_display_name": "",
          "parent_name": "",
          "parent_display_name": "",
          "type": "google.cloud.resourcemanager.Organization",
          "folders": []
        },
        "sourceProperties": {
          "sourceId": {
            "organizationNumber": "ORGANIZATION_ID",
            "customerOrganizationNumber": "ORGANIZATION_ID"
          },
          "detectionCategory": {
            "ruleName": "sensitive_action",
            "subRuleName": "remove_billing_admin"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "resourceContainer": "organizations/ORGANIZATION_ID",
                "timestamp": {
                  "seconds": "1661957226",
                  "nanos": 356329000
                },
                "insertId": "INSERT_ID"
              }
            }
          ],
          "properties": {},
          "findingId": "FINDING_ID",
          "contextUris": {
            "mitreUri": {
              "displayName": "MITRE Link",
              "url": "https://attack.mitre.org/techniques/T1578/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
              }
            ],
            "relatedFindingUri": {}
          }
        }
      }
    

Impact: GPU Instance Created

      {
        "findings": {
          "access": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "callerIp": "PRINCIPAL_IP_ADDRESS",
            "callerIpGeo": {
              "regionCode": "US"
            },
            "serviceName": "compute.googleapis.com",
            "methodName": "beta.compute.instances.insert"
          },
          "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
          "category": "Impact: GPU Instance Created",
          "contacts": {
            "technical": {
              "contacts": [
                {
                  "email": "EMAIL_ADDRESS_1"
                },
                {
                  "email": "EMAIL_ADDRESS_2"
                },
              ]
            }
          },
          "createTime": "2022-08-11T19:13:11.134Z",
          "database": {},
          "eventTime": "2022-08-11T19:13:09.885Z",
          "exfiltration": {},
          "findingClass": "OBSERVATION",
          "indicator": {},
          "kubernetes": {},
          "mitreAttack": {
            "primaryTactic": "IMPACT",
            "primaryTechniques": [
              "RESOURCE_HIJACKING"
            ]
          },
          "mute": "UNDEFINED",
          "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
          "parentDisplayName": "Sensitive Actions",
          "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
          "severity": "LOW",
          "sourceDisplayName": "Sensitive Actions Service",
          "state": "ACTIVE",
          "vulnerability": {},
          "workflowState": "NEW"
        },
        "resource": {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
          "display_name": "VM_INSTANCE_NAME",
          "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
          "project_display_name": "PROJECT_ID",
          "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
          "parent_display_name": "PROJECT_ID",
          "type": "google.compute.Instance",
          "folders": [
            {
              "resourceFolderDisplayName": "FOLDER_NAME",
              "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
            }
          ]
        },
        "sourceProperties": {
          "sourceId": {
            "projectNumber": "PROJECT_NUMBER",
            "customerOrganizationNumber": "ORGANIZATION_ID"
          },
          "detectionCategory": {
            "ruleName": "sensitive_action",
            "subRuleName": "gpu_instance_created"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
            },
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "projectId": "PROJECT_ID",
                "resourceContainer": "projects/PROJECT_ID",
                "timestamp": {
                  "seconds": "1660245184",
                  "nanos": 578768000
                },
                "insertId": "INSERT_ID"
              }
            }
          ],
          "properties": {},
          "findingId": "FINDING_ID",
          "contextUris": {
            "mitreUri": {
              "displayName": "MITRE Link",
              "url": "https://attack.mitre.org/techniques/T1496/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
              }
            ],
            "relatedFindingUri": {}
          }
        }
      }
    

Impact: Many Instances Created

    {
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIpGeo": {},
          "serviceName": "compute.googleapis.com",
          "methodName": "v1.compute.instances.insert",
          "principalSubject": "user:USER_EMAIL"
        },
        "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "category": "Impact: Many Instances Created",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-22T21:18:18.112Z",
        "database": {},
        "eventTime": "2022-08-22T21:18:17.759Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "IMPACT",
          "primaryTechniques": [
            "RESOURCE_HIJACKING"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
        "parentDisplayName": "Sensitive Actions",
        "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "display_name": "",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.compute.Instance",
        "folders": [
          {
            "resourceFolderDisplayName": "FOLDER_NAME",
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
          }
        ]
      },
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "many_instances_created"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
          },
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": {
                "seconds": "1661203092",
                "nanos": 314642000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1496/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

Impact: Many Instances Deleted

    {
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIpGeo": {},
          "serviceName": "compute.googleapis.com",
          "methodName": "v1.compute.instances.delete",
          "principalSubject": "user:USER_EMAIL"
        },
        "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "category": "Impact: Many Instances Deleted",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-22T21:21:11.432Z",
        "database": {},
        "eventTime": "2022-08-22T21:21:11.144Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "IMPACT",
          "primaryTechniques": [
            "DATA_DESTRUCTION"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
        "parentDisplayName": "Sensitive Actions",
        "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "display_name": "VM_INSTANCE_NAME",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.compute.Instance",
        "folders": [
          {
            "resourceFolderDisplayName": "FOLDER_NAME",
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
          }
        ]
      },
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "many_instances_deleted"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
          },
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": {
                "seconds": "1661203265",
                "nanos": 669160000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1485/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

Persistence: Add Sensitive Role

{
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIp": "PRINCIPAL_IP_ADDRESS",
          "callerIpGeo": {},
          "serviceName": "cloudresourcemanager.googleapis.com",
          "methodName": "SetIamPolicy",
          "principalSubject": "user:PRINCIPAL_EMAIL"
        },
        "assetDisplayName": "organizations/ORGANIZATION_ID",
        "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
        "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Persistence: Add Sensitive Role",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-31T17:20:13.305Z",
        "database": {},
        "eventTime": "2022-08-31T17:20:11.929Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "iamBindings": [
          {
            "action": "ADD",
            "role": "roles/editor",
            "member": "user:PRINCIPAL_ACCOUNT_CHANGED"
          }
        ],
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "PERSISTENCE",
          "primaryTechniques": [
            "ACCOUNT_MANIPULATION"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
        "parentDisplayName": "Sensitive Actions Service",
        "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions Service",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
        "display_name": "ORGANIZATION_NAME",
        "project_name": "",
        "project_display_name": "",
        "parent_name": "",
        "parent_display_name": "",
        "type": "google.cloud.resourcemanager.Organization",
        "folders": []
      },
      "sourceProperties": {
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "add_sensitive_role"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "resourceContainer": "organizations/ORGANIZATION_ID",
              "timestamp": {
                "seconds": "1661966410",
                "nanos": 132148000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1098/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

Persistence: Project SSH Key Added

    {
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIp": "PRINCIPAL_IP_ADDRESS",
          "callerIpGeo": {
            "regionCode": "US"
          },
          "serviceName": "compute.googleapis.com",
          "methodName": "v1.compute.projects.setCommonInstanceMetadata",
          "principalSubject": "user:USER_EMAIL"
        },
        "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "category": "Persistence: Project SSH Key Added",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-25T13:24:43.142Z",
        "database": {},
        "eventTime": "2022-08-25T13:24:42.719Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "PERSISTENCE",
          "primaryTechniques": [
            "ACCOUNT_MANIPULATION",
            "SSH_AUTHORIZED_KEYS"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
        "parentDisplayName": "Sensitive Actions",
        "resourceName": "//compute.googleapis.com/projects/PROJECT_ID",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//compute.googleapis.com/projects/PROJECT_ID",
        "display_name": "PROJECT_ID",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.compute.Project",
        "folders": [
          {
            "resourceFolderDisplayName": "FOLDER_NAME",
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
          }
        ]
      },
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "add_ssh_key"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID"
          },
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": {
                "seconds": "1661433879",
                "nanos": 413362000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1098/004/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

What's next