Cette page explique comment examiner les résultats du service Actions sensibles dans la Google Cloud console et comprend des exemples de résultats du service Actions sensibles.
Le service Actions sensibles est un service intégré de Security Command Center qui détecte les actions effectuées dans votre Google Cloud organisation, vos dossiers et vos projets qui pourraient nuire à votre entreprise si elles étaient effectuées par une personne malveillante. Pour en savoir plus, consultez la présentation du service Actions sensibles.
Examiner les résultats du service Actions sensibles
Le service Actions sensibles est toujours activé lorsque vous activez Security Command Center et ne peut pas être désactivé. Pour en savoir plus sur les types de résultats du service Actions sensibles, consultez la section Résultats.
Lorsque le service Actions sensibles détecte une action considérée comme sensible, il crée un résultat et une entrée de journal. Vous pouvez afficher le résultat dans la Google Cloud console. Vous pouvez interroger les entrées de journal dans Cloud Logging. Pour tester le service Actions sensibles, effectuez une action sensible et assurez-vous que le résultat s'affiche sur la page Résultats de la Google Cloud console. Pour en savoir plus, consultez la section Tester le service Actions sensibles.
Examiner les résultats dans Security Command Center
Les rôles IAM pour Security Command Center peuvent être accordés au niveau de l'organisation, du dossier ou du projet. Votre capacité à afficher, modifier, créer ou mettre à jour les résultats, les éléments et les sources de sécurité dépend du niveau pour lequel vous disposez d'un accès. Pour en savoir plus sur les rôles Security Command Center, consultez la page Contrôle des accès.
Pour examiner les résultats du service Actions sensibles dans la console, procédez comme suit :
-
Dans la Google Cloud console, accédez à la page Résultats de Security Command Center.
- Sélectionnez votre Google Cloud projet ou votre organisation.
- Dans la sous-section Nom à afficher pour la source de la section Filtres rapides , sélectionnez Service Actions sensibles. Les résultats de la requête sont mis à jour pour n'afficher que les résultats de cette source.
- Pour afficher les détails d'un résultat spécifique, cliquez sur son nom dans la colonne Catégorie. Le panneau de détails du résultat s'ouvre et affiche l'onglet Résumé.
- Dans l'onglet Résumé , examinez les détails du résultat, y compris les informations sur ce qui a été détecté, la ressource concernée et, le cas échéant, les étapes à suivre pour corriger le résultat.
- Facultatif : Pour afficher la définition JSON complète du résultat, cliquez sur l'onglet JSON.
Afficher les résultats causés par le même acteur
Lorsque vous déterminez si une action sensible a été effectuée par un acteur malveillant, envisagez de rechercher d'autres résultats causés par cet acteur.
Pour afficher tous les résultats causés par le même acteur, procédez comme suit :
- Ouvrez le résultat et affichez ses détails.
- Dans le volet des détails du résultat, copiez l'adresse e-mail située à côté de Adresse e-mail principale.
- Fermez le volet.
Dans Query editor (éditeur de requête), saisissez la requête suivante :
access.principal_email="PRINCIPAL_EMAIL"Remplacez PRINCIPAL_EMAIL par l'adresse e-mail que vous avez copiée précédemment. Security Command Center affiche tous les résultats associés aux actions effectuées par l'acteur que vous avez spécifié.
Afficher les résultats dans Cloud Logging
Le service Actions sensibles écrit une entrée de journal dans les Google Cloud journaux de la plate-forme pour chaque action sensible qu'il trouve. Ces entrées de journal sont écrites même si vous n'avez pas activé Security Command Center.
Pour afficher les entrées de journal des actions sensibles dans Cloud Logging, procédez comme suit :
Accédez à l'explorateur de journaux dans la Google Cloud console.
Dans le sélecteur de projet en haut de la page, sélectionnez le projet pour lequel vous souhaitez afficher les entrées de journal du service Actions sensibles. Vous pouvez également sélectionner l'organisation pour afficher les entrées de journal au niveau de l'organisation.
Dans la zone de texte Requête, saisissez la définition de ressource suivante :
resource.type="sensitiveaction.googleapis.com/Location"Cliquez sur Exécuter la requête. La table Résultats de la requête est mise à jour avec toutes les entrées de journal correspondantes écrites au cours de la période de votre requête.
Pour afficher les détails d'une entrée de journal, cliquez sur une ligne du tableau, puis sur Développer les champs imbriqués.
Vous pouvez créer des requêtes de journaux avancées pour spécifier un ensemble d'entrées de journal à partir d'un nombre quelconque de journaux.
Exemples de formats de résultat
Cette section inclut la sortie JSON pour les résultats du service Actions sensibles tels qu'ils apparaissent lorsque vous créez des exportations à partir de la Google Cloud console ou exécutez des méthodes de liste dans l'API Security Command Center.
Les exemples de sortie contiennent les champs les plus courants de tous les résultats. Cependant, tous les champs peuvent ne pas apparaître dans tous les résultats. Le résultat réel dépend de la configuration d'une ressource ainsi que du type et de l'état des résultats.
Pour afficher des exemples de résultats, développez un ou plusieurs des nœuds suivants.
Éviction de défense : règle d'administration modifiée
Ce résultat n'est pas disponible pour les activations au niveau d'un projet.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "orgpolicy.googleapis.com", "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Organization Policy Changed", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-27T12:35:30.466Z", "database": {}, "eventTime": "2022-08-27T12:35:30.264Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "IMPAIR_DEFENSES" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention", "display_name": "", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "change_organization_policy" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }, { "gcpResourceName": "//orgpolicy.googleapis.com/organizations/ORGANIZATION_ID/policies/storage.publicAccessPrevention" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661603725", "nanos": 12242032 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1562/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-27T12:35:25.012242032Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Éviction de défense : suppression de l'administrateur de la facturation
Ce résultat n'est pas disponible pour les activations au niveau d'un projet.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Remove Billing Admin", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T14:47:11.752Z", "database": {}, "eventTime": "2022-08-31T14:47:11.256Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "REMOVE", "role": "roles/billing.admin", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "remove_billing_admin" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661957226", "nanos": 356329000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1578/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T14:47:06.356329Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Impact : instance GPU créée
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "beta.compute.instances.insert" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Impact: GPU Instance Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-11T19:13:11.134Z", "database": {}, "eventTime": "2022-08-11T19:13:09.885Z", "exfiltration": {}, "findingClass": "OBSERVATION", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "gpu_instance_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1660245184", "nanos": 578768000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-11T19:13:04.578768Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Impact : nombreuses instances créées
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Created", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:18:18.112Z", "database": {}, "eventTime": "2022-08-22T21:18:17.759Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "RESOURCE_HIJACKING" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_created" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203092", "nanos": 314642000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:18:12.314642Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Impact : nombreuses instances supprimées
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIpGeo": {}, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.delete", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Impact: Many Instances Deleted", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-22T21:21:11.432Z", "database": {}, "eventTime": "2022-08-22T21:21:11.144Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME", "display_name": "VM_INSTANCE_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Instance", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "many_instances_deleted" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661203265", "nanos": 669160000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-22T21:21:05.669160Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Persistance : ajout d'un rôle sensible
Ce résultat n'est pas disponible pour les activations au niveau d'un projet.
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": {}, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "principalSubject": "user:PRINCIPAL_EMAIL" }, "assetDisplayName": "organizations/ORGANIZATION_ID", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: Add Sensitive Role", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-31T17:20:13.305Z", "database": {}, "eventTime": "2022-08-31T17:20:11.929Z", "exfiltration": {}, "findingClass": "OBSERVATION", "iamBindings": [ { "action": "ADD", "role": "roles/editor", "member": "user:PRINCIPAL_ACCOUNT_CHANGED" } ], "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "display_name": "ORGANIZATION_NAME", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "google.cloud.resourcemanager.Organization", "folders": [] }, "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_sensitive_role" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1661966410", "nanos": 132148000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-31T17:20:10.132148Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project=" } ], "relatedFindingUri": {} } } }
Persistance : clé SSH de projet ajoutée
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "PRINCIPAL_IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.projects.setCommonInstanceMetadata", "principalSubject": "user:USER_EMAIL" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "category": "Persistence: Project SSH Key Added", "contacts": { "technical": { "contacts": [ { "email": "EMAIL_ADDRESS_1" }, { "email": "EMAIL_ADDRESS_2" }, ] } }, "createTime": "2022-08-25T13:24:43.142Z", "database": {}, "eventTime": "2022-08-25T13:24:42.719Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION", "SSH_AUTHORIZED_KEYS" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SENSITIVE_ACTIONS_INSTANCE_NUMBER", "parentDisplayName": "Sensitive Actions", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID", "severity": "LOW", "sourceDisplayName": "Sensitive Actions", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID", "display_name": "PROJECT_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.compute.Project", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1661433879", "nanos": 413362000 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1098/004/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-08-25T13:24:39.413362Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID" } ], "relatedFindingUri": {} } } }
Étape suivante
- Découvrez comment fonctionne le service Actions sensibles.
- Découvrez comment examiner et développer des plans d'intervention sur les menaces.