Menggunakan Layanan Tindakan Sensitif

Halaman ini menunjukkan cara meninjau temuan Layanan Tindakan Sensitif di konsol Google Cloud dan menyertakan contoh temuan Layanan Tindakan Sensitif.

Layanan Tindakan Sensitif adalah layanan bawaan Security Command Center yang mendeteksi kapan tindakan dilakukan di organisasi, folder, dan project Google Cloud Anda yang dapat merusak bisnis Anda jika dilakukan oleh pelaku berbahaya. Untuk mempelajari lebih lanjut, lihat Ringkasan Layanan Tindakan Sensitif.

Meninjau temuan Layanan Tindakan Sensitif

Layanan Tindakan Sensitif selalu diaktifkan saat Anda mengaktifkan ke paket Standar Security Command Center, dan tidak dapat dinonaktifkan. Untuk mengetahui informasi selengkapnya tentang jenis temuan Layanan Tindakan Sensitif, lihat Temuan.

Saat mendeteksi tindakan yang dianggap sensitif, Layanan Tindakan Sensitif akan membuat temuan dan entri log. Anda dapat melihat temuan di konsol Google Cloud. Anda dapat membuat kueri entri log di Cloud Logging. Untuk menguji Layanan Tindakan Sensitif, lakukan tindakan sensitif dan pastikan temuan muncul di halaman Temuan di Konsol Google Cloud. Untuk informasi selengkapnya, lihat Menguji Layanan Tindakan Sensitif.

Meninjau temuan di Security Command Center

Peran IAM untuk Security Command Center dapat diberikan di tingkat organisasi, folder, atau project. Kemampuan Anda untuk melihat, mengedit, membuat, atau memperbarui temuan, aset, dan sumber keamanan bergantung pada tingkat akses yang Anda terima. Untuk mempelajari peran Security Command Center lebih lanjut, lihat Kontrol akses.

Untuk meninjau temuan Layanan Action Sensitif di konsol, ikuti langkah-langkah berikut:

Konsol Google Cloud

  1. Di konsol Google Cloud, buka halaman Temuan di Security Command Center.

    Buka Temuan

  2. Pilih project atau organisasi Google Cloud Anda.
  3. Di bagian Quick filters, di subbagian Source display name, pilih Sensitive Actions Service. Hasil kueri temuan diperbarui untuk hanya menampilkan temuan dari sumber ini.
  4. Untuk melihat detail temuan tertentu, klik nama temuan di kolom Kategori. Panel detail untuk temuan akan terbuka dan menampilkan tab Ringkasan.
  5. Di tab Ringkasan, tinjau detail temuan, termasuk informasi tentang apa yang terdeteksi, resource yang terpengaruh, dan—jika tersedia—langkah-langkah yang dapat Anda lakukan untuk memperbaiki temuan tersebut.
  6. Opsional: Untuk melihat definisi JSON lengkap dari temuan, klik tab JSON.

Konsol Security Operations

  1. Di konsol Security Operations, buka halaman Temuan.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings
    

    Ganti CUSTOMER_SUBDOMAIN dengan ID khusus pelanggan Anda.

  2. Di bagian Aggregations, klik untuk meluaskan subbagian Source Display Name.
  3. Pilih Layanan Tindakan Sensitif. Hasil kueri temuan diperbarui untuk hanya menampilkan temuan dari sumber ini.
  4. Untuk melihat detail temuan tertentu, klik nama temuan di kolom Kategori. Panel detail untuk temuan akan terbuka dan menampilkan tab Ringkasan.
  5. Di tab Ringkasan, tinjau detail temuan, termasuk informasi tentang apa yang terdeteksi, resource yang terpengaruh, dan—jika tersedia—langkah-langkah yang dapat Anda lakukan untuk memperbaiki temuan tersebut.
  6. Opsional: Untuk melihat definisi JSON lengkap dari temuan, klik tab JSON.

Melihat temuan yang disebabkan oleh aktor yang sama

Saat menyelidiki apakah tindakan sensitif dilakukan oleh pelaku malicious, sebaiknya telusuri temuan lain yang disebabkan oleh pelaku tersebut.

Untuk melihat semua temuan yang disebabkan oleh aktor yang sama, ikuti langkah-langkah berikut:

  1. Buka temuan dan lihat detailnya.
  2. Di panel detail penemuan, salin alamat email di samping Email utama.
  3. Tutup panel.
  4. Di Query editor, tempel kueri berikut:

    access.principal_email="PRINCIPAL_EMAIL"
    

    Ganti PRINCIPAL_EMAIL dengan alamat email yang Anda salin sebelumnya. Security Command Center menampilkan semua temuan yang terkait dengan tindakan yang dilakukan oleh aktor yang Anda tentukan.

Melihat temuan di Cloud Logging

Layanan Tindakan Sensitif menulis entri log ke log platform Google Cloud untuk setiap tindakan sensitif jika ditemukan. Entri log ini ditulis meskipun Anda belum mengaktifkan Security Command Center.

Untuk melihat entri log tindakan sensitif di Cloud Logging, lakukan tindakan berikut:

  1. Buka Logs Explorer di konsol Google Cloud.

    Buka Logs Explorer

  2. Di Project selector di bagian atas halaman, pilih project yang entri log Layanan Tindakan Sensitifnya ingin Anda lihat. Atau, untuk melihat entri log di tingkat organisasi, pilih organisasi.

  3. Di kotak teks Query, masukkan definisi resource berikut: resource.type="sensitiveaction.googleapis.com/Location"

  4. Klik Run Query. Tabel Hasil kueri diperbarui dengan entri log yang cocok yang ditulis dalam jangka waktu kueri Anda.

  5. Untuk melihat detail entri log, klik baris tabel, lalu klik Luaskan kolom bertingkat.

Anda dapat membuat kueri log lanjutan untuk menentukan kumpulan entri log dari sejumlah log.

Contoh Format Penemuan

Bagian ini menyertakan output JSON untuk temuan Layanan Tindakan Sensitif seperti yang muncul saat Anda membuat ekspor dari konsol Google Cloud atau menjalankan metode daftar di Security Command Center API.

Contoh output berisi kolom yang paling umum untuk semua temuan. Namun, semua kolom mungkin tidak muncul di setiap temuan. Output sebenarnya yang Anda lihat bergantung pada konfigurasi resource serta jenis dan status temuan.

Untuk melihat contoh temuan, luaskan satu atau beberapa node berikut.

Penghindaran Pertahanan: Kebijakan Organisasi Diubah

Temuan ini tidak tersedia untuk aktivasi tingkat project.

      {
        "findings": {
          "access": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "callerIp": "PRINCIPAL_IP_ADDRESS",
            "callerIpGeo": {
              "regionCode": "US"
            },
            "serviceName": "orgpolicy.googleapis.com",
            "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
            "principalSubject": "user:PRINCIPAL_EMAIL"
          },
          "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "category": "Defense Evasion: Organization Policy Changed",
          "contacts": {
            "technical": {
              "contacts": [
                {
                  "email": "EMAIL_ADDRESS_1"
                },
                {
                  "email": "EMAIL_ADDRESS_2"
                },
              ]
            }
          },
          "createTime": "2022-08-27T12:35:30.466Z",
          "database": {},
          "eventTime": "2022-08-27T12:35:30.264Z",
          "exfiltration": {},
          "findingClass": "OBSERVATION",
          "indicator": {},
          "kubernetes": {},
          "mitreAttack": {
            "primaryTactic": "DEFENSE_EVASION",
            "primaryTechniques": [
              "IMPAIR_DEFENSES"
            ]
          },
          "mute": "UNDEFINED",
          "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
          "parentDisplayName": "Sensitive Actions",
          "resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
          "severity": "LOW",
          "sourceDisplayName": "Sensitive Actions Service",
          "state": "ACTIVE",
          "vulnerability": {},
          "workflowState": "NEW"
        },
        "resource": {
          "name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
          "display_name": "",
          "project_name": "",
          "project_display_name": "",
          "parent_name": "",
          "parent_display_name": "",
          "type": "",
          "folders": []
        },
        "sourceProperties": {
          "sourceId": {
            "organizationNumber": "ORGANIZATION_ID",
            "customerOrganizationNumber": "ORGANIZATION_ID"
          },
          "detectionCategory": {
            "ruleName": "sensitive_action",
            "subRuleName": "change_organization_policy"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID"
            },
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
            },
            {
              "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "resourceContainer": "organizations/ORGANIZATION_ID",
                "timestamp": {
                  "seconds": "1661603725",
                  "nanos": 12242032
                },
                "insertId": "INSERT_ID"
              }
            }
          ],
          "properties": {},
          "findingId": "FINDING_ID",
          "contextUris": {
            "mitreUri": {
              "displayName": "MITRE Link",
              "url": "https://attack.mitre.org/techniques/T1562/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
              }
            ],
            "relatedFindingUri": {}
          }
        }
      }
    

Penghindaran Pertahanan: Menghapus Admin Penagihan

Temuan ini tidak tersedia untuk aktivasi tingkat project.

      {
        "findings": {
          "access": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "callerIp": "PRINCIPAL_IP_ADDRESS",
            "callerIpGeo": {},
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "principalSubject": "user:PRINCIPAL_EMAIL"
          },
          "assetDisplayName": "organizations/ORGANIZATION_ID",
          "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
          "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "category": "Defense Evasion: Remove Billing Admin",
          "contacts": {
            "technical": {
              "contacts": [
                {
                  "email": "EMAIL_ADDRESS_1"
                },
                {
                  "email": "EMAIL_ADDRESS_2"
                },
              ]
            }
          },
          "createTime": "2022-08-31T14:47:11.752Z",
          "database": {},
          "eventTime": "2022-08-31T14:47:11.256Z",
          "exfiltration": {},
          "findingClass": "OBSERVATION",
          "iamBindings": [
            {
              "action": "REMOVE",
              "role": "roles/billing.admin",
              "member": "user:PRINCIPAL_ACCOUNT_CHANGED"
            }
          ],
          "indicator": {},
          "kubernetes": {},
          "mitreAttack": {
            "primaryTactic": "DEFENSE_EVASION",
            "primaryTechniques": [
              "MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE"
            ]
          },
          "mute": "UNDEFINED",
          "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
          "parentDisplayName": "Sensitive Actions Service",
          "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
          "severity": "LOW",
          "sourceDisplayName": "Sensitive Actions Service",
          "state": "ACTIVE",
          "vulnerability": {},
          "workflowState": "NEW"
        },
        "resource": {
          "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
          "display_name": "ORGANIZATION_NAME",
          "project_name": "",
          "project_display_name": "",
          "parent_name": "",
          "parent_display_name": "",
          "type": "google.cloud.resourcemanager.Organization",
          "folders": []
        },
        "sourceProperties": {
          "sourceId": {
            "organizationNumber": "ORGANIZATION_ID",
            "customerOrganizationNumber": "ORGANIZATION_ID"
          },
          "detectionCategory": {
            "ruleName": "sensitive_action",
            "subRuleName": "remove_billing_admin"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "resourceContainer": "organizations/ORGANIZATION_ID",
                "timestamp": {
                  "seconds": "1661957226",
                  "nanos": 356329000
                },
                "insertId": "INSERT_ID"
              }
            }
          ],
          "properties": {},
          "findingId": "FINDING_ID",
          "contextUris": {
            "mitreUri": {
              "displayName": "MITRE Link",
              "url": "https://attack.mitre.org/techniques/T1578/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
              }
            ],
            "relatedFindingUri": {}
          }
        }
      }
    

Dampak: Instance GPU Dibuat

      {
        "findings": {
          "access": {
            "principalEmail": "PRINCIPAL_EMAIL",
            "callerIp": "PRINCIPAL_IP_ADDRESS",
            "callerIpGeo": {
              "regionCode": "US"
            },
            "serviceName": "compute.googleapis.com",
            "methodName": "beta.compute.instances.insert"
          },
          "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
          "category": "Impact: GPU Instance Created",
          "contacts": {
            "technical": {
              "contacts": [
                {
                  "email": "EMAIL_ADDRESS_1"
                },
                {
                  "email": "EMAIL_ADDRESS_2"
                },
              ]
            }
          },
          "createTime": "2022-08-11T19:13:11.134Z",
          "database": {},
          "eventTime": "2022-08-11T19:13:09.885Z",
          "exfiltration": {},
          "findingClass": "OBSERVATION",
          "indicator": {},
          "kubernetes": {},
          "mitreAttack": {
            "primaryTactic": "IMPACT",
            "primaryTechniques": [
              "RESOURCE_HIJACKING"
            ]
          },
          "mute": "UNDEFINED",
          "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
          "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
          "parentDisplayName": "Sensitive Actions",
          "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
          "severity": "LOW",
          "sourceDisplayName": "Sensitive Actions Service",
          "state": "ACTIVE",
          "vulnerability": {},
          "workflowState": "NEW"
        },
        "resource": {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
          "display_name": "VM_INSTANCE_NAME",
          "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
          "project_display_name": "PROJECT_ID",
          "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
          "parent_display_name": "PROJECT_ID",
          "type": "google.compute.Instance",
          "folders": [
            {
              "resourceFolderDisplayName": "FOLDER_NAME",
              "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
            }
          ]
        },
        "sourceProperties": {
          "sourceId": {
            "projectNumber": "PROJECT_NUMBER",
            "customerOrganizationNumber": "ORGANIZATION_ID"
          },
          "detectionCategory": {
            "ruleName": "sensitive_action",
            "subRuleName": "gpu_instance_created"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
            },
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "projectId": "PROJECT_ID",
                "resourceContainer": "projects/PROJECT_ID",
                "timestamp": {
                  "seconds": "1660245184",
                  "nanos": 578768000
                },
                "insertId": "INSERT_ID"
              }
            }
          ],
          "properties": {},
          "findingId": "FINDING_ID",
          "contextUris": {
            "mitreUri": {
              "displayName": "MITRE Link",
              "url": "https://attack.mitre.org/techniques/T1496/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
              }
            ],
            "relatedFindingUri": {}
          }
        }
      }
    

Dampak: Banyak Instance yang Dibuat

    {
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIpGeo": {},
          "serviceName": "compute.googleapis.com",
          "methodName": "v1.compute.instances.insert",
          "principalSubject": "user:USER_EMAIL"
        },
        "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "category": "Impact: Many Instances Created",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-22T21:18:18.112Z",
        "database": {},
        "eventTime": "2022-08-22T21:18:17.759Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "IMPACT",
          "primaryTechniques": [
            "RESOURCE_HIJACKING"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
        "parentDisplayName": "Sensitive Actions",
        "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "display_name": "",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.compute.Instance",
        "folders": [
          {
            "resourceFolderDisplayName": "FOLDER_NAME",
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
          }
        ]
      },
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "many_instances_created"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
          },
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": {
                "seconds": "1661203092",
                "nanos": 314642000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1496/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

Dampak: Banyak Instance Dihapus

    {
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIpGeo": {},
          "serviceName": "compute.googleapis.com",
          "methodName": "v1.compute.instances.delete",
          "principalSubject": "user:USER_EMAIL"
        },
        "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "category": "Impact: Many Instances Deleted",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-22T21:21:11.432Z",
        "database": {},
        "eventTime": "2022-08-22T21:21:11.144Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "IMPACT",
          "primaryTechniques": [
            "DATA_DESTRUCTION"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
        "parentDisplayName": "Sensitive Actions",
        "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
        "display_name": "VM_INSTANCE_NAME",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.compute.Instance",
        "folders": [
          {
            "resourceFolderDisplayName": "FOLDER_NAME",
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
          }
        ]
      },
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "many_instances_deleted"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
          },
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": {
                "seconds": "1661203265",
                "nanos": 669160000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1485/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

Persistensi: Menambahkan Peran Sensitif

Temuan ini tidak tersedia untuk aktivasi tingkat project.

{
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIp": "PRINCIPAL_IP_ADDRESS",
          "callerIpGeo": {},
          "serviceName": "cloudresourcemanager.googleapis.com",
          "methodName": "SetIamPolicy",
          "principalSubject": "user:PRINCIPAL_EMAIL"
        },
        "assetDisplayName": "organizations/ORGANIZATION_ID",
        "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
        "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Persistence: Add Sensitive Role",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-31T17:20:13.305Z",
        "database": {},
        "eventTime": "2022-08-31T17:20:11.929Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "iamBindings": [
          {
            "action": "ADD",
            "role": "roles/editor",
            "member": "user:PRINCIPAL_ACCOUNT_CHANGED"
          }
        ],
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "PERSISTENCE",
          "primaryTechniques": [
            "ACCOUNT_MANIPULATION"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
        "parentDisplayName": "Sensitive Actions Service",
        "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions Service",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
        "display_name": "ORGANIZATION_NAME",
        "project_name": "",
        "project_display_name": "",
        "parent_name": "",
        "parent_display_name": "",
        "type": "google.cloud.resourcemanager.Organization",
        "folders": []
      },
      "sourceProperties": {
        "sourceId": {
          "organizationNumber": "ORGANIZATION_ID",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "add_sensitive_role"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "resourceContainer": "organizations/ORGANIZATION_ID",
              "timestamp": {
                "seconds": "1661966410",
                "nanos": 132148000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1098/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

Persistensi: Kunci SSH Project Ditambahkan

    {
      "findings": {
        "access": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "callerIp": "PRINCIPAL_IP_ADDRESS",
          "callerIpGeo": {
            "regionCode": "US"
          },
          "serviceName": "compute.googleapis.com",
          "methodName": "v1.compute.projects.setCommonInstanceMetadata",
          "principalSubject": "user:USER_EMAIL"
        },
        "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "category": "Persistence: Project SSH Key Added",
        "contacts": {
          "technical": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS_1"
              },
              {
                "email": "EMAIL_ADDRESS_2"
              },
            ]
          }
        },
        "createTime": "2022-08-25T13:24:43.142Z",
        "database": {},
        "eventTime": "2022-08-25T13:24:42.719Z",
        "exfiltration": {},
        "findingClass": "OBSERVATION",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
        "indicator": {},
        "kubernetes": {},
        "mitreAttack": {
          "primaryTactic": "PERSISTENCE",
          "primaryTechniques": [
            "ACCOUNT_MANIPULATION",
            "SSH_AUTHORIZED_KEYS"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
        "parentDisplayName": "Sensitive Actions",
        "resourceName": "//compute.googleapis.com/projects/PROJECT_ID",
        "severity": "LOW",
        "sourceDisplayName": "Sensitive Actions",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//compute.googleapis.com/projects/PROJECT_ID",
        "display_name": "PROJECT_ID",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.compute.Project",
        "folders": [
          {
            "resourceFolderDisplayName": "FOLDER_NAME",
            "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
          }
        ]
      },
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "sensitive_action",
          "subRuleName": "add_ssh_key"
        },
        "detectionPriority": "LOW",
        "affectedResources": [
          {
            "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID"
          },
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": {
                "seconds": "1661433879",
                "nanos": 413362000
              },
              "insertId": "INSERT_ID"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1098/004/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }
    

Langkah selanjutnya