Auf dieser Seite erfahren Sie, wie Sie die Ergebnisse des Dienstes „Sensitive Actions“ in der Google Cloud Console prüfen. Außerdem finden Sie Beispiele für Ergebnisse des Dienstes „Sensitive Actions“.
Der Dienst „Sensitive Actions“ ist ein integrierter Dienst von Security Command Center, der erkennt, wenn Aktionen in Ihrer Google Cloud-Organisation, in Ordnern und Projekten ausgeführt werden, die Ihrem Unternehmen schaden könnten, wenn sie von böswilligen Akteuren ausgeführt werden. Weitere Informationen finden Sie im Überblick über den Dienst für sensible Aktionen.
Ergebnisse des Diensts „Sensitive Actions“ prüfen
Der Dienst für sensible Aktionen ist immer aktiviert, wenn Sie Security Command Center Standard aktivieren, und kann nicht deaktiviert werden. Weitere Informationen zu den Ergebnistypen des Dienstes „Sensitive Actions“ finden Sie unter Ergebnisse.
Wenn der Dienst für sensible Aktionen eine Aktion erkennt, die als vertraulich eingestuft wird, werden ein Ergebnis und ein Logeintrag erstellt. Sie können sich das Ergebnis in der Google Cloud Console ansehen. Sie können die Logeinträge in Cloud Logging abfragen. Führen Sie zum Testen des Dienstes „Sensitive Actions“ eine vertrauliche Aktion aus und achten Sie darauf, dass das Ergebnis auf der Seite Ergebnisse in der Google Cloud Console angezeigt wird. Weitere Informationen finden Sie unter Dienst für sensible Aktionen testen.
Ergebnisse in Security Command Center prüfen
Die IAM-Rollen für Security Command Center können auf Organisations-, Ordner- oder Projektebene gewährt werden. Ihre Fähigkeit, Ergebnisse, Assets und Sicherheitsquellen anzusehen, zu bearbeiten, zu erstellen oder zu aktualisieren, hängt von der Ebene ab, auf der Sie Zugriff haben. Weitere Informationen zu Security Command Center-Rollen finden Sie unter Zugriffssteuerung.
So prüfen Sie die Ergebnisse des Dienstes „Sensitive Actions“ in der Google Cloud Console:
Rufen Sie in der Google Cloud Console die Seite Ergebnisse von Security Command Center auf.
Wählen Sie gegebenenfalls Ihr Google Cloud-Projekt oder Ihre Organisation aus.
Wählen Sie im Bereich Schnellfilter im Unterabschnitt Anzeigename der Quelle die Option Dienst für sensible Aktionen aus.
Die Tabelle wird mit den Ergebnissen des Sensitive Actions Service gefüllt.
Klicken Sie auf den Namen des Ergebnisses unter
Category, um Details zu einem bestimmten Ergebnis aufzurufen. Der Bereich mit den Ergebnisdetails wird erweitert und enthält nun die folgenden Informationen:- Eine KI-generierte ZusammenfassungVorschau des Problems
- Zeitpunkt des Ereignisses
- Quelle der Ergebnisdaten
- Schweregrad der Erkennung, z. B. Hoch
- Die ausgeführten Aktionen, z. B. das Hinzufügen der Rolle „Inhaber“ oder „Bearbeiter“ auf Organisationsebene für einen Gmail-Nutzer
- Der Nutzer, der die Aktion ausgeführt hat, wird neben E-Mail-Adresse des Hauptkontos angezeigt.
So zeigen Sie alle Ergebnisse an, die durch die Aktionen eines Nutzers ausgelöst wurden:
- Kopieren Sie im Detailbereich mit den Ergebnissen die E-Mail-Adresse neben Haupt-E-Mail-Adresse.
- Schließen Sie den Bereich.
Geben Sie im Query Builder die folgende Abfrage ein:
access.principal_email="USER_EMAIL"Ersetzen Sie USER_EMAIL durch die zuvor kopierte E-Mail-Adresse.
Security Command Center zeigt alle Ergebnisse an, die Aktionen zugeordnet sind, die von dem von Ihnen angegebenen Nutzer ausgeführt wurden.
Ergebnisse in Cloud Logging ansehen
Der Dienst für sensible Aktionen schreibt für jede gefundene vertrauliche Aktion einen Logeintrag in die Logs der Google Cloud Platform. Diese Logeinträge werden auch dann geschrieben, wenn Sie Security Command Center nicht aktiviert haben.
So rufen Sie die Logeinträge für vertrauliche Aktionen in Cloud Logging auf:
Rufen Sie in der Google Cloud Console den Log-Explorer auf.
Wählen Sie oben auf der Seite in der Projektauswahl das Projekt aus, für das Sie die Logeinträge des Dienstes „Sensible Aktionen“ sehen möchten. Wenn Sie sich Logeinträge auf Organisationsebene ansehen möchten, wählen Sie die Organisation aus.
Geben Sie im Textfeld Abfrage die folgende Ressourcendefinition ein:
resource.type="sensitiveaction.googleapis.com/Location"Klicken Sie auf Abfrage ausführen. Die Tabelle Abfrageergebnisse wird mit allen übereinstimmenden Logeinträgen aktualisiert, die innerhalb des Abfragezeitraums geschrieben wurden.
Wenn Sie die Details eines Logeintrags ansehen möchten, klicken Sie auf eine Tabellenzeile und dann auf Verschachtelte Felder maximieren.
Sie können erweiterte Logabfragen erstellen, um eine Reihe von Logeinträgen aus einer beliebigen Anzahl von Logs anzugeben.
Beispiel für das Finden von Formaten
Dieser Abschnitt enthält die JSON-Ausgabe für die Ergebnisse des Dienstes „Sensitive Actions“, wie sie angezeigt werden, wenn Sie Exporte in der Google Cloud Console erstellen oder Listenmethoden in der Security Command Center API ausführen.
Die Ausgabebeispiele enthalten die Felder, die für alle Ergebnisse am häufigsten verwendet werden. Möglicherweise werden jedoch nicht alle Felder in jedem Ergebnis angezeigt. Die tatsächliche Ausgabe, die Sie sehen, hängt von der Konfiguration einer Ressource sowie vom Typ und Status der Ergebnisse ab.
Wenn Sie sich die Beispielergebnisse ansehen möchten, maximieren Sie einen oder mehrere der folgenden Knoten.
Umgehung von Abwehrmaßnahmen: Organisationsrichtlinie geändert
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "orgpolicy.googleapis.com",
"methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Organization Policy Changed",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-27T12:35:30.466Z",
"database": {},
"eventTime": "2022-08-27T12:35:30.264Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"IMPAIR_DEFENSES"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"display_name": "",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "change_organization_policy"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661603725",
"nanos": 12242032
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Umgehung von Abwehrmaßnahmen: Abrechnungsadministrator entfernen
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Remove Billing Admin",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T14:47:11.752Z",
"database": {},
"eventTime": "2022-08-31T14:47:11.256Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "REMOVE",
"role": "roles/billing.admin",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "remove_billing_admin"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661957226",
"nanos": 356329000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1578/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Auswirkungen: GPU-Instanz erstellt
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "beta.compute.instances.insert"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Impact: GPU Instance Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-11T19:13:11.134Z",
"database": {},
"eventTime": "2022-08-11T19:13:09.885Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "gpu_instance_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1660245184",
"nanos": 578768000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Auswirkungen: Viele Instanzen erstellt
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.insert",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:18:18.112Z",
"database": {},
"eventTime": "2022-08-22T21:18:17.759Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203092",
"nanos": 314642000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Auswirkungen: Viele Instanzen gelöscht
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.delete",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Deleted",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:21:11.432Z",
"database": {},
"eventTime": "2022-08-22T21:21:11.144Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_deleted"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203265",
"nanos": 669160000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Persistenz: Sensible Rolle hinzufügen
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: Add Sensitive Role",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T17:20:13.305Z",
"database": {},
"eventTime": "2022-08-31T17:20:11.929Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "ADD",
"role": "roles/editor",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_sensitive_role"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661966410",
"nanos": 132148000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Persistenz: SSH-Schlüssel des Projekts hinzugefügt
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.projects.setCommonInstanceMetadata",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Persistence: Project SSH Key Added",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-25T13:24:43.142Z",
"database": {},
"eventTime": "2022-08-25T13:24:42.719Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION",
"SSH_AUTHORIZED_KEYS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Project",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_ssh_key"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661433879",
"nanos": 413362000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Nächste Schritte
- Weitere Informationen zur Funktionsweise des Dienstes „Sensitive Actions“
- Informationen zum Prüfen und Entwickeln von Abwehrplänen für Bedrohungen