This document offers informal guidance on how you can respond to findings of suspicious activities in your Cloud Run resources. The recommended steps might not be appropriate for all findings and might impact your operations. Before you take any action, you should investigate the findings; assess the information that you gather; and decide how to respond.
Before you begin
- Review the finding. Note the affected container and the detected binaries, processes, or libraries.
- To learn more about the finding that you're investigating, search for the finding in the Threat findings index.
General recommendations
- Contact the owner of the affected resource.
- View the logs for the potentially compromised Cloud Run service, job, or worker pool.
- For forensic analysis, collect and back up the logs from the affected Cloud Run resource.
- For further investigation, consider using incident response services like Mandiant.
Consider deleting any of the following affected Cloud Run resources:
- Delete the affected service.
- Roll back to a previous service revision, or deploy a new, more secure revision, and then delete the affected revision.
- Delete the affected job.
- Delete the affected worker pool.
- Roll back to a previous worker pool revision, or deploy a new, more secure revision, and then delete the affected revision.
Malicious script or Python code executed
If the script or Python code was making intended changes to the container, deploy a revision to the service that has all the intended changes. Don't rely on a script to make changes after the container is deployed.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.