本页面介绍了如何在 Google Cloud 控制台中查看敏感操作服务发现结果,并包含敏感操作服务发现结果示例。
Sensitive Actions Service 是 Security Command Center 的内置服务,可检测 在您的 Google Cloud 组织、文件夹和 如果它们被盗用, 恶意行为者。 如需了解详情,请参阅敏感操作服务概览。
查看 Sensitive Actions Service 发现结果
敏感操作服务将始终处于启用状态,前提是您激活了 Security Command Center 标准层级,并且无法停用。有关 有关 Sensitive Actions Service 发现结果类型的信息,请参阅 发现。
当敏感操作服务检测到被视为敏感的操作时,它会 创建发现结果和日志条目。您可以在以下位置查看发现结果: Google Cloud 控制台。您可以在 Cloud Logging 中查询日志条目。 如需测试 Sensitive Actions Service,请执行敏感操作并确保 发现结果会显示在 Google Cloud 控制台的发现结果页面上。 如需了解详情,请参阅测试敏感操作服务。
在 Security Command Center 中审核发现结果
Security Command Center 的 IAM 角色可以在组织、文件夹或项目级层授予。您能否查看、修改、创建或更新发现结果、资产和安全来源,取决于您获授予的访问权限级别。如需详细了解 Security Command Center 角色,请参阅访问权限控制。
如需在 Google Cloud 控制台中查看敏感操作服务发现结果,请按照以下步骤操作:
在 Google Cloud 控制台中,转到 Security Command Center 发现结果页面。
如有必要,请选择您的 Google Cloud 项目或组织。
在快速过滤条件部分的来源显示名称子部分中,选择敏感操作服务。
该表填充了敏感操作服务发现结果。
如需查看特定发现结果的详细信息,请点击
Category
下的发现结果名称。发现结果详细信息窗格会展开,显示以下信息:- AI 生成的问题摘要预览版
- 事件发生的时间
- 发现结果数据的来源
- 检测严重程度,例如高
- 执行的操作,例如在 组织级别的权限授予 Gmail 用户
- 执行操作的用户,列在主账号电子邮件地址旁边
如需显示由同一用户的操作生成的所有发现结果,请执行以下操作:
- 在发现结果详细信息窗格中,复制主账号电子邮件地址旁边的电子邮件地址。
- 关闭窗格。
在查询构建器中,输入以下查询:
access.principal_email="USER_EMAIL"
将 USER_EMAIL 替换为您之前复制的电子邮件地址。
Security Command Center 会显示与您指定的用户执行的操作相关的所有发现结果。
在 Cloud Logging 中查看发现结果
Sensitive Actions Service 会将日志条目写入 Google Cloud Platform 日志 针对每项敏感操作(如果发现)。即使您未启用 Security Command Center,系统也会写入这些日志条目。
如需在 Cloud Logging 中查看敏感操作的日志条目,请执行以下操作: 执行以下操作:
转到 Google Cloud 控制台中的日志浏览器。
在页面顶部的项目选择器中,选择项目 敏感操作服务日志条目。 或者,如需查看组织级别的日志条目,请选择 组织。
在查询文本框中,输入以下资源定义:
resource.type="sensitiveaction.googleapis.com/Location"
点击运行查询。查询结果表已更新为 在您的时间段内写入的匹配日志条目 查询。
如需查看日志条目的详细信息,请点击表格中的相应行,然后点击 展开嵌套字段。
您可以创建高级日志查询 指定任意数量的日志中的一组日志条目。
发现结果格式示例
本部分包含 Sensitive Actions Service 发现结果的 JSON 输出 与通过 Google Cloud 控制台创建导出作业时显示的信息相同 或运行 Security Command Center API 中的 list 方法。
输出示例包含所有发现结果中最常见的字段。 但是,所有字段可能无法显示在每个发现结果中。您看到的实际输出取决于资源的配置以及发现结果的类型和状态。
如需查看示例发现结果,请展开以下一个或多个节点。
防护规避:组织政策已更改
此发现结果不适用于项目级激活。
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "orgpolicy.googleapis.com", "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Organization Policy Changed", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-27T12:35:30.466Z", "database": {}, "eventTime": "2022-08-27T12:35:30.264Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "IMPAIR_DEFENSES" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "display_name": "", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "change_organization_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661603725", "nanos": 12242032 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
防护规避:移除结算管理员
此发现结果不适用于项目级激活。
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Remove Billing Admin", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T14:47:11.752Z", "database": {}, "eventTime": "2022-08-31T14:47:11.256Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "REMOVE", "role": "roles/billing.admin", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "remove_billing_admin" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661957226", "nanos": 356329000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1578/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
影响:创建了 GPU 实例
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "beta.compute.instances.insert" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Impact: GPU Instance Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-11T19:13:11.134Z", "database": {}, "eventTime": "2022-08-11T19:13:09.885Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "gpu_instance_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1660245184", "nanos": 578768000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
影响:许多实例已创建
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:18:18.112Z", "database": {}, "eventTime": "2022-08-22T21:18:17.759Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203092", "nanos": 314642000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
影响:许多实例已删除
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.delete", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Deleted", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:21:11.432Z", "database": {}, "eventTime": "2022-08-22T21:21:11.144Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_deleted" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203265", "nanos": 669160000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
持久性:添加敏感角色
此发现结果不适用于项目级激活。
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: Add Sensitive Role", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T17:20:13.305Z", "database": {}, "eventTime": "2022-08-31T17:20:11.929Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "ADD", "role": "roles/editor", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_sensitive_role" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661966410", "nanos": 132148000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
持久性:项目 SSH 密钥已添加
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.projects.setCommonInstanceMetadata", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Persistence: Project SSH Key Added", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-25T13:24:43.142Z", "database": {}, "eventTime": "2022-08-25T13:24:42.719Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION", "SSH_AUTHORIZED_KEYS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Project", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661433879", "nanos": 413362000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
后续步骤
- 详细了解敏感操作服务的运作方式。
- 了解如何调查和制定响应计划 以检测威胁。