Discovery: Agent Engine Unauthorized Service Account API Call

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

An agent identity made an unauthorized cross-project API call. Findings are classified as Low severity by default.

Event Threat Detection is the source of this finding.

How to respond

To respond to this finding, do the following:

Review finding details

1. Open the Discovery: Agent Engine Unauthorized Service Account API Call finding as directed in Reviewing findings. Review the details in the Summary and JSON tabs.

   • What was detected, especially the following fields:
     • Principal email: the account that performed the modification.
     • Method name: the method that was called.
   • Affected resource, especially the following field:
     • Resource display name: the resource that the service account attempted to access or modify.
   • Related links:
     • Cloud Logging URI: link to Logging entries.
     • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.

2. Identify other findings that occurred at a similar time for this resource. Related findings might indicate that this activity was malicious, instead of a failure to follow best practices.

3. Review the settings of the affected resource.

4. Check the logs for the affected resource.

   1. On the Summary tab of the finding details in the Google Cloud console, go to Logs Explorer by clicking the link in the Cloud Logging URI field.
   2. Review the protoPayload.methodName and protoPayload.resourceName fields to understand the API call and the resource it targeted.

   3. Check for other actions taken by the principal by using the following filters:

      • protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"
      • protoPayload.methodName="METHOD_NAME"
      • protoPayload.resourceName="RESOURCE_NAME"

      Replace the following:

      • PRINCIPAL_EMAIL: the value that you noted in the Principal email field in the finding details.
      • METHOD_NAME: the value from the Method name field in the finding details.
      • RESOURCE_NAME: the value from the Resource full name field in the finding details.

Research attack and response methods

Review the MITRE ATT&CK framework entry for this finding type: Cloud Infrastructure Discovery.

Implement your response

For response recommendations, see Respond to AI threat findings.

What's next

• Learn how to work with threat findings in Security Command Center.
• Refer to the Threat findings index.
• Learn how to review a finding through the Google Cloud console.
• Learn about the services that generate threat findings.