本文說明 Security Command Center 中的威脅發現項目類型。威脅偵測工具在雲端資源中偵測到潛在威脅時,就會產生威脅發現項目。如需可用威脅發現項目的完整清單,請參閱「威脅發現項目索引」。
總覽
Event Threat Detection 會檢查稽核記錄,偵測是否刪除執行受備份和災難復原服務保護應用程式的主機。刪除主機後,與主機相關聯的應用程式就無法備份。
Event Threat Detection 是這項發現項目的來源。
回應方式
如要回應這項發現項目,請按照下列步驟操作:
步驟 1:查看調查結果詳細資料
- 如「查看發現項目」一文所述,開啟發現項目。
Impact: Deleted Google Cloud Backup and DR host系統會開啟發現項目的詳細資料面板,並顯示「摘要」分頁。 - 在「摘要」分頁中,查看下列各節的資訊:
- 偵測到的內容,尤其是下列欄位:
- 應用程式名稱:連線至 Backup and DR 的資料庫或 VM 名稱
- 主機名稱:連線至備份和災難復原的主機名稱
- 主要主體:成功執行動作的使用者
- 受影響的資源
- 資源顯示名稱:刪除主機的專案
- 相關連結,尤其是下列欄位:
- MITRE ATTACK 方法:連結至 MITRE ATT&CK 文件
- 記錄 URI:開啟 Logs Explorer 的連結
- 偵測到的內容,尤其是下列欄位:
步驟 2:研究攻擊和應變方法
與「主體電子郵件地址」欄位中的服務帳戶擁有者聯絡。 確認正當擁有者是否執行了這項操作。
步驟 3:實作回應
下列應變計畫可能適用於這項發現,但也可能影響作業。 請仔細評估調查期間收集到的資訊,找出解決問題的最佳方式。
- 在執行動作的專案中,前往管理控制台。
- 確認已刪除的主機不再顯示於備份和災難復原主機清單中。
- 選取「新增主機」選項,重新新增已刪除的主機。
發現項目 JSON 範例
以下是發現項目 JSON 的範例。
{ "finding": { "access": { "principalEmail": "USER_EMAIL", "callerIp": "CALLER_IP", "callerIpGeo": { "regionCode": "REGION_CODE" }, "serviceName": "backupdr.googleapis.com", "methodName": "deleteHost", "principalSubject": "user:USER_EMAIL" }, "attackExposure": {}, "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ], "backupCreateTime": "EVENT_TIMESTAMP" }, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID", "category": "Impact: Deleted Google Cloud Backup and DR host", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "createTime": "EVENT_TIMESTAMP", "database": {}, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "eventTime": "EVENT_TIMESTAMP", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Event Threat Detection", "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "display_name": "PROJECT_ID", "type": "google.cloud.resourcemanager.Project", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "FOLDER_NAME", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "backup_hosts_delete_host" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_ID", "timestamp": { "seconds": "0", "nanos": 0.0 }, "insertId": "INSERT_ID" } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1490/" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "LINK_TO_LOG_QUERY" } ], "relatedFindingUri": {} }, "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.", "backupDisasterRecovery": { "host": "HOST_NAME", "applications": [ "HOST_NAME" ] } } }
後續步驟
- 瞭解如何在 Security Command Center 中處理威脅調查結果。
- 請參閱威脅發現項目索引。
- 瞭解如何透過 Google Cloud 控制台查看發現項目。
- 瞭解產生威脅發現項目的服務。