Security Command Center performs agentless and log-based monitoring of Compute Engine resources. For recommended responses to these threats, see Respond to Compute Engine threat findings.
Agentless monitoring finding types
The following agentless monitoring detections are available with Virtual Machine Threat Detection:
- Defense Evasion: Rootkit
- Defense Evasion: Unexpected ftrace handler
- Defense Evasion: Unexpected interrupt handler
- Defense Evasion: Unexpected kernel modules
- Defense Evasion: Unexpected kernel read-only data modification
- Defense Evasion: Unexpected kprobe handler
- Defense Evasion: Unexpected processes in runqueue
- Defense Evasion: Unexpected system call handler
- Execution: cryptocurrency mining combined detection
- Execution: Cryptocurrency Mining Hash Match
- Execution: Cryptocurrency Mining YARA Rule
- Malware: Malicious file on disk
- Malware: Malicious file on disk (YARA)
Log-based finding types
The following log-based detections are available with Event Threat Detection:
- Brute force SSH
- Impact: Managed Instance Group Autoscaling Set To Maximum
- Lateral Movement: Modified Boot Disk Attached to Instance
- Lateral Movement: OS Patch Execution From Service Account
- Persistence: GCE Admin Added SSH Key
- Persistence: GCE Admin Added Startup Script
- Persistence: Global Startup Script Added
- Privilege Escalation: Global Shutdown Script Added
The following log-based detections are available with Sensitive Actions Service:
What's next
- Learn about Virtual Machine Threat Detection.
- Learn about Event Threat Detection.
- Learn about Sensitive Actions Service.
- Learn how to respond to Compute Engine threats.
- Refer to the Threat findings index.