Auf dieser Seite wird gezeigt, wie Sie Ergebnisse des Sensitive Actions Service in der Google Cloud Console prüfen. Außerdem finden Sie Beispiele für Ergebnisse des Sensitive Actions Service.
Sensitive Actions Service ist ein integrierter Dienst von Security Command Center, der erkennt, wenn Aktionen in Ihrer Google Cloud Organisation, in Ihren Ordnern und Projekten ausgeführt werden, die Ihrem Unternehmen schaden könnten, wenn sie von einem böswilligen Akteur ausgeführt werden. Weitere Informationen finden Sie in der Übersicht zum Sensitive Actions Service.
Ergebnisse des Sensitive Actions Service prüfen
Sensitive Actions Service ist immer aktiviert, wenn Sie Security Command Center aktivieren, und kann nicht deaktiviert werden. Weitere Informationen zu den Ergebnistypen des Sensitive Actions Service finden Sie unter Ergebnisse.
Wenn Sensitive Actions Service eine Aktion erkennt, die als sensibel gilt, wird ein Ergebnis und ein Logeintrag erstellt. Sie können das Ergebnis in der Google Cloud Console ansehen. Sie können die Logeinträge in Cloud Logging abfragen. Wenn Sie Sensitive Actions Service testen möchten, führen Sie eine sensible Aktion aus und prüfen Sie, ob das Ergebnis auf der Ergebnisse Seite in der Google Cloud Console angezeigt wird. Weitere Informationen finden Sie unter Sensitive Actions Service testen.
Ergebnisse in Security Command Center prüfen
Die IAM-Rollen für Security Command Center können auf Organisations-, Ordner- oder Projektebene zugewiesen werden. Die Möglichkeit, Ergebnisse, Assets und Sicherheitsquellen anzusehen, zu bearbeiten, zu erstellen oder zu aktualisieren, hängt von der Ebene ab, auf die Sie Zugriff haben. Weitere Informationen zu Security Command Center-Rollen finden Sie unter Zugriffssteuerung.
So prüfen Sie die Ergebnisse des Sensitive Actions Service in der Console:
-
Rufen Sie in der Google Cloud Console die Seite Ergebnisse von Security Command Center auf.
- Wählen Sie Ihr Google Cloud Projekt oder Ihre Organisation aus.
- Wählen Sie im Abschnitt Schnellfilter im Unterabschnitt Anzeigename der Quelle die Option Sensitive Actions Service aus. Die Ergebnisse der Ergebnisabfrage werden aktualisiert und zeigen nur die Ergebnisse aus dieser Quelle.
- Wenn Sie die Details eines bestimmten Ergebnisses aufrufen möchten, klicken Sie in der Spalte Kategorie auf den Namen des Ergebnisses. Der Detailbereich für das Ergebnis wird geöffnet und der Tab Zusammenfassung wird angezeigt.
- Prüfen Sie auf dem Tab Zusammenfassung die Details des Ergebnisses, einschließlich Informationen zu dem, was erkannt wurde, der betroffenen Ressource und – falls verfügbar – Schritten, die Sie zur Behebung des Ergebnisses ausführen können.
- Optional: Klicken Sie auf den Tab JSON, um die vollständige JSON-Definition des Ergebnisses aufzurufen.
Ergebnisse ansehen, die vom selben Akteur verursacht wurden
Wenn Sie untersuchen, ob eine sensible Aktion von einem böswilligen Akteur ausgeführt wurde, sollten Sie nach anderen Ergebnissen suchen, die von diesem Akteur verursacht wurden.
So rufen Sie alle Ergebnisse auf, die vom selben Akteur verursacht wurden:
- Öffnen Sie das Ergebnis und rufen Sie die Details auf.
- Kopieren Sie im Detailbereich mit den Ergebnissen die E‑Mail-Adresse neben Haupt-E‑Mail-Adresse.
- Schließen Sie den Bereich.
Geben Sie im Abfrageeditor die folgende Abfrage ein:
access.principal_email="PRINCIPAL_EMAIL"Ersetzen Sie PRINCIPAL_EMAIL durch die E‑Mail-Adresse, die Sie zuvor kopiert haben. Security Command Center zeigt alle Ergebnisse an, die mit Aktionen verknüpft sind, die von dem angegebenen Akteur ausgeführt wurden.
Ergebnisse in Cloud Logging ansehen
Sensitive Actions Service schreibt für jede sensible Aktion, die der Dienst findet, einen Logeintrag in die Google Cloud Plattformlogs. Diese Logeinträge werden auch dann geschrieben, wenn Sie Security Command Center nicht aktiviert haben.
So rufen Sie die Logeinträge für sensible Aktionen in Cloud Logging auf:
Rufen Sie in der Google Cloud Console den Log-Explorer auf.
Wählen Sie in der Projektauswahl oben auf der Seite das Projekt aus, für das Sie die Logeinträge des Sensitive Actions Service aufrufen möchten. Alternativ können Sie die Organisation auswählen, um Logeinträge auf Organisationsebene aufzurufen.
Geben Sie im Textfeld Abfrage die folgende Ressourcendefinition ein:
resource.type="sensitiveaction.googleapis.com/Location"Klicken Sie auf Abfrage ausführen. Die Tabelle Abfrageergebnisse wird mit allen übereinstimmenden Logeinträgen aktualisiert, die im Zeitraum Ihrer Abfrage geschrieben wurden.
Wenn Sie die Details eines Logeintrags aufrufen möchten, klicken Sie auf eine Tabellenzeile und dann auf Verschachtelte Felder erweitern.
Sie können erweiterte Logabfragen erstellen, um eine Reihe von Logeinträgen aus beliebig vielen Logs anzugeben.
Beispiele für Ergebnisformate
Dieser Abschnitt enthält die JSON-Ausgabe für die Ergebnisse des Sensitive Actions Service wie sie angezeigt werden, wenn Sie Exporte aus der Google Cloud Console oder Listenmethoden in der Security Command Center API ausführen.
Die Ausgabebeispiele enthalten die Felder, die für alle Ergebnisse am häufigsten verwendet werden. Allerdings sind möglicherweise nicht alle Ergebnisse in jedem Ergebnis enthalten. Die tatsächliche Ausgabe hängt von der Konfiguration einer Ressource und der Art und dem Status der Ergebnisse ab.
Wenn Sie sich die Beispielergebnisse ansehen möchten, maximieren Sie einen oder mehrere der folgenden Knoten.
Umgehung von Abwehrmaßnahmen: Organisationsrichtlinie geändert
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "orgpolicy.googleapis.com", "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Organization Policy Changed", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-27T12:35:30.466Z", "database": {}, "eventTime": "2022-08-27T12:35:30.264Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "IMPAIR_DEFENSES" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "display_name": "", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "change_organization_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661603725", "nanos": 12242032 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Umgehung von Abwehrmaßnahmen: Abrechnungsadministrator entfernen
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Remove Billing Admin", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T14:47:11.752Z", "database": {}, "eventTime": "2022-08-31T14:47:11.256Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "REMOVE", "role": "roles/billing.admin", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "remove_billing_admin" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661957226", "nanos": 356329000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1578/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Auswirkung: GPU-Instanz erstellt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "beta.compute.instances.insert" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Impact: GPU Instance Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-11T19:13:11.134Z", "database": {}, "eventTime": "2022-08-11T19:13:09.885Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "gpu_instance_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1660245184", "nanos": 578768000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Auswirkung: Viele Instanzen erstellt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:18:18.112Z", "database": {}, "eventTime": "2022-08-22T21:18:17.759Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203092", "nanos": 314642000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Auswirkung: Viele Instanzen gelöscht
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.delete", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Deleted", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:21:11.432Z", "database": {}, "eventTime": "2022-08-22T21:21:11.144Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_deleted" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203265", "nanos": 669160000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Persistenz: Sensible Rolle hinzufügen
Dieses Ergebnis ist für Aktivierungen auf Projektebene nicht verfügbar.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: Add Sensitive Role", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T17:20:13.305Z", "database": {}, "eventTime": "2022-08-31T17:20:11.929Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "ADD", "role": "roles/editor", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_sensitive_role" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661966410", "nanos": 132148000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Persistenz: Projekt-SSH-Schlüssel hinzugefügt
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.projects.setCommonInstanceMetadata", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Persistence: Project SSH Key Added", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-25T13:24:43.142Z", "database": {}, "eventTime": "2022-08-25T13:24:42.719Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION", "SSH_AUTHORIZED_KEYS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Project", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661433879", "nanos": 413362000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Nächste Schritte
- Weitere Informationen zur Funktionsweise des Sensitive Actions Service .
- Weitere Informationen zum Untersuchen und Entwickeln von Reaktionsplänen für Bedrohungen.