Cette page explique comment examiner les résultats du service Actions sensibles dans la console Google Cloud et inclut des exemples.
Le service Actions sensibles est un service intégré à Security Command Center qui détecte les actions effectuées par un acteur malveillant dans votre organisation, vos dossiers et vos projets Google Cloud qui pourraient nuire à votre entreprise. Pour en savoir plus, consultez la présentation du service Actions sensibles.
Examiner les résultats du service Actions sensibles
Le service Actions sensibles est toujours activé lorsque vous passez au niveau Standard de Security Command Center et ne peut pas être désactivé. Pour en savoir plus sur les types de résultats du service Actions sensibles, consultez la page Résultats.
Lorsque le service Actions sensibles détecte une action considérée comme sensible, il crée un résultat et une entrée de journal. Vous pouvez afficher le résultat dans la console Google Cloud. Vous pouvez interroger les entrées de journal dans Cloud Logging. Pour tester le service Actions sensibles, effectuez une action sensible et assurez-vous que le résultat apparaît sur la page Résultats de la console Google Cloud. Pour en savoir plus, consultez la page Tester le service des actions sensibles.
Examiner les résultats dans Security Command Center
Les rôles IAM pour Security Command Center peuvent être attribués au niveau de l'organisation, d'un dossier ou d'un projet. Votre capacité à afficher, modifier, créer ou mettre à jour des résultats, des éléments et des sources de sécurité dépend du niveau d'accès qui vous est accordé. Pour en savoir plus sur les rôles Security Command Center, consultez la page Contrôle des accès.
Pour examiner les résultats du service Actions sensibles dans la console Google Cloud, procédez comme suit:
Dans la console Google Cloud, accédez à la page Résultats de Security Command Center.
Si nécessaire, sélectionnez votre projet ou votre organisation GooglenCloud.
Dans la section Filtres rapides de la sous-section Nom à afficher de la source, sélectionnez Service Actions sensibles.
La table contient les résultats du service Actions sensibles.
Pour afficher les détails d'un résultat spécifique, cliquez sur le nom du résultat sous
Category. Le volet de détails du résultat se développe pour afficher des informations, y compris les suivantes :- Un récapitulatif généré par IAAperçu du problème
- Quand l'événement a eu lieu
- La source des données de résultat
- Le niveau de gravité de détection ; par exemple, Élevé
- Actions effectuées, comme ajouter un rôle de propriétaire ou d'éditeur au niveau de l'organisation à un utilisateur Gmail
- L'utilisateur ayant effectué l'action, indiqué à côté de Adresse e-mail principale.
Pour afficher tous les résultats issus des actions du même utilisateur, procédez comme suit :
- Dans le volet des détails du résultat, copiez l'adresse e-mail située à côté de Adresse e-mail principale.
- Fermez le volet.
Dans le générateur de requêtes, saisissez la requête suivante :
access.principal_email="USER_EMAIL"Remplacez USER_EMAIL par l'adresse e-mail que vous avez copiée précédemment.
Security Command Center affiche tous les résultats associés aux actions effectuées par l'utilisateur que vous avez spécifié.
Afficher les résultats dans Cloud Logging
Le service Actions sensibles écrit une entrée de journal dans les journaux Google Cloud Platform pour chaque action sensible si elle est détectée. Ces entrées de journal sont écrites même si vous n'avez pas activé Security Command Center.
Pour afficher les entrées de journal relatives aux actions sensibles dans Cloud Logging, procédez comme suit:
Accédez à l'explorateur de journaux dans la console Google Cloud.
Dans le sélecteur de projet en haut de la page, sélectionnez le projet pour lequel vous souhaitez afficher les entrées de journal du service Actions sensibles. Pour afficher les entrées de journal au niveau de l'organisation, vous pouvez également sélectionner l'organisation.
Dans la zone de texte Requête, saisissez la définition de ressource suivante :
resource.type="sensitiveaction.googleapis.com/Location"Cliquez sur Exécuter la requête. La table Résultats de la requête est mise à jour avec toutes les entrées de journal correspondantes écrites pendant la période de votre requête.
Pour afficher les détails d'une entrée de journal, cliquez sur une ligne de la table, puis sur Développer les champs imbriqués.
Vous pouvez créer des requêtes de journaux avancées pour spécifier un ensemble d'entrées de journal à partir de n'importe quel nombre de journaux.
Exemples de formats de résultats
Cette section inclut la sortie JSON des résultats du service Actions sensibles tels qu'ils apparaissent lorsque vous créez des exportations à partir de la console Google Cloud ou exécutez des méthodes de liste dans l'API Security Command Center.
Les exemples de sortie contiennent les champs les plus courants de tous les résultats. Toutefois, tous les champs peuvent ne pas apparaître dans tous les résultats. Le résultat réel dépend de la configuration d'une ressource, ainsi que du type et de l'état des résultats.
Pour afficher des exemples de résultats, développez un ou plusieurs des nœuds suivants.
Contournement des systèmes de défense: modification de la règle d’administration
Ce résultat n'est pas disponible pour les activations au niveau du projet.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "orgpolicy.googleapis.com",
"methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Organization Policy Changed",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-27T12:35:30.466Z",
"database": {},
"eventTime": "2022-08-27T12:35:30.264Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"IMPAIR_DEFENSES"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"display_name": "",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "change_organization_policy"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661603725",
"nanos": 12242032
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Contournement de la défense: suppression de l'administrateur de facturation
Ce résultat n'est pas disponible pour les activations au niveau du projet.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Remove Billing Admin",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T14:47:11.752Z",
"database": {},
"eventTime": "2022-08-31T14:47:11.256Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "REMOVE",
"role": "roles/billing.admin",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "remove_billing_admin"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661957226",
"nanos": 356329000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1578/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Impact: instance de GPU créée
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "beta.compute.instances.insert"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Impact: GPU Instance Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-11T19:13:11.134Z",
"database": {},
"eventTime": "2022-08-11T19:13:09.885Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "gpu_instance_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1660245184",
"nanos": 578768000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Impact: création de nombreuses instances
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.insert",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:18:18.112Z",
"database": {},
"eventTime": "2022-08-22T21:18:17.759Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203092",
"nanos": 314642000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Impact: suppression de nombreuses instances
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.delete",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Deleted",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:21:11.432Z",
"database": {},
"eventTime": "2022-08-22T21:21:11.144Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_deleted"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203265",
"nanos": 669160000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Persistance: ajouter un rôle sensible
Ce résultat n'est pas disponible pour les activations au niveau du projet.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: Add Sensitive Role",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T17:20:13.305Z",
"database": {},
"eventTime": "2022-08-31T17:20:11.929Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "ADD",
"role": "roles/editor",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_sensitive_role"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661966410",
"nanos": 132148000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Persistance: clé SSH du projet ajoutée
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.projects.setCommonInstanceMetadata",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Persistence: Project SSH Key Added",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-25T13:24:43.142Z",
"database": {},
"eventTime": "2022-08-25T13:24:42.719Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION",
"SSH_AUTHORIZED_KEYS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Project",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_ssh_key"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661433879",
"nanos": 413362000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Étapes suivantes
- En savoir plus sur le fonctionnement du service Actions sensibles
- Découvrez comment enquêter et développer des plans de réponse aux menaces.