本文說明 Security Command Center 中的威脅發現項目類型。威脅偵測工具在雲端資源中偵測到潛在威脅時,就會產生威脅發現項目。如需可用威脅發現項目的完整清單,請參閱威脅發現項目索引。
總覽
系統在組織、資料夾或專案中,偵測到潛在惡意行為人的異常管理活動。異常活動可能是下列任一情況:
- 主體在機構、資料夾或專案中進行新活動
- 主體在機構、資料夾或專案中一段時間未執行的活動
Event Threat Detection 是這項發現項目的來源。
回應方式
如要回應這項發現項目,請按照下列步驟操作:
步驟 1:查看調查結果詳細資料
- 按照「查看發現項目」一文的說明,開啟
Persistence: New API Method發現項目。 在「Summary」(摘要) 分頁的調查結果詳細資料中,請注意下列欄位的值:
- 在「偵測到的內容」下方:
- 主體電子郵件地址:發出呼叫的帳戶
- 服務名稱:動作中使用的 Google Cloud 服務 API 名稱
- 方法名稱:呼叫的方法
- 在「受影響的資源」下方:
- 資源顯示名稱:受影響資源的名稱,可能與機構、資料夾或專案的名稱相同
- 資源路徑:活動發生的資源階層位置
- 在「偵測到的內容」下方:
步驟 2:研究攻擊和應變方法
- 查看這類發現項目 (「持續性」) 的 MITRE ATT&CK 框架項目。
- 調查該項操作是否經過機構、資料夾或專案授權,以及是否由帳戶的合法擁有者執行。組織、資料夾或專案會顯示在「資源路徑」列,帳戶則會顯示在「主體電子郵件」列。
- 如要制定回應計畫,請將調查結果與 MITRE 研究結合。
發現項目 JSON 範例
以下是發現項目 JSON 的範例。
{ "findings": { "access": { "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerIpGeo": { "regionCode": "US" }, "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME", "principalSubject": "PRINCIPAL_SUBJECT", "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME" }, "assetDisplayName": "ASSET_DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: New API Method", "contacts": { "security": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] }, "technical": { "contacts": [ { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" }, { "email": "EMAIL_ADDRESS" } ] } }, "createTime": "2023-01-12T10:35:47.381Z", "database": {}, "eventTime": "2023-01-12T10:35:47.270Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "LOW", "sourceDisplayName": "Event Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "RESOURCE_NAME", "display_name": "RESOURCE_DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "parent_display_name": "FOLDER_NAME", "type": "RESOURCE_TYPE", "folders": [ { "resourceFolderDisplayName": "FOLDER_NAME", "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER" } ] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "anomalous_behavior", "subRuleName": "new_api_method" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "1673519681", "nanos": 728289000 }, "insertId": "INSERT_ID" } } ], "properties": { "newApiMethod": { "newApiMethod": { "serviceName": "SERVICE_NAME", "methodName": "METHOD_NAME" }, "principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS", "callerUserAgent": "CALLER_USER_AGENT", "resourceContainer": "projects/PROJECT_NUMBER" } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0003/" } } } }
後續步驟
- 瞭解如何在 Security Command Center 中處理威脅調查結果。
- 請參閱威脅發現項目索引。
- 瞭解如何透過 Google Cloud 控制台查看發現項目。
- 瞭解產生威脅發現項目的服務。