En esta página, se muestra cómo revisar los hallazgos del Servicio de acciones sensibles en el La consola de Google Cloud incluye ejemplos de hallazgos del Servicio de acciones sensibles.
El servicio de acciones sensibles es un servicio integrado de Security Command Center que detecta cuándo acciones se realizan en tu organización, carpetas y proyectos que podrían ser perjudiciales para tu negocio si son tomados por o de un agente malicioso. Para obtener más información, consulta la descripción general del servicio de acciones sensibles.
Revisión de los hallazgos del Servicio de acciones sensibles
El servicio de acciones sensibles siempre estará habilitado cuando actives el nivel Estándar de Security Command Center y no se puede inhabilitar. Para ver más sobre los tipos de hallazgos del Servicio de acciones sensibles, consulta Hallazgos.
Cuando el Servicio de acciones sensibles detecta una acción que se considera sensible, crea un hallazgo y una entrada de registro. Puedes ver el hallazgo Consola de Google Cloud Puedes consultar las entradas de registro en Cloud Logging. Para probar el servicio de acciones sensibles, realiza una acción sensible y asegúrate de que hallazgo aparecerá en la página Hallazgos en la consola de Google Cloud. Para obtener más información, consulta Prueba el servicio de acciones sensibles.
Revisa resultados en Security Command Center
Los roles de IAM para Security Command Center se pueden otorgar a nivel de la organización, a nivel de carpeta o proyecto. Tu capacidad para ver, editar, crear o actualizar resultados, recursos, y las fuentes de seguridad dependen del nivel al que se te otorgue acceso. Para aprender para obtener más información sobre los roles de Security Command Center, consulta Control de acceso.
Para revisar los hallazgos del Servicio de acciones sensibles en la consola de Google Cloud, sigue estos pasos: estos pasos:
En la consola de Google Cloud, ve a la página Resultados de Security Command Center.
Si es necesario, selecciona tu organización o proyecto de Google Cloud.
En la sección Filtros rápidos, en Nombre visible de la fuente en la subsección correspondiente, selecciona Servicio de acciones sensibles.
La tabla se propaga con los resultados del Servicio de acciones sensibles.
Para ver los detalles de un resultado específico, haz clic en el nombre del resultado en
Category. El panel de detalles de resultados se expande para mostrar información que incluye lo siguiente:- Un resumen generado por IAVista previa del problema
- Cuándo ocurrió el evento
- La fuente de los datos de los resultados
- La gravedad de la detección, por ejemplo Alta
- Las acciones realizadas, como agregar un rol de Propietario o Editor, nivel de organización a un usuario de Gmail
- El usuario que realizó la acción, que se encuentra junto a Correo electrónico principal
Para mostrar todos los resultados que generaron las mismas acciones del usuario, haz lo siguiente:
- En el panel de detalles de los resultados, copia la dirección de correo electrónico junto a Correo electrónico principal
- Cerrar el panel
En el compilador de consultas, ingresa la siguiente consulta:
access.principal_email="USER_EMAIL"Reemplaza USER_EMAIL por la dirección de correo electrónico que se copió anteriormente.
Security Command Center muestra todos los resultados asociados con acciones realizadas por el usuario que especificaste.
Visualiza los resultados en Cloud Logging
El servicio de acciones sensibles escribe una entrada de registro en los registros de la plataforma de Google Cloud. para cada acción sensible si la encuentra. Estas entradas de registro se escriben incluso si no habilitaste Security Command Center.
Para ver las entradas de registro de acciones sensibles en Cloud Logging, haz lo siguiente:
Ve al Explorador de registros en la consola de Google Cloud.
En el selector de proyectos, en la parte superior de la página, selecciona el proyecto. para las que deseas ver las entradas de registro del Servicio de acciones sensibles. Como alternativa, para ver las entradas de registro a nivel de la organización, selecciona dentro de la organización.
En el cuadro de texto Consulta, ingresa la siguiente definición de recurso:
resource.type="sensitiveaction.googleapis.com/Location"Haga clic en Ejecutar consulta. La tabla Resultados de la consulta se actualiza con cualquier entrada de registro coincidente que se haya escrito dentro del período de tu para cada búsqueda.
Para ver los detalles de una entrada de registro, haz clic en una fila de la tabla y, luego, en Expande los campos anidados.
Puedes crear consultas de registros avanzados para especificar un conjunto de entradas de cualquier cantidad de registros.
Ejemplos de formatos de hallazgos
En esta sección, se incluye el resultado de JSON de los hallazgos del Servicio de acciones sensibles. tal como aparecen cuando creas exportaciones desde la consola de Google Cloud o ejecutar métodos de lista en la API de Security Command Center.
Los ejemplos de salida contienen los campos más comunes a todos los resultados. Sin embargo, es posible que no aparezcan todos los campos en todos los resultados. El resultado real que ves depende de la configuración de un recurso, y del tipo y estado de de los resultados de búsqueda.
Para ver hallazgos de ejemplo, expande uno o más de los siguientes nodos.
Evasión de defensa: política de la organización modificada
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "orgpolicy.googleapis.com",
"methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Organization Policy Changed",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-27T12:35:30.466Z",
"database": {},
"eventTime": "2022-08-27T12:35:30.264Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"IMPAIR_DEFENSES"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"display_name": "",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "change_organization_policy"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661603725",
"nanos": 12242032
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Evasión de defensa: Quitar administrador de facturación
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Remove Billing Admin",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T14:47:11.752Z",
"database": {},
"eventTime": "2022-08-31T14:47:11.256Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "REMOVE",
"role": "roles/billing.admin",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "remove_billing_admin"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661957226",
"nanos": 356329000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1578/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Impacto: Se creó la instancia de GPU
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "beta.compute.instances.insert"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Impact: GPU Instance Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-11T19:13:11.134Z",
"database": {},
"eventTime": "2022-08-11T19:13:09.885Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "gpu_instance_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1660245184",
"nanos": 578768000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Impacto: se crearon muchas instancias
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.insert",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:18:18.112Z",
"database": {},
"eventTime": "2022-08-22T21:18:17.759Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203092",
"nanos": 314642000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Impacto: se borraron muchas instancias
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.delete",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Deleted",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:21:11.432Z",
"database": {},
"eventTime": "2022-08-22T21:21:11.144Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_deleted"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203265",
"nanos": 669160000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Persistencia: Agrega un rol sensible
Este hallazgo no está disponible para activaciones a nivel de proyecto.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: Add Sensitive Role",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T17:20:13.305Z",
"database": {},
"eventTime": "2022-08-31T17:20:11.929Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "ADD",
"role": "roles/editor",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_sensitive_role"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661966410",
"nanos": 132148000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Persistencia: Se agregó la clave SSH al proyecto
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.projects.setCommonInstanceMetadata",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Persistence: Project SSH Key Added",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-25T13:24:43.142Z",
"database": {},
"eventTime": "2022-08-25T13:24:42.719Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION",
"SSH_AUTHORIZED_KEYS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Project",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_ssh_key"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661433879",
"nanos": 413362000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
¿Qué sigue?
- Obtén más información sobre cómo funciona el Servicio de acciones sensibles.
- Obtén información sobre cómo investigar y desarrollar planes de respuesta. para detectar amenazas.