Security sources

This page contains a list of the Google Cloud security sources that are available in Security Command Center. When you enable a security source, it provides vulnerabilities and threat findings to Security Command Center.

You can view findings in the Google Cloud console and filter them in many different ways, such as by finding type, resource type, or for a specific asset. Each security source might provide more filters to help you organize your findings.

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Vulnerabilities

Vulnerability detectors can help you find potential weaknesses in your Google Cloud resources.

GKE security posture dashboard

The GKE security posture dashboard is a page in the Google Cloud console that provides you with opinionated, actionable findings about potential security issues in your GKE clusters.

If you enable any of the following GKE security posture dashboard features, you'll see the findings in the Security Command Center Standard tier or the Premium tier:

GKE security posture dashboard feature    Security Command Center finding type
Workload configuration auditing           MISCONFIGURATION, VULNERABILITY

The findings display information about the security issue and provide recommendations to resolve the issues in your workloads or clusters.

IAM recommender

IAM recommender issues recommendations that you can follow to improve security by removing or replacing IAM roles from principals when the roles contain IAM permissions that the principal does not need.

Enable or disable IAM recommender findings

To enable or disable IAM recommender findings in Security Command Center, follow these steps:

  1. Go to the Integrated services tab of the Security Command Center Settings page in the Google Cloud console:

    Go to Settings

  2. If necessary, scroll down to the IAM recommender entry.

  3. To the right of the entry, select Enable or Disable.

Findings from IAM recommender are classified as vulnerabilities.

To remediate an IAM recommender finding, expand the following section to see a table of the IAM recommender findings. The remediation steps for each finding are included in the table entry.

View IAM recommender findings in the console

In the Google Cloud console, you can view the findings that are issued by IAM recommender either on the Vulnerabilities page by selecting the IAM recommender query preset or on the Findings page by selecting IAM Recommender in the Source display name section of the Quick filters panel.

Policy Controller

Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet.

If you install Policy Controller, and enable either the CIS Kubernetes Benchmark v1.5.1 or the PCI-DSS v3.2.1 Policy Controller bundles, or both, Policy Controller automatically writes cluster violations to Security Command Center as Misconfiguration class findings. The finding description and next steps in the Security Command Center findings are the same as the constraint description and remediation steps of the corresponding Policy Controller bundle.

The Policy Controller findings come from the following Policy Controller bundles:

  • CIS Kubernetes Benchmark v1.5.1
  • PCI-DSS v3.2.1

To find and remediate Policy Controller findings, see Remediating Policy Controller findings.

Rapid Vulnerability Detection

Rapid Vulnerability Detection runs managed scans that detect so-called "N-day" vulnerabilities, known exploits that allow arbitrary data access and remote code execution, including weak credentials, incomplete software installations, and exposed administrator user interfaces.

For the complete list of vulnerabilities that Rapid Vulnerability Detection detects, see Rapid Vulnerability Detection findings and remediations.

Security Health Analytics vulnerability types

Security Health Analytics managed vulnerability assessment scanning for Google Cloud can automatically detect common vulnerabilities and misconfigurations across:

  • Cloud Monitoring and Cloud Logging
  • Compute Engine
  • Google Kubernetes Engine containers and networks
  • Cloud Storage
  • Cloud SQL
  • Identity and Access Management (IAM)
  • Cloud Key Management Service (Cloud KMS)
  • Cloud DNS

Security Health Analytics is automatically enabled when you select the Security Command Center Standard or Premium tier. Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory, using batch, real-time, and mixed-mode scans.

For more information about Security Health Analytics scan modes, see Security Health Analytics scan types.

To view a complete list of Security Health Analytics detectors and findings, see the Security Health Analytics findings page, or expand the following section.

Security posture service

The security posture service is a built-in service for the Security Command Center Premium tier that lets you define, assess, and monitor the overall status of your security in Google Cloud. It provides information about how your environment aligns with the policies that you define in your security posture.

The security posture service isn't related to the GKE security posture dashboard, which only shows findings in GKE clusters.

Sensitive Data Protection

Sensitive Data Protection is a fully managed Google Cloud service that helps you discover, classify, and protect your sensitive data. You can use Sensitive Data Protection to determine whether you're storing sensitive or personally identifiable information (PII), like the following:

  • Person names
  • Credit card numbers
  • National or state ID numbers
  • Health insurance ID numbers
  • Secrets

In Sensitive Data Protection, each type of sensitive data that you search for is called an infoType.

If you configure your Sensitive Data Protection operation to send results to Security Command Center, you can see the findings directly in the Security Command Center section of the Google Cloud console, in addition to the Sensitive Data Protection section.

Vulnerability findings from the Sensitive Data Protection discovery service

The Sensitive Data Protection discovery service helps you determine whether your Cloud Functions environment variables contain secrets, such as passwords, authentication tokens, and Google Cloud credentials. For a full list of secret types that Sensitive Data Protection detects in this feature, see Credentials and secrets.

Finding type: Secrets in environment variables
Category name in the API: SECRETS_IN_ENVIRONMENT_VARIABLES

Finding description: This detector checks for secrets in Cloud Functions environment variables.

Remediation: Remove the secret from the environment variable and store it in Secret Manager instead.

Compliance standards: CIS GCP Foundation 1.3: 1.18; CIS GCP Foundation 2.0: 1.18

From the time you turn on secrets discovery in Sensitive Data Protection, it can take up to 12 hours for the initial scan of environment variables to complete. Subsequently, Sensitive Data Protection scans environment variables every 24 hours. In practice, scans can run more frequently than that.

To enable this detector, see Report secrets in environment variables to Security Command Center in the Sensitive Data Protection documentation.

Observation findings from Sensitive Data Protection

This section describes the observation findings that Sensitive Data Protection generates in Security Command Center.

Observation findings from the discovery service

The Sensitive Data Protection discovery service helps you determine whether your BigQuery data contains specific infoTypes and where they reside in your organization, folders, and projects.

A discovery operation generates profiles of the underlying BigQuery data at the project, table, and column levels. Each table data profile generates the following finding categories in Security Command Center:

Data sensitivity
An indication of the sensitivity level of the data in a particular table. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Sensitive Data Protection calculated when generating the data profile.
Data risk
The risk associated with the data in its current state. When calculating data risk, Sensitive Data Protection considers the sensitivity level of the data in the table and the presence of access controls to protect that data. The severity of the finding is the data risk level that Sensitive Data Protection calculated when generating the data profile.

From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated Data sensitivity and Data risk findings to appear in Security Command Center.

For information on how to send data profile results to Security Command Center, see one of the following:

Observation findings from the Sensitive Data Protection inspection service

A Sensitive Data Protection inspection job identifies each instance of data of a specific infoType in a storage system like a Cloud Storage bucket or a BigQuery table. For example, you can run an inspection job that searches for all strings that match the CREDIT_CARD_NUMBER infoType detector in a Cloud Storage bucket.

For each infoType detector that has one or more matches, Sensitive Data Protection generates a corresponding Security Command Center finding. The finding category is the name of the infoType detector that had a match—for example, Credit card number. The finding includes the number of matching strings that were detected in text or images in the resource.

For security reasons, the actual strings that were detected aren't included in the finding. For example, a Credit card number finding shows how many credit card numbers were found, but doesn't show the actual credit card numbers.

Because there are more than 150 built-in infoType detectors in Sensitive Data Protection, all possible Security Command Center finding categories aren't listed here. For a full list of infoType detectors, see InfoType detector reference.

For information on how to send the results of an inspection job to Security Command Center, see Send Sensitive Data Protection inspection job results to Security Command Center.

Review Sensitive Data Protection findings in the Google Cloud console

Use the following procedure to review findings in the Google Cloud console:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. Select your Google Cloud project or organization.

  3. In the Quick filters section, in the Source display name subsection, select Sensitive Data Protection.

    The table is populated with Sensitive Data Protection findings.

  4. To view details of a specific finding, click the finding name under Category. The details panel for the finding opens and displays the Summary tab.

  5. On the Summary tab, review the information about the finding, including information about what was detected, the resource that was affected, and more.

VM Manager

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.

To use VM Manager with project-level activations of Security Command Center Premium, activate Security Command Center Standard in the parent organization.

If you enable VM Manager with the Security Command Center Premium tier, VM Manager automatically writes high and critical findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in operating systems (OS) that are installed on VMs, including Common Vulnerabilities and Exposures (CVEs).

Vulnerability reports are not available for Security Command Center Standard.

Findings simplify the process of using VM Manager's Patch Compliance feature, which is in preview. The feature lets you conduct patch management at the organization level across all of your projects. Currently, VM Manager supports patch management at the single project level.

To remediate VM Manager findings, see Remediating VM Manager findings.

To stop vulnerability reports from being written to Security Command Center, see Mute VM Manager findings.

Vulnerabilities of this type all relate to installed operating system packages in supported Compute Engine VMs.

Table 24. VM Manager vulnerability reports

Detector: OS vulnerability
Category name in the API: OS_VULNERABILITY

Finding description: VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM.

Pricing tier: Premium

Supported assets: compute.googleapis.com/Instance

Fix this finding

VM Manager's vulnerability reports detail vulnerabilities in installed operating system packages for Compute Engine VMs, including Common Vulnerabilities and Exposures (CVEs).

For a complete list of supported operating systems, see Operating system details.

Findings appear in Security Command Center shortly after vulnerabilities are detected. Vulnerability reports in VM Manager are generated as follows:

  • For most vulnerabilities in the installed OS package, the OS Config API generates a vulnerability report within a few minutes of the change.
  • For CVEs, the OS Config API generates the vulnerability report within three to four hours after the CVE is published to the OS.

Web Security Scanner

Web Security Scanner provides managed and custom web vulnerability scanning for public App Engine, GKE, and Compute Engine serviced web applications.

Managed scans

Web Security Scanner managed scans are configured and managed by Security Command Center. Managed scans automatically run once each week to detect and scan public web endpoints. These scans don't use authentication and they send GET-only requests so they don't submit any forms on live websites.

Managed scans run separately from custom scans.

If Security Command Center is activated at the organization level, you can use managed scans to centrally manage basic web application vulnerability detection for projects in your organization, without having to involve individual project teams. When findings are discovered, you can work with those teams to set up more comprehensive custom scans.

When you enable Web Security Scanner as a service, managed scan findings are automatically available in the Security Command Center Vulnerabilities page and related reports. For information about how to enable Web Security Scanner managed scans, see configuring Security Command Center.

Managed scans support only applications that use the default port, which is 80 for HTTP connections and 443 for HTTPS connections. If your application uses a non-default port, do a custom scan instead.

Custom scans

Web Security Scanner custom scans provide granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content.

You define custom scans at the project level.

Custom scan findings are available in Security Command Center after you complete the guide to set up Web Security Scanner custom scans.

Detectors and compliance

Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security Project (OWASP). For guidance on mitigating OWASP risks, see OWASP Top 10 mitigation options on Google Cloud.

The compliance mapping is included for reference and is not provided or reviewed by the OWASP Foundation.

This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.

Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.

Each entry below lists the category, its API name, the finding description, the pricing tier, and the OWASP 2017 Top 10 and OWASP 2021 Top 10 mappings.
Accessible Git repository

Category name in the API: ACCESSIBLE_GIT_REPOSITORY

A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the Git repository.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A5 | OWASP 2021 Top 10: A01
Accessible SVN repository

Category name in the API: ACCESSIBLE_SVN_REPOSITORY

An SVN repository is exposed publicly. To resolve this finding, remove unintentional public access to the SVN repository.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A5 | OWASP 2021 Top 10: A01
Cacheable password input

Category name in the API: CACHEABLE_PASSWORD_INPUT

Passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A3 | OWASP 2021 Top 10: A04
Clear text password

Category name in the API: CLEAR_TEXT_PASSWORD

Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A3 | OWASP 2021 Top 10: A02
Insecure allow origin ends with validation

Category name in the API: INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION

A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected root domain is part of the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain—for example, .endsWith(".google.com").

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A5 | OWASP 2021 Top 10: A01
Insecure allow origin starts with validation

Category name in the API: INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION

A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected domain fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header—for example, .equals(".google.com").

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A5 | OWASP 2021 Top 10: A01
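The two Origin-validation findings above both come from checking only part of the Origin header before reflecting it. The following is an added example, not code from the page or from Google, that places the suffix and prefix checks beside a hardened version: the hardened check parses the Origin as a URL, requires https, and either matches the full origin against an allowlist or applies the dot-prefixed suffix check to the parsed host rather than to the raw header string. The allowlist, the parent domain and the function names are assumptions made for the demo.

```python
"""
Added example (not from the Security Command Center page or Google's code):
the weak Origin checks behind INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION and
INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION, beside an exact/host-based check.
Allowlist entries and origins are constructed for the demo.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only origins that may receive credentialed CORS.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
# Constructed parent domain whose subdomains are also trusted.
ALLOWED_PARENT_DOMAIN = "example.com"


def weak_suffix_check(origin: str) -> Optional[str]:
    """Pattern behind the ENDS_WITH finding: only the tail of the raw header
    is inspected, so any host whose name merely ends in the string passes."""
    return origin if origin.endswith("example.com") else None


def weak_prefix_check(origin: str) -> Optional[str]:
    """Pattern behind the STARTS_WITH finding: only the head of the raw header
    is inspected, so anything appended after the expected origin passes."""
    return origin if origin.startswith("https://app.example.com") else None


def safe_origin_check(origin: str) -> Optional[str]:
    """Hardened check: parse the Origin, require https and no path/query,
    then accept an exact allowlisted origin, or a host that is the parent
    domain itself or a subdomain separated from it by a dot."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname or parts.path or parts.query:
        return None
    if origin in ALLOWED_ORIGINS:
        return origin
    host = parts.hostname.lower()   # hostname ignores any userinfo and port
    if host == ALLOWED_PARENT_DOMAIN or host.endswith("." + ALLOWED_PARENT_DOMAIN):
        return origin
    return None
```

The value returned by these functions is what a handler would place in Access-Control-Allow-Origin; `None` means the header is not emitted at all. The hardened check works on the parsed host rather than the header text, so a host name with the parent domain embedded elsewhere in it, a userinfo segment before an `@`, or an http scheme is rejected.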
Invalid content type

Category name in the API: INVALID_CONTENT_TYPE

A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set X-Content-Type-Options HTTP header with the correct value.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6 | OWASP 2021 Top 10: A05
Invalid header

Category name in the API: INVALID_HEADER

A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6 | OWASP 2021 Top 10: A05
Mismatching security header values

Category name in the API: MISMATCHING_SECURITY_HEADER_VALUES

A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6 | OWASP 2021 Top 10: A05
Misspelled security header name

Category name in the API: MISSPELLED_SECURITY_HEADER_NAME

A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6 | OWASP 2021 Top 10: A05
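The three security-header findings above (Invalid header, Mismatching security header values, Misspelled security header name) all describe headers that a browser silently ignores. As an added example that is not part of the page or of Web Security Scanner, the check below takes the headers of one response as (name, value) pairs and reports each of those three conditions. The set of headers it knows, the accepted values and the sample responses are assumptions chosen for the demo.

```python
"""
Added example (not from the page or from Google's scanner): flag a misspelled
security header name, duplicated headers with mismatching values, and a header
value browsers do not recognise.  Header set and sample responses are constructed.
"""
import difflib
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Assumed subset of security headers.  A set lists the tokens browsers accept;
# None means the value is free-form and only a minimal shape check is applied.
SECURITY_HEADERS: Dict[str, Optional[Set[str]]] = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "strict-transport-security": None,
    "content-security-policy": None,
}


def check_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return one finding string per problem found in a response's headers."""
    findings: List[str] = []
    seen: Dict[str, List[str]] = defaultdict(list)
    for name, value in headers:
        lname = name.strip().lower()
        if lname in SECURITY_HEADERS:
            seen[lname].append(value.strip())
            continue
        # MISSPELLED_SECURITY_HEADER_NAME: close to a known name, but not it.
        close = difflib.get_close_matches(lname, list(SECURITY_HEADERS), n=1, cutoff=0.8)
        if close:
            findings.append(f"misspelled header {name!r} (did you mean {close[0]!r}?)")
    for lname, values in seen.items():
        # MISMATCHING_SECURITY_HEADER_VALUES: same header sent twice, different values.
        if len({v.lower() for v in values}) > 1:
            findings.append(f"mismatching values for {lname}: {values}")
            continue
        value = values[0]
        allowed = SECURITY_HEADERS[lname]
        # INVALID_HEADER: a value browsers do not recognise.
        if allowed is not None and value.lower() not in allowed:
            findings.append(f"invalid value for {lname}: {value!r}")
        elif lname == "strict-transport-security" and not value.lower().startswith("max-age="):
            findings.append(f"invalid value for {lname}: {value!r}")
    return findings


# Constructed responses: one clean, one with all three problems.
CLEAN_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
]
BAD_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Content-Type-Option", "nosniff"),          # misspelled name
    ("X-Frame-Options", "DENY"),
    ("X-Frame-Options", "SAMEORIGIN"),             # duplicated, mismatching
    ("Strict-Transport-Security", "maxage=100"),   # syntax error in value
]
```

Header names are compared case-insensitively because HTTP header names are; the misspelling check uses a similarity cutoff so that unrelated headers such as Content-Type are not reported against X-Content-Type-Options.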
Mixed content

Category name in the API: MIXED_CONTENT

Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6 | OWASP 2021 Top 10: A05
Outdated library

Category name in the API: OUTDATED_LIBRARY

A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A9 | OWASP 2021 Top 10: A06
Server side request forgery

Category name in the API: SERVER_SIDE_REQUEST_FORGERY

A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: Not applicable | OWASP 2021 Top 10: A10
Session ID leak

Category name in the API: SESSION_ID_LEAK

When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A2 | OWASP 2021 Top 10: A07
SQL injection

Category name in the API: SQL_INJECTION

A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A1 | OWASP 2021 Top 10: A03
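The SQL injection entry above recommends parameterized queries so that user input cannot change the structure of the statement. The following added example, which is not from the page or from Web Security Scanner, shows the defect beside the recommended form against an in-memory SQLite table; the table, its rows and the function names are constructed for the demo.

```python
"""
Added example (not from the page or Google): a string-built query that a
SQL_INJECTION finding points at, beside the parameterized query the finding's
remediation calls for.  Uses an in-memory SQLite table with constructed rows.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a constructed users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (email, is_admin) VALUES (?, ?)",
        [("alice@example.com", 0), ("bob@example.com", 1)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Untrusted input is spliced into the statement text, so it can alter the
    WHERE clause instead of only supplying a value to compare against."""
    return conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """The statement structure is fixed; the driver binds the value separately,
    so the input is only ever compared as data."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()
```

Running both lookups with the same input makes the difference concrete: an input containing a quote and an `OR` clause widens the string-built query to every row, while the parameterized query simply finds no e-mail address equal to that literal string.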
Struts insecure deserialization

Category name in the API: STRUTS_INSECURE_DESERIALIZATION

The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A8 | OWASP 2021 Top 10: A08
XSS

Category name in the API: XSS

A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A7 | OWASP 2021 Top 10: A03
XSS angular callback

Category name in the API: XSS_ANGULAR_CALLBACK

A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by the Angular framework.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A7 | OWASP 2021 Top 10: A03
XSS error

Category name in the API: XSS_ERROR

A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A7 | OWASP 2021 Top 10: A03
XXE reflected file leakage

Category name in the API: XXE_REFLECTED_FILE_LEAKAGE

An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A4 | OWASP 2021 Top 10: A05

Threats

Threat detectors can help you find potentially harmful events.

Anomaly Detection

Anomaly Detection is a built-in service that uses behavior signals from outside your system. It displays granular information about security anomalies detected for your projects and virtual machine (VM) instances, such as potential leaked credentials. Anomaly Detection is automatically enabled when you activate Security Command Center Standard or Premium tier, and findings are available in the Google Cloud console.

Anomaly Detection findings include the following:

Anomaly name: Account has leaked credentials
Finding category: account_has_leaked_credentials
Description: Credentials for a Google Cloud service account are accidentally leaked online or are compromised.
Severity: Critical

Account has leaked credentials

GitHub notified Security Command Center that the credentials that were used for a commit appear to be the credentials for a Google Cloud Identity and Access Management service account.

The notification includes the service account name and the private key identifier. Google Cloud also sends your designated contact for security and privacy issues a notification by email.

To remediate this issue, take one or more of the following actions:

  • Identify the legitimate user of the key.
  • Rotate the key.
  • Remove the key.
  • Investigate any actions that were taken by the key after the key was leaked to ensure that none of the actions were malicious.

JSON: leaked account credentials finding

{
  "findings": {
    "access": {},
    "assetDisplayName": "PROJECT_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_INSTANCE_ID/findings/FINDING_ID",
    "category": "account_has_leaked_credentials",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-08-05T20:59:41.022Z",
    "database": {},
    "eventTime": "2022-08-05T20:59:40Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/cat",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_INSTANCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_INSTANCE_ID",
    "parentDisplayName": "Cloud Anomaly Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "severity": "CRITICAL",
    "sourceDisplayName": "Cloud Anomaly Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "display_name": "PROJECT_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "PROJECT_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "project_identifier": "PROJECT_ID",
    "compromised_account": "SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com",
    "finding_type": "Potential compromise of a resource in your organization.",
    "summary_message": "We have detected leaked Service Account authentication credentials that could be potentially compromised.",
    "action_taken": "Notification sent",
    "private_key_identifier": "SERVICE_ACCOUNT_KEY_ID",
    "url": "https://github.com/KEY_FILE_PATH/KEY_FILE_NAME.json"
  }
}
    

Container Threat Detection

Container Threat Detection can detect the most common container runtime attacks and alert you in Security Command Center and optionally in Cloud Logging. Container Threat Detection includes several detection capabilities, an analysis tool, and an API.

Container Threat Detection detection instrumentation collects low-level behavior in the guest kernel and performs natural language processing on scripts to detect the following events:

  • Added Binary Executed
  • Added Library Loaded
  • Execution: Added Malicious Binary Executed
  • Execution: Added Malicious Library Loaded
  • Execution: Built in Malicious Binary Executed
  • Execution: Modified Malicious Binary Executed
  • Execution: Modified Malicious Library Loaded
  • Malicious Script Executed
  • Reverse Shell
  • Unexpected Child Shell

Learn more about Container Threat Detection.

Event Threat Detection

Event Threat Detection uses log data from inside your systems. It watches Cloud Logging stream for projects, and consumes logs as they become available. When a threat is detected, Event Threat Detection writes a finding to Security Command Center and to a Cloud Logging project. Event Threat Detection is automatically enabled when you activate the Security Command Center Premium tier and findings are available in the Google Cloud console.

The following table lists examples of Event Threat Detection findings.

Table C. Event Threat Detection finding types
Data destruction

Event Threat Detection detects data destruction by examining audit logs from the Backup and DR Service Management Server for the following scenarios:

  • Deletion of a backup image
  • Deletion of all backup images associated with an application
  • Deletion of a backup/recovery appliance
Data exfiltration

Event Threat Detection detects data exfiltration from BigQuery and Cloud SQL by examining audit logs for the following scenarios:

  • A BigQuery resource is saved outside of your organization, or a copy operation is attempted that is blocked by VPC Service Controls.
  • An attempt is made to access BigQuery resources that are protected by VPC Service Controls.
  • A Cloud SQL resource is fully or partially exported to a Cloud Storage bucket outside of your organization or to a bucket that is owned by your organization and is publicly accessible.
  • A Cloud SQL backup is restored to a Cloud SQL instance outside your organization.
  • A BigQuery resource that your organization owns is exported to a Cloud Storage bucket outside your organization, or to a bucket in your organization that is publicly accessible.
  • A BigQuery resource that your organization owns is exported to a Google Drive folder.
Cloud SQL suspicious activity

Event Threat Detection examines audit logs to detect the following events that might indicate a compromise of a valid user account on Cloud SQL instances:

  • A database user is granted all privileges to a Cloud SQL for PostgreSQL database, or to all tables, procedures, or functions in a schema.
  • A Cloud SQL default database account superuser (`postgres` on PostgreSQL instances or `root` on MySQL instances) is used to write to non-system tables.
AlloyDB for PostgreSQL suspicious activity

Event Threat Detection examines audit logs to detect the following events that might indicate a compromise of a valid user account on AlloyDB for PostgreSQL instances:

  • A database user is granted all privileges to an AlloyDB for PostgreSQL database, or to all tables, procedures, or functions in a schema.
  • An AlloyDB for PostgreSQL default database account superuser (`postgres`) is used to write to non-system tables.
Brute force SSH

Event Threat Detection detects SSH password-authentication brute force by examining syslog logs for repeated failures followed by a success.
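The Brute force SSH row describes the signal as repeated failures followed by a success in syslog. The following added example, which is not Event Threat Detection's code or anything from the page, implements that rule over constructed sshd log lines: failures are counted per source address and a finding is raised when a password success from the same address follows at least a threshold of failures within a window. The threshold, window, log lines and function names are assumptions for the demo.

```python
"""
Added example (not from the page or from Event Threat Detection): detect SSH
password brute force as "N failures then a success" from one source address,
over constructed syslog lines.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sshd lines in traditional syslog format (which carries no year).
SAMPLE_SYSLOG = """\
Mar  4 10:00:01 vm-1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  4 10:00:03 vm-1 sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  4 10:00:05 vm-1 sshd[2203]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  4 10:00:08 vm-1 sshd[2204]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  4 10:00:12 vm-1 sshd[2205]: Accepted password for root from 203.0.113.7 port 51008 ssh2
Mar  4 10:05:00 vm-1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  4 10:05:20 vm-1 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Only password authentication events are of interest; publickey lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 3          # assumed: failures that must precede the success
WINDOW_SECONDS = 600   # assumed: failures older than this are not counted


def _parse_ts(ts: str) -> datetime:
    # Syslog timestamps lack a year; the current year is assumed for the demo.
    return datetime.strptime(f"{datetime.now().year} {ts}", "%Y %b %d %H:%M:%S")


def detect_ssh_brute_force(syslog_text: str) -> List[Dict[str, object]]:
    """Return one finding per password success preceded by THRESHOLD or more
    password failures from the same source address inside WINDOW_SECONDS."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    findings: List[Dict[str, object]] = []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = _parse_ts(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if len(recent) >= THRESHOLD:
            findings.append({
                "source_ip": ip,
                "user": m["user"],
                "failures_before_success": len(recent),
                "success_time": ts.strftime("%H:%M:%S"),
            })
        failures[ip].clear()   # a success resets the count for this source
    return findings
```

In the sample, the source that fails four times and then succeeds as `root` produces a finding; the source that fails once and then logs in with a key does not, because only password successes count and one failure is below the threshold.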
Cryptomining

Event Threat Detection detects coin mining malware by examining VPC flow logs and Cloud DNS logs for connections to known bad domains or IP addresses of mining pools.
IAM abuse

Anomalous IAM grants: Event Threat Detection detects the addition of IAM grants that might be considered anomalous, like:

  • Adding a gmail.com user to a policy with the project editor role.
  • Inviting a gmail.com user as a project owner from the Google Cloud console.
  • Service account granting sensitive permissions.
  • Custom role granted sensitive permissions.
  • Service account added from outside your organization.
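The first two Anomalous IAM grants scenarios above (a gmail.com user added with the project editor role, or invited as a project owner) can be recognised from the binding changes recorded in a SetIamPolicy audit log entry. The following is an added example, not Event Threat Detection's code or anything from the page, that applies that rule to a constructed entry whose shape mirrors the `protoPayload.serviceData.policyDelta.bindingDeltas` field of Cloud Audit Logs; the member names, roles treated as sensitive, project name and function names are assumptions for the demo.

```python
"""
Added example (not from the page or from Event Threat Detection): flag grants of
roles/editor or roles/owner to a consumer-account (gmail.com) user in a
constructed SetIamPolicy audit log entry.
"""
from typing import Dict, List

SENSITIVE_ROLES = {"roles/editor", "roles/owner"}   # assumed for the demo
CONSUMER_DOMAINS = {"gmail.com"}                     # the domain the page names

# Constructed entry; only the fields this check reads are included.
SAMPLE_EVENT = {
    "protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/demo-project",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/editor", "member": "user:someone@gmail.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "user:someone@gmail.com"},
            {"action": "ADD", "role": "roles/editor", "member": "user:bob@example.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:old@gmail.com"},
        ]}},
    }
}


def _member_domain(member: str) -> str:
    """Members look like 'user:alice@example.com'; return the e-mail domain."""
    _, _, email = member.partition(":")
    return email.rpartition("@")[2].lower()


def find_anomalous_grants(event: Dict) -> List[Dict[str, str]]:
    """Return one finding per ADD of a sensitive role to a consumer-domain user."""
    payload = event.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    findings: List[Dict[str, str]] = []
    for delta in deltas:
        if delta.get("action") != "ADD" or delta.get("role") not in SENSITIVE_ROLES:
            continue   # removals and non-sensitive roles are not anomalous here
        member = delta.get("member", "")
        if member.startswith("user:") and _member_domain(member) in CONSUMER_DOMAINS:
            findings.append({
                "resource": payload.get("resourceName", ""),
                "member": member,
                "role": delta["role"],
                "granted_by": payload.get("authenticationInfo", {}).get("principalEmail", ""),
            })
    return findings
```

Of the four binding changes in the sample, only the editor grant to the gmail.com user is reported: the viewer grant is not a sensitive role, the editor grant to the example.com user is not a consumer account, and the owner change is a removal rather than an addition.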
Inhibit System Recovery

Event Threat Detection detects anomalous changes to Backup and DR that may impact backup posture, including major policy changes and removal of critical Backup and DR components.

Log4j

Event Threat Detection detects possible attempts at Log4j exploitation and active Log4j vulnerabilities.

Malware

Event Threat Detection detects malware by examining VPC flow logs and Cloud DNS logs for connections to known command and control domains and IPs.

Outgoing DoS

Event Threat Detection examines VPC flow logs to detect outgoing denial of service traffic.

Anomalous access

Event Threat Detection detects anomalous access by examining Cloud Audit Logs for Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses.

Anomalous IAM behavior

Event Threat Detection detects anomalous IAM behavior by examining Cloud Audit Logs for the following scenarios:

  • IAM user and service accounts accessing Google Cloud from anomalous IP addresses.
  • IAM service accounts accessing Google Cloud from anomalous user agents.
  • Principals and resources impersonating IAM service accounts to access Google Cloud.

Service account self-investigation

Event Threat Detection detects when a service account credential is used to investigate the roles and permissions associated with that same service account.

Compute Engine Admin Added SSH Key

Event Threat Detection detects a modification to the Compute Engine instance metadata ssh key value on an established instance (older than 1 week).

Compute Engine Admin Added Startup Script

Event Threat Detection detects a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week).

Suspicious account activity

Event Threat Detection detects potential compromise of Google Workspace accounts by examining audit logs for anomalous account activities, including leaked passwords and attempted suspicious logins.

Government-backed attack

Event Threat Detection examines Google Workspace audit logs to detect when government-backed attackers might have tried to compromise a user's account or computer.

Single sign-on (SSO) changes

Event Threat Detection examines Google Workspace audit logs to detect when SSO is disabled or settings are changed for Google Workspace admin accounts.

2-step verification

Event Threat Detection examines Google Workspace audit logs to detect when 2-step verification is disabled on user and admin accounts.

Anomalous API behavior

Event Threat Detection detects anomalous API behavior by examining Cloud Audit Logs for requests to Google Cloud services that a principal has not seen before.
Defense Evasion

Event Threat Detection detects Defense Evasion by examining Cloud Audit Logs for the following scenarios:

  • Changes to existing VPC Service Controls perimeters that would lead to a reduction in the protection offered.
  • Deployments or updates to workloads that use the break-glass flag to override Binary Authorization controls. (Preview)
Discovery

Event Threat Detection detects discovery operations by examining audit logs for the following scenarios:

  • A potentially malicious actor attempted to determine what sensitive objects in GKE they can query for, by using the kubectl command.
  • A service account credential is being used to investigate the roles and permissions associated with that same service account.
Initial Access: Event Threat Detection detects initial access operations by examining audit logs for the following scenarios:
  • A dormant user-managed service account triggered an action. (Preview)
  • A principal attempted to invoke various Google Cloud methods but failed repeatedly because of permission denied errors. (Preview)
Privilege escalation

Event Threat Detection detects privilege escalation in GKE by examining audit logs for the following scenarios:

  • To escalate privilege, a potentially malicious actor attempted to modify a ClusterRole or ClusterRoleBinding role-based access control (RBAC) object of the sensitive cluster-admin role by using a PUT or PATCH request.
  • A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access.
  • To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role.
  • A potentially malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials.
  • A potentially malicious actor created a Pod that contains privileged containers or containers with privilege escalation capabilities.
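Three of the privilege-escalation patterns listed above (writes to the cluster-admin ClusterRole, new bindings to cluster-admin, and Pods with privileged or privilege-escalating containers) can be recognised from the Kubernetes audit events themselves. The following Python is an added example, not Event Threat Detection's implementation. It assumes events in the native audit.k8s.io/v1 Event shape (verb, user, objectRef, requestObject) rather than the Cloud Logging envelope GKE wraps them in, and the events are constructed for the example; the certificate signing request patterns are not covered.

```python
"""Detect GKE privilege-escalation patterns in Kubernetes audit events.

Added example; not Event Threat Detection code. Events are assumed to be in
the audit.k8s.io/v1 Event shape; only verb, user, objectRef and requestObject
are inspected.
"""

RBAC_GROUP = "rbac.authorization.k8s.io"
BINDING_RESOURCES = {"clusterrolebindings", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch"}     # update = PUT, patch = PATCH
PAST = {"create": "created", "update": "updated", "patch": "patched"}


def _all_containers(pod_spec: dict) -> list:
    """Init containers run with the same privileges, so include them."""
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def _escalates(container: dict) -> bool:
    sc = container.get("securityContext") or {}
    return bool(sc.get("privileged")) or bool(sc.get("allowPrivilegeEscalation"))


def inspect_event(event: dict):
    """Return a finding string for a suspicious event, else None."""
    verb = event.get("verb")
    if verb not in WRITE_VERBS:
        return None
    ref = event.get("objectRef") or {}
    resource, name = ref.get("resource"), ref.get("name")
    user = (event.get("user") or {}).get("username", "unknown")
    body = event.get("requestObject")
    body = body if isinstance(body, dict) else {}   # a JSON Patch body is a list

    if ref.get("apiGroup") == RBAC_GROUP:
        # Any write to the cluster-admin ClusterRole itself, whatever the body.
        if resource == "clusterroles" and name == "cluster-admin":
            return f"{user} {PAST[verb]} ClusterRole cluster-admin"
        # A (Cluster)RoleBinding whose roleRef points at cluster-admin.
        if resource in BINDING_RESOURCES and (body.get("roleRef") or {}).get("name") == "cluster-admin":
            return f"{user} {PAST[verb]} {resource}/{name} granting cluster-admin"

    if resource == "pods" and verb == "create":
        bad = [c.get("name") for c in _all_containers(body.get("spec", {})) if _escalates(c)]
        if bad:
            ns = ref.get("namespace", "default")
            return f"{user} created pod {ns}/{name} with escalating containers {bad}"
    return None


def scan(events: list) -> list:
    return [f for f in map(inspect_event, events) if f]


# Constructed audit events (not captured from a real cluster).
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "system:serviceaccount:dev:ci"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": RBAC_GROUP, "name": "ci-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]}},
    {"verb": "patch", "user": {"username": "mallory@example.com"},
     "objectRef": {"resource": "clusterroles", "apiGroup": RBAC_GROUP, "name": "cluster-admin"},
     "requestObject": [{"op": "add", "path": "/rules/-", "value": {"verbs": ["*"], "resources": ["*"]}}]},
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "debug"},
     "requestObject": {"spec": {"initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
                                "containers": [{"name": "app"}]}}},
    {"verb": "get", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "debug"}},
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "rolebindings", "apiGroup": RBAC_GROUP, "namespace": "dev", "name": "readers"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "view"}}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The PATCH to the ClusterRole is caught by its target alone, since a JSON Patch body carries no roleRef to inspect; the read of the pod and the binding to the built-in view role produce nothing.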
Cloud IDS detections (Preview): Cloud IDS detects Layer 7 attacks by analyzing mirrored packets and, when it detects a suspicious event, triggers an Event Threat Detection finding. To learn more about Cloud IDS detections, see Cloud IDS Logging information.
Lateral movement: Event Threat Detection detects potential modified-boot-disk attacks by examining Cloud Audit Logs for frequent boot disk detachments and re-attachments across Compute Engine instances.
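The Brute force SSH detector described earlier in this list works from a pattern that can be reproduced over sshd syslog output. The following Python is an added example and not Event Threat Detection's implementation: it parses `sshd` password-authentication lines in the standard syslog format, keeps a sliding window of failures per source address, and reports a finding when an `Accepted password` line follows at least a threshold number of failures from that address. The log lines are constructed, and the threshold and window are assumptions.

```python
"""Detect SSH password brute force: repeated failures then a success.

Added example; not Event Threat Detection's implementation. Parses sshd
syslog lines (as written to /var/log/auth.log or /var/log/secure) and keeps a
sliding window of failures per source address.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches "Failed password for root from ...", "Failed password for invalid
# user admin from ..." and "Accepted password for ... from ...".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\spassword\sfor\s(?:invalid\suser\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so time deltas can be computed."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").replace(year=year)


def detect_ssh_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Return a finding per success that follows >= threshold failures from the same IP inside the window."""
    failures = defaultdict(deque)            # ip -> timestamps of recent failures
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                         # unrelated sshd/PAM chatter
        ts, ip = parse_ts(m["ts"]), m["ip"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()                 # expire failures outside the window
        if m["result"] == "Failed":
            recent.append(ts)
        else:
            if len(recent) >= threshold:
                findings.append({"ip": ip, "user": m["user"], "failures": len(recent), "at": m["ts"]})
            recent.clear()                   # a success ends the run either way
    return findings


# Constructed log lines (not from a real host).
SAMPLE_LOG = """\
Mar  9 10:14:01 web-1 sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  9 10:14:03 web-1 sshd[2316]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar  9 10:14:04 web-1 sshd[2318]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  9 10:14:06 web-1 sshd[2320]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  9 10:14:07 web-1 sshd[2322]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  9 10:14:09 web-1 sshd[2324]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  9 10:14:10 web-1 sshd[2330]: Failed password for alice from 198.51.100.5 port 40022 ssh2
Mar  9 10:14:15 web-1 sshd[2332]: Accepted password for alice from 198.51.100.5 port 40024 ssh2
Mar  9 10:14:15 web-1 sshd[2332]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Mar  9 10:14:20 web-1 sshd[2390]: Accepted password for root from 203.0.113.7 port 51260 ssh2
""".splitlines()

if __name__ == "__main__":
    for f in detect_ssh_brute_force(SAMPLE_LOG):
        print(f"{f['at']}: {f['ip']} logged in as {f['user']} after {f['failures']} failures")
```

Keying the window on the source address rather than the target user is what lets the detector see a spray across several usernames from one host; alice's single typo followed by a login stays below the threshold.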

Learn more about Event Threat Detection.

Forseti Security

Forseti Security gives you tools to understand all the resources you have in Google Cloud. The core Forseti modules work together to provide complete information so you can secure resources and minimize security risks.

To display Forseti violation notifications in Security Command Center, follow the Forseti Security Command Center notification guide.

Google Cloud Armor

Google Cloud Armor helps protect your application by providing Layer 7 filtering. Google Cloud Armor scrubs incoming requests for common web attacks or other Layer 7 attributes to potentially block traffic before it reaches your load-balanced backend services or backend buckets.

Google Cloud Armor exports two findings to Security Command Center:

Virtual Machine Threat Detection

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides threat detection through hypervisor-level instrumentation and persistent disk analysis. VM Threat Detection detects potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.

VM Threat Detection is part of Security Command Center Premium's threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.

For more information about VM Threat Detection, see VM Threat Detection overview.

VM Threat Detection threat findings

VM Threat Detection can generate the following threat findings.

Cryptocurrency mining threat findings

VM Threat Detection detects the following finding categories through hash matching or YARA rules.

VM Threat Detection cryptocurrency mining threat findings (category, module, description)
  • Execution: Cryptocurrency Mining Hash Match (module CRYPTOMINING_HASH): Matches memory hashes of running programs against known memory hashes of cryptocurrency mining software.
  • Execution: Cryptocurrency Mining YARA Rule (module CRYPTOMINING_YARA): Matches memory patterns, such as proof-of-work constants, known to be used by cryptocurrency mining software.
  • Execution: Cryptocurrency Mining Combined Detection (modules CRYPTOMINING_HASH and CRYPTOMINING_YARA): Identifies a threat that was detected by both the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules. For more information, see Combined detections.

Kernel-mode rootkit threat findings

VM Threat Detection analyzes kernel integrity at run time to detect common evasion techniques that are used by malware.

The KERNEL_MEMORY_TAMPERING module detects threats by doing a hash comparison on the kernel code and kernel read-only data memory of a virtual machine.

The KERNEL_INTEGRITY_TAMPERING module detects threats by checking the integrity of important kernel data structures.

VM Threat Detection kernel-mode rootkit threat findings (category, module, description)

Kernel memory tampering
  • Defense Evasion: Unexpected kernel code modification (Preview; module KERNEL_MEMORY_TAMPERING): Unexpected modifications of kernel code memory are present.
  • Defense Evasion: Unexpected kernel read-only data modification (Preview; module KERNEL_MEMORY_TAMPERING): Unexpected modifications of kernel read-only data memory are present.

Kernel integrity tampering
  • Defense Evasion: Unexpected ftrace handler (Preview; module KERNEL_INTEGRITY_TAMPERING): ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
  • Defense Evasion: Unexpected interrupt handler (Preview; module KERNEL_INTEGRITY_TAMPERING): Interrupt handlers that aren't in the expected kernel or module code regions are present.
  • Defense Evasion: Unexpected kernel modules (Preview; module KERNEL_INTEGRITY_TAMPERING): Kernel code pages that are not in the expected kernel or module code regions are present.
  • Defense Evasion: Unexpected kprobe handler (Preview; module KERNEL_INTEGRITY_TAMPERING): kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
  • Defense Evasion: Unexpected processes in runqueue (Preview; module KERNEL_INTEGRITY_TAMPERING): Unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list.
  • Defense Evasion: Unexpected system call handler (Preview; module KERNEL_INTEGRITY_TAMPERING): System call handlers that aren't in the expected kernel or module code regions are present.

Rootkit
  • Defense Evasion: Rootkit (Preview; modules KERNEL_MEMORY_TAMPERING and KERNEL_INTEGRITY_TAMPERING): A combination of signals matching a known kernel-mode rootkit is present. To receive findings of this category, make sure both modules are enabled.

VM Threat Detection observation finding

VM Threat Detection can generate the following observation finding.

VM Threat Detection observation finding (category name, API name, summary, severity)
  • VMTD disabled (VMTD_DISABLED), severity High: VM Threat Detection is disabled. Until you enable it, this service can't scan your Compute Engine projects and VM instances for unwanted applications. This finding is set to INACTIVE after 30 days. After that, this finding isn't generated again.

Errors

Error detectors can help you detect errors in your configuration that prevent security sources from generating findings. Error findings are generated by the Security Command Center security source and have the finding class SCC errors.

Inadvertent actions

The following finding categories represent errors possibly caused by unintentional actions.

API disabled (API_DISABLED)
  • Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center.
  • Pricing tier: Premium or Standard
  • Supported assets: cloudresourcemanager.googleapis.com/Project
  • Batch scans: Every 60 hours
  • Severity: Critical

Attack path simulation: no resource value configs match any resources (APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES)
  • Finding description: Resource value configurations are defined for attack path simulations, but they do not match any resource instances in your environment. The simulations are using the default high-value resource set instead. This error can have any of the following causes:
      • None of the resource value configurations match any resource instances.
      • One or more resource value configurations that specify NONE override every other valid configuration.
      • All the defined resource value configurations specify a value of NONE.
  • Pricing tier: Premium
  • Supported assets: cloudresourcemanager.googleapis.com/Organization
  • Batch scans: Before every attack path simulation.
  • Severity: Critical

Attack path simulation: resource value assignment limit exceeded (APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED)
  • Finding description: In the last attack path simulation, the number of high-value resource instances, as identified by the resource value configurations, exceeded the limit of 1,000 resource instances in a high-value resource set. As a result, Security Command Center excluded the excess instances from the high-value resource set. The total number of matching instances and the total number of instances excluded from the set are identified in the SCC Error finding in the Google Cloud console. The attack exposure scores on any findings that affect excluded resource instances do not reflect the high-value designation of those instances.
  • Pricing tier: Premium
  • Supported assets: cloudresourcemanager.googleapis.com/Organization
  • Batch scans: Before every attack path simulation.
  • Severity: High

Container Threat Detection Image Pull Failure (KTD_IMAGE_PULL_FAILURE)
  • Finding description: Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires. The attempt to deploy the DaemonSet resulted in the following error:

      Failed to pull image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": rpc error: code = NotFound desc = failed to pull and unpack image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": failed to resolve reference "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00: not found

  • Pricing tier: Premium
  • Supported assets: container.googleapis.com/Cluster
  • Batch scans: Every 30 minutes
  • Severity: Critical

Container Threat Detection Blocked By Admission Controller (KTD_BLOCKED_BY_ADMISSION_CONTROLLER)
  • Finding description: Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires. When viewed in the Google Cloud console, the finding details include the error message that Google Kubernetes Engine returned when Container Threat Detection attempted to deploy the DaemonSet object.
  • Pricing tier: Premium
  • Supported assets: container.googleapis.com/Cluster
  • Batch scans: Every 30 minutes
  • Severity: High

Container Threat Detection service account missing permissions (KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS)
  • Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.
  • Pricing tier: Premium
  • Supported assets: cloudresourcemanager.googleapis.com/Project
  • Batch scans: Every 30 minutes
  • Severity: Critical

GKE service account missing permissions (GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS)
  • Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.
  • Pricing tier: Premium
  • Supported assets: container.googleapis.com/Cluster
  • Batch scans: Every week
  • Severity: High

Misconfigured Cloud Logging Export (MISCONFIGURED_CLOUD_LOGGING_EXPORT)
  • Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.
  • Pricing tier: Premium
  • Supported assets: cloudresourcemanager.googleapis.com/Organization
  • Batch scans: Every 30 minutes
  • Severity: High

VPC Service Controls Restriction (VPC_SC_RESTRICTION)
  • Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter.
  • Pricing tier: Premium or Standard
  • Supported assets: cloudresourcemanager.googleapis.com/Project
  • Batch scans: Every 6 hours
  • Severity: High

Security Command Center service account missing permissions (SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS)
  • Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced.
  • Pricing tier: Premium or Standard
  • Batch scans: Every 30 minutes
  • Severity: Critical

For more information, see Security Command Center errors.

What's next