This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Anomalous access from an anonymous proxy is detected by examining Cloud Audit Logs for Google Cloud service modifications that originated from an IP address associated with the Tor network.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
- Open an Evasion: Access from Anonymizing Proxy finding, as directed in Reviewing findings. The panel for the finding details opens, displaying the Summary tab.
- On the Summary tab of the finding details panel, review the listed values in the following sections:
  - What was detected, especially the following fields:
    - Principal email: the account that made the changes (a potentially compromised account).
    - IP: the proxy IP address that the changes were made from.
  - Affected resource
  - Related links, especially the following fields:
    - Cloud Logging URI: link to Logging entries.
    - MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
    - Related findings: links to any related findings.
- Optionally, click the JSON tab to view additional finding fields.
Step 2: Research attack and response methods
- Review the MITRE ATT&CK framework entry for this finding type: Proxy: Multi-hop Proxy.
- Contact the owner of the account in the principalEmail field. Confirm whether the action was conducted by the legitimate owner.
- To develop a response plan, combine your investigation results with MITRE research.
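The following Python example is added here and is not part of Google's documentation or tooling. It supports the investigation steps above: given the finding's Principal email and IP values, it pivots over Cloud Audit Logs entries exported as JSON lines to list what that principal changed from the proxy IP, which other IPs the principal used, and which other principals used the same IP. The function names, accounts, addresses and log lines are constructed for illustration; the field paths assume the standard audit log layout (protoPayload.authenticationInfo.principalEmail and protoPayload.requestMetadata.callerIp).

```python
import json

# Constructed sample of Cloud Audit Logs entries exported as JSON lines.
# Accounts and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = r"""
{"timestamp":"2024-01-01T10:05:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2024-01-01T10:00:00Z","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2024-01-01T09:00:00Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.firewalls.insert","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.20"}}}
{"timestamp":"2024-01-01T10:10:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"bob@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2024-01-01T10:11:00Z","protoPayload":{"serviceNa
"""


def load(text):
    """Parse JSON lines, skipping blank or truncated lines."""
    entries = []
    for line in text.splitlines():
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def pivot(entries, principal, proxy_ip):
    """Group audit entries around the finding's principal and proxy IP."""
    out = {"from_proxy": [], "other_ips": set(), "other_principals": set()}
    for e in entries:
        p = e.get("protoPayload", {})
        who = p.get("authenticationInfo", {}).get("principalEmail")
        ip = p.get("requestMetadata", {}).get("callerIp")
        if who == principal and ip == proxy_ip:
            # Changes to review with the account owner.
            out["from_proxy"].append(
                (e.get("timestamp"), p.get("serviceName"), p.get("methodName")))
        elif who == principal and ip:
            out["other_ips"].add(ip)          # baseline for this account
        elif ip == proxy_ip and who:
            out["other_principals"].add(who)  # accounts to check next
    out["from_proxy"].sort()                  # ISO timestamps sort in time order
    return out


if __name__ == "__main__":
    result = pivot(load(SAMPLE_LOG), "alice@example.com", "203.0.113.7")
    for ts, service, method in result["from_proxy"]:
        print(ts, service, method)
    print("other IPs:", result["other_ips"], "other principals:", result["other_principals"])
```

The timeline of calls from the proxy IP gives the account owner concrete actions to confirm or deny, and any other principals seen on that IP widen the scope of the review.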
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.