Eksekusi: Image Docker Cryptomining

Dokumen ini menjelaskan jenis temuan ancaman di Security Command Center. Temuan ancaman dihasilkan oleh detektor ancaman saat mendeteksi potensi ancaman di resource cloud Anda. Untuk daftar lengkap temuan ancaman yang tersedia, lihat Indeks temuan ancaman.

Ringkasan

Layanan atau tugas Cloud Run dibuat atau direvisi dengan image Docker yang diketahui berbahaya karena dapat melakukan penambangan kripto (cryptomining).

Event Threat Detection adalah sumber temuan ini.

Cara merespons

Rencana respons berikut mungkin sesuai untuk temuan ini, tetapi juga dapat memengaruhi operasi. Evaluasi dengan cermat informasi yang Anda kumpulkan dalam penyelidikan untuk menentukan cara terbaik dalam menyelesaikan temuan.

Untuk merespons temuan ini, lakukan hal berikut:

  1. Periksa image container yang dirujuk oleh temuan (kolom `containers[].imageId` pada JSON temuan) untuk menentukan apakah penggunaan image tersebut memang diharapkan.
  2. Hapus container yang telah disusupi dan ganti dengan container baru.

Contoh JSON temuan

Berikut adalah contoh JSON temuan.

{
      "finding": {
        "access": {
          "callerIpGeo": {},
          "serviceName": "run.googleapis.com",
          "methodName": "/Services.DeleteService"
        },
        "application": {},
        "attackExposure": {},
        "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
        "category": "Execution: Cryptomining Docker Image",
        "chokepoint": {},
        "cloudDlpDataProfile": {},
        "cloudDlpInspection": {},
        "contacts": {
          "security": {
            "contacts": [
              {
                "email": "EMAIL_ADDRESS"
              }
            ]
          }
        },
        "containers": [
          {
            "imageId": "CONTAINER_IMAGE_ID",
            "createTime": "1970-01-01T00:00:00Z"
          }
        ],
        "createTime": "2025-05-06T01:06:10.340Z",
        "database": {},
        "dataProtectionKeyGovernance": {},
        "eventTime": "2025-05-06T01:06:09.037Z",
        "exfiltration": {},
        "findingClass": "THREAT",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
        "indicator": {},
        "kernelRootkit": {},
        "kubernetes": {},
        "logEntries": [
          {
            "cloudLoggingEntry": {
              "insertId": "INSERT_ID",
              "logId": "cloudaudit.googleapis.com/system_event",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": "2025-05-06T01:05:31.417999Z"
            }
          }
        ],
        "mitreAttack": {
          "primaryTactic": "EXECUTION",
          "primaryTechniques": [
            "DEPLOY_CONTAINER"
          ]
        },
        "mute": "UNDEFINED",
        "muteInfo": {
          "staticMute": {
            "state": "UNDEFINED",
            "applyTime": "1970-01-01T00:00:00Z"
          }
        },
        "muteUpdateTime": "1970-01-01T00:00:00Z",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
        "parentDisplayName": "Event Threat Detection",
        "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "securityPosture": {},
        "severity": "HIGH",
        "state": "ACTIVE",
        "vulnerability": {},
        "externalSystems": {}
      },
      "resource": {
        "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "displayName": "PROJECT_ID",
        "type": "google.cloud.resourcemanager.Project",
        "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
        "service": "cloudresourcemanager.googleapis.com",
        "gcpMetadata": {
          "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
          "projectDisplayName": "PROJECT_ID",
          "parent": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "parentDisplayName": "FOLDER_NAME",
          "folders": [
            {
              "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
              "resourceFolderDisplayName": "FOLDER_NAME"
            }
          ],
          "organization": "organizations/ORGANIZATION_ID"
        },
        "resourcePath": {
          "nodes": [
            {
              "nodeType": "GCP_PROJECT",
              "id": "projects/PROJECT_NUMBER",
              "displayName": "PROJECT_ID"
            },
            {
              "nodeType": "GCP_FOLDER",
              "id": "folders/FOLDER_NUMBER",
              "displayName": "FOLDER_NAME"
            },
            {
              "nodeType": "GCP_ORGANIZATION",
              "id": "organizations/ORGANIZATION_ID"
            }
          ]
        },
        "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
      },
      "sourceProperties": {
        "sourceId": {
          "projectNumber": "PROJECT_NUMBER",
          "customerOrganizationNumber": "ORGANIZATION_ID"
        },
        "detectionCategory": {
          "ruleName": "cloud_run_cryptomining_docker_images"
        },
        "detectionPriority": "HIGH",
        "affectedResources": [
          {
            "gcpResourceName": "//run.googleapis.com/namespaces/PROJECT_ID/services/SERVICE_NAME"
          },
          {
            "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
          }
        ],
        "evidence": [
          {
            "sourceLogId": {
              "projectId": "PROJECT_ID",
              "resourceContainer": "projects/PROJECT_ID",
              "timestamp": {
                "seconds": "1746493531",
                "nanos": 417999000
              },
              "insertId": "INSERT_ID",
              "logId": "cloudaudit.googleapis.com/system_event"
            }
          }
        ],
        "properties": {},
        "findingId": "FINDING_ID",
        "contextUris": {
          "mitreUri": {
            "displayName": "MITRE Link",
            "url": "https://attack.mitre.org/techniques/T1610/"
          },
          "cloudLoggingQueryUri": [
            {
              "displayName": "Cloud Logging Query Link",
              "url": "LINK_TO_LOG_QUERY"
            }
          ],
          "relatedFindingUri": {}
        }
      }
    }

Langkah berikutnya