This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
An agent identity used the
serviceAccounts.signJwt method to generate an access token for
another service account. Findings are classified as Low
severity by default.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Review finding details
Open the
Privilege Escalation: Agent Engine Suspicious Token Generationfinding as directed in Reviewing findings. Review the details in the Summary and JSON tabs.- What was detected, especially the following fields:
- Principal email: the account that called
signJwt. - Method name: the method that was called (
iam.serviceAccounts.signJwt).
- Principal email: the account that called
- Affected resource, especially the following field:
- Resource display name: the resource that the service account attempted to access or modify.
- Related links:
- Cloud Logging URI: link to Logging entries.
- MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
- What was detected, especially the following fields:
Identify other findings that occurred at a similar time for this resource. Related findings might indicate that this activity was malicious, instead of a failure to follow best practices.
Review the settings of the affected resource.
Check the logs for the affected resource.
- On the Summary tab of the finding details in the Google Cloud console, go to Logs Explorer by clicking the link in the Cloud Logging URI field.
Check for other actions taken by the principal by using the following filters:
protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"
Replace
PRINCIPAL_EMAILwith the value that you noted in the Principal email field in the finding details.
Research attack and response methods
Review the MITRE ATT&CK framework entry for this finding type: Steal Application Access Token.
Implement your response
For response recommendations, see Respond to AI threat findings.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.