Overview of Event Threat Detection

Active Scan: Log4j Vulnerable to RCE
API name: Unavailable
Description: Detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners.

Inhibit System Recovery: Deleted Google Cloud Backup and DR host
API name: BACKUP_HOSTS_DELETE_HOST
Log source: Cloud Audit Logs: Backup and DR Service Admin Activity audit logs
Description: A host was deleted from Backup and DR. Applications that are associated with the deleted host might not be protected.

Data Destruction: Google Cloud Backup and DR expire image
API name: BACKUP_EXPIRE_IMAGE
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A user requested the deletion of a backup image from Backup and DR. The deletion of a backup image does not prevent future backups.

Inhibit System Recovery: Google Cloud Backup and DR remove plan
API name: BACKUP_REMOVE_PLAN
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A backup plan with multiple policies for an application was deleted from Backup and DR. The deletion of a backup plan can prevent future backups.

Data Destruction: Google Cloud Backup and DR expire all images
API name: BACKUP_EXPIRE_IMAGES_ALL
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A user requested the deletion of all backup images for a protected application from Backup and DR. The deletion of backup images does not prevent future backups.

Inhibit System Recovery: Google Cloud Backup and DR delete template
API name: BACKUP_TEMPLATES_DELETE_TEMPLATE
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.

Inhibit System Recovery: Google Cloud Backup and DR delete policy
API name: BACKUP_TEMPLATES_DELETE_POLICY
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A Backup and DR policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.

Inhibit System Recovery: Google Cloud Backup and DR delete profile
API name: BACKUP_PROFILES_DELETE_PROFILE
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A Backup and DR profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.

Data Destruction: Google Cloud Backup and DR remove appliance
API name: BACKUP_APPLIANCES_REMOVE_APPLIANCE
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A backup appliance was deleted from Backup and DR. Applications that are associated with the deleted backup appliance might not be protected.

Inhibit System Recovery: Google Cloud Backup and DR delete storage pool
API name: BACKUP_STORAGE_POOLS_DELETE
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: A storage pool, which associates a Cloud Storage bucket with Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.

Impact: Google Cloud Backup and DR reduced backup expiration
API name: BACKUP_REDUCE_BACKUP_EXPIRATION
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: The expiration date for a backup protected by Backup and DR has been reduced.

Impact: Google Cloud Backup and DR reduced backup frequency
API name: BACKUP_REDUCE_BACKUP_FREQUENCY
Log source: Cloud Audit Logs: Backup and DR Admin Activity audit logs
Description: The Backup and DR backup schedule has been modified to reduce backup frequency.
Brute force SSH
API name: BRUTE_FORCE_SSH
Description: Detection of successful brute force of SSH on a host.

Cloud IDS: THREAT_IDENTIFIER
API name: CLOUD_IDS_THREAT_ACTIVITY
Description: Threat events that are detected by Cloud IDS. Cloud IDS detects layer 7 attacks by analyzing mirrored packets and, when a threat event is detected, sends a threat-class finding to Security Command Center. Finding category names start with "Cloud IDS" followed by the Cloud IDS threat identifier. The Cloud IDS integration with Event Threat Detection does not include Cloud IDS vulnerability detections. To learn more about Cloud IDS detections, see Cloud IDS Logging information.

Credential Access: External Member Added To Privileged Group
API name: EXTERNAL_MEMBER_ADDED_TO_PRIVILEGED_GROUP
Log source: Google Workspace Logs: Login Audit (Permissions: DATA_READ)
Description: Detects events where an external member is added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes. Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions. This finding isn't available for project-level activations.

Credential Access: Privileged Group Opened To Public
API name: PRIVILEGED_GROUP_OPENED_TO_PUBLIC
Log source: Google Workspace: Admin Audit (Permissions: DATA_READ)
Description: Detects events where a privileged Google Group (a group granted sensitive roles or permissions) is changed to be accessible to the general public. To learn more, see Unsafe Google Group changes. Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions. This finding isn't available for project-level activations.

Credential Access: Sensitive Role Granted To Hybrid Group
API name: SENSITIVE_ROLE_TO_GROUP_WITH_EXTERNAL_MEMBER
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects events where sensitive roles are granted to a Google Group with external members. To learn more, see Unsafe Google Group changes. Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions. This finding isn't available for project-level activations.

Defense Evasion: Breakglass Workload Deployment Created (Preview)
API name: BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_CREATE
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

Defense Evasion: Breakglass Workload Deployment Updated (Preview)
API name: BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_UPDATE
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects when workloads are updated by using the break-glass flag to override Binary Authorization controls.

Defense Evasion: Modify VPC Service Control
API name: DEFENSE_EVASION_MODIFY_VPC_SERVICE_CONTROL
Log source: Cloud Audit Logs: VPC Service Controls audit logs
Description: Detects a change to an existing VPC Service Controls perimeter that would lead to a reduction in the protection offered by that perimeter. This finding isn't available for project-level activations.
Discovery: Can get sensitive Kubernetes object check
API name: GKE_CONTROL_PLANE_CAN_GET_SENSITIVE_OBJECT
Log source: Cloud Audit Logs: GKE Data Access logs
Description: A potentially malicious actor attempted to determine what sensitive objects in GKE they can query for, by using the kubectl auth can-i get command. Specifically, the rule detects whether the actor checked for API access on the following objects:
- * (all)
- cluster-admin ClusterRole
- Secret

Discovery: Service Account Self-Investigation
API name: SERVICE_ACCOUNT_SELF_INVESTIGATION
Log source: Cloud Audit Logs: IAM Data Access audit logs (Permissions: DATA_READ)
Description: Detection of an IAM service account credential that is used to investigate the roles and permissions associated with that same service account.
Sensitive roles: Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

Evasion: Access from Anonymizing Proxy
API name: ANOMALOUS_ACCESS
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detection of Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses.

Exfiltration: BigQuery Data Exfiltration
API name: DATA_EXFILTRATION_BIG_QUERY
Log source: Cloud Audit Logs: BigQueryAuditMetadata data access logs (Permissions: DATA_READ)
Description: Detects the following scenarios:
- Resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations. This scenario is indicated by a subrule of exfil_to_external_table and a severity of HIGH.
- Attempts to access BigQuery resources that are protected by VPC Service Controls. This scenario is indicated by a subrule of vpc_perimeter_violation and a severity of LOW.

Exfiltration: BigQuery Data Extraction
API name: DATA_EXFILTRATION_BIG_QUERY_EXTRACTION
Log source: Cloud Audit Logs: BigQueryAuditMetadata data access logs (Permissions: DATA_READ)
Description: Detects the following scenarios:
- A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Cloud Storage bucket outside the organization.
- A BigQuery resource owned by the protected organization is saved, through extraction operations, to a publicly accessible Cloud Storage bucket owned by that organization.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Exfiltration: BigQuery Data to Google Drive
API name: DATA_EXFILTRATION_BIG_QUERY_TO_GOOGLE_DRIVE
Log source: Cloud Audit Logs: BigQueryAuditMetadata data access logs (Permissions: DATA_READ)
Description: Detects the following:
- A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Google Drive folder.

Exfiltration: Move to Public BigQuery resource
API name: DATA_EXFILTRATION_BIG_QUERY_TO_PUBLIC_RESOURCE
Log source: Cloud Audit Logs: BigQueryAuditMetadata data access logs (Permissions: DATA_READ)
Description: Detects the following:
- A BigQuery resource is saved to a public resource owned by your organization.
Exfiltration: Cloud SQL Data Exfiltration
API name: CLOUDSQL_EXFIL_EXPORT_TO_EXTERNAL_GCS, CLOUDSQL_EXFIL_EXPORT_TO_PUBLIC_GCS
Log source: Cloud Audit Logs: MySQL data access logs, PostgreSQL data access logs, SQL Server data access logs
Description: Detects the following scenarios:
- Live instance data exported to a Cloud Storage bucket outside of the organization.
- Live instance data exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Exfiltration: Cloud SQL Restore Backup to External Organization
API name: CLOUDSQL_EXFIL_RESTORE_BACKUP_TO_EXTERNAL_INSTANCE
Log source: Cloud Audit Logs: MySQL admin activity logs, PostgreSQL admin activity logs, SQL Server admin activity logs
Description: Detects events where the backup of a Cloud SQL instance is restored to an instance outside of the organization.

Exfiltration: Cloud SQL Over-Privileged Grant
API name: CLOUDSQL_EXFIL_USER_GRANTED_ALL_PERMISSIONS
Log source: Cloud Audit Logs: PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule.
Description: Detects events where a Cloud SQL for PostgreSQL user or role has been granted all privileges to a database, or to all tables, procedures, or functions in a schema.

Initial Access: Database Superuser Writes to User Tables
API name: CLOUDSQL_SUPERUSER_WRITES_TO_USER_TABLES
Log source: Cloud Audit Logs: Cloud SQL for PostgreSQL data access logs, Cloud SQL for MySQL data access logs
Note: You must enable the pgAudit extension for PostgreSQL or database auditing for MySQL to use this rule.
Description: Detects events where a Cloud SQL superuser (postgres on PostgreSQL servers or root on MySQL servers) writes to non-system tables.

Privilege Escalation: AlloyDB Over-Privileged Grant
API name: ALLOYDB_USER_GRANTED_ALL_PERMISSIONS
Log source: Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule.
Description: Detects events where an AlloyDB for PostgreSQL user or role has been granted all privileges to a database, or to all tables, procedures, or functions in a schema.

Privilege Escalation: AlloyDB Database Superuser Writes to User Tables
API name: ALLOYDB_SUPERUSER_WRITES_TO_USER_TABLES
Log source: Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule.
Description: Detects events where an AlloyDB for PostgreSQL superuser (postgres) writes to non-system tables.

Initial Access: Dormant Service Account Action
API name: DORMANT_SERVICE_ACCOUNT_USED_IN_ACTION
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects events where a dormant user-managed service account triggered an action. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Privilege Escalation: Dormant Service Account Granted Sensitive Role
API name: DORMANT_SERVICE_ACCOUNT_ADDED_IN_IAM_ROLE
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects events where a dormant user-managed service account was granted one or more sensitive IAM roles. In this context, a service account is considered dormant if it has been inactive for more than 180 days.
Sensitive roles: Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

Persistence: Impersonation Role Granted For Dormant Service Account
API name: DORMANT_SERVICE_ACCOUNT_IMPERSONATION_ROLE_GRANTED
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects events where a principal is granted permissions to impersonate a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Initial Access: Dormant Service Account Key Created
API name: DORMANT_SERVICE_ACCOUNT_KEY_CREATED
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects events where a key is created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Initial Access: Leaked Service Account Key Used
API name: LEAKED_SA_KEY_USED
Log source: Cloud Audit Logs: Admin Activity logs, Data Access logs
Description: Detects events where a leaked service account key is used to authenticate the action. In this context, a leaked service account key is one that was posted on the public internet.

Initial Access: Excessive Permission Denied Actions
API name: EXCESSIVE_FAILED_ATTEMPT
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects events where a principal repeatedly triggers permission denied errors by attempting changes across multiple methods and services.
Impair Defenses: Strong Authentication Disabled
Log source: Google Workspace: Admin Audit
Description: 2-step verification was disabled for the organization. This finding isn't available for project-level activations.

Impair Defenses: Two Step Verification Disabled
Log source: Google Workspace Logs: Login Audit (Permissions: DATA_READ)
Description: A user disabled 2-step verification. This finding isn't available for project-level activations.

Initial Access: Account Disabled Hijacked
Log source: Google Workspace Logs: Login Audit (Permissions: DATA_READ)
Description: A user's account was suspended due to suspicious activity. This finding isn't available for project-level activations.

Initial Access: Disabled Password Leak
API name: ACCOUNT_DISABLED_PASSWORD_LEAK
Log source: Google Workspace Logs: Login Audit (Permissions: DATA_READ)
Description: A user's account is disabled because a password leak was detected. This finding isn't available for project-level activations.

Initial Access: Government Based Attack
Log source: Google Workspace Logs: Login Audit (Permissions: DATA_READ)
Description: Government-backed attackers might have tried to compromise a user account or computer. This finding isn't available for project-level activations.

Initial Access: Log4j Compromise Attempt
API name: Unavailable
Log source: Cloud Load Balancing Logs: Cloud HTTP Load Balancer
Note: You must enable external Application Load Balancer logging to use this rule.
Description: Detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. These findings have low severity, because they only indicate a detection or exploit attempt, not a vulnerability or a compromise. This rule is always on.

Initial Access: Suspicious Login Blocked
Log source: Google Workspace Logs: Login Audit (Permissions: DATA_READ)
Description: A suspicious login to a user's account was detected and blocked. This finding isn't available for project-level activations.

Log4j Malware: Bad Domain
API name: LOG4J_BAD_DOMAIN
Description: Detection of Log4j exploit traffic based on a connection to, or a lookup of, a known domain used in Log4j attacks.

Log4j Malware: Bad IP
API name: LOG4J_BAD_IP
Log source: VPC flow logs, Firewall Rules logs, Cloud NAT logs
Description: Detection of Log4j exploit traffic based on a connection to a known IP address used in Log4j attacks.

Malware: bad domain
API name: MALWARE_BAD_DOMAIN
Description: Detection of malware based on a connection to, or a lookup of, a known bad domain.

Malware: bad IP
API name: MALWARE_BAD_IP
Log source: VPC flow logs, Firewall Rules logs, Cloud NAT logs
Description: Detection of malware based on a connection to a known bad IP address.

Malware: Cryptomining Bad Domain
API name: CRYPTOMINING_POOL_DOMAIN
Description: Detection of cryptomining based on a connection to, or a lookup of, a known mining domain.

Malware: Cryptomining Bad IP
API name: CRYPTOMINING_POOL_IP
Log source: VPC flow logs, Firewall Rules logs, Cloud NAT logs
Description: Detection of cryptomining based on a connection to a known mining IP address.
Persistence: GCE Admin Added SSH Key
API name: GCE_ADMIN_ADD_SSH_KEY
Log source: Cloud Audit Logs: Compute Engine Admin Activity audit logs
Description: Detection of a modification to the Compute Engine instance metadata ssh key value on an established instance (older than 1 week).

Persistence: GCE Admin Added Startup Script
API name: GCE_ADMIN_ADD_STARTUP_SCRIPT
Log source: Cloud Audit Logs: Compute Engine Admin Activity audit logs
Description: Detection of a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week).

Persistence: IAM Anomalous Grant
API name: IAM_ANOMALOUS_GRANT
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: This finding includes subrules that provide more specific information about each instance of this finding. The following list shows all possible subrules:
- external_service_account_added_to_policy, external_member_added_to_policy: Detection of privileges granted to IAM users and service accounts that are not members of your organization or, if Security Command Center is activated at the project level only, your project. Note: If Security Command Center is activated at the organization level at any tier, then this detector uses an organization's existing IAM policies as context. If Security Command Center activation is only at the project level, then the detector uses only the project's IAM policies as context. If a sensitive IAM grant to an external member occurs, and there are less than three existing IAM policies that are similar to it, this detector generates a finding. Sensitive roles: Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.
- external_member_invited_to_policy: Detects when an external member is invited as the owner of the project through the InsertProjectOwnershipInvite API.
- custom_role_given_sensitive_permissions: Detects when the setIAMPolicy permission is added to a custom role.
- service_account_granted_sensitive_role_to_member: Detects when privileged roles are granted to members through a service account. This subrule is triggered by a subset of sensitive roles that include only basic IAM roles and certain data storage roles. For more information, see Sensitive IAM roles and permissions.
- policy_modified_by_default_compute_service_account: Detects when a default Compute Engine service account is used to modify project IAM settings.

Persistence: Unmanaged Account Granted Sensitive Role (Preview)
API name: UNMANAGED_ACCOUNT_ADDED_IN_IAM_ROLE
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detection of a sensitive role being granted to an unmanaged account.

Persistence: New API Method
API name: ANOMALOUS_BEHAVIOR_NEW_API_METHOD
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detection of anomalous usage of Google Cloud services by IAM service accounts.

Persistence: New Geography
API name: IAM_ANOMALOUS_BEHAVIOR_IP_GEOLOCATION
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detection of IAM user and service accounts accessing Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses. This finding isn't available for project-level activations.

Persistence: New User Agent
API name: IAM_ANOMALOUS_BEHAVIOR_USER_AGENT
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detection of IAM service accounts accessing Google Cloud from anomalous or suspicious user agents. This finding isn't available for project-level activations.

Persistence: SSO Enablement Toggle
Log source: Google Workspace: Admin Audit
Description: The Enable SSO (single sign-on) setting on the admin account was disabled. This finding isn't available for project-level activations.

Persistence: SSO Settings Changed
Log source: Google Workspace: Admin Audit
Description: The SSO settings for the admin account were changed. This finding isn't available for project-level activations.
Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
API name: ANOMALOUS_SA_DELEGATION_IMPERSONATION_OF_SA_ADMIN_ACTIVITY
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects when a potentially anomalous impersonated service account is used for an administrative activity.

Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
API name: ANOMALOUS_SA_DELEGATION_MULTISTEP_ADMIN_ACTIVITY
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects when an anomalous multistep delegated request is found for an administrative activity.

Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
API name: ANOMALOUS_SA_DELEGATION_MULTISTEP_DATA_ACCESS
Log source: Cloud Audit Logs: Data Access logs
Description: Detects when an anomalous multistep delegated request is found for a data access activity.

Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
API name: ANOMALOUS_SA_DELEGATION_IMPERSONATOR_ADMIN_ACTIVITY
Log source: Cloud Audit Logs: Admin Activity logs
Description: Detects when a potentially anomalous caller/impersonator in a delegation chain is used for an administrative activity.

Privilege Escalation: Anomalous Service Account Impersonator for Data Access
API name: ANOMALOUS_SA_DELEGATION_IMPERSONATOR_DATA_ACCESS
Log source: Cloud Audit Logs: Data Access logs
Description: Detects when a potentially anomalous caller/impersonator in a delegation chain is used for a data access activity.

Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
API name: GKE_CONTROL_PLANE_EDIT_SENSITIVE_RBAC_OBJECT
Log source: Cloud Audit Logs: GKE Admin Activity logs
Description: To escalate privilege, a potentially malicious actor attempted to modify a ClusterRole, RoleBinding, or ClusterRoleBinding role-based access control (RBAC) object of the sensitive cluster-admin role by using a PUT or PATCH request.

Privilege Escalation: Create Kubernetes CSR for master cert
API name: GKE_CONTROL_PLANE_CSR_FOR_MASTER_CERT
Log source: Cloud Audit Logs: GKE Admin Activity logs
Description: A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access.

Privilege Escalation: Creation of sensitive Kubernetes bindings
API name: GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role.

Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
API name: GKE_CONTROL_PLANE_GET_CSR_WITH_COMPROMISED_BOOTSTRAP_CREDENTIALS
Log source: Cloud Audit Logs: GKE Data Access logs
Description: A potentially malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials.

Privilege Escalation: Launch of privileged Kubernetes container
API name: GKE_CONTROL_PLANE_LAUNCH_PRIVILEGED_CONTAINER
Log source: Cloud Audit Logs: GKE Admin Activity logs
Description: A potentially malicious actor created a Pod that contains privileged containers or containers with privilege escalation capabilities. A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. For more information, see the SecurityContext v1 core API reference in the Kubernetes documentation.
Persistence: Service Account Key Created
API name: SERVICE_ACCOUNT_KEY_CREATION
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects the creation of a service account key. Service account keys are long-lived credentials that increase the risk of unauthorized access to Google Cloud resources.

Privilege Escalation: Global Shutdown Script Added
API name: GLOBAL_SHUTDOWN_SCRIPT_ADDED
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a global shutdown script is added to a project.

Persistence: Global Startup Script Added
API name: GLOBAL_STARTUP_SCRIPT_ADDED
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a global startup script is added to a project.

Defense Evasion: Organization-Level Service Account Token Creator Role Added
API name: ORG_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when the Service Account Token Creator IAM role is granted at the organization level.

Defense Evasion: Project-Level Service Account Token Creator Role Added
API name: PROJECT_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when the Service Account Token Creator IAM role is granted at the project level.

Lateral Movement: OS Patch Execution From Service Account
API name: OS_PATCH_EXECUTION_FROM_SERVICE_ACCOUNT
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a service account uses the Compute Engine Patch feature to update the operating system of any currently running Compute Engine instance.

Lateral Movement: Modified Boot Disk Attached to Instance (Preview)
API name: MODIFY_BOOT_DISK_ATTACH_TO_INSTANCE
Log source: Cloud Audit Logs: Compute Engine audit logs
Description: Detects when a boot disk is detached from one Compute Engine instance and attached to another, which could indicate a malicious attempt to compromise the system using a modified boot disk.

Credential Access: Secrets Accessed In Kubernetes Namespace
API name: SECRETS_ACCESSED_IN_KUBERNETES_NAMESPACE
Log source: Cloud Audit Logs: GKE Data Access logs
Description: Detects when secrets or service account tokens are accessed by a service account in the current Kubernetes namespace.

Resource Development: Offensive Security Distro Activity
API name: OFFENSIVE_SECURITY_DISTRO_ACTIVITY
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects successful Google Cloud resource manipulations from known penetration testing or offensive security distros.

Privilege Escalation: New Service Account is Owner or Editor
API name: SERVICE_ACCOUNT_EDITOR_OWNER
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a new service account is created with Editor or Owner roles for a project.

Discovery: Information Gathering Tool Used
API name: INFORMATION_GATHERING_TOOL_USED
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects the use of ScoutSuite, a cloud security auditing tool that is known to be used by threat actors.

Privilege Escalation: Suspicious Token Generation
API name: SUSPICIOUS_TOKEN_GENERATION_IMPLICIT_DELEGATION
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when the iam.serviceAccounts.implicitDelegation permission is abused to generate access tokens from a more privileged service account.

Privilege Escalation: Suspicious Token Generation
API name: SUSPICIOUS_TOKEN_GENERATION_SIGN_JWT
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a service account uses the serviceAccounts.signJwt method to generate an access token for another service account.

Privilege Escalation: Suspicious Token Generation
API name: SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_OPENID
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects cross-project use of the iam.serviceAccounts.getOpenIdToken IAM permission. This finding isn't available for project-level activations.

Privilege Escalation: Suspicious Token Generation
API name: SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_ACCESS_TOKEN
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects cross-project use of the iam.serviceAccounts.getAccessToken IAM permission. This finding isn't available for project-level activations.

Privilege Escalation: Suspicious Cross-Project Permission Use
API name: SUSPICIOUS_CROSS_PROJECT_PERMISSION_DATAFUSION
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects cross-project use of the datafusion.instances.create IAM permission. This finding isn't available for project-level activations.

Command and Control: DNS Tunneling
API name: DNS_TUNNELING_IODINE_HANDSHAKE
Description: Detects the handshake of the DNS tunneling tool Iodine.
Defense Evasion: VPC Route Masquerade Attempt
API name: VPC_ROUTE_MASQUERADE
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects the manual creation of VPC routes masquerading as Google Cloud default routes, allowing egress traffic to external IP addresses.

Impact: Billing Disabled
API name: BILLING_DISABLED_SINGLE_PROJECT
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when billing has been disabled for a project.

Impact: Billing Disabled
API name: BILLING_DISABLED_MULTIPLE_PROJECTS
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when billing has been disabled for multiple projects in an organization within a short time period.

Impact: VPC Firewall High Priority Block
API name: VPC_FIREWALL_HIGH_PRIORITY_BLOCK
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a VPC firewall rule that blocks all traffic is added at priority 0.

Impact: VPC Firewall Mass Rule Deletion (Temporarily unavailable)
API name: VPC_FIREWALL_MASS_RULE_DELETION
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects the mass deletion of VPC firewall rules by non-service accounts. This rule is temporarily unavailable. To monitor updates to your firewall rules, use the Cloud audit logs.

Impact: Service API Disabled
API name: SERVICE_API_DISABLED
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a Google Cloud service API is disabled in a production environment.

Impact: Managed Instance Group Autoscaling Set To Maximum
API name: MIG_AUTOSCALING_SET_TO_MAX
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a managed instance group is configured for maximum autoscaling.

Discovery: Unauthorized Service Account API Call
API name: UNAUTHORIZED_SERVICE_ACCOUNT_API_CALL
Log source: Cloud Audit Logs: IAM Admin Activity audit logs
Description: Detects when a service account makes an unauthorized cross-project API call.

Defense Evasion: Anonymous Sessions Granted Cluster Admin Access
API name: ANONYMOUS_SESSIONS_GRANTED_CLUSTER_ADMIN
Log source: Cloud Audit Logs: GKE Admin Activity logs
Description: Detects the creation of a role-based access control (RBAC) ClusterRoleBinding object adding the root-cluster-admin-binding behavior to anonymous users.

Initial Access: Anonymous GKE Resource Created from the Internet (Preview)
API name: GKE_RESOURCE_CREATED_ANONYMOUSLY_FROM_INTERNET
Log source: Cloud Audit Logs: GKE Admin Activity logs
Description: Detects resource creation events from effectively anonymous internet users.

Initial Access: GKE Resource Modified Anonymously from the Internet (Preview)
API name: GKE_RESOURCE_MODIFIED_ANONYMOUSLY_FROM_INTERNET
Log source: Cloud Audit Logs: GKE Admin Activity logs
Description: Detects resource manipulation events from effectively anonymous internet users.

Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access (Preview)
API name: GKE_ANONYMOUS_USERS_GRANTED_ACCESS
Log source: Cloud Audit Logs: GKE Admin Activity logs
Description: Someone created an RBAC binding that references one of the following users or groups:
- system:anonymous
- system:unauthenticated
- system:authenticated
These users and groups are effectively anonymous and should be avoided when creating role bindings or cluster role bindings to any RBAC roles. Review the binding to ensure that it is necessary. If the binding isn't necessary, remove it.
Execution: Suspicious Exec or Attach to a System Pod (Preview)
GKE_SUSPICIOUS_EXEC_ATTACH
Cloud Audit Logs:
GKE Admin Activity logs
Someone used the exec
or attach
commands to get a shell or execute a command on a container running in the kube-system
namespace. These methods are sometimes used for legitimate debugging purposes. However, thekube-system
namespace is intended for system objects created by Kubernetes, and unexpected command execution or shell creation should be reviewed.
Privilege Escalation: Workload Created with a Sensitive Host Path Mount (Preview)
GKE_SENSITIVE_HOSTPATH
Cloud Audit Logs:
GKE Admin Activity logs
Someone created a workload that contains a hostPath volume mount to a sensitive path on the host node's file system. Access to these paths on the host filesystem can be used to access privileged or sensitive information on the node and for container escapes. If possible, don't allow any hostPath volumes in your cluster.
Privilege Escalation: Workload with shareProcessNamespace enabled (Preview)
GKE_SHAREPROCESSNAMESPACE_POD
Cloud Audit Logs:
GKE Admin Activity logs
Someone deployed a workload with the shareProcessNamespace option set to true, allowing all containers to share the same Linux process namespace. This could allow an untrusted or compromised container to escalate privileges by accessing and controlling environment variables, memory, and other sensitive data from processes running in other containers.
Privilege Escalation: ClusterRole with Privileged Verbs (Preview)
GKE_CLUSTERROLE_PRIVILEGED_VERBS
Cloud Audit Logs:
GKE Admin Activity logs
Someone created an RBAC ClusterRole that contains the bind, escalate, or impersonate verbs. A subject that's bound to a role with these verbs can impersonate other users with higher privileges, bind to additional Roles or ClusterRoles that contain additional permissions, or modify their own ClusterRole permissions. This might lead to those subjects gaining cluster-admin privileges.
Privilege Escalation: ClusterRoleBinding to Privileged Role (Preview)
GKE_CRB_CLUSTERROLE_AGGREGATION_CONTROLLER
Cloud Audit Logs:
GKE Admin Activity logs
Someone created an RBAC ClusterRoleBinding that references the default system:controller:clusterrole-aggregation-controller ClusterRole. This default ClusterRole has the escalate verb, which allows subjects to modify the privileges of their own roles, allowing for privilege escalation.
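The three RBAC findings above (effectively anonymous subjects in bindings, privileged verbs in a ClusterRole, and a binding to the aggregation-controller ClusterRole) can be checked offline against exported manifests. This is an added example, not Google's detector code; it assumes objects in the JSON shape kubectl returns, and treating a verb wildcard "*" as granting the privileged verbs is an assumption made here.

```python
# Added example (not Google's detector code): audit RBAC objects, given as the
# dicts `kubectl get ... -o json` returns, for the three patterns described above.
# Assumption added here: a verb wildcard "*" is treated as granting the verbs too.

ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
PRIVILEGED_VERBS = {"bind", "escalate", "impersonate"}
AGGREGATION_ROLE = "system:controller:clusterrole-aggregation-controller"


def audit_rbac(objects):
    """Return (finding_type, object_name, detail) tuples for risky RBAC objects."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        if kind == "ClusterRole":
            for rule in obj.get("rules", []):
                verbs = set(rule.get("verbs", []))
                hit = PRIVILEGED_VERBS if "*" in verbs else verbs & PRIVILEGED_VERBS
                if hit:
                    findings.append(("GKE_CLUSTERROLE_PRIVILEGED_VERBS", name, sorted(hit)))
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            # Effectively anonymous subjects: any binding to them should be reviewed.
            for subject in obj.get("subjects", []):
                if subject.get("name") in ANONYMOUS_SUBJECTS:
                    findings.append(("GKE_ANONYMOUS_USERS_GRANTED_ACCESS", name, subject["name"]))
            # The default aggregation-controller ClusterRole carries the escalate verb.
            ref = obj.get("roleRef", {})
            if kind == "ClusterRoleBinding" and ref.get("kind") == "ClusterRole" \
                    and ref.get("name") == AGGREGATION_ROLE:
                findings.append(("GKE_CRB_CLUSTERROLE_AGGREGATION_CONTROLLER", name, AGGREGATION_ROLE))
    return findings


# Constructed sample objects, not taken from any real cluster.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "helper"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["get", "escalate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "public-view"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-agg"},
     "subjects": [{"kind": "ServiceAccount", "name": "dev", "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": AGGREGATION_ROLE}},
]

if __name__ == "__main__":
    for finding in audit_rbac(SAMPLE_OBJECTS):
        print(*finding)
```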
Defense Evasion: Manually Deleted Certificate Signing Request (CSR) (Preview)
GKE_MANUALLY_DELETED_CSR
Cloud Audit Logs:
GKE Admin Activity logs
Someone manually deleted a certificate signing request (CSR). CSRs are automatically removed by a garbage collection controller, but malicious actors might manually delete them to evade detection. If the deleted CSR was for an approved and issued certificate, the potentially malicious actor now has an additional authentication method to access the cluster. The permissions associated with the certificate vary depending on which subject they included, but can be highly privileged. Kubernetes does not support certificate revocation.
Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR) (Preview)
GKE_APPROVE_CSR_FORBIDDEN
Cloud Audit Logs:
GKE Admin Activity logs
Someone attempted to manually approve a certificate signing request (CSR) but the action failed. Creating a certificate for cluster authentication is a common method for attackers to create persistent access to a compromised cluster. The permissions associated with the certificate vary depending on which subject they included, but can be highly privileged.
Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR) (Preview)
GKE_CSR_APPROVED
Cloud Audit Logs:
GKE Admin Activity logs
Someone manually approved a certificate signing request (CSR). Creating a certificate for cluster authentication is a common method for attackers to create persistent access to a compromised cluster. The permissions associated with the certificate vary depending on which subject they included, but can be highly privileged.
Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments (Preview)
GKE_REVERSE_SHELL_POD
Cloud Audit Logs:
GKE Admin Activity logs
Someone created a Pod that contains commands or arguments commonly associated with a reverse shell. Attackers use reverse shells to expand or maintain their initial access to a cluster and to execute arbitrary commands.
Defense Evasion: Potential Kubernetes Pod Masquerading (Preview)
GKE_POD_MASQUERADING
Cloud Audit Logs:
GKE Admin Activity logs
Someone deployed a Pod with a naming convention similar to the default workloads that GKE creates for regular cluster operation. This technique is called masquerading.
Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape (Preview)
GKE_SUSPICIOUS_EXPLOIT_POD
Cloud Audit Logs:
GKE Admin Activity logs
Someone deployed a Pod with a naming convention similar to common tools used for container escapes or to execute other attacks on the cluster.
Impact: Suspicious Kubernetes Container Names - Coin Mining (Preview)
GKE_SUSPICIOUS_CRYPTOMINING_POD
Cloud Audit Logs:
GKE Admin Activity logs
Someone deployed a Pod with a naming convention similar to common cryptocurrency coin miners. This may be an attempt by an attacker who has achieved initial access to the cluster to use the cluster's resources for cryptocurrency mining.
Execution: Workload triggered in sensitive namespace (Preview)
GKE_SENSITIVE_NAMESPACE_WORKLOAD_TRIGGERED
Cloud Audit Logs:
GKE Admin Activity logs
Someone deployed a workload (for example, a Pod or Deployment) in the kube-system or kube-public namespaces. These namespaces are critical for GKE cluster operations, and unauthorized workloads could compromise cluster stability or security.
Execution: GKE launch excessively capable container (Preview)
GKE_EXCESSIVELY_CAPABLE_CONTAINER_CREATED
Cloud Audit Logs:
GKE Admin Activity logs
Someone created a container with one or more of the following capabilities in a cluster with an elevated security context:
CAP_SYS_MODULE
CAP_SYS_RAWIO
CAP_SYS_PTRACE
CAP_SYS_BOOT
CAP_DAC_READ_SEARCH
CAP_NET_ADMIN
CAP_BPF
These capabilities can be used to escape from containers. Use caution when provisioning these capabilities.
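An added example (not Google's detector code) that inspects a Pod manifest for the settings flagged in the hostPath, shareProcessNamespace, sensitive-namespace and capability findings above, so a manifest can be screened before it reaches the cluster. The set of sensitive hostPath prefixes is an assumption made here, since the page does not enumerate them; the capability list is the one given above.

```python
# Added example (not Google's detector code): inspect a Pod manifest for the
# settings flagged above. The capability list is the page's; the sensitive
# hostPath prefixes are an assumption made here, the page does not list them.

SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/var/run", "/var/lib/kubelet", "/root")
EXCESSIVE_CAPABILITIES = {"SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "SYS_BOOT",
                          "DAC_READ_SEARCH", "NET_ADMIN", "BPF"}
SENSITIVE_NAMESPACES = {"kube-system", "kube-public"}


def is_sensitive_host_path(path):
    """True if path equals a sensitive prefix or lies beneath it ("/" only matches itself)."""
    norm = path.rstrip("/") or "/"
    return any(norm == p or norm.startswith(p + "/")
               for p in (q.rstrip("/") or "/" for q in SENSITIVE_HOST_PATHS))


def audit_pod(pod):
    """Return (finding_type, name, detail) tuples, in the order the checks run."""
    findings = []
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    name = meta.get("name", "<unnamed>")
    if meta.get("namespace") in SENSITIVE_NAMESPACES:
        findings.append(("GKE_SENSITIVE_NAMESPACE_WORKLOAD_TRIGGERED", name, meta["namespace"]))
    if spec.get("shareProcessNamespace") is True:
        findings.append(("GKE_SHAREPROCESSNAMESPACE_POD", name, "shareProcessNamespace=true"))
    for volume in spec.get("volumes", []):
        host_path = (volume.get("hostPath") or {}).get("path")
        if host_path and is_sensitive_host_path(host_path):
            findings.append(("GKE_SENSITIVE_HOSTPATH", name, host_path))
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        added = (container.get("securityContext") or {}).get("capabilities", {}).get("add", [])
        # normalise so an optional CAP_ prefix or lower case still matches the list
        hit = {c.upper().removeprefix("CAP_") for c in added} & EXCESSIVE_CAPABILITIES
        if hit:
            findings.append(("GKE_EXCESSIVELY_CAPABLE_CONTAINER_CREATED", container.get("name"), sorted(hit)))
    return findings


# Constructed sample manifest, not taken from any real cluster.
SAMPLE_POD = {
    "kind": "Pod", "metadata": {"name": "debug-tool", "namespace": "kube-system"},
    "spec": {
        "shareProcessNamespace": True,
        "volumes": [{"name": "kubelet", "hostPath": {"path": "/var/lib/kubelet/pods"}},
                    {"name": "applogs", "hostPath": {"path": "/var/log/app"}}],
        "containers": [{"name": "main", "image": "example.invalid/tool:1",
                        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "CHOWN"]}}}],
    },
}
```

Calling audit_pod(SAMPLE_POD) reports all four findings for the constructed Pod; the /var/log/app mount is not flagged because it lies under none of the assumed prefixes.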
Persistence: GKE Webhook Configuration Detected (Preview)
GKE_WEBHOOK_CONFIG_CREATED
Cloud Audit Logs:
GKE Admin Activity logs
A webhook configuration has been detected in your GKE cluster. Webhooks can intercept and modify Kubernetes API requests, potentially allowing attackers to persist within your cluster or manipulate resources.
Defensive Evasion: Static Pod Created (Preview)
GKE_STATIC_POD_CREATED
Cloud Audit Logs:
GKE Admin Activity logs
Someone created a static Pod in your GKE cluster. Static Pods run directly on the node and bypass the Kubernetes API server, which makes them more difficult to monitor and control. Attackers can use static Pods to evade detection or maintain persistence.
Initial Access: Successful API call made from a TOR proxy IP (Preview)
GKE_TOR_PROXY_IP_REQUEST
Cloud Audit Logs:
GKE Admin Activity logs
A successful API call was made to your GKE cluster from an IP address associated with the Tor network. Tor provides anonymity, which attackers often exploit to hide their identity.
Initial Access: GKE NodePort service created (Preview)
GKE_NODEPORT_SERVICE_CREATED
Cloud Audit Logs:
GKE Admin Activity logs
Someone created a NodePort service. NodePort services expose Pods directly on a node's IP address and static port, which makes the Pods accessible from outside the cluster. This can introduce a significant security risk because it could allow an attacker to exploit vulnerabilities in the exposed service to gain access to the cluster or sensitive data.
Impact: GKE kube-dns modification detected (Preview)
GKE_KUBE_DNS_MODIFICATION
Cloud Audit Logs:
GKE Admin Activity logs
Someone modified the kube-dns configuration in your GKE cluster. GKE kube-dns is a critical component of your cluster's networking, and its misconfiguration could lead to a security breach.