Using Event Threat Detection

This page explains how to review Event Threat Detection findings in the Google Cloud console and shows examples of Event Threat Detection findings.

Event Threat Detection is a built-in service that monitors your organization's or project's Cloud Logging stream and detects threats in near real time. If you activate Security Command Center at the organization level, Event Threat Detection can also monitor your organization's Google Workspace logging stream. For more information, see the Event Threat Detection overview.

Reviewing findings

To view Event Threat Detection findings, the service must be enabled in the Security Command Center Services settings. When Event Threat Detection is enabled, it scans specific logs and generates findings. Some of the logs that Event Threat Detection can scan are disabled by default, so you might need to enable them.

For more information about the built-in detection rules that Event Threat Detection uses and the logs that it scans, see the following topics.

You can view Event Threat Detection findings in Security Command Center. If you configured continuous exports to write logs, you can also view findings in Cloud Logging. Continuous exports to Cloud Logging are available only if you activated Security Command Center at the organization level. To generate findings and verify your configuration, you can intentionally trigger a detector and test Event Threat Detection.

Event Threat Detection activation takes effect within seconds. Detection latency, measured from the time a log is written to the time the finding is available in Security Command Center, is typically under 15 minutes. For more information about latency, see the Security Command Center latency overview.

Reviewing findings in Security Command Center

IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level at which you are granted access. To learn more about Security Command Center roles, see Access control.

To review findings in the Google Cloud console, follow these steps:

  1. In the Google Cloud console, go to the Security Command Center Findings page.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

  3. In the Quick filters section, in the Source display name subsection, select one or all of the following.

    The table is populated with Event Threat Detection findings.

  4. To view the details of a specific finding, click the finding name under Category. The finding details pane expands and displays information that includes the following:

    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The action that was taken, such as adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who performed the action, listed next to Principal email
  5. To display all findings caused by actions of the same user, do the following:

    1. In the finding details pane, copy the email address next to Principal email.
    2. Close the pane.
    3. In the query editor, enter the following query:

      access.principal_email="USER_EMAIL"

      Replace USER_EMAIL with the email address that you copied earlier.

      Security Command Center displays all findings associated with actions performed by the specified user.

Viewing findings in Cloud Logging

If you configured continuous exports to write logs, you can view Event Threat Detection findings in Cloud Logging. This feature is available only if you activated the Security Command Center Premium tier at the organization level.

To view Event Threat Detection findings in Cloud Logging, do the following:

  1. In the Google Cloud console, go to the Logs Explorer.

    Go to Logs Explorer

  2. Select the Google Cloud project or other Google Cloud resource in which you store Event Threat Detection logs.

  3. Use the Query pane to build a query in one of the following ways:

    • In the All resources list, do the following:
      1. Select Threat Detector to display a list of all detectors.
      2. To view findings from all detectors, select all detection_name. To view findings from a specific detector, select its name.
      3. Click Apply. The Query results table updates with the selected logs.
    • In the query editor, enter the following query and click Run query:

      resource.type="threat_detector"

      The Query results table updates with the selected logs.

  4. To view a log, select a table row, then click Expand nested fields.

You can create advanced log queries to specify a set of log entries from any number of logs.

Finding format examples

This section provides examples of the JSON output of Event Threat Detection findings. You see this output when you export findings using the Google Cloud console, or when you list findings using the Security Command Center API or the Google Cloud CLI.

The examples on this page show different types of findings. Each example includes only the fields that are most relevant to that finding type. For a complete list of the fields available in a finding, see the Security Command Center API documentation for the Finding resource.

To see an example of a finding, expand one or more of the following nodes.
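The exported finding JSON shown in the nodes below is what an analyst actually triages, and the console query access.principal_email="USER_EMAIL" from the Reviewing findings procedure is, in effect, a filter on the access.principalEmail field of each finding. The following Python script is an added example, not code from the Google Cloud documentation or from the Security Command Center client libraries. It loads a list of exported finding records (constructed here and trimmed to the fields that the examples on this page show; organization, source and finding IDs, emails and IP addresses are placeholders), converts the evidence[].sourceLogId.timestamp pair of seconds and nanos into an ISO 8601 string (the examples show nanos both as an integer such as 141571000 and as a float such as 7.22988344E8, so both forms are normalised), extracts the category, severity, rule name and MITRE link, counts failed versus successful attempts for a Brute Force: SSH finding, and groups findings by principal the way the console query does.

```python
"""Triage helper for exported Event Threat Detection findings.

Added example; not from the Google Cloud documentation or client libraries.
Each record has a "finding" object with "category", "severity", an optional
"access.principalEmail" and a "sourceProperties" object that carries
"detectionCategory", "evidence" and "contextUris". All values are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample export: three findings trimmed to the fields read below.
SAMPLE_FINDINGS_JSON = """
[
  {"finding": {
    "name": "organizations/ORG_ID/sources/SRC_ID/findings/FINDING_A",
    "category": "Brute Force: SSH",
    "severity": "HIGH",
    "sourceProperties": {
      "detectionCategory": {"ruleName": "ssh_brute_force"},
      "evidence": [{"sourceLogId": {"timestamp": {"seconds": "1639701222", "nanos": 7.22988344E8}}}],
      "properties": {"attempts": [
        {"sourceIp": "203.0.113.10", "username": "admin", "authResult": "FAIL"},
        {"sourceIp": "203.0.113.10", "username": "admin", "authResult": "FAIL"},
        {"sourceIp": "203.0.113.10", "username": "admin", "authResult": "SUCCESS"}]},
      "contextUris": {"mitreUri": {"url": "https://attack.mitre.org/techniques/T1078/003/"}}}}},
  {"finding": {
    "name": "organizations/ORG_ID/sources/SRC_ID/findings/FINDING_B",
    "category": "Defense Evasion: Modify VPC Service Control",
    "severity": "MEDIUM",
    "access": {"principalEmail": "alice@example.com"},
    "sourceProperties": {
      "detectionCategory": {"ruleName": "vpcsc_changes", "subRuleName": "reduce_perimeter_protection"},
      "evidence": [{"sourceLogId": {"timestamp": {"seconds": "1633625631", "nanos": 1.78978E8}}}],
      "contextUris": {"mitreUri": {"url": "https://attack.mitre.org/techniques/T1556/"}}}}},
  {"finding": {
    "name": "organizations/ORG_ID/sources/SRC_ID/findings/FINDING_C",
    "category": "Discovery: Can get sensitive Kubernetes object check",
    "severity": "LOW",
    "access": {"principalEmail": "alice@example.com"},
    "sourceProperties": {
      "detectionCategory": {"ruleName": "gke_control_plane", "subRuleName": "can_get_sensitive_object"},
      "evidence": [{"sourceLogId": {"timestamp": {"seconds": "1665193180", "nanos": 632000000}}}],
      "contextUris": {"mitreUri": {"url": "https://attack.mitre.org/tactics/TA0007/"}}}}}
]
"""


def _source_properties(finding: dict) -> dict:
    return finding.get("sourceProperties", {})


def evidence_time(finding: dict) -> Optional[str]:
    """Render the first evidence sourceLogId.timestamp as ISO 8601 UTC.

    "seconds" arrives as a string; "nanos" arrives as an int or a float, so
    both are coerced before the split into whole seconds and microseconds.
    """
    evidence = _source_properties(finding).get("evidence", [])
    if not evidence:
        return None
    ts = evidence[0].get("sourceLogId", {}).get("timestamp", {})
    seconds = int(ts.get("seconds", 0))
    nanos = int(round(float(ts.get("nanos", 0))))
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=nanos // 1000)
    return stamp.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def principal_of(finding: dict) -> Optional[str]:
    """The acting principal, present only when the finding carries an access block."""
    return finding.get("access", {}).get("principalEmail")


def summarize(record: dict) -> dict:
    """Pull the fields an analyst reads first out of one exported record."""
    finding = record["finding"]
    sp = _source_properties(finding)
    results = [a.get("authResult") for a in sp.get("properties", {}).get("attempts", [])]
    return {
        "name": finding.get("name"),
        "category": finding.get("category"),
        "severity": finding.get("severity"),
        "rule": sp.get("detectionCategory", {}).get("ruleName"),
        "sub_rule": sp.get("detectionCategory", {}).get("subRuleName"),
        "principal": principal_of(finding),
        "evidence_time": evidence_time(finding),
        "mitre": sp.get("contextUris", {}).get("mitreUri", {}).get("url"),
        "failed_attempts": results.count("FAIL"),
        "successful_attempts": results.count("SUCCESS"),
    }


def findings_by_principal(records: List[dict], principal_email: str) -> List[dict]:
    """Local equivalent of the console query access.principal_email="USER_EMAIL"."""
    return [r for r in records if principal_of(r["finding"]) == principal_email]


def group_by_principal(records: List[dict]) -> Dict[str, List[str]]:
    """Map each principal to the categories of the findings it triggered."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[principal_of(r["finding"]) or "(no principal)"].append(r["finding"]["category"])
    return dict(groups)


def load_records(text: str) -> List[dict]:
    """Parse an exported findings list as produced by the console export or the API/CLI."""
    return json.loads(text)


if __name__ == "__main__":
    records = load_records(SAMPLE_FINDINGS_JSON)
    for summary in map(summarize, records):
        print(json.dumps(summary, indent=2))
    print(json.dumps(group_by_principal(records), indent=2))
```

The evidence timestamp is worth normalising because the same field is rendered three ways across the examples on this page; the Cloud Logging Query Link in contextUris embeds the same instant, so the normalised value is what you paste into a Logs Explorer timestamp filter when you pivot from the finding to the source log entry.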

Active Scan: Log4j Vulnerable to RCE

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "state": "ACTIVE",
    "category": "Active Scan: Log4j Vulnerable to RCE",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_scan_success"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }, {
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1639701222",
            "nanos": 7.22988344E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "scannerDomain": "SCANNER_DOMAIN",
        "sourceIp": "SOURCE_IP_ADDRESS",
        "vpcName": "default"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1210/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-17T00:33:42.722988344Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-17T00:33:42.722Z",
    "createTime": "2021-12-17T00:33:44.633Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.compute.Instance",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
      "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
    }],
    "displayName": "INSTANCE_ID"
  }
}

Brute Force: SSH

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Brute Force: SSH",
    "sourceProperties": {
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "timestamp": {
              "nanos": 0.0,
              "seconds": "65"
            },
            "insertId": "INSERT_ID",
            "resourceContainer": "projects/PROJECT_ID"
          }
        }
      ],
      "properties": {
        "projectId": "PROJECT_ID",
        "zone": "us-west1-a",
        "instanceId": "INSTANCE_ID",
        "attempts": [
          {
            "sourceIp": "SOURCE_IP_ADDRESS",
            "username": "PROJECT_ID",
            "vmName": "INSTANCE_ID",
            "authResult": "SUCCESS"
          },
          {
            "sourceIp": "SOURCE_IP_ADDRESS",
            "username": "PROJECT_ID",
            "vmName": "INSTANCE_ID",
            "authResult": "FAIL"
          },
          {
            "sourceIp": "SOURCE_IP_ADDRESS",
            "username": "PROJECT_ID",
            "vmName": "INSTANCE_ID",
            "authResult": "FAIL"
          }
        ]
      },
      "detectionPriority": "HIGH",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/003/"
        }
      },
      "detectionCategory": {
        "technique": "brute_force",
        "indicator": "flow_log",
        "ruleName": "ssh_brute_force"
      },
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ]
    },
    "severity": "HIGH",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Cloud IDS

{
  "finding": {
    "access": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Cloud IDS: THREAT_ID",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "connections": [
      {
        "destinationIp": "IP_ADDRESS",
        "destinationPort": PORT,
        "sourceIp": "IP_ADDRESS",
        "sourcePort": PORT,
        "protocol": "PROTOCOL"
      }
    ],
    "createTime": "TIMESTAMP",
    "database": {},
    "description": "This signature detects a payload in HTTP traffic which could possibly be malicious.",
    "eventTime": "TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "ctd-engprod-project",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/PARENT_NUMBER",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "folders": [
      {
        "resource_folder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resource_folder_display_name": "FOLDER_DISPLAY_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_ids_threat_activity"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "TIMESTAMP",
            "nanos": TIMESTAMP
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_QUERY_URI"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "THREAT_DESCRIPTION"
  }
}

Defense Evasion: Breakglass Workload Deployment Created

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Created",
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "test-container",
        "uri": "test-image"
      }
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {
              "name": "image-policy.k8s.io/break-glass",
              "value": "true"
            }
          ],
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": [
        "ABUSE_ELEVATION_CONTROL_MECHANISM"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "create"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1679679521",
            "nanos": 141571000
          },
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}

Defense Evasion: Breakglass Workload Deployment Updated

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Breakglass Workload Deployment Updated",
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "test-container",
        "uri": "test-image"
      }
    ],
    "createTime": "2023-03-24T17:38:45.756Z",
    "database": {},
    "eventTime": "2023-03-24T17:38:45.709Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "NAMESPACE",
          "name": "POD_NAME",
          "labels": [
            {
              "name": "image-policy.k8s.io/break-glass",
              "value": "true"
            }
          ],
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "DEFENSE_EVASION",
      "primaryTechniques": [
        "ABUSE_ELEVATION_CONTROL_MECHANISM"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE",
    "display_name": "default",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "parent_display_name": "CLUSTER_NAME",
    "type": "k8s.io.Namespace",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1548/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    },
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "binary_authorization_breakglass_workload",
      "subRuleName": "update"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME/k8s/namespaces/NAMESPACE"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1679679521",
            "nanos": 141571000
          },
          "insertId": "INSERT_ID"
        }
      }
    ]
  }
}

Defense Evasion: Modify VPC Service Control

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
    "state": "ACTIVE",
    "category": "Defense Evasion: Modify VPC Service Control",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "modify_auth_process",
        "indicator": "audit_log",
        "ruleName": "vpcsc_changes",
        "subRuleName": "reduce_perimeter_protection"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//accesscontextmanager.googleapis.com/accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "name": "accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER",
        "policyLink": "LINK_TO_VPC_SERVICE_CONTROLS",
        "delta": {
          "restrictedResources": [{
            "resourceName": "PROJECT_NAME",
            "action": "REMOVE"
          }],
          "restrictedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "REMOVE"
          }],
          "allowedServices": [{
            "serviceName": "SERVICE_NAME",
            "action": "ADD"
          }],
          "accessLevels": [{
            "policyName": "ACCESS_LEVEL_POLICY",
            "action": "ADD"
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1556/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "accesscontextmanager.googleapis.com",
      "methodName": "google.identity.accesscontextmanager.v1.AccessContextManager.UpdateServicePerimeter"
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "type": "google.cloud.resourcemanager.Organization",
    "displayName": "RESOURCE_DISPLAY_NAME"
  }
}

Discovery: Can get sensitive Kubernetes object check

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.v1.selfsubjectaccessreviews.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "category": "Discovery: Can get sensitive Kubernetes object check",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T01:39:42.957Z",
    "database": {},
    "eventTime": "2022-10-08T01:39:40.632Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "accessReviews": [
        {
          "name": "secrets-1665218000",
          "resource": "secrets",
          "verb": "get"
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/03f466dc25a8496693b7482304fb2e7f",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "can_get_sensitive_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/authorization.k8s.io/v1/selfsubjectaccessreviews"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665193180",
            "nanos": 632000000
          },
          "insertId": "84af497e-b00e-4cf2-8715-3ae7031880cf"
        }
      }
    ],
    "properties": {},
    "findingId": "03f466dc25a8496693b7482304fb2e7f",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0007/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T01:39:40.632Z%22%0AinsertId%3D%2284af497e-b00e-4cf2-8715-3ae7031880cf%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Discovery: Service Account Self-Investigation

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1619200104",
            "nanos": 9.08E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "IP_ADDRESS",
          "callerUserAgent": "CALLER_USER_AGENT",
          "rawUserAgent": "RAW_USER_AGENT"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/T1069/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-23T17:48:24.908Z",
    "createTime": "2021-04-23T17:48:26.922Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "ORGANIZATION_NAME",
    "type": "google.cloud.resourcemanager.Project"
  }
}

삭제: 익명처리 프록시에서 액세스

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Evasion: Access from Anonymizing Proxy",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "proxy_access"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1633625631",
            "nanos": 1.78978E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "changeFromBadIp": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "ip": "SOURCE_IP_ADDRESS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1090/003/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22-INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:53:53.875Z",
    "createTime": "2021-10-07T16:53:54.411Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
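Every finding on this page carries the evidence that produced it in two places: a sourceLogId (or, in the newer layout, a cloudLoggingEntry) with the log's resource container, timestamp and insertId, and a pre-built Logs Explorer link under contextUris.cloudLoggingQueryUri. The helper below is an added example, not code from Security Command Center or from this page: it rebuilds the Logging filter from the evidence fields, decodes the query that the console link carries, and compares the two, so an analyst can pull the exact audit log entry even when the link is unusable (the link in the example above has an empty resource.labels.project_id and a leading "-" on the insertId). The sample finding is constructed from the placeholders of the example above with those two fields made consistent; the microsecond precision of the timestamp in the link and the form of the gcloud logging read command are assumptions.

```python
"""Rebuild the Cloud Logging query behind an Event Threat Detection finding.

Added example, not code from the Security Command Center documentation.
Only fields visible in this page's finding JSON are read:
  sourceProperties.evidence[].sourceLogId.{resourceContainer,timestamp,insertId}   (older layout)
  finding.logEntries[].cloudLoggingEntry.{resourceContainer,timestamp,insertId}    (newer layout)
  sourceProperties.contextUris.cloudLoggingQueryUri[].url
"""
from __future__ import annotations
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# Constructed sample: evidence fields of the "Evasion: Access from Anonymizing Proxy"
# example, with the link's project and insertId made consistent with the evidence.
SAMPLE_FINDING = {
    "finding": {
        "category": "Evasion: Access from Anonymizing Proxy",
        "sourceProperties": {
            "evidence": [{
                "sourceLogId": {
                    "resourceContainer": "projects/PROJECT_ID",
                    "timestamp": {"seconds": "1633625631", "nanos": 1.78978E8},
                    "insertId": "INSERT_ID",
                }
            }],
            "contextUris": {
                "cloudLoggingQueryUri": [{
                    "displayName": "Cloud Logging Query Link",
                    "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-10-07T16:53:51.178978Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID",
                }]
            },
        },
    }
}


def finding_of(doc: dict) -> dict:
    """The finding object; the page's exports use both "finding" and "findings" as the key."""
    return doc.get("finding") or doc["findings"]


def source_properties_of(doc: dict) -> dict:
    """sourceProperties is nested in the finding in older exports, a sibling of it in newer ones."""
    return finding_of(doc).get("sourceProperties") or doc.get("sourceProperties") or {}


def proto_timestamp_to_rfc3339(ts: dict) -> str:
    """{seconds, nanos} (seconds as a string, nanos possibly a float, as on the page)
    to the RFC 3339 form the console link uses. Microsecond precision is an assumption."""
    seconds = int(ts["seconds"])
    micros = int(round(float(ts.get("nanos", 0)))) // 1000
    base = datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{micros:06d}Z" if micros else f"{base}Z"


def evidence_queries(doc: dict) -> list[str]:
    """One Logging filter per evidence entry, built only from the evidence fields."""
    entries = []
    for ev in source_properties_of(doc).get("evidence", []):
        log = ev["sourceLogId"]
        entries.append((proto_timestamp_to_rfc3339(log["timestamp"]), log["insertId"], log["resourceContainer"]))
    if not entries:  # newer layout carries an RFC 3339 string directly
        for ent in finding_of(doc).get("logEntries", []):
            log = ent["cloudLoggingEntry"]
            entries.append((log["timestamp"], log["insertId"], log["resourceContainer"]))
    out = []
    for ts, insert_id, container in entries:
        kind, name = container.split("/", 1)
        if kind != "projects":  # the page only shows project containers
            raise ValueError(f"unsupported resource container: {container}")
        out.append("\n".join([f'timestamp="{ts}"', f'insertId="{insert_id}"',
                              f'resource.labels.project_id="{name}"']))
    return out


def query_from_link(url: str) -> str:
    """Decode the filter embedded in a Logs Explorer link (.../logs/query;query=<encoded>?project=...).
    urlsplit keeps the ';query=' part in the path, so it is not confused with the ?project= query string."""
    _, _, encoded = urlsplit(url).path.partition(";query=")
    return unquote(encoded)


def cross_check(doc: dict) -> list[tuple[str, str, bool]]:
    """(rebuilt filter, filter from the finding's link, do they agree) per evidence entry."""
    links = source_properties_of(doc).get("contextUris", {}).get("cloudLoggingQueryUri", [])
    return [(q, query_from_link(l["url"]), q == query_from_link(l["url"]))
            for q, l in zip(evidence_queries(doc), links)]


def gcloud_read_argv(query: str, project: str) -> list[str]:
    """argv to fetch the entry with gcloud (command form assumed; returned, not executed)."""
    return ["gcloud", "logging", "read", query, f"--project={project}", "--limit=1", "--format=json"]
```

Run cross_check() on the finding as exported and treat a mismatch as a signal to use the rebuilt filter rather than the link; the filter also works unchanged in the Logs Explorer query box. For organization-level activations the evidence may live in a folder or organization container, which this helper deliberately rejects rather than guessing the label name.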

Execution: Cryptomining Docker Image

{
  "finding": {
    "access": {
      "callerIpGeo": {},
      "serviceName": "run.googleapis.com",
      "methodName": "/Services.DeleteService"
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Execution: Cryptomining Docker Image",
    "chokepoint": {},
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "containers": [
      {
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "1970-01-01T00:00:00Z"
      }
    ],
    "createTime": "2025-05-06T01:06:10.340Z",
    "database": {},
    "dataProtectionKeyGovernance": {},
    "eventTime": "2025-05-06T01:06:09.037Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": "2025-05-06T01:05:31.417999Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "DEPLOY_CONTAINER"
      ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "securityPosture": {},
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "cloudresourcemanager.googleapis.com",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "parentDisplayName": "FOLDER_NAME",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_NAME"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_run_cryptomining_docker_images"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//run.googleapis.com/namespaces/PROJECT_ID/services/SERVICE_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1746493531",
            "nanos": 417999000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1610/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Exfiltration: BigQuery Data Exfiltration

This finding can carry one of the following two sub-rules:

  • exfil_to_external_table, severity HIGH
  • vpc_perimeter_violation, severity LOW

The following example shows the JSON for the exfil_to_external_table sub-rule.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Exfiltration: BigQuery Data Exfiltration",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2023-05-30T15:49:59.709Z",
    "database": {},
    "eventTime": "2023-05-30T15:49:59.432Z",
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID"
        }
      ]
    },
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": [
        "EXFILTRATION_OVER_WEB_SERVICE",
        "EXFILTRATION_TO_CLOUD_STORAGE"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
    "parent_display_name": "FOLDER_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID",
        "resourceFolderDisplayName": "FOLDER_NAME"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "org_exfiltration",
      "indicator": "audit_log",
      "ruleName": "big_query_exfil",
      "subRuleName": "exfil_to_external_table"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1685461795",
            "nanos": 341527000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "dataExfiltrationAttempt": {
        "jobState": "SUCCEEDED",
        "jobLink": "https://console.cloud.google.com/bigquery?j=bq:BIGQUERY_JOB_LOCATION:BIGQUERY_JOB_ID&project=PROJECT_ID&page=queryresults",
        "job": {
          "projectId": "PROJECT_ID",
          "jobId": "BIGQUERY_JOB_ID",
          "location": "BIGQUERY_JOB_LOCATION"
        },
        "query": "QUERY",
        "sourceTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=PROJECT_ID&d=DATASET_ID&t=TABLE_ID&page=table",
            "projectId": "PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID"
          }
        ],
        "destinationTables": [
          {
            "resourceUri": "https://console.cloud.google.com/bigquery?p=TARGET_PROJECT_ID&d=TARGET_DATASET_ID&t=TARGET_TABLE_ID&page=table",
            "projectId": "TARGET_PROJECT_ID",
            "datasetId": "TARGET_DATASET_ID",
            "tableId": "TARGET_TABLE_ID"
          }
        ],
        "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com"
      },
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1567/002/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-05-30T15:49:55.341527Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
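The BigQuery examples on this page differ in layout: the exfil_to_external_table finding above wraps the finding under "findings" with sourceProperties beside "resource", while the Data Extraction and Google Drive findings that follow nest sourceProperties inside "finding". The following added example, not code from the page or from Security Command Center, normalises both layouts into the fields an analyst triages first (sub-rule, principal, caller IP, job state, and where the data went) and decides whether the destination crossed a project boundary or left BigQuery altogether. The two sample findings are constructed from the page's placeholders; the gs:// form of the Data Extraction target (the page shows only TARGET_GCS_URI) and the escalation policy in triage_priority() are assumptions.

```python
"""Triage helper for Event Threat Detection exfiltration findings.

Added example; not code from the Security Command Center documentation.
Only fields shown in this page's finding JSON are read.
"""
from __future__ import annotations
import re

# Constructed from the "Exfiltration: BigQuery Data Exfiltration" example (sourceProperties beside "resource").
BQ_TO_EXTERNAL_TABLE = {
    "findings": {
        "access": {"principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP",
                   "serviceName": "bigquery.googleapis.com",
                   "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"},
        "category": "Exfiltration: BigQuery Data Exfiltration",
        "severity": "HIGH",
        "exfiltration": {
            "sources": [{"name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"}],
            "targets": [{"name": "//bigquery.googleapis.com/projects/TARGET_PROJECT_ID/datasets/TARGET_DATASET_ID/tables/TARGET_TABLE_ID"}],
        },
    },
    "resource": {"name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"},
    "sourceProperties": {
        "detectionCategory": {"ruleName": "big_query_exfil", "subRuleName": "exfil_to_external_table"},
        "properties": {"dataExfiltrationAttempt": {"jobState": "SUCCEEDED",
                                                   "userEmail": "e2etest@PROJECT_ID.iam.gserviceaccount.com"}},
    },
}

# Constructed from the "Exfiltration: BigQuery Data Extraction" example (sourceProperties nested in the finding).
BQ_TO_GCS = {
    "finding": {
        "category": "Exfiltration: BigQuery Data Extraction",
        "severity": "LOW",
        "sourceProperties": {
            "detectionCategory": {"ruleName": "big_query_exfil", "subRuleName": "exfil_to_cloud_storage"},
            "properties": {"principalEmail": "PRINCIPAL_EMAIL"},
        },
        "access": {"principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP",
                   "serviceName": "bigquery.googleapis.com",
                   "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"},
        "exfiltration": {
            "sources": [{"name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"}],
            "targets": [{"name": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME"}],  # assumed form of TARGET_GCS_URI
        },
    },
}

_RES = re.compile(r"^//(?P<service>[^/]+)/projects/(?P<project>[^/]+)")


def finding_of(doc: dict) -> dict:
    """The finding object, whichever top-level key the export used."""
    return doc.get("finding") or doc["findings"]


def source_properties_of(doc: dict) -> dict:
    return finding_of(doc).get("sourceProperties") or doc.get("sourceProperties") or {}


def parse_resource(name: str) -> dict:
    """Service and owning container of a resource name. //service/projects/P/... yields the
    project; gs://bucket/... yields the bucket (a bucket's project is not in the finding)."""
    m = _RES.match(name)
    if m:
        return {"service": m["service"], "project": m["project"], "bucket": None}
    if name.startswith("gs://"):
        return {"service": "storage.googleapis.com", "project": None, "bucket": name[5:].split("/", 1)[0]}
    return {"service": None, "project": None, "bucket": None}


def triage(doc: dict) -> dict:
    f = finding_of(doc)
    sp = source_properties_of(doc)
    det = sp.get("detectionCategory", {})
    props = sp.get("properties", {})
    srcs = [parse_resource(s["name"]) for s in f.get("exfiltration", {}).get("sources", [])]
    tgts = [parse_resource(t["name"]) for t in f.get("exfiltration", {}).get("targets", [])]
    src_projects = {s["project"] for s in srcs if s["project"]}
    principal = f.get("access", {}).get("principalEmail") or props.get("principalEmail")
    job = props.get("dataExfiltrationAttempt") or props.get("extractionAttempt") or {}
    return {
        "category": f.get("category"),
        "severity": f.get("severity"),
        "rule": det.get("ruleName"),
        "sub_rule": det.get("subRuleName"),
        "principal": principal,
        "caller_ip": f.get("access", {}).get("callerIp"),
        "job_state": job.get("jobState"),
        # a BigQuery destination owned by a project that holds none of the sources
        "cross_project": any(t["project"] not in src_projects for t in tgts if t["project"]),
        # destination is not BigQuery at all (Cloud Storage, Drive, ...)
        "left_bigquery": any(t["service"] != "bigquery.googleapis.com" for t in tgts),
        "service_account": bool(principal) and principal.endswith("gserviceaccount.com"),
        "sources": srcs,
        "targets": tgts,
    }


def triage_priority(t: dict) -> str:
    """Illustrative escalation policy (an assumption; tune it to your environment):
    page on HIGH findings whose data actually moved out, review other movements, log the rest."""
    moved_out = t["cross_project"] or t["left_bigquery"]
    if moved_out and t["severity"] == "HIGH" and t["job_state"] != "FAILED":
        return "page"
    return "review" if moved_out else "log"
```

The sub-rule, not the category, is what tells you which of the two behaviours fired, and the page's own examples show the principal in two places (access.principalEmail and sourceProperties.properties.principalEmail), so read both before concluding a finding has no actor.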

Exfiltration: BigQuery Data Extraction

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data Extraction",
    "sourceProperties": {
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "detectionCategory": {
        "technique": "storage_bucket_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_cloud_storage"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration Extraction findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
              "collectionType": "GCS_BUCKET",
              "collectionName": "TARGET_GCS_BUCKET_NAME",
              "objectName": "TARGET_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:22:11.359Z",
    "createTime": "2022-03-31T21:22:12.689Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "TARGET_GCS_URI"
        }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}

Exfiltration: BigQuery Data to Google Drive

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: BigQuery Data to Google Drive",
    "sourceProperties": {
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "detectionCategory": {
        "technique": "google_drive_exfiltration",
        "indicator": "audit_log",
        "ruleName": "big_query_exfil",
        "subRuleName": "exfil_to_google_drive"
      },
      "detectionPriority": "LOW",
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related BigQuery Exfiltration to Google Drive findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      },
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "extractionAttempt": {
          "jobLink": "https://console.cloud.google.com/bigquery?j=JOB_ID&project=SOURCE_PROJECT_ID&page=queryresults",
          "job": {
            "projectId": "SOURCE_PROJECT_ID",
            "jobId": "JOB_ID",
            "location": "US"
          },
          "sourceTable": {
            "projectId": "DESTINATION_PROJECT_ID",
            "datasetId": "DATASET_ID",
            "tableId": "TABLE_ID",
            "resourceUri": "FULL_URI"
          },
          "destinations": [
            {
              "originalUri": "gdrive://TARGET_GOOGLE_DRIVE_FOLDER/TARGET_GOOGLE_DRIVE_FILE_NAME",
              "collectionType": "GDRIVE",
              "collectionName": "TARGET_GOOGLE_DRIVE_FOLDER",
              "objectName": "TARGET_GOOGLE_DRIVE_FILE_NAME"
            }
          ]
        },
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-03-31T21:20:18.408Z",
    "createTime": "2022-03-31T21:20:18.715Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "bigquery.googleapis.com",
      "methodName": "google.cloud.bigquery.v2.JobService.InsertJob"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//bigquery.googleapis.com/projects/SOURCE_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID"
        }
      ],
      "targets": [
        {
          "name": "TARGET_GOOGLE_DRIVE_URI"
        }
      ]
    }
  },
  "resource": {
    "name": "//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/datasets/DATASET_ID",
    "parentDisplayName": "PROJECT_ID:DATASET_ID",
    "type": "google.cloud.bigquery.Table",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "PROJECT_ID:DATASET_ID.TABLE_ID"
  }
}

Exfiltration: CloudSQL Data Exfiltration

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Exfiltration: CloudSQL Data Exfiltration",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "storage_bucket_exfiltration",
        "indicator": "audit_log",
        "ruleName": "cloudsql_exfil",
        "subRuleName": "export_to_public_gcs"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        },
        {
          "gcpResourceName": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME"
        },
        {
          "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "exportToGcs": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
          "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
          "bucketAccess": "PUBLICLY_ACCESSIBLE",
          "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
          "exportScope": "WHOLE_INSTANCE"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-11T16:32:59.828Z",
    "createTime": "2021-10-11T16:33:00.229Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.export"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
          "components": []
        }
      ],
      "targets": [
        {
          "name": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
          "components": [
            "TARGET_FILE_NAME"
          ]
        }
      ]
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.cloud.sql.Instance",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_NAME"
    }],
    "displayName": "INSTANCE_NAME"
  }
}
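For the export_to_public_gcs sub-rule above, the finding already states that the destination bucket was PUBLICLY_ACCESSIBLE (properties.exportToGcs.bucketAccess) and names the exported object (gcsUri) and the scope (exportScope). The first containment step is to confirm that claim against the bucket's live IAM policy and revoke any allUsers or allAuthenticatedUsers binding. The script below is an added example, not code from the page or from Google Cloud: it takes the finding and a policy document in the shape returned by gcloud storage buckets get-iam-policy gs://BUCKET --format=json, lists the public bindings, and emits the gcloud storage buckets remove-iam-policy-binding commands that would revoke them. The policy document is constructed, the policy shape and the command flags are assumptions to verify against --help, and nothing is executed.

```python
"""Containment check for "Exfiltration: CloudSQL Data Exfiltration" (sub-rule export_to_public_gcs).

Added example, not code from the Security Command Center documentation.
Reads properties.exportToGcs from the finding JSON shown on this page and compares
it with a bucket IAM policy ({"bindings": [{"role", "members"}], ...} is the assumed shape).
"""
from __future__ import annotations

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed from the page's finding: only the fields this check needs.
FINDING = {
    "finding": {
        "category": "Exfiltration: CloudSQL Data Exfiltration",
        "severity": "HIGH",
        "sourceProperties": {
            "detectionCategory": {"ruleName": "cloudsql_exfil", "subRuleName": "export_to_public_gcs"},
            "properties": {
                "exportToGcs": {
                    "principalEmail": "PRINCIPAL_EMAIL",
                    "cloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
                    "gcsUri": "gs://TARGET_GCS_BUCKET_NAME/TARGET_FILE_NAME",
                    "bucketAccess": "PUBLICLY_ACCESSIBLE",
                    "bucketResource": "//storage.googleapis.com/TARGET_GCS_BUCKET_NAME",
                    "exportScope": "WHOLE_INSTANCE",
                }
            },
        },
    }
}

# Constructed bucket policy: one public binding next to a legitimate one.
BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:dba@example.com"]},
    ],
    "etag": "ETAG",
}


def export_details(doc: dict) -> dict:
    """The exportToGcs block plus bucket and object parsed from gcsUri."""
    props = doc["finding"]["sourceProperties"]["properties"]["exportToGcs"]
    uri = props["gcsUri"]
    if not uri.startswith("gs://"):
        raise ValueError(f"unexpected gcsUri: {uri}")
    bucket, _, obj = uri[5:].partition("/")
    return {**props, "bucket": bucket, "object": obj}


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """(role, member) pairs that grant access to everyone on the internet or to any Google account."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_MEMBERS]


def revoke_commands(bucket: str, bindings: list[tuple[str, str]]) -> list[list[str]]:
    """argv per public binding to remove (assumed gcloud form; returned, not executed)."""
    return [["gcloud", "storage", "buckets", "remove-iam-policy-binding", f"gs://{bucket}",
             f"--member={member}", f"--role={role}"]
            for role, member in bindings]


def plan(doc: dict, policy: dict) -> dict:
    """Reconcile what the finding claims with the live policy and produce containment steps."""
    d = export_details(doc)
    pub = public_bindings(policy)
    says_public = d["bucketAccess"] == "PUBLICLY_ACCESSIBLE"
    return {
        "bucket": d["bucket"],
        "export_object": f"gs://{d['bucket']}/{d['object']}",
        "scope": d["exportScope"],
        "principal": d["principalEmail"],
        "finding_says_public": says_public,
        "policy_is_public": bool(pub),
        # a mismatch means the policy changed after the export; the dump may already have been fetched
        "consistent": says_public == bool(pub),
        "revoke": revoke_commands(d["bucket"], pub),
    }
```

Closing the bucket only stops further reads; whether the dump was actually fetched while it was public is a question for the bucket's Data Access audit logs, which this finding does not include, and a WHOLE_INSTANCE export means every database on the instance should be treated as exposed until those logs say otherwise.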

Exfiltration: CloudSQL Over-Privileged Grant

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Exfiltration: CloudSQL Over-Privileged Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "cloudsql_exfil",
        "subRuleName": "user_granted_all_permissions"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        },
        {
          "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "eventTime": "2022-01-19T21:36:07.901Z",
    "createTime": "2022-01-19T21:36:08.695Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE"]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY",
      "grantees": ["GRANTEE"]
    },
    "access": {
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.query"
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.cloud.sql.Instance",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_ID"
    }],
    "displayName": "INSTANCE_NAME"
  }
}

Exfiltration: CloudSQL Restore Backup to External Organization

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
    "state": "ACTIVE",
    "category": "Exfiltration: CloudSQL Restore Backup to External Organization",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "SOURCE_PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "backup_exfiltration",
        "indicator": "audit_log",
        "ruleName": "cloudsql_exfil",
        "subRuleName": "restore_to_external_instance"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER"
        },
        {
          "gcpResourceName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
        },
        {
          "gcpResourceName": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "SOURCE_PROJECT_ID",
          "resourceContainer": "projects/SOURCE_PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "restoreToExternalInstance": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "sourceCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
          "backupId": "BACKUP_ID",
          "targetCloudsqlInstanceResource": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2022-01-19T21:36:07.901Z",
    "createTime": "2022-01-19T21:36:08.695Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "projects/SOURCE_PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "EXFILTRATION",
      "primaryTechniques": ["EXFILTRATION_OVER_WEB_SERVICE", "EXFILTRATION_TO_CLOUD_STORAGE"]
    },
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP",
      "callerIpGeo": {},
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.restoreBackup"
    },
    "exfiltration": {
      "sources": [
        {
          "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME"
        }
      ],
      "targets": [
        {
          "name": "//cloudsql.googleapis.com/projects/TARGET_PROJECT_ID/instances/TARGET_INSTANCE_NAME"
        }
      ]
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME/backupRuns/BACKUP_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/SOURCE_PROJECT_NUMBER",
    "projectDisplayName": "SOURCE_PROJECT_ID",
    "parentName": "//cloudsql.googleapis.com/projects/SOURCE_PROJECT_ID/instances/SOURCE_INSTANCE_NAME",
    "parentDisplayName": "SOURCE_INSTANCE_NAME",
    "type": "google.cloud.sql.Instance",
    "folders": [{
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "resourceFolderDisplayName": "FOLDER_ID"
    }],
    "displayName": "mysql-backup-restore-instance"
  }
}

Impact: Cryptomining Commands

```json
{
  "finding": {
    "access": {
      "callerIpGeo": {},
      "serviceName": "run.googleapis.com",
      "methodName": "/Jobs.CreateJob"
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Impact: Cryptomining Commands",
    "chokepoint": {},
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "imageId": "CONTAINER_IMAGE_ID",
        "labels": [
          {
            "name": "command",
            "value": "getblockchaininfo"
          }
        ],
        "createTime": "1970-01-01T00:00:00Z"
      }
    ],
    "createTime": "2025-05-06T01:19:09.854Z",
    "database": {},
    "dataProtectionKeyGovernance": {},
    "eventTime": "2025-05-06T01:19:08.853Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": "2025-05-06T01:18:02.533391Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "RESOURCE_HIJACKING"
      ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "securityPosture": {},
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "cloudresourcemanager.googleapis.com",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
      "parentDisplayName": "FOLDER_NAME",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_NAME"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_run_jobs_cryptomining_commands"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//run.googleapis.com/namespaces/PROJECT_ID/jobs/JOB_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1746494282",
            "nanos": 533391000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/system_event"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1496/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
```

Impact: Deleted Google Cloud Backup and DR Backup

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR Backup",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup stored in a backup vault has been manually deleted. The backup was stored in REGION",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_delete_vault_backup"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/locations/REGION/backupVaults/VAULT_ID/dataSources/DATA_SOURCE_NAME/backups/BACKUP_ID"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup stored in a backup vault has been manually deleted. The backup was stored in REGION"
  }
}
```

Impact: Deleted Google Cloud Backup and DR host

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteHost",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [
        "HOST_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR host",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_hosts_delete_host"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A host was deleted from the Google Cloud Backup and DR Service. Applications that are associated with the deleted host might not be protected.",
    "backupDisasterRecovery": {
      "host": "HOST_NAME",
      "applications": [
        "HOST_NAME"
      ]
    }
  }
}
```

Impact: Deleted Google Cloud Backup and DR plan association

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackupPlanAssociation",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR plan association",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup plan has been removed from a workload. Backups are no longer scheduled on the workload. The resource(s) affected are in REGION",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_delete_backup_plan_association"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/backupPlanAssociations/BACKUP_PLAN_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup plan has been removed from a workload. Backups are no longer scheduled on the workload. The resource(s) affected are in REGION"
  }
}
```

Impact: Deleted Google Cloud Backup and DR Vault

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "google.cloud.backupdr.v1.BackupDR.DeleteBackupVault",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Deleted Google Cloud Backup and DR Vault",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Backup Vault has been deleted from the Google Cloud Backup and DR Service. The affected Backup Vault was hosted in VAULT_LOCATION",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_delete_vault"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER/locations/REGION/backupVaults/VAULT_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Backup Vault has been deleted from the Google Cloud Backup and DR Service. The affected Backup Vault was hosted in VAULT_LOCATION"
  }
}
```

Impact: Google Cloud Backup and DR delete policy

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deletePolicy",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "policies": [
        "POLICY_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete policy",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_policy"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.",
    "backupDisasterRecovery": {
      "policies": [
        "POLICY_NAME"
      ]
    }
  }
}
```

Impact: Google Cloud Backup and DR delete profile

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlp",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete profile",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_profile"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A Google Cloud Backup and DR Service profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.",
    "backupDisasterRecovery": {
      "profile": "PROFILE_NAME"
    }
  }
}
```

Impact: Google Cloud Backup and DR delete storage pool

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteDiskPool",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete storage pool",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_storage_pools_delete"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A storage pool, which associates a Cloud Storage bucket with Google Cloud Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.",
    "backupDisasterRecovery": {
      "storagePool": "STORAGE_POOL_NAME"
    }
  }
}
```

Impact: Google Cloud Backup and DR delete template

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSlt",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR delete template",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_template_delete_template"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME"
    }
  }
}
```

Impact: Google Cloud Backup and DR expire all images

```json
{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackups",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR expire all images",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_expire_images_all"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of all backup images for a protected application from the Google Cloud Backup and DR Service. The deletion of backup images does not prevent future backups."
  }
}
```

Impact: Google Cloud Backup and DR expire image

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "expireBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [
        "POLICY_NAME"
      ],
      "profile": "PROFILE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR expire image",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_expire_image"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A user requested the deletion of a backup image from the Google Cloud Backup and DR Service. The deletion of a backup image does not prevent future backups.",
    "backupDisasterRecovery": {
      "backupTemplate": "TEMPLATE_NAME",
      "policies": [
        "POLICY_NAME"
      ],
      "profile": "PROFILE_NAME"
    }
  }
}

Impact: Google Cloud Backup and DR reduced backup expiration

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "updateBackup",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR reduced backup expiration",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "The expiration date for a backup has been reduced.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_reduce_backup_expiration"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "The expiration date for a backup has been reduced."
  }
}

Impact: Google Cloud Backup and DR reduced backup frequency

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "updatePolicy",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR reduced backup frequency",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "The backup schedule has been modified to reduce backup frequency.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_reduce_backup_frequency"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "The backup schedule has been modified to reduce backup frequency."
  }
}

Impact: Google Cloud Backup and DR remove appliance

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "CALLER_IP",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteCluster",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME",
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Impact: Google Cloud Backup and DR remove appliance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "DATA_DESTRUCTION"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_appliances_remove_appliance"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1485/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup appliance was deleted from Google Cloud Backup and DR Service. Applications that are associated with the deleted backup appliance might not be protected.",
    "backupDisasterRecovery": {
      "appliance": "APPLIANCE_NAME"
    }
  }
}

Inhibit System Recovery: Google Cloud Backup and DR remove plan

{
  "finding": {
    "access": {
      "principalEmail": "USER_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "backupdr.googleapis.com",
      "methodName": "deleteSla",
      "principalSubject": "user:USER_EMAIL"
    },
    "attackExposure": {},
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ],
      "backupCreateTime": "EVENT_TIMESTAMP"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/FINDING_LOCATION/findings/FINDING_ID",
    "category": "Inhibit System Recovery: Google Cloud Backup and DR remove plan",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "EVENT_TIMESTAMP",
    "database": {},
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "IMPACT",
      "primaryTechniques": [
        "INHIBIT_SYSTEM_RECOVERY"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "type": "google.cloud.resourcemanager.Project",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "FOLDER_NAME",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "backup_remove_plan"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//backupdr.googleapis.com/projects/PROJECT_NUMBER"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1490/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    },
    "description": "A backup plan with multiple policies for an application was deleted from the Google Cloud Backup and DR Service. The deletion of a backup plan can prevent future backups.",
    "backupDisasterRecovery": {
      "applications": [
        "HOST_NAME"
      ]
    }
  }
}

Initial Access: Account Disabled Hijacked

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Account Disabled Hijacked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "account_disabled_hijacked"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [
        {
          "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1624034293",
              "nanos": 6.78E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-18T16:38:13.678Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-18T16:38:13.678Z",
    "createTime": "2021-06-18T16:38:16.508Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Database Superuser Writes to User Tables

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Initial Access: Database Superuser Writes to User Tables",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "cloudsql_superuser_writes_to_user_tables"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        },
        {
          "gcpResourceName": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "0",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1567/002/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "LOGGING_LINK"
          }
        ],
        "relatedFindingUri": {
          "displayName": "Related CloudSQL Exfiltration findings",
          "url": "RELATED_FINDINGS_LINK"
        }
      }
    },
    "eventTime": "2022-01-19T21:36:07.901Z",
    "createTime": "2022-01-19T21:36:08.695Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "DEFAULT_ACCOUNTS"
      ]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY"
    },
    "access": {
      "serviceName": "cloudsql.googleapis.com",
      "methodName": "cloudsql.instances.query"
    }
  },
  "resource": {
    "name": "//cloudsql.googleapis.com/projects/PROJECT_ID/instances/INSTANCE_NAME",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudsql.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.cloud.sql.Instance",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_ID"
      }
    ],
    "displayName": "INSTANCE_NAME"
  }
}

Initial Access: Disabled Password Leak

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Disabled Password Leak",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "disabled_password_leak"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1626462896",
              "nanos": 6.81E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-16T19:14:56.681Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-16T19:14:56.681Z",
    "createTime": "2021-07-16T19:15:00.430Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {}
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Dormant Service Account Action

{
  "findings": {
    "access": {
      "principalEmail": "DORMANT_SERVICE_ACCOUNT",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Dormant Service Account Action",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "dormant_sa_used_in_action"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Initial Access: Dormant Service Account Activity in AI Service

{
  "findings": {
    "access": {
      "principalEmail": "DORMANT_SERVICE_ACCOUNT",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Dormant Service Account Activity in AI Service",
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "HIGH",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "ai_dormant_sa_used_in_action"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Initial Access: Dormant Service Account Key Created

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "iam.googleapis.com",
      "methodName": "google.iam.admin.v1.CreateServiceAccountKey"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Dormant Service Account Key Created",
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      },
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID/keys/SERVICE_ACCOUNT_KEY_ID",
    "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL/keys/SERVICE_ACCOUNT_KEY_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "parent_display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
    "type": "google.iam.ServiceAccountKey",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "key_created_on_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Initial Access: Excessive Permission Denied Actions

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Excessive Permission Denied Actions",
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      },
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" },
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "anomalous_behavior",
      "subRuleName": "new_api_method"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "failedActions": [
        {
          "methodName": "SetIamPolicy",
          "serviceName": "iam.googleapis.com",
          "attemptTimes": "7",
          "lastOccurredTime": "2023-03-15T17:35:18.771219Z"
        },
        {
          "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
          "serviceName": "iam.googleapis.com",
          "attemptTimes": "3",
          "lastOccurredTime": "2023-03-15T05:36:14.954701Z"
        }
      ]
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}

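The failedActions list is what sets this finding apart from the other Initial Access examples: each entry records the service, the method, how many times the call was denied and when it last happened. The Python below is an added example, not code from this page or from Security Command Center. It aggregates that list into a triage summary. SAMPLE_FINDING is constructed from the placeholders above, and IAM_MUTATING_METHODS is an assumed escalation heuristic rather than part of the finding schema.

```python
import json
from datetime import datetime

# Assumed triage heuristic (not part of the finding schema): repeated denials on
# methods that would grant persistence if they ever succeed are escalated.
IAM_MUTATING_METHODS = {
    "SetIamPolicy",
    "google.iam.admin.v1.CreateServiceAccountKey",
    "google.iam.admin.v1.CreateServiceAccount",
}

# Constructed sample: the triage-relevant fields of the finding above, with the
# page's placeholders kept in place.
SAMPLE_FINDING = json.loads("""
{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "category": "Initial Access: Excessive Permission Denied Actions",
    "severity": "LOW"
  },
  "sourceProperties": {
    "properties": {
      "failedActions": [
        {"methodName": "SetIamPolicy", "serviceName": "iam.googleapis.com",
         "attemptTimes": "7", "lastOccurredTime": "2023-03-15T17:35:18.771219Z"},
        {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "serviceName": "iam.googleapis.com",
         "attemptTimes": "3", "lastOccurredTime": "2023-03-15T05:36:14.954701Z"}
      ]
    }
  }
}
""")


def parse_rfc3339(value):
    """lastOccurredTime ends in 'Z'; fromisoformat accepts that only from Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_failed_actions(doc):
    """Aggregate failedActions into a triage summary.

    Accepts both envelopes seen in exported findings: {"finding": ...} with
    sourceProperties nested inside, or {"findings": ...} with a sibling
    sourceProperties. attemptTimes is exported as a string, so it is converted.
    """
    inner = doc.get("findings") or doc.get("finding") or {}
    props = doc.get("sourceProperties") or inner.get("sourceProperties") or {}
    access = inner.get("access", {})
    by_method = {}
    latest = None
    for action in props.get("properties", {}).get("failedActions", []):
        attempts = int(action.get("attemptTimes", "0"))
        key = (action.get("serviceName", ""), action.get("methodName", ""))
        by_method[key] = by_method.get(key, 0) + attempts
        seen = parse_rfc3339(action["lastOccurredTime"])
        if latest is None or seen > latest:
            latest = seen
    flagged = sorted(m for (_, m) in by_method if m in IAM_MUTATING_METHODS)
    return {
        "category": inner.get("category"),
        "principal": access.get("principalEmail"),
        "caller_ip": access.get("callerIp"),
        # Present when the caller authenticated with a service account key: that
        # key is the first thing to disable if the activity is confirmed malicious.
        "service_account_key": access.get("serviceAccountKeyName"),
        "total_denied": sum(by_method.values()),
        "by_method": sorted(by_method.items(), key=lambda kv: (-kv[1], kv[0])),
        "latest_denial": latest.isoformat() if latest else None,
        "iam_mutating_denied": flagged,
        "escalate": bool(flagged),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_failed_actions(SAMPLE_FINDING), indent=2))
```

The summary carries the principal, the caller IP and, when present, serviceAccountKeyName, and sets escalate whenever one of the denied methods would have changed IAM bindings or minted credentials had it succeeded. A principal that is repeatedly denied SetIamPolicy is probing for a path to persistence even though every call failed, which is why the count of denials, not their success, drives the decision.
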
Initial Access: Government Based Attack

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Government Based Attack",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "government_based_attack"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        { "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1624061458",
              "nanos": 7.4E7
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-19T00:10:58.074Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-19T00:10:58.074Z",
    "createTime": "2021-06-19T00:11:01.760Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Initial Access: Leaked Service Account Key Used

{
  "findings": {
    "access": {
      "principalEmail": "SERVICE_ACCOUNT",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "serviceAccountKeyName": "LEAKED_SERVICE_ACCOUNT_KEY"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Initial Access: Leaked Service Account Key Used",
    "contacts": {
      "security": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      },
      "technical": {
        "contacts": [
          { "email": "EMAIL_ADDRESS" }
        ]
      }
    },
    "createTime": "2023-07-18T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-07-18T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "AFFECTED_RESOURCE",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "leaked_sa_key_used"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      { "gcpResourceName": "GOOGLE_RESOURCE" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1673519681",
            "nanos": 728289000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  },
  "description": "A leaked service account key is used, the key is leaked at LEAKED_SOURCE_URL"
}

Initial Access: Log4j Compromise Attempt

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Initial Access: Log4j Compromise Attempt",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "log4j_compromise_attempt"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1639690492",
              "nanos": 9.13836E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "loadBalancerName": "LOAD_BALANCER_NAME",
        "requestUrl": "REQUEST_URL?${jndi:ldap://google.com}"
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1190/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-12-16T21:34:52.913836Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-12-16T21:34:52.913Z",
    "createTime": "2021-12-16T21:34:55.022Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parentDisplayName": "FOLDER_DISPLAY_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
        "resourceFolderDisplayName": "FOLDER_DISPLAY_NAME"
      }
    ],
    "displayName": "PROJECT_ID"
  }
}

Initial Access: Suspicious Login Blocked

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Initial Access: Suspicious Login Blocked",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "valid_accounts",
        "indicator": "audit_log",
        "ruleName": "suspicious_login"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID" },
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "0",
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1621637767",
              "nanos": 0.0
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T22:56:07Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
          }
        ],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T22:56:07Z",
    "createTime": "2021-05-27T02:36:07.382Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Lateral Movement: Modify Boot Disk Attaching to Instance

{
  "finding": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIpGeo": {},
      "serviceName": "compute.googleapis.com",
      "methodName": "v1.compute.instances.attachDisk"
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Lateral Movement: Modify Boot Disk Attaching to Instance",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2024-02-01T23:55:17.589Z",
    "database": {},
    "eventTime": "2024-02-01T23:55:17.396Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": "2024-02-01T23:55:15.017887Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "TACTIC_UNSPECIFIED"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/locations/LOCATION",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "securityPosture": {},
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
    "displayName": "INSTANCE_ID",
    "type": "google.compute.Instance",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_NUMBER",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_NUMBER",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NUMBER"
        }
      ],
      "organization": "organizations/ORGANIZATION_NUMBER"
    }
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modify_boot_disk",
      "subRuleName": "attach_to_instance"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      { "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" },
      { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" },
      { "gcpResourceName": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/INSTANCE_ID" },
      { "gcpResourceName": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID" }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_NUMBER",
          "resourceContainer": "PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1706831715",
            "nanos": 17887000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity"
        }
      }
    ],
    "properties": {
      "diskId": "https://www.googleapis.com/compute/v1/projects/PROJECT_NUMBER/zones/ZONE_ID/disks/DISK_ID",
      "targetInstance": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
      "workerInstances": [
        "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID"
      ],
      "bootDiskPayloads": [
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_ATTACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:06.706640Z"
        },
        {
          "instanceId": "projects/PROJECT_NUMBER/zones/ZONE_ID/instances/INSTANCE_ID",
          "operation": "MODIFY_BOOT_DISK_DETACH",
          "principalEmail": "PRINCIPAL_EMAIL",
          "eventTime": "2024-02-01T23:55:05.608631Z"
        }
      ]
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1570/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222024-02-01T23:55:15.017887Z%22%0AinsertId%3D%22INSERT_ID%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

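Every example on this page points back at the log entry that produced it, but in two shapes: older exports carry sourceProperties.evidence[].sourceLogId with a protobuf-style timestamp ({seconds, nanos}), while the Modify Boot Disk finding above also carries logEntries[].cloudLoggingEntry with an RFC 3339 timestamp and a logId. The cloudLoggingQueryUri links shown on the page are built from exactly those values. The Python below is an added example, not code from this page or from Security Command Center. It turns either shape into a Cloud Logging filter you can hand to gcloud logging read. Both samples are constructed from the page's placeholders, and the logName derivation assumes the Cloud Audit Logs naming convention (projects/N/logs/cloudaudit.googleapis.com%2Factivity).

```python
from datetime import datetime, timezone

# Constructed sample in the older envelope: finding.sourceProperties.evidence[]
# with a {seconds, nanos} timestamp (seconds is a string, nanos may be a float).
SAMPLE_OLD = {
    "finding": {
        "category": "Initial Access: Log4j Compromise Attempt",
        "sourceProperties": {
            "evidence": [{"sourceLogId": {
                "projectId": "PROJECT_ID",
                "resourceContainer": "projects/PROJECT_ID",
                "timestamp": {"seconds": "1639690492", "nanos": 9.13836E8},
                "insertId": "INSERT_ID"}}]
        }
    }
}

# Constructed sample in the newer envelope: findings.logEntries[].cloudLoggingEntry
# with an RFC 3339 timestamp and the id of the log the entry lives in.
SAMPLE_NEW = {
    "findings": {
        "category": "Lateral Movement: Modify Boot Disk Attaching to Instance",
        "logEntries": [{"cloudLoggingEntry": {
            "insertId": "INSERT_ID",
            "logId": "cloudaudit.googleapis.com/activity",
            "resourceContainer": "projects/PROJECT_NUMBER",
            "timestamp": "2024-02-01T23:55:15.017887Z"}}]
    },
    "sourceProperties": {}
}


def rfc3339(seconds, nanos=0):
    """Render a {seconds, nanos} pair the way the page's query links show it:
    UTC, 'Z' suffix, fraction only when non-zero, trailing zeros trimmed."""
    ns = int(round(float(nanos)))  # nanos is exported as 728289000, 9.13836E8 or 0.0
    base = datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    fraction = f"{ns:09d}".rstrip("0")
    return f"{base}.{fraction}Z" if fraction else f"{base}Z"


def log_references(doc):
    """(timestamp, insertId, resourceContainer, logId) for each entry a finding cites,
    from whichever envelope the export uses."""
    inner = doc.get("finding") or doc.get("findings") or {}
    props = doc.get("sourceProperties") or inner.get("sourceProperties") or {}
    refs = []
    for entry in inner.get("logEntries", []):
        e = entry.get("cloudLoggingEntry", {})
        refs.append((e.get("timestamp"), e.get("insertId"), e.get("resourceContainer"), e.get("logId")))
    if not refs:  # fall back to the older evidence list
        for ev in props.get("evidence", []):
            s = ev.get("sourceLogId", {})
            ts = s.get("timestamp", {})
            refs.append((rfc3339(ts.get("seconds", 0), ts.get("nanos", 0)),
                         s.get("insertId"), s.get("resourceContainer"), s.get("logId")))
    return refs


def logging_filters(doc):
    """One Cloud Logging filter per cited entry. timestamp plus insertId pins the
    entry; logName is added only when the finding names the log."""
    filters = []
    for ts, insert_id, container, log_id in log_references(doc):
        lines = [f'timestamp="{ts}"', f'insertId="{insert_id}"']
        if log_id and container and "/" in container:
            # Assumed audit-log naming: "projects/N" + "cloudaudit.googleapis.com/activity"
            # is the log name projects/N/logs/cloudaudit.googleapis.com%2Factivity
            lines.append(f'logName="{container}/logs/{log_id.replace("/", "%2F")}"')
        filters.append("\n".join(lines))
    return filters


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(logging_filters(sample)[0], end="\n\n")
```

Paste a filter into gcloud logging read 'FILTER' --project=PROJECT_ID, or --organization=ORGANIZATION_ID for the login findings, whose resourceContainer is an organization rather than a project. Logging compares timestamps as instants, so a differently formatted fraction still matches, but insertId on its own is not guaranteed unique and should always be paired with the timestamp.
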
Malware: Bad Domain

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "customerOrganizationNumber": "ORGANIZATION_ID",
        "projectNumber": "PROJECT_NUMBER"
      },
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ],
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1568/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal Domain Link",
            "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
          }
        ]
      },
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "timestamp": {
              "nanos": 0.0,
              "seconds": "0"
            },
            "insertId": "INSERT_ID",
            "resourceContainer": "projects/PROJECT_ID"
          }
        }
      ],
      "properties": {
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "domains": [
          "DOMAIN"
        ],
        "network": {
          "location": "REGION",
          "project": "PROJECT_ID"
        },
        "dnsContexts": [
          {
            "authAnswer": true,
            "sourceIp": "IP_ADDRESS",
            "queryName": "DOMAIN",
            "queryType": "AAAA",
            "responseCode": "NOERROR",
            "responseData": [
              {
                "domainName": "DOMAIN.",
                "ttl": 299,
                "responseClass": "IN",
                "responseType": "AAAA",
                "responseValue": "IP_ADDRESS"
              }
            ]
          }
        ]
      },
      "detectionPriority": "HIGH",
      "detectionCategory": {
        "technique": "C2",
        "indicator": "domain",
        "subRuleName": "google_intel",
        "ruleName": "bad_domain"
      }
    },
    "severity": "HIGH",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Malware: Bad IP

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Bad IP",
    "sourceProperties": {
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "timestamp": {
              "nanos": 0.0,
              "seconds": "0"
            },
            "insertId": "INSERT_ID",
            "resourceContainer": "projects/PROJECT_ID"
          }
        }
      ],
      "properties": {
        "ips": [
          "SOURCE_IP_ADDRESS",
          "DESTINATION_IP_ADDRESS"
        ],
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "srcPort": SOURCE_PORT,
          "destIp": "DESTINATION_IP_ADDRESS",
          "destPort": DESTINATION_PORT,
          "protocol": 6
        },
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE",
          "subnetworkId": "SUBNETWORK_ID",
          "subnetworkName": "default"
        },
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
      },
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/tactics/TA0011/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal IP Link",
            "url": "https://www.virustotal.com/gui/ip-address/SOURCE_IP_ADDRESS/detection"
          },
          {
            "displayName": "VirusTotal IP Link",
            "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
          }
        ]
      },
      "detectionCategory": {
        "technique": "C2",
        "indicator": "ip",
        "ruleName": "bad_ip",
        "subRuleName": "google_intel"
      },
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ]
    },
    "severity": "LOW",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Malware: Cryptomining Bad Domain

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "domain",
        "ruleName": "bad_domain",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1636566099",
              "nanos": 5.41483849E8
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "domains": ["DOMAIN"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE"
        },
        "dnsContexts": [
          {
            "authAnswer": true,
            "sourceIp": "SOURCE_IP_ADDRESS",
            "queryName": "DOMAIN",
            "queryType": "A",
            "responseCode": "NXDOMAIN"
          }
        ],
        "vpc": {
          "vpcName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal Domain Link",
            "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
          }
        ],
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:41:41.594Z",
    "createTime": "2021-11-10T17:41:42.014Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "domains": ["DOMAIN"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Malware: Cryptomining Bad IP

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad IP",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "ip",
        "ruleName": "bad_ip",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1636566005",
            "nanos": 9.74622832E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "ips": ["DESTINATION_IP_ADDRESS"],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE",
          "subnetworkId": "SUBNETWORK_ID",
          "subnetworkName": "default"
        },
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "destIp": "DESTINATION_IP_ADDRESS",
          "protocol": 1.0
        },
        "indicatorContext": [{
          "ipAddress": "DESTINATION_IP_ADDRESS",
          "countryCode": "FR",
          "reverseDnsDomain": "REVERSE_DNS_DOMAIN",
          "carrierName": "CARRIER_NAME",
          "organizationName": "ORGANIZATION_NAME",
          "asn": "AUTONOMOUS_SYSTEM_NUMBERS"
        }],
        "srcVpc": {},
        "destVpc": {
          "projectId": "PROJECT_ID",
          "vpcName": "default",
          "subnetworkName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [{
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/ip-address/DESTINATION_IP_ADDRESS/detection"
        }],
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-11-10T17:40:05.974622832Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:40:38.048Z",
    "createTime": "2021-11-10T17:40:38.472Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "ipAddresses": ["DESTINATION_IP_ADDRESS"]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}

Malware: Outgoing DoS

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Malware: Outgoing DoS",
    "sourceProperties": {
      "evidence": [{
        "sourceLogId": {
          "timestamp": {
            "nanos": 0.0,
            "seconds": "0"
          },
          "resourceContainer": "projects/PROJECT_ID"
        }
      }],
      "properties": {
        "sourceInstanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "ipConnection": {
          "srcIp": "SOURCE_IP_ADDRESS",
          "srcPort": SOURCE_PORT,
          "destIp": "DESTINATION_IP_ADDRESS",
          "destPort": DESTINATION_PORT,
          "protocol": 17
        }
      },
      "detectionPriority": "HIGH",
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "affectedResources": [{
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1498/"
        }
      },
      "detectionCategory": {
        "technique": "malware",
        "indicator": "flow_log",
        "ruleName": "outgoing_dos"
      }
    },
    "severity": "HIGH",
    "eventTime": "1970-01-01T00:00:00Z",
    "createTime": "1970-01-01T00:00:00Z"
  }
}

Persistence: GCE Admin Added SSH Key

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added SSH Key",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin",
        "subRuleName": "instance_add_ssh_key"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    }
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
  }
}

Persistence: GCE Admin Added Startup Script

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added Startup Script",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin",
        "subRuleName": "instance_add_startup_script"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "GCE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    }
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/GCE_INSTANCE_NAME"
  }
}

Persistence: IAM Anomalous Grant

IAM Anomalous Grant findings are unusual in that they carry sub-rules that give more specific information about each instance of the finding. The severity classification of this finding depends on the sub-rule, and each sub-rule may call for a different response.

The following list shows all possible sub-rules and their severities.

  • external_service_account_added_to_policy: HIGH
    • HIGH: a highly sensitive role was granted, or a medium-sensitivity role was granted at the organization level. For details, see Highly sensitive roles.
    • MEDIUM: a medium-sensitivity role was granted. For details, see Medium-sensitivity roles.
  • external_member_invited_to_policy: HIGH
  • external_member_added_to_policy:
    • HIGH: a highly sensitive role was granted, or a medium-sensitivity role was granted at the organization level. For details, see Highly sensitive roles.
    • MEDIUM: a medium-sensitivity role was granted. For details, see Medium-sensitivity roles.
  • custom_role_given_sensitive_permissions: MEDIUM
  • service_account_granted_sensitive_role_to_member: HIGH
  • policy_modified_by_default_compute_service_account: HIGH

The JSON fields included in a finding can differ from one finding category to another. For example, the following JSON includes fields for a service account. If the finding category does not involve a service account, those fields are not included in the JSON.

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: IAM Anomalous Grant",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {"email": "EMAIL_ADDRESS_1"},
          {"email": "EMAIL_ADDRESS_2"}
        ]
      },
      "technical": {
        "contacts": [
          {"email": "EMAIL_ADDRESS_3"},
          {"email": "EMAIL_ADDRESS_4"}
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [{
      "action": "ADD",
      "role": "IAM_ROLE",
      "member": "serviceAccount:ACCOUNT_NAME"
    }],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": ["VALID_ACCOUNTS", "CLOUD_ACCOUNTS"]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [{
      "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
      "resourceFolder": "RESOURCE_FOLDER_ID"
    }]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "iam_anomalous_grant",
      "subRuleName": "TYPE_OF_ANOMALOUS_GRANT"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [{
      "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
    }],
    "evidence": [{
      "sourceLogId": {
        "projectId": "PROJECT_ID",
        "resourceContainer": "projects/PROJECT_ID",
        "timestamp": {
          "seconds": "1678897327",
          "nanos": 26483000
        },
        "insertId": "INSERT_ID"
      }
    }],
    "properties": {
      "sensitiveRoleGrant": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "bindingDeltas": [{
          "action": "ADD",
          "role": "roles/GRANTED_ROLE",
          "member": "serviceAccount:SERVICE_ACCOUNT_NAME"
        }],
        "members": ["serviceAccount:SERVICE_ACCOUNT_NAME"]
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [{
        "displayName": "Cloud Logging Query Link",
        "url": "LINK_TO_LOG_QUERY"
      }],
      "relatedFindingUri": {
        "displayName": "Related Anomalous Grant Findings",
        "url": "LINK_TO_RELATED_FINDING"
      }
    }
  }
}
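As an added example (not Google's code), the following Python reads a notification in the shape shown above, pulls out the fields an analyst triages first, rebuilds the Cloud Logging filter that the cloudLoggingQueryUri link encodes, and applies the IAM Anomalous Grant sub-rule severity table listed above. The role-sensitivity flags and the sample notification are assumptions constructed for the example, since the page does not enumerate the sensitive roles here.

```python
"""Triage helper for Event Threat Detection notifications (added example, not
Google's code). It reads the notification shape shown on this page and applies
the sub-rule severity table listed above for Persistence: IAM Anomalous Grant.
Which roles are "highly sensitive" or "medium sensitivity" is passed in as
flags, an assumption, because the page does not enumerate those roles here."""
import json
from datetime import datetime, timezone

# Sub-rules with a fixed severity, exactly as listed on the page.
FIXED_SEVERITY = {
    "external_member_invited_to_policy": "HIGH",
    "custom_role_given_sensitive_permissions": "MEDIUM",
    "service_account_granted_sensitive_role_to_member": "HIGH",
    "policy_modified_by_default_compute_service_account": "HIGH",
}
# Sub-rules whose severity depends on role sensitivity and on the grant level.
ROLE_DEPENDENT = {"external_service_account_added_to_policy",
                  "external_member_added_to_policy"}


def expected_severity(sub_rule, highly_sensitive_role=False,
                      medium_sensitivity_role=False, org_level=False):
    """Severity the page's table gives a sub-rule; None where it gives none."""
    if sub_rule in FIXED_SEVERITY:
        return FIXED_SEVERITY[sub_rule]
    if sub_rule not in ROLE_DEPENDENT:
        raise ValueError(f"unknown IAM Anomalous Grant sub-rule: {sub_rule}")
    if highly_sensitive_role or (medium_sensitivity_role and org_level):
        return "HIGH"
    return "MEDIUM" if medium_sensitivity_role else None


def _first(obj, key):
    """Depth-first search for the first value stored under `key`."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    for item in obj if isinstance(obj, list) else []:
        hit = _first(item, key)
        if hit is not None:
            return hit
    return None


def parse_finding(notification):
    """Normalise one notification into the fields an analyst triages first.

    Accepts both the "finding" and "findings" spellings, and sourceProperties
    nested in the finding or at the top level, since the samples above vary.
    """
    finding = notification.get("finding") or notification["findings"]
    props = finding.get("sourceProperties") or notification.get("sourceProperties", {})
    log_id = (props.get("evidence") or [{}])[0].get("sourceLogId", {})
    ts = log_id.get("timestamp", {})
    # "seconds" is a string; "nanos" is sometimes written as a float (5.41E8).
    base = datetime.fromtimestamp(int(ts.get("seconds", 0)), tz=timezone.utc)
    nanos = int(float(ts.get("nanos", 0)))
    deltas = _first(props, "bindingDeltas") or finding.get("iamBindings") or []
    return {
        "category": finding.get("category", ""),
        "sub_rule": props.get("detectionCategory", {}).get("subRuleName", ""),
        "severity": finding.get("severity", ""),
        "principal": _first(finding, "principalEmail") or _first(props, "principalEmail") or "",
        "caller_ip": _first(finding, "callerIp") or _first(props, "callerIp") or "",
        "resource_name": finding.get("resourceName", ""),
        "bindings": [(d.get("action"), d.get("role"), d.get("member")) for d in deltas],
        "insert_id": log_id.get("insertId", ""),
        # RFC 3339 with nanoseconds, the form Cloud Logging stores and filters on
        "log_timestamp": base.strftime("%Y-%m-%dT%H:%M:%S") + f".{nanos:09d}Z",
    }


def logging_query(triage, project_id):
    """Cloud Logging filter equivalent to the page's cloudLoggingQueryUri link."""
    return (f'timestamp="{triage["log_timestamp"]}"\ninsertId="{triage["insert_id"]}"\n'
            f'resource.labels.project_id="{project_id}"')


def severity_mismatch(triage, highly_sensitive_role=False, medium_sensitivity_role=False):
    """True when the finding's severity differs from the page's sub-rule table;
    an organization-level grant is recognised from the resourceName prefix."""
    org_level = "/organizations/" in triage["resource_name"]
    expected = expected_severity(triage["sub_rule"], highly_sensitive_role,
                                 medium_sensitivity_role, org_level)
    return expected is not None and expected != triage["severity"]


# Constructed sample for this example, following the IAM Anomalous Grant shape above.
SAMPLE_NOTIFICATION = json.loads("""{
  "findings": {"access": {"principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS"},
               "category": "Persistence: IAM Anomalous Grant", "severity": "HIGH",
               "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
               "iamBindings": [{"action": "ADD", "role": "roles/GRANTED_ROLE", "member": "user:EXTERNAL_MEMBER"}]},
  "sourceProperties": {
    "detectionCategory": {"ruleName": "iam_anomalous_grant", "subRuleName": "external_member_added_to_policy"},
    "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "insertId": "INSERT_ID",
                                  "timestamp": {"seconds": "1678897327", "nanos": 26483000}}}]}}""")
```

Calling `parse_finding(SAMPLE_NOTIFICATION)` and then `severity_mismatch(..., medium_sensitivity_role=True)` returns False, because a medium-sensitivity role granted at organization level is HIGH per the table above and the sample is labelled HIGH.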

Persistence: New AI API Method

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: New AI API Method",
    "contacts": {
      "security": {
        "contacts": [
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"}
        ]
      },
      "technical": {
        "contacts": [
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"}
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "PERSISTENCE"
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {"category": "AI"},
      {"category": "IDENTITY_AND_ACCESS"}
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_behavior_new_api_method"
    },
    "detectionPriority": "LOW",
    "affectedResources": [{
      "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
    }, {
      "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
    }],
    "evidence": [{
      "sourceLogId": {
        "projectId": "PROJECT_ID",
        "resourceContainer": "projects/PROJECT_ID",
        "timestamp": {
          "seconds": "1673519681",
          "nanos": 728289000
        },
        "insertId": "INSERT_ID"
      }
    }],
    "properties": {
      "newApiMethod": {
        "newApiMethod": {
          "serviceName": "SERVICE_NAME",
          "methodName": "METHOD_NAME"
        },
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP_ADDRESS",
        "callerUserAgent": "CALLER_USER_AGENT",
        "resourceContainer": "projects/PROJECT_NUMBER"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Persistence: New API Method

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "SERVICE_NAME",
      "methodName": "METHOD_NAME",
      "principalSubject": "PRINCIPAL_SUBJECT",
      "serviceAccountKeyName": "SERVICE_ACCOUNT_KEY_NAME"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Persistence: New API Method",
    "contacts": {
      "security": {
        "contacts": [
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"}
        ]
      },
      "technical": {
        "contacts": [
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"},
          {"email": "EMAIL_ADDRESS"}
        ]
      }
    },
    "createTime": "2023-01-12T10:35:47.381Z",
    "database": {},
    "eventTime": "2023-01-12T10:35:47.270Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [{
      "resourceFolderDisplayName": "FOLDER_NAME",
      "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
    }]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "anomalous_behavior",
      "subRuleName": "new_api_method"
    },
    "detectionPriority": "LOW",
    "affectedResources": [{
      "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
    }],
    "evidence": [{
      "sourceLogId": {
        "projectId": "PROJECT_ID",
        "resourceContainer": "projects/PROJECT_ID",
        "timestamp": {
          "seconds": "1673519681",
          "nanos": 728289000
        },
        "insertId": "INSERT_ID"
      }
    }],
    "properties": {
      "newApiMethod": {
        "newApiMethod": {
          "serviceName": "SERVICE_NAME",
          "methodName": "METHOD_NAME"
        },
        "principalEmail": "PRINCIPAL_EMAIL",
        "callerIp": "IP_ADDRESS",
        "callerUserAgent": "CALLER_USER_AGENT",
        "resourceContainer": "projects/PROJECT_NUMBER"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0003/"
      }
    }
  }
}

Persistence: New Geography

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//k8s.io/coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-cscc-security-tools-default-pool-7c5d7b59-bn2h",
    "state": "ACTIVE",
    "category": "Persistence: New Geography",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "ip_geolocation"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "RESOURCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1617994703",
            "nanos": 5.08853E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousLocation": {
          "anomalousLocation": "BE",
          "callerIp": "IP_ADDRESS",
          "principalEmail": "PRINCIPAL_EMAIL",
          "notSeenInLast": "2592000s",
          "typicalGeolocations": [{
            "country": {
              "identifier": "US"
            }
          }]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/004/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-04-09T18:58:23.508853Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "RESOURCE_NAME"
  }
}

Persistence: New Geography for AI Service

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "state": "ACTIVE",
    "category": "Persistence: New Geography for AI Service",
    "serviceName": "aiplatform.googleapis.com",
    "methodName": "METHOD_NAME",
    "mitreAttack": {
      "primaryTactic": "PERSISTENCE",
      "primaryTechniques": ["CLOUD_ACCOUNTS"]
    },
    "domains": [
      {"category": "AI"},
      {"category": "IDENTITY_AND_ACCESS"}
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T18:59:43.860Z",
    "createTime": "2021-04-09T18:59:44.440Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_iam_anomalous_behavior_ip_geolocation"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [{
      "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
    }, {
      "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
    }],
    "evidence": [{
      "sourceLogId": {
        "projectId": "PROJECT_ID",
        "resourceContainer": "projects/PROJECT_ID",
        "timestamp": {
          "seconds": "1675913160",
          "nanos": 929341814
        },
        "insertId": "o5ii7hddddd"
      }
    }],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}

Persistence: New User Agent

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//monitoring.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Persistence: New User Agent",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "user_agent"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//monitoring.googleapis.com/projects/PROJECT_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1614736482",
            "nanos": 9.76209552E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "anomalousSoftware": {
          "anomalousSoftwareClassification": ["USER_AGENT"],
          "behaviorPeriod": "2592000s",
          "callerUserAgent": "USER_AGENT",
          "principalEmail": "USER_EMAIL@PROJECT_ID.iam.gserviceaccount.com"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-03-03T01:54:42.976209552Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project\u003dPROJECT_ID"
        }]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-03-03T01:54:47.681Z",
    "createTime": "2021-03-03T01:54:49.154Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//monitoring.googleapis.com/projects/PROJECT_ID"
  }
}

Persistence: SSO Enablement Toggle

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Enablement Toggle",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_enablement_toggle"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1622829313",
            "nanos": 3.42104E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.toggleSsoEnabled",
        "ssoState": "ENABLED",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-04T17:55:13.342104Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-04T17:55:13.342Z",
    "createTime": "2021-06-04T17:55:15.900Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}

Persistence: SSO Settings Changed

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings",
    "state": "ACTIVE",
    "category": "Persistence: SSO Settings Changed",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "account_manipulation",
        "indicator": "audit_log",
        "ruleName": "sso_settings_changed"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.changeSsoSettings",
        "domainName": "ORGANIZATION_NAME"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1098/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-05-21T19:08:29.373Z",
    "createTime": "2021-05-27T11:36:24.429Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/domainSettings"
  }
}

Persistence: Strong Authentication Disabled

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings",
    "state": "ACTIVE",
    "category": "Persistence: Strong Authentication Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "enforce_strong_authentication"
      },
      "detectionPriority": "MEDIUM",
      "affectedResources": [{
        "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1623952110",
            "nanos": 6.51337E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.enforceStrongAuthentication",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1562/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-06-17T17:48:30.651337Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-17T17:48:30.651Z",
    "createTime": "2021-06-17T17:48:33.574Z",
    "severity": "MEDIUM",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/securitySettings"
  }
}

Persistence: Two Step Verification Disabled

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Persistence: Two Step Verification Disabled",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "impair_defenses",
        "indicator": "audit_log",
        "ruleName": "two_step_verification_disabled"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//login.googleapis.com/organizations/ORGANIZATION_ID"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
      }],
      "evidence": [{
        "sourceLogId": {
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1626391356",
            "nanos": 5.96E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "ssoState": "UNKNOWN",
        "principalEmail": "PRINCIPAL_EMAIL"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1556/006/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-07-15T23:22:36.596Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\u003d"
        }],
        "workspacesUri": {
          "displayName": "Workspaces Link",
          "url": "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#2sv_disable"
        }
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-07-15T23:22:36.596Z",
    "createTime": "2021-07-15T23:22:40.079Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT",
    "indicator": {
    }
  },
  "resource": {
    "name": "//login.googleapis.com/organizations/ORGANIZATION_ID"
  }
}

Privilege Escalation: AlloyDB Database Superuser Writes to User Tables

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Privilege Escalation: AlloyDB Database Superuser Writes to User Tables",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "alloydb_user_granted_all_permissions"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        },
        {
          "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/001/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "eventTime": "EVENT_TIMESTAMP",
    "createTime": "CREATE_TIMESTAMP",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ],
      "additionalTactics": [
        "PERSISTENCE"
      ],
      "additionalTechniques": [
        "ACCOUNT_MANIPULATION"
      ]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY"
    },
    "access": {
      "serviceName": "alloydb.googleapis.com",
      "methodName": "alloydb.instances.query"
    }
  },
  "resource": {
    "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "type": "google.alloydb.Instance",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "alloydb.googleapis.com",
    "location": "REGION",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_NAME"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  }
}

Privilege Escalation: AlloyDB Over-Privileged Grant

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resource_name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "state": "ACTIVE",
    "category": "Privilege Escalation: AlloyDB Over-Privileged Grant",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "ruleName": "alloydb_user_granted_all_permissions"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        },
        {
          "gcpResourceName": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME"
        }
      ],
      "evidence": [{
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "0",
            "nanos": 0.0
          },
          "insertId": "INSERT_ID"
        }
      }],
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078/001/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "LOGGING_LINK"
        }]
      }
    },
    "eventTime": "EVENT_TIMESTAMP",
    "createTime": "CREATE_TIMESTAMP",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ],
      "additionalTactics": [
        "PERSISTENCE"
      ],
      "additionalTechniques": [
        "ACCOUNT_MANIPULATION"
      ]
    },
    "database": {
      "displayName": "DATABASE_NAME",
      "userName": "USER_NAME",
      "query": "QUERY",
      "grantees": ["GRANTEE"]
    },
    "access": {
      "serviceName": "alloydb.googleapis.com",
      "methodName": "alloydb.instances.query"
    }
  },
  "resource": {
    "name": "//alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "displayName": "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE_NAME",
    "type": "google.alloydb.Instance",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "alloydb.googleapis.com",
    "location": "REGION",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_NAME"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_NAME"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/folders/FOLDER_NUMBER/projects/PROJECT_NUMBER"
  }
}

Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonation_of_sa_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_sa_delegation_impersonation_of_sa_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_multistep_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_sa_delegation_multistep_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_sa_delegation_multistep_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_multistep_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonator_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_sa_delegation_impersonator_admin_activity"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "aiplatform.googleapis.com",
      "methodName": "METHOD_NAME",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "domains": [
      {
        "category": "AI"
      },
      {
        "category": "IDENTITY_AND_ACCESS"
      }
    ],
    "aiModel": {
      "name": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
      "deploymentPlatform": "VERTEX_AI"
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "displayName": "projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "type": "google.aiplatform.Model",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "ai_anomalous_sa_delegation_impersonator_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//aiplatform.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1/models/MODEL_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://atlas.mitre.org/techniques/AML.T0012/"
      }
    }
  }
}

Privilege Escalation: Anomalous Service Account Impersonator for Data Access

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "storage.googleapis.com",
      "methodName": "storage.buckets.list",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        },
        {
          "principalEmail": "PRINCIPAL_EMAIL"
        }
      ]
    },
    "assetDisplayName": "PROJECT_ID",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Anomalous Service Account Impersonator for Data Access",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2023-02-09T03:26:04.611Z",
    "database": {},
    "eventTime": "2023-02-09T03:26:05.403Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "MEDIUM",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parent_display_name": "ORGANIZATION",
    "type": "google.cloud.resourcemanager.Project",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "anomalous_sa_delegation_impersonator_data_access"
    },
    "detectionPriority": "MEDIUM",
    "affectedResources": [
      {
        "gcpResourceName": "//storage.googleapis.com/"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1675913160",
            "nanos": 929341814
          },
          "insertId": "o5ii7hddddd"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/"
      }
    }
  }
}

Privilege Escalation: Changes to sensitive Kubernetes RBAC objects

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "category": "Privilege Escalation: Changes to sensitive Kubernetes RBAC objects",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-07T07:42:36.536Z",
    "database": {},
    "eventTime": "2022-10-07T07:42:06.044Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          },
          "subjects": [
            {
              "kind": "USER",
              "name": "testUser-1665153212"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/05b52fe8267d44bdb33c89367f0dd11a",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "edit_sensitive_rbac_object"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665128526",
            "nanos": 44146000
          },
          "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a"
        }
      }
    ],
    "properties": {},
    "findingId": "05b52fe8267d44bdb33c89367f0dd11a",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-07T07:42:06.044146Z%22%0AinsertId%3D%225d80de5c-84b8-4f42-84c7-6b597162e00a%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Create Kubernetes CSR for master cert

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "category": "Privilege Escalation: Create Kubernetes CSR for master cert",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T14:38:12.501Z",
    "database": {},
    "eventTime": "2022-10-08T14:37:46.944Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/0562169c2e3b44879030a7369dbf839c",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "csr_for_master_cert"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests/node-csr-fake-master"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665239866",
            "nanos": 944045000
          },
          "insertId": "4d17b41e-7f56-43dc-9b72-abcbdc64f101"
        }
      }
    ],
    "properties": {},
    "findingId": "0562169c2e3b44879030a7369dbf839c",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T14:37:46.944045Z%22%0AinsertId%3D%224d17b41e-7f56-43dc-9b72-abcbdc64f101%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Creation of sensitive Kubernetes bindings

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-11T09:29:44.425Z",
    "database": {},
    "eventTime": "2022-10-11T09:29:26.309Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "bindings": [
        {
          "name": "cluster-admin",
          "role": {
            "kind": "CLUSTER_ROLE",
            "name": "cluster-admin"
          }
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/02dcbf565d9d4972a126ac3c38fd4295",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "create_sensitive_binding"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665480566",
            "nanos": 309136000
          },
          "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"
        }
      }
    ],
    "properties": {},
    "findingId": "02dcbf565d9d4972a126ac3c38fd4295",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
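The sample findings above all share one notification shape, so a responder usually wants a small parser that pulls the same few facts out of every one of them: who acted, through which service account delegation chain, which rule (and sub-rule) fired, and which Cloud Logging entry is the evidence. The following Python is an added example and is not code from Google or from the Security Command Center documentation. It handles both top-level shapes that appear on this page, the older `findings` + `sourceProperties.evidence[].sourceLogId` layout and the newer `finding` + `logEntries[].cloudLoggingEntry` layout, and it rebuilds the Logs Explorer query that the `cloudLoggingQueryUri` link encodes, so the evidence entry can be opened even for findings that carry no such link. The sample finding, its project name, e-mail addresses and IP address are constructed placeholders; the timestamp and `insertId` are taken from the page's "Changes to sensitive Kubernetes RBAC objects" sample so the rebuilt query can be compared with the page's own link.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FindingSummary:
    category: str
    severity: str
    rule: str                  # ruleName, with "/subRuleName" appended when present
    principal: str
    method: str
    delegation_chain: list     # principalEmail of each serviceAccountDelegationInfo hop
    mitre_url: str
    evidence_project: str
    evidence_insert_id: str
    evidence_timestamp: str    # RFC 3339 with microseconds, as Logs Explorer expects


def evidence_timestamp(seconds, nanos=0):
    """Turn the {"seconds": "...", "nanos": ...} pair in sourceLogId into the
    timestamp string the finding's Cloud Logging query link uses."""
    ts = datetime.fromtimestamp(int(seconds), tz=timezone.utc)
    return ts.replace(microsecond=int(nanos) // 1000).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def parse_finding(doc):
    """Reduce a notification in either top-level shape to a FindingSummary."""
    f = doc.get("finding") or doc.get("findings") or {}   # newer / older key
    access = f.get("access", {})
    props = doc.get("sourceProperties", {})
    cat = props.get("detectionCategory", {})
    rule = cat.get("ruleName", "")
    if cat.get("subRuleName"):
        rule += "/" + cat["subRuleName"]
    project = insert_id = stamp = ""
    if props.get("evidence"):                       # older: sourceProperties.evidence
        log_id = props["evidence"][0].get("sourceLogId", {})
        project, insert_id = log_id.get("projectId", ""), log_id.get("insertId", "")
        t = log_id.get("timestamp", {})
        if "seconds" in t:
            stamp = evidence_timestamp(t["seconds"], t.get("nanos", 0))
    elif f.get("logEntries"):                       # newer: finding.logEntries
        entry = f["logEntries"][0].get("cloudLoggingEntry", {})
        project = entry.get("resourceContainer", "").split("/", 1)[-1]
        insert_id, stamp = entry.get("insertId", ""), entry.get("timestamp", "")
    return FindingSummary(
        category=f.get("category", ""), severity=f.get("severity", ""), rule=rule,
        principal=access.get("principalEmail", ""), method=access.get("methodName", ""),
        delegation_chain=[d.get("principalEmail", "")
                          for d in access.get("serviceAccountDelegationInfo", [])],
        mitre_url=props.get("contextUris", {}).get("mitreUri", {}).get("url", ""),
        evidence_project=project, evidence_insert_id=insert_id, evidence_timestamp=stamp)


def logging_query(s):
    """Rebuild the Logs Explorer query that cloudLoggingQueryUri encodes."""
    return (f'timestamp="{s.evidence_timestamp}"\n'
            f'insertId="{s.evidence_insert_id}"\n'
            f'resource.labels.project_id="{s.evidence_project}"')


def triage_notes(s):
    """Observations a responder records before deciding on containment."""
    notes = []
    if len(s.delegation_chain) >= 2:
        notes.append(f"{len(s.delegation_chain)}-hop delegation chain: "
                     "confirm each hop is an expected workload identity")
    if s.method.endswith("SetIamPolicy") or "clusterrolebindings" in s.method:
        notes.append("policy or binding change: diff against the last known-good policy")
    if not s.evidence_insert_id:
        notes.append("no evidence log id: search Cloud Logging around eventTime instead")
    return notes


# Constructed sample in the shape of the page's "Anomalous Multistep Service
# Account Delegation for Data Access" finding; names and addresses are placeholders.
SAMPLE = {
    "findings": {
        "access": {
            "principalEmail": "user@example.com",
            "callerIp": "203.0.113.7",
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.buckets.list",
            "serviceAccountDelegationInfo": [
                {"principalEmail": "sa-one@example-project.iam.gserviceaccount.com"},
                {"principalEmail": "sa-two@example-project.iam.gserviceaccount.com"},
                {"principalEmail": "sa-three@example-project.iam.gserviceaccount.com"}]},
        "category": "Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access",
        "severity": "MEDIUM"},
    "sourceProperties": {
        "detectionCategory": {"ruleName": "anomalous_sa_delegation_multistep_data_access"},
        "evidence": [{"sourceLogId": {
            "projectId": "example-project",
            "timestamp": {"seconds": "1665128526", "nanos": 44146000},
            "insertId": "5d80de5c-84b8-4f42-84c7-6b597162e00a"}}],
        "contextUris": {"mitreUri": {"url": "https://attack.mitre.org/techniques/T1078/"}}}}

if __name__ == "__main__":
    summary = parse_finding(SAMPLE)
    print(summary.severity, summary.category, "rule:", summary.rule)
    print("delegation:", " -> ".join(summary.delegation_chain))
    print(logging_query(summary))
    for note in triage_notes(summary):
        print("-", note)
```

The `evidence_timestamp` conversion matters more than it looks: the `eventTime` in the finding is rounded to milliseconds, while the Logs Explorer link on the page carries the full microsecond value from `sourceLogId.timestamp`, and an exact `timestamp=` match in a Logging query needs the latter.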

Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy

{
  "finding": {
    "access": {
      "principalEmail": "PROJECT_NUMBER-compute@developer.gserviceaccount.com",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "userAgent": "USER_AGENT",
      "serviceName": "run.googleapis.com",
      "methodName": "google.cloud.run.v1.Services.SetIamPolicy",
      "principalSubject": "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com"
        }
      ]
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy",
    "chokepoint": {},
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2025-05-27T20:36:26.627Z",
    "database": {},
    "dataProtectionKeyGovernance": {},
    "eventTime": "2025-05-27T20:36:26.527Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": "2025-05-27T20:35:26.897015Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "ADDITIONAL_CLOUD_ROLES"
      ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME",
    "securityPosture": {},
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME",
    "displayName": "SERVICE_NAME",
    "type": "google.run.Service",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "run.googleapis.com",
    "location": "REGION",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_NUMBER"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_run_services_set_iam_policy"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1748378126",
            "nanos": 897015000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1098/003/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Dormant Service Account Granted Sensitive Role

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Dormant Service Account Granted Sensitive Role",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4"
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "SENSITIVE_IAM_ROLE",
        "member": "serviceAccount:DORMANT_SERVICE_ACCOUNT"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "RESOURCE_FULL_NAME",
    "severity": "SEVERITY_CLASSIFICATION",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "RESOURCE_FULL_NAME",
    "display_name": "RESOURCE_DISPLAY_NAME",
    "project_name": "//RESOURCE/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "RESOURCE_PARENT_NAME",
    "parent_display_name": "PARENT_DISPLAY_NAME",
    "type": "RESOURCE_TYPE",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "sensitive_role_added_to_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}

Privilege Escalation: External Member Added To Privileged Group

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME",
    "state": "ACTIVE",
    "category": "Privilege Escalation: External Member Added To Privileged Group",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "external_member_added_to_privileged_group"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1633622881",
              "nanos": 673869000
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "externalMemberAddedToPrivilegedGroup": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "externalMember": "user:EXTERNAL_EMAIL",
          "sensitiveRoles": [
            {
              "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
              "roleName": ["ROLES"]
            }
          ]
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-10-07T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-07T16:08:03.888Z",
    "createTime": "2021-10-07T16:08:04.516Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME"
  }
}

Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.certificates.v1.certificatesigningrequests.list"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "category": "Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-12T12:28:11.480Z",
    "database": {},
    "eventTime": "2022-10-12T12:28:08.597Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {},
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/025e0ba774da4d678883257cd125fc43",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "get_csr_with_compromised_bootstrap_credentials"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/certificates.k8s.io/v1/certificatesigningrequests"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665577688",
            "nanos": 597107000
          },
          "insertId": "a189aaf0-90dc-4aaf-a48c-1daa850dd993"
        }
      }
    ],
    "properties": {},
    "findingId": "025e0ba774da4d678883257cd125fc43",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-12T12:28:08.597107Z%22%0AinsertId%3D%22a189aaf0-90dc-4aaf-a48c-1daa850dd993%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Impersonation Role Granted for Dormant Service Account

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "serviceName": "iam.googleapis.com",
      "methodName": "google.iam.admin.v1.SetIAMPolicy"
    },
    "assetDisplayName": "ASSET_DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Impersonation Role Granted for Dormant Service Account",
    "cloudDlpInspection": {},
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          },
          {
            "email": "EMAIL_ADDRESS_4"
          }
        ]
      }
    },
    "createTime": "CREATE_TIMESTAMP",
    "database": {},
    "eventTime": "EVENT_TIMESTAMP",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.serviceAccountTokenCreator",
        "member": "IAM_Account_Who_Received_Impersonation_Role"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "severity": "MEDIUM",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_ID",
    "display_name": "projects/PROJECT_ID/serviceAccounts/DORMANT_SERVICE_ACCOUNT_EMAIL",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.iam.ServiceAccount",
    "folders": [
      {
        "resourceFolderDisplayName": "RESOURCE_FOLDER_DISPLAY_NAME",
        "resourceFolder": "RESOURCE_FOLDER_ID"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "impersonation_role_granted_over_dormant_sa"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "GOOGLE_CLOUD_RESOURCE_NAME"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1678897327",
            "nanos": 26483000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ]
    }
  }
}

Privilege Escalation: Launch of privileged Kubernetes container

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "US"
      },
      "serviceName": "k8s.io",
      "methodName": "io.k8s.core.v1.pods.create"
    },
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "category": "Privilege Escalation: Launch of privileged Kubernetes container",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-10-08T21:43:41.145Z",
    "database": {},
    "eventTime": "2022-10-08T21:43:09.188Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "indicator": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "POD_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI"
            }
          ]
        }
      ]
    },
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/04206668443b45078d5b51c908ad87da",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "severity": "LOW",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/locations/us-west1-a/clusters/CLUSTER_NAME",
    "display_name": "CLUSTER_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_NAME",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "gke_control_plane",
      "subRuleName": "launch_privileged_container"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//k8s.io/core/v1/namespaces/default/pods/POD_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1665265389",
            "nanos": 188357000
          },
          "insertId": "98b6dfb7-05f6-4279-a902-7e18e815364c"
        }
      }
    ],
    "properties": {},
    "findingId": "04206668443b45078d5b51c908ad87da",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/tactics/TA0004/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-08T21:43:09.188357Z%22%0AinsertId%3D%2298b6dfb7-05f6-4279-a902-7e18e815364c%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}

Privilege Escalation: Privileged Group Opened To Public

This finding is not available for project-level activations.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings",
    "state": "ACTIVE",
    "category": "Privilege Escalation: Privileged Group Opened To Public",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "privileged_group_opened_to_public"
      },
      "detectionPriority": "HIGH",
      "affectedResources": [
        {
          "gcpResourceName": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
        },
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "resourceContainer": "organizations/ORGANIZATION_ID",
            "timestamp": {
              "seconds": "1634774534",
              "nanos": 712000000
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "privilegedGroupOpenedToPublic": {
          "principalEmail": "PRINCIPAL_EMAIL",
          "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
          "sensitiveRoles": [
            {
              "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
              "roleName": ["ROLES"]
            }
          ],
          "whoCanJoin": "ALLOW_EXTERNAL_MEMBERS"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1078"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-10-21T00:02:14.712Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project="
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-10-21T00:02:19.173Z",
    "createTime": "2021-10-21T00:02:20.099Z",
    "severity": "HIGH",
    "workflowState": "NEW",
    "canonicalName": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "findingClass": "THREAT"
  },
  "resource": {
    "name": "//admin.googleapis.com/organizations/ORGANIZATION_ID/groupSettings"
  }
}

Privilege Escalation: Sensitive Role Granted To Hybrid Group

{
  "findings": {
    "access": {
      "principalEmail": "PRINCIPAL_EMAIL",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {},
      "serviceName": "cloudresourcemanager.googleapis.com",
      "methodName": "SetIamPolicy"
    },
    "assetDisplayName": "PROJECT_NAME",
    "assetId": "organizations/ORGANIZATION_NUMBER/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Privilege Escalation: Sensitive Role Granted To Hybrid Group",
    "contacts": {
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          },
          {
            "email": "EMAIL_ADDRESS"
          }
        ]
      }
    },
    "createTime": "2022-12-22T00:31:58.242Z",
    "database": {},
    "eventTime": "2022-12-22T00:31:58.151Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_NUMBER/firstPartyFindingProviders/etd",
    "iamBindings": [
      {
        "action": "ADD",
        "role": "roles/iam.securityAdmin",
        "member": "group:GROUP_NAME@ORGANIZATION_NAME"
      }
    ],
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "primaryTactic": "INITIAL_ACCESS",
      "primaryTechniques": [
        "VALID_ACCOUNTS",
        "CLOUD_ACCOUNTS"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_NUMBER/sources/SOURCE_ID",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "severity": "HIGH",
    "sourceDisplayName": "Event Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "display_name": "PROJECT_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
    "parent_display_name": "FOLDER_ID",
    "type": "google.cloud.resourcemanager.Project",
    "folders": [
      {
        "resourceFolderDisplayName": "FOLDER_ID",
        "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER"
      }
    ]
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "technique": "persistence",
      "indicator": "audit_log",
      "ruleName": "sensitive_role_to_group_with_external_member"
    },
    "detectionPriority": "HIGH",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1671669114",
            "nanos": 715318000
          },
          "insertId": "INSERT_ID"
        }
      }
    ],
    "properties": {
      "sensitiveRoleToHybridGroup": {
        "principalEmail": "PRINCIPAL_EMAIL",
        "groupName": "group:GROUP_NAME@ORGANIZATION_NAME",
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/iam.securityAdmin",
            "member": "group:GROUP_NAME@ORGANIZATION_NAME"
          }
        ],
        "resourceName": "projects/PROJECT_ID"
      }
    },
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1078/004/"
      }
    }
  }
}
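The finding JSON above is the whole record an analyst has to work from, and the `sourceProperties.evidence[].sourceLogId` block is what ties it back to the audit log entry that fired the rule. The following Python is an added example, not code from the Security Command Center documentation or from any Google client library: it accepts a finding in either of the two shapes shown on this page (`finding` or `findings` as the top-level key), rebuilds the Cloud Logging filter from the evidence block exactly as the `cloudLoggingQueryUri` link encodes it, and flags the grants that the examples above treat as sensitive. `SAMPLE_FINDING` is a constructed, trimmed copy of the cluster-admin binding example; `SENSITIVE_IAM_ROLES` and `SENSITIVE_K8S_ROLES` are assumed starter lists for illustration, not lists the detector itself uses.

```python
"""Triage helpers for Event Threat Detection finding JSON (added example).

Not code from the Security Command Center docs or any Google library.
SAMPLE_FINDING is a constructed, trimmed copy of the page's cluster-admin
binding example; the SENSITIVE_* sets are assumed starter lists.
"""
import json
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

SAMPLE_FINDING = json.loads(r'''{
  "findings": {
    "access": {"principalEmail": "PRINCIPAL_EMAIL", "callerIp": "IP_ADDRESS",
               "serviceName": "k8s.io",
               "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create"},
    "category": "Privilege Escalation: Creation of sensitive Kubernetes bindings",
    "severity": "LOW",
    "kubernetes": {"bindings": [{"name": "cluster-admin",
                                 "role": {"kind": "CLUSTER_ROLE", "name": "cluster-admin"}}]}
  },
  "sourceProperties": {
    "detectionCategory": {"ruleName": "gke_control_plane", "subRuleName": "create_sensitive_binding"},
    "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID",
                                  "timestamp": {"seconds": "1665480566", "nanos": 309136000},
                                  "insertId": "e4b2fb24-a118-4d74-80ea-2ec069251321"}}],
    "contextUris": {"cloudLoggingQueryUri": [{"displayName": "Cloud Logging Query Link",
      "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222022-10-11T09:29:26.309136Z%22%0AinsertId%3D%22e4b2fb24-a118-4d74-80ea-2ec069251321%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"}]}
  }
}''')

# Assumed starter lists: the page's examples show grants of exactly these.
SENSITIVE_IAM_ROLES = {"roles/iam.serviceAccountTokenCreator", "roles/iam.securityAdmin"}
SENSITIVE_K8S_ROLES = {"cluster-admin"}


def finding_body(doc):
    """The examples on this page use both "finding" and "findings" as the top-level key."""
    return doc.get("finding") or doc.get("findings") or {}


def rfc3339_from_proto_timestamp(ts):
    """Render sourceLogId.timestamp ({"seconds", "nanos"}) the way the console
    link does: UTC, fractional seconds with trailing zeros dropped."""
    base = datetime.fromtimestamp(int(ts["seconds"]), tz=timezone.utc)
    frac = f"{int(ts.get('nanos', 0)):09d}".rstrip("0")
    stamp = base.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{stamp}.{frac}Z" if frac else f"{stamp}Z"


def evidence_log_filters(doc):
    """Rebuild the Cloud Logging filter for each evidence entry. Organization-level
    findings carry no projectId, so that clause is empty, as in the page's links."""
    filters = []
    for ev in doc.get("sourceProperties", {}).get("evidence", []):
        src = ev["sourceLogId"]
        filters.append("\n".join([
            f'timestamp="{rfc3339_from_proto_timestamp(src["timestamp"])}"',
            f'insertId="{src["insertId"]}"',
            f'resource.labels.project_id="{src.get("projectId", "")}"',
        ]))
    return filters


def filter_from_console_url(url):
    """Decode the filter that a cloudLoggingQueryUri link carries in its path segment."""
    _, _, encoded = urlsplit(url).path.partition(";query=")
    return unquote(encoded)


def triage(doc):
    """Summarise one finding and decide whether it needs a human now."""
    body = finding_body(doc)
    access = body.get("access", {})
    props = doc.get("sourceProperties", {})
    cat = props.get("detectionCategory", {})
    reasons = []
    for b in body.get("kubernetes", {}).get("bindings", []):
        if b.get("role", {}).get("name") in SENSITIVE_K8S_ROLES:
            reasons.append(f"Kubernetes binding to {b['role']['name']}")
    for b in body.get("iamBindings", []):
        if b.get("action") == "ADD" and b.get("role") in SENSITIVE_IAM_ROLES:
            reasons.append(f"{b['role']} granted to {b.get('member')}")
    ext = props.get("properties", {}).get("externalMemberAddedToPrivilegedGroup")
    if ext:
        reasons.append(f"external member {ext.get('externalMember')} added to {ext.get('groupName')}")
    return {
        "category": body.get("category"),
        "severity": body.get("severity"),
        "rule": "/".join(r for r in (cat.get("ruleName"), cat.get("subRuleName")) if r),
        "principal": access.get("principalEmail"),
        "method": access.get("methodName"),
        "caller_ip": access.get("callerIp"),
        "escalate": bool(reasons),
        "reasons": reasons,
        "log_filters": evidence_log_filters(doc),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING), indent=2))
```

Rebuilding the filter from the evidence block is the useful check when the link field is a placeholder (`LINK_TO_LOG_QUERY` in several examples above) or when the finding is consumed outside the console: `timestamp` plus `insertId` identifies one log entry, and for the organization-level group findings the `project_id` clause comes out empty, which is exactly what their links encode.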

What's next