Halaman ini menunjukkan cara meninjau temuan Layanan Tindakan Sensitif di Konsol Google Cloud dan menyertakan contoh temuan Layanan Tindakan Sensitif.
Layanan Tindakan Sensitif adalah layanan bawaan dari paket Premium Security Command Center yang mendeteksi saat tindakan diambil di organisasi, folder, dan project Google Cloud yang dapat merusak bisnis Anda jika diambil oleh pelaku kejahatan. Untuk mempelajari lebih lanjut, lihat Ringkasan Layanan Tindakan Sensitif.
Meninjau temuan Layanan Tindakan Sensitif
Layanan Tindakan Sensitif selalu diaktifkan saat Anda mengaktifkan paket Premium Security Command Center, dan tidak dapat dinonaktifkan. Untuk informasi selengkapnya tentang jenis temuan Layanan Tindakan Sensitif, lihat Temuan.
Saat mendeteksi tindakan yang dianggap sensitif, Layanan Tindakan Sensitif akan membuat temuan dan entri log. Anda dapat melihat temuan tersebut di Konsol Google Cloud. Anda dapat membuat kueri terhadap entri log di Cloud Logging. Untuk menguji Layanan Tindakan Sensitif, lakukan tindakan sensitif dan pastikan temuannya muncul di halaman Temuan di Konsol Google Cloud. Untuk informasi selengkapnya, lihat Menguji Layanan Tindakan Sensitif.
Meninjau temuan di Security Command Center
Peran IAM untuk Security Command Center dapat diberikan di tingkat organisasi, folder, atau project. Kemampuan Anda untuk melihat, mengedit, membuat, atau memperbarui temuan, aset, dan sumber keamanan bergantung pada tingkat akses yang diberikan kepada Anda. Untuk mempelajari peran Security Command Center lebih lanjut, lihat Kontrol akses.
Untuk meninjau temuan Sensitive Actions Service di Konsol Google Cloud, ikuti langkah-langkah ini:
Di konsol Google Cloud, buka halaman Findings Security Command Center.
Jika perlu, pilih organisasi atau project Google Cloud Anda.
Di bagian Quick filters, di subbagian Source display name, pilih Sensitive Actions Service.
Tabel diisi dengan temuan Layanan Tindakan Sensitif.
Untuk melihat detail temuan tertentu, klik nama temuan di bagian
Category. Panel detail temuan diperluas untuk menampilkan informasi termasuk berikut:- Ringkasan yang dibuat AIPratinjau masalah
- Kapan peristiwa terjadi
- Sumber data temuan
- Tingkat keseriusan deteksi, misalnya Tinggi
- Tindakan yang diambil, seperti menambahkan peran Pemilik atau Editor di tingkat organisasi ke pengguna Gmail
- Pengguna yang melakukan tindakan, yang tercantum di samping Email utama
Untuk menampilkan semua temuan yang disebabkan oleh tindakan pengguna yang sama:
- Di panel temuan detail, salin alamat email di samping Email utama.
- Tutup panel.
Di pembuat kueri, masukkan kueri berikut:
access.principal_email="USER_EMAIL"Ganti USER_EMAIL dengan alamat email yang sebelumnya Anda salin.
Security Command Center menampilkan semua temuan terkait dengan tindakan yang diambil oleh pengguna yang Anda tentukan.
Melihat temuan di Cloud Logging
Layanan Action Sensitif menulis entri log ke log platform Google Cloud untuk setiap tindakan sensitif jika ditemukan. Entri log ini ditulis meskipun jika Anda belum mengaktifkan Security Command Center.
Untuk melihat entri log tindakan sensitif di Cloud Logging, lakukan langkah berikut:
Buka Logs Explorer di Konsol Google Cloud.
Pada Pemilih project di bagian atas halaman, pilih project yang ingin Anda lihat entri log Sensitive Actions Service. Atau, untuk melihat entri log di level organisasi, pilih organisasi.
Di kotak teks Query, masukkan definisi resource berikut:
resource.type="sensitiveaction.googleapis.com/Location"Klik Run Query. Tabel Query results diperbarui dengan entri log yang cocok, yang ditulis dalam jangka waktu kueri Anda.
Untuk melihat detail entri log, klik baris tabel, lalu klik Luaskan kolom bertingkat.
Anda dapat membuat kueri log lanjutan untuk menentukan sekumpulan entri log dari sejumlah log.
Contoh Format Penemuan
Bagian ini mencakup output JSON untuk temuan Sensitive Actions Service seperti yang muncul saat Anda membuat ekspor dari Google Cloud Console atau menjalankan metode daftar di Security Command Center API.
Contoh output berisi kolom yang paling umum untuk semua temuan. Namun, semua kolom mungkin tidak muncul di setiap temuan. Output aktual yang Anda lihat bergantung pada konfigurasi resource serta jenis dan status temuan.
Untuk melihat contoh temuan, luaskan satu atau beberapa node berikut.
Penghindaran Pertahanan: Kebijakan Organisasi Diubah
Temuan ini tidak tersedia untuk aktivasi level project.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "orgpolicy.googleapis.com",
"methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Organization Policy Changed",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-27T12:35:30.466Z",
"database": {},
"eventTime": "2022-08-27T12:35:30.264Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"IMPAIR_DEFENSES"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention",
"display_name": "",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "change_organization_policy"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
},
{
"gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661603725",
"nanos": 12242032
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1562/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Penghindaran Pertahanan: Menghapus Admin Penagihan
Temuan ini tidak tersedia untuk aktivasi level project.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Remove Billing Admin",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T14:47:11.752Z",
"database": {},
"eventTime": "2022-08-31T14:47:11.256Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "REMOVE",
"role": "roles/billing.admin",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "DEFENSE_EVASION",
"primaryTechniques": [
"MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "remove_billing_admin"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661957226",
"nanos": 356329000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1578/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Dampak: Instance GPU Dibuat
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "beta.compute.instances.insert"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Impact: GPU Instance Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-11T19:13:11.134Z",
"database": {},
"eventTime": "2022-08-11T19:13:09.885Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "gpu_instance_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1660245184",
"nanos": 578768000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Dampak: Banyak Instance yang Dibuat
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.insert",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Created",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:18:18.112Z",
"database": {},
"eventTime": "2022-08-22T21:18:17.759Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"RESOURCE_HIJACKING"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_created"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203092",
"nanos": 314642000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1496/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Dampak: Banyak Instance Dihapus
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIpGeo": {},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.delete",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Impact: Many Instances Deleted",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-22T21:21:11.432Z",
"database": {},
"eventTime": "2022-08-22T21:21:11.144Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "IMPACT",
"primaryTechniques": [
"DATA_DESTRUCTION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"display_name": "VM_INSTANCE_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Instance",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "many_instances_deleted"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661203265",
"nanos": 669160000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1485/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Persistensi: Menambahkan Peran Sensitif
Temuan ini tidak tersedia untuk aktivasi level project.
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"principalSubject": "user:PRINCIPAL_EMAIL"
},
"assetDisplayName": "organizations/ORGANIZATION_ID",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Persistence: Add Sensitive Role",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-31T17:20:13.305Z",
"database": {},
"eventTime": "2022-08-31T17:20:11.929Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"iamBindings": [
{
"action": "ADD",
"role": "roles/editor",
"member": "user:PRINCIPAL_ACCOUNT_CHANGED"
}
],
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Sensitive Actions Service",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions Service",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"display_name": "ORGANIZATION_NAME",
"project_name": "",
"project_display_name": "",
"parent_name": "",
"parent_display_name": "",
"type": "google.cloud.resourcemanager.Organization",
"folders": []
},
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_sensitive_role"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
}
],
"evidence": [
{
"sourceLogId": {
"resourceContainer": "organizations/ORGANIZATION_ID",
"timestamp": {
"seconds": "1661966410",
"nanos": 132148000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
}
],
"relatedFindingUri": {}
}
}
}
Persistensi: Kunci SSH Project Ditambahkan
{
"findings": {
"access": {
"principalEmail": "PRINCIPAL_EMAIL",
"callerIp": "PRINCIPAL_IP_ADDRESS",
"callerIpGeo": {
"regionCode": "US"
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.projects.setCommonInstanceMetadata",
"principalSubject": "user:USER_EMAIL"
},
"canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"category": "Persistence: Project SSH Key Added",
"contacts": {
"technical": {
"contacts": [
{
"email": "EMAIL_ADDRESS_1"
},
{
"email": "EMAIL_ADDRESS_2"
},
]
}
},
"createTime": "2022-08-25T13:24:43.142Z",
"database": {},
"eventTime": "2022-08-25T13:24:42.719Z",
"exfiltration": {},
"findingClass": "OBSERVATION",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions",
"indicator": {},
"kubernetes": {},
"mitreAttack": {
"primaryTactic": "PERSISTENCE",
"primaryTechniques": [
"ACCOUNT_MANIPULATION",
"SSH_AUTHORIZED_KEYS"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER",
"parentDisplayName": "Sensitive Actions",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID",
"severity": "LOW",
"sourceDisplayName": "Sensitive Actions",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID",
"display_name": "PROJECT_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.compute.Project",
"folders": [
{
"resourceFolderDisplayName": "FOLDER_NAME",
"resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
}
]
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"ruleName": "sensitive_action",
"subRuleName": "add_ssh_key"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID"
},
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_ID",
"timestamp": {
"seconds": "1661433879",
"nanos": 413362000
},
"insertId": "INSERT_ID"
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1098/004/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
}
],
"relatedFindingUri": {}
}
}
}
Langkah selanjutnya
- Pelajari lebih lanjut cara kerja Layanan Tindakan Sensitif.
- Pelajari cara menyelidiki dan mengembangkan rencana respons terhadap ancaman.