BACKUP_HOSTS_DELETE_HOST
Backup and DR Service Data Access logs
BACKUP_EXPIRE_IMAGE
Backup and DR Data Access logs
BACKUP_REMOVE_PLAN
Backup and DR Data Access logs
BACKUP_EXPIRE_IMAGES_ALL
Backup and DR Data Access logs
BACKUP_TEMPLATES_DELETE_TEMPLATE
Backup and DR Data Access logs
BACKUP_TEMPLATES_DELETE_POLICY
Backup and DR Data Access logs
BACKUP_PROFILES_DELETE_PROFILE
Backup and DR Data Access logs
BACKUP_APPLIANCES_REMOVE_APPLIANCE
Backup and DR Data Access logs
BACKUP_STORAGE_POOLS_DELETE
Backup and DR Data Access logs
BACKUP_REDUCE_BACKUP_EXPIRATION
Backup and DR Data Access logs
BACKUP_REDUCE_BACKUP_FREQUENCY
Backup and DR Data Access logs
BRUTE_FORCE_SSH
CLOUD_IDS_THREAT_ACTIVITY
EXTERNAL_MEMBER_ADDED_TO_PRIVILEGED_GROUP
Login Audit
Permissions:
DATA_READ
Detects events where an external member is added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes.
Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.
This finding isn't available for project-level activations.
PRIVILEGED_GROUP_OPENED_TO_PUBLIC
Admin Audit
Permissions:
DATA_READ
Detects events where a privileged Google Group (a group granted sensitive roles or permissions) is changed to be accessible to the general public. To learn more, see Unsafe Google Group changes.
Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.
This finding isn't available for project-level activations.
SENSITIVE_ROLE_TO_GROUP_WITH_EXTERNAL_MEMBER
IAM Admin Activity audit logs
Detects events where sensitive roles are granted to a Google Group with external members. To learn more, see Unsafe Google Group changes.
Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.
This finding isn't available for project-level activations.
BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_CREATE
Admin Activity logs
BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_UPDATE
Admin Activity logs
DEFENSE_EVASION_MODIFY_VPC_SERVICE_CONTROL
Detects a change to an existing VPC Service Controls perimeter that would lead to a reduction in the protection offered by that perimeter.
This finding isn't available for project-level activations.
GKE_CONTROL_PLANE_CAN_GET_SENSITIVE_OBJECT
GKE Data Access logs
A potentially malicious actor attempted to determine what sensitive objects in GKE they can query for, by using the kubectl auth can-i get command. Specifically, the rule detects whether the actor checked for API access on the following objects:
- * (all)
- cluster-admin ClusterRole
- Secret
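The following detector is an added example, not Event Threat Detection's own logic. kubectl auth can-i get is answered by the Kubernetes API server through a SelfSubjectAccessReview, which GKE writes to its data access audit logs; the code walks such entries and reports the three probes the rule names. The entry layout (protoPayload.methodName and protoPayload.request.spec.resourceAttributes) is a simplified assumption about that log format, and the sample entries are constructed.

```python
"""Detector for the GKE_CONTROL_PLANE_CAN_GET_SENSITIVE_OBJECT pattern.

Added example, not Google's code. Assumes a simplified GKE data access log
entry: protoPayload.methodName identifies the SelfSubjectAccessReview create
call and protoPayload.request carries the review body. Sample entries below
are constructed for this example.
"""
from typing import Dict, Iterable, List, Optional

SSAR_METHOD = "io.k8s.authorization.v1.selfsubjectaccessreviews.create"


def sensitive_object(attrs: Dict) -> Optional[str]:
    """Map a resourceAttributes block onto the three objects the rule names.

    Resource names in a review are plural and lower-case ("secrets",
    "clusterroles"); "*" asks about every resource at once.
    """
    resource = attrs.get("resource", "")
    if resource == "*":
        return "* (all)"
    if resource == "clusterroles" and attrs.get("name") == "cluster-admin":
        return "cluster-admin ClusterRole"
    if resource == "secrets":
        return "Secret"
    return None


def detect_sensitive_can_i(entries: Iterable[Dict]) -> List[Dict]:
    """One finding per SelfSubjectAccessReview that probes a sensitive object with verb get."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != SSAR_METHOD:
            continue
        attrs = payload.get("request", {}).get("spec", {}).get("resourceAttributes") or {}
        if attrs.get("verb") != "get":
            continue  # the rule is specific to "can-i get"
        obj = sensitive_object(attrs)
        if obj is None:
            continue
        findings.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "object": obj,
        })
    return findings


def _ssar_entry(principal: str, ip: str, **resource_attrs) -> Dict:
    """Build a constructed audit log entry for one kubectl auth can-i call."""
    return {
        "protoPayload": {
            "methodName": SSAR_METHOD,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "request": {
                "kind": "SelfSubjectAccessReview",
                "spec": {"resourceAttributes": resource_attrs},
            },
        }
    }


# Constructed sample log: three sensitive probes, one wrong verb, one benign
# probe, and one entry that is not an access review at all.
SAMPLE_ENTRIES = [
    _ssar_entry("dev@example.com", "203.0.113.7", verb="get", resource="*"),
    _ssar_entry("dev@example.com", "203.0.113.7", verb="get",
                group="rbac.authorization.k8s.io", resource="clusterroles", name="cluster-admin"),
    _ssar_entry("dev@example.com", "203.0.113.7", verb="get", resource="secrets", namespace="kube-system"),
    _ssar_entry("dev@example.com", "203.0.113.7", verb="list", resource="secrets"),
    _ssar_entry("ci@example.com", "198.51.100.2", verb="get", resource="pods"),
    {"protoPayload": {"methodName": "io.k8s.core.v1.pods.list"}},
]

if __name__ == "__main__":
    for f in detect_sensitive_can_i(SAMPLE_ENTRIES):
        print(f"{f['principal']} from {f['caller_ip']} probed {f['object']}")
```

Note that the list verb is deliberately ignored, matching the rule text; a broader hunt would also want list and watch on secrets.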
SERVICE_ACCOUNT_SELF_INVESTIGATION
IAM Data Access audit logs
Permissions:
DATA_READ
Detection of an IAM service account credential that is used to investigate the roles and permissions associated with that same service account.
Sensitive roles
Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.
ANOMALOUS_ACCESS
Admin Activity logs
DATA_EXFILTRATION_BIG_QUERY
Permissions:
DATA_READ
- Resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations. This scenario is indicated by a subrule of exfil_to_external_table and a severity of HIGH.
- Attempts to access BigQuery resources that are protected by VPC Service Controls. This scenario is indicated by a subrule of vpc_perimeter_violation and a severity of LOW.
DATA_EXFILTRATION_BIG_QUERY_EXTRACTION
Permissions:
DATA_READ
- A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Cloud Storage bucket outside the organization.
- A BigQuery resource owned by the protected organization is saved, through extraction operations, to a publicly accessible Cloud Storage bucket owned by that organization.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.
DATA_EXFILTRATION_BIG_QUERY_TO_GOOGLE_DRIVE
Permissions:
DATA_READ
- A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Google Drive folder.
CLOUDSQL_EXFIL_EXPORT_TO_EXTERNAL_GCS
CLOUDSQL_EXFIL_EXPORT_TO_PUBLIC_GCS
PostgreSQL data access logs
SQL Server data access logs
- Live instance data exported to a Cloud Storage bucket outside of the organization.
- Live instance data exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.
CLOUDSQL_EXFIL_RESTORE_BACKUP_TO_EXTERNAL_INSTANCE
PostgreSQL admin activity logs
SQL Server admin activity logs
Detects events where the backup of a Cloud SQL instance is restored to an instance outside of the organization.
CLOUDSQL_EXFIL_USER_GRANTED_ALL_PERMISSIONS
Note: You must enable the pgAudit extension to use this rule.
Detects events where a Cloud SQL for PostgreSQL user or role has been granted all privileges to a database, or to all tables, procedures, or functions in a schema.
CLOUDSQL_SUPERUSER_WRITES_TO_USER_TABLES
Cloud SQL for MySQL data access logs
Note: You must enable the pgAudit extension for PostgreSQL or database auditing for MySQL to use this rule.
Detects events where a Cloud SQL superuser (postgres for PostgreSQL or root for MySQL) writes to non-system tables.
ALLOYDB_USER_GRANTED_ALL_PERMISSIONS
Note: You must enable the pgAudit extension to use this rule.
Detects events where an AlloyDB for PostgreSQL user or role has been granted all privileges to a database, or to all tables, procedures, or functions in a schema.
ALLOYDB_SUPERUSER_WRITES_TO_USER_TABLES
Note: You must enable the pgAudit extension to use this rule.
Detects events where an AlloyDB for PostgreSQL superuser (postgres) writes to non-system tables.
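The detector below is an added example, not Google's code, and serves both CLOUDSQL_SUPERUSER_WRITES_TO_USER_TABLES (PostgreSQL side) and ALLOYDB_SUPERUSER_WRITES_TO_USER_TABLES. It parses pgAudit session records as they appear in the database log, keeps WRITE-class statements issued as postgres, and discards writes to system schemas. The log_line_prefix (db=...,user=...) is an assumption about the instance configuration, the sample lines are constructed, and MySQL's audit format is not covered.

```python
"""Detector for superuser writes to user tables in pgAudit output.

Added example, not Google's code. Assumes the instance's log_line_prefix
puts "db=<database>,user=<role>" before the LOG level, as in the constructed
sample lines below.
"""
import csv
import io
import re
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(r"db=(?P<db>[^,]*),user=(?P<user>\S+)\s+LOG:\s+AUDIT:\s*(?P<audit>.*)$")
SUPERUSERS = {"postgres"}
SYSTEM_SCHEMAS = {"pg_catalog", "information_schema", "pg_toast"}


def parse_pgaudit_line(line: str) -> Optional[Dict]:
    """Split a pgAudit record into its documented CSV fields.

    Field order: AUDIT_TYPE, STATEMENT_ID, SUBSTATEMENT_ID, CLASS, COMMAND,
    OBJECT_TYPE, OBJECT_NAME, STATEMENT, PARAMETER. The statement field may
    contain commas, so a CSV reader (which honours pgAudit's double quoting)
    is used instead of a plain split.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = next(csv.reader(io.StringIO(m["audit"])), [])
    if len(fields) < 8:
        return None
    return {
        "db": m["db"],
        "user": m["user"],
        "class": fields[3],
        "command": fields[4],
        "object_type": fields[5],
        "object_name": fields[6],
        "statement": fields[7],
    }


def superuser_user_table_writes(lines: Iterable[str]) -> List[Dict]:
    """Return pgAudit records where a superuser wrote to a non-system table."""
    findings = []
    for line in lines:
        rec = parse_pgaudit_line(line)
        if rec is None or rec["user"] not in SUPERUSERS or rec["class"] != "WRITE":
            continue
        schema, _, _ = rec["object_name"].rpartition(".")
        if schema in SYSTEM_SCHEMAS:
            continue  # catalog maintenance is not a user-table write
        findings.append(rec)
    return findings


# Constructed sample log: one superuser INSERT into a user table (should fire),
# a superuser SELECT, an application-role UPDATE, a superuser catalog UPDATE,
# and a superuser DDL statement (none of which should fire).
SAMPLE_LOG = [
    '2024-05-01 12:00:01 UTC [4242]: [1-1] db=appdb,user=postgres LOG:  AUDIT: SESSION,1,1,WRITE,INSERT,TABLE,public.accounts,"INSERT INTO accounts (id, owner) VALUES (1, \'mallory\')",<not logged>',
    '2024-05-01 12:00:02 UTC [4242]: [2-1] db=appdb,user=postgres LOG:  AUDIT: SESSION,2,1,READ,SELECT,TABLE,public.accounts,"SELECT * FROM accounts",<not logged>',
    '2024-05-01 12:00:03 UTC [4243]: [1-1] db=appdb,user=app_user LOG:  AUDIT: SESSION,1,1,WRITE,UPDATE,TABLE,public.orders,"UPDATE orders SET status = \'paid\', paid_at = now() WHERE id = 7",<not logged>',
    '2024-05-01 12:00:04 UTC [4242]: [3-1] db=appdb,user=postgres LOG:  AUDIT: SESSION,3,1,WRITE,UPDATE,TABLE,pg_catalog.pg_authid,"UPDATE pg_authid SET rolvaliduntil = NULL",<not logged>',
    '2024-05-01 12:00:05 UTC [4242]: [4-1] db=appdb,user=postgres LOG:  AUDIT: SESSION,4,1,DDL,CREATE TABLE,TABLE,public.scratch,"CREATE TABLE scratch (x int)",<not logged>',
]

if __name__ == "__main__":
    for rec in superuser_user_table_writes(SAMPLE_LOG):
        print(f"{rec['user']}@{rec['db']} {rec['command']} {rec['object_name']}: {rec['statement']}")
```

pgAudit only emits these records for the classes configured in pgaudit.log; the rule above therefore depends on the extension being enabled with the write class included, which is why the page notes that requirement.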
DORMANT_SERVICE_ACCOUNT_USED_IN_ACTION
Detects events where a dormant user-managed service account triggered an action. In this context, a service account is considered dormant if it has been inactive for more than 180 days.
DORMANT_SERVICE_ACCOUNT_ADDED_IN_IAM_ROLE
Detects events where a dormant user-managed service account was granted one or more sensitive IAM roles. In this context, a service account is considered dormant if it has been inactive for more than 180 days.
Sensitive roles
Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.
DORMANT_SERVICE_ACCOUNT_IMPERSONATION_ROLE_GRANTED
Detects events where a principal is granted permissions to impersonate a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.
DORMANT_SERVICE_ACCOUNT_KEY_CREATED
Detects events where a key is created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.
LEAKED_SA_KEY_USED
Data Access logs
Detects events where a leaked service account key is used to authenticate the action. In this context, a leaked service account key is one that was posted on the public internet.
EXCESSIVE_FAILED_ATTEMPT
Detects events where a principal repeatedly triggers permission denied errors by attempting changes across multiple methods and services.
Admin Audit
This finding isn't available for project-level activations.
Login Audit
Permissions:
DATA_READ
This finding isn't available for project-level activations.
Login Audit
Permissions:
DATA_READ
This finding isn't available for project-level activations.
Login Audit
Permissions:
DATA_READ
This finding isn't available for project-level activations.
Login Audit
Permissions:
DATA_READ
This finding isn't available for project-level activations.
Cloud HTTP Load Balancer
Note: You must enable external Application Load Balancer logging to use this rule.
This rule is always on.
Login Audit
Permissions:
DATA_READ
This finding isn't available for project-level activations.
LOG4J_BAD_DOMAIN
LOG4J_BAD_IP
Firewall Rules logs
Cloud NAT logs
MALWARE_BAD_DOMAIN
MALWARE_BAD_IP
Firewall Rules logs
Cloud NAT logs
CRYPTOMINING_POOL_DOMAIN
CRYPTOMINING_POOL_IP
Firewall Rules logs
Cloud NAT logs
OUTGOING_DOS
GCE_ADMIN_ADD_SSH_KEY
Compute Engine audit logs
GCE_ADMIN_ADD_STARTUP_SCRIPT
Compute Engine audit logs
IAM_ANOMALOUS_GRANT
IAM Admin Activity audit logs
This finding includes subrules that provide more specific information about each instance of this finding.
The following list shows all possible subrules:
external_service_account_added_to_policy, external_member_added_to_policy: Detection of privileges granted to IAM users and service accounts that are not members of your organization or, if Security Command Center is activated at the project level only, your project. Note: If Security Command Center is activated at the organization level at any tier, then this detector uses an organization's existing IAM policies as context. If Security Command Center activation is only at the project level, then the detector uses only the project's IAM policies as context. If a sensitive IAM grant to an external member occurs, and there are fewer than three existing IAM policies that are similar to it, this detector generates a finding.
Sensitive roles
Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.
external_member_invited_to_policy: Detects when an external member is invited as the owner of the project through the InsertProjectOwnershipInvite API.
custom_role_given_sensitive_permissions: Detects when the setIAMPolicy permission is added to a custom role.
service_account_granted_sensitive_role_to_member: Detects when privileged roles are granted to members through a service account. This subrule is triggered by a subset of sensitive roles that include only basic IAM roles and certain data storage roles. For more information, see Sensitive IAM roles and permissions.
policy_modified_by_default_compute_service_account: Detects when a default Compute Engine service account is used to modify project IAM settings.
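As an added example (not Event Threat Detection's implementation), the code below triages one SetIamPolicy audit log entry the way the external_member_added_to_policy and external_service_account_added_to_policy subrules are described: an ADD binding delta whose member is outside the organization, on a sensitive role, with fewer than three similar grants already present. Three things are assumptions: the delta location (protoPayload.serviceData.policyDelta.bindingDeltas), the High/Medium role tiers (an illustrative subset, not Google's published list), and the "similar grant" heuristic (same role already held by three members of the same external domain). The sample entry and existing bindings are constructed.

```python
"""Triage of a SetIamPolicy audit log entry for external-member grants.

Added example, not Google's code. Role tiers, the similarity heuristic and
the bindingDeltas location are assumptions documented inline.
"""
from typing import Dict, Iterable, List, Optional, Set

# Illustrative tiers (assumption): basic roles and token minting rate High,
# broad data-store administration rates Medium. Anything else is ignored.
HIGH_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
              "roles/iam.serviceAccountTokenCreator"}
MEDIUM_ROLES = {"roles/storage.admin", "roles/bigquery.admin", "roles/cloudsql.admin"}
SIMILAR_GRANT_THRESHOLD = 3  # mirrors the "fewer than three similar policies" note


def member_domain(member: str) -> Optional[str]:
    """Domain of a user:, group: or serviceAccount: member; None for other kinds."""
    kind, _, ident = member.partition(":")
    if kind not in {"user", "group", "serviceAccount"} or "@" not in ident:
        return None  # allUsers, allAuthenticatedUsers, domain:, deleted: ...
    return ident.rsplit("@", 1)[1].lower()


def is_external(member: str, org_domains: Set[str], org_projects: Set[str]) -> bool:
    """True when the member belongs to neither an org domain nor an org project."""
    dom = member_domain(member)
    if dom is None:
        return False
    if dom.endswith(".iam.gserviceaccount.com"):
        return dom.split(".", 1)[0] not in org_projects  # user-managed SA: <project>.iam...
    if dom.endswith(".gserviceaccount.com"):
        return False  # Google-managed SA; treated as internal here (assumption)
    return dom not in org_domains


def analyze_set_iam_policy(entry: Dict, existing_bindings: Iterable[Dict],
                           org_domains: Set[str], org_projects: Set[str]) -> List[Dict]:
    """Return findings for sensitive roles newly granted to external members."""
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("bindingDeltas", []))
    existing = list(existing_bindings)
    findings = []
    for delta in deltas:
        if delta.get("action") != "ADD":
            continue
        role, member = delta.get("role", ""), delta.get("member", "")
        severity = "HIGH" if role in HIGH_ROLES else "MEDIUM" if role in MEDIUM_ROLES else None
        if severity is None or not is_external(member, org_domains, org_projects):
            continue
        dom = member_domain(member)
        similar = sum(1 for b in existing if b.get("role") == role
                      for m in b.get("members", []) if m != member and member_domain(m) == dom)
        if similar >= SIMILAR_GRANT_THRESHOLD:
            continue  # the same external party already holds this role repeatedly
        findings.append({
            "member": member, "role": role, "severity": severity,
            "granted_by": entry.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail"),
            "similar_existing_grants": similar,
        })
    return findings


# Constructed context: the org's domains and projects, and the policy before the change.
ORG_DOMAINS = {"example.com"}
ORG_PROJECTS = {"prod-app-123", "shared-vpc-456"}
EXISTING_BINDINGS = [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.admin", "members": [
        "serviceAccount:a@partner-data.iam.gserviceaccount.com",
        "serviceAccount:b@partner-data.iam.gserviceaccount.com",
        "serviceAccount:c@partner-data.iam.gserviceaccount.com"]},
]
# Constructed SetIamPolicy entry with five deltas; only the first should fire.
SAMPLE_ENTRY = {"protoPayload": {
    "methodName": "SetIamPolicy",
    "authenticationInfo": {"principalEmail": "carol@example.com"},
    "serviceData": {"policyDelta": {"bindingDeltas": [
        {"action": "ADD", "role": "roles/owner", "member": "user:mallory@attacker.example"},
        {"action": "ADD", "role": "roles/storage.admin",
         "member": "serviceAccount:d@partner-data.iam.gserviceaccount.com"},
        {"action": "ADD", "role": "roles/editor", "member": "user:bob@example.com"},
        {"action": "ADD", "role": "roles/viewer", "member": "user:eve@other.example"},
        {"action": "REMOVE", "role": "roles/owner", "member": "user:frank@other.example"},
    ]}}}}

if __name__ == "__main__":
    for f in analyze_set_iam_policy(SAMPLE_ENTRY, EXISTING_BINDINGS, ORG_DOMAINS, ORG_PROJECTS):
        print(f"{f['severity']}: {f['granted_by']} granted {f['role']} to {f['member']}")
```

The partner-data service account is suppressed only because three siblings already hold the same role; run against an empty existing policy, the same entry yields a second, Medium finding, which is the behaviour the page's note about project-level activations (less IAM context, hence more findings) describes.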
UNMANAGED_ACCOUNT_ADDED_IN_IAM_ROLE
IAM Admin Activity audit logs
ANOMALOUS_BEHAVIOR_NEW_API_METHOD
Admin Activity logs
IAM_ANOMALOUS_BEHAVIOR_IP_GEOLOCATION
Admin Activity logs
This finding isn't available for project-level activations.
IAM_ANOMALOUS_BEHAVIOR_USER_AGENT
Admin Activity logs
This finding isn't available for project-level activations.
Admin Audit
This finding isn't available for project-level activations.
Admin Audit
This finding isn't available for project-level activations.
ANOMALOUS_SA_DELEGATION_IMPERSONATION_OF_SA_ADMIN_ACTIVITY
Admin Activity logs
ANOMALOUS_SA_DELEGATION_MULTISTEP_ADMIN_ACTIVITY
Admin Activity logs
ANOMALOUS_SA_DELEGATION_MULTISTEP_DATA_ACCESS
Data Access logs
ANOMALOUS_SA_DELEGATION_IMPERSONATOR_ADMIN_ACTIVITY
Admin Activity logs
ANOMALOUS_SA_DELEGATION_IMPERSONATOR_DATA_ACCESS
Data Access logs
GKE_CONTROL_PLANE_EDIT_SENSITIVE_RBAC_OBJECT
GKE Admin Activity logs
To escalate privilege, a potentially malicious actor attempted to modify a ClusterRole, RoleBinding, or ClusterRoleBinding role-based access control (RBAC) object of the sensitive cluster-admin role by using a PUT or PATCH request.
GKE_CONTROL_PLANE_CSR_FOR_MASTER_CERT
GKE Admin Activity logs
A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access.
GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING
IAM Admin Activity audit logs
To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role.
GKE_CONTROL_PLANE_GET_CSR_WITH_COMPROMISED_BOOTSTRAP_CREDENTIALS
GKE Data Access logs
A potentially malicious actor queried for a certificate signing request (CSR), by using the kubectl command, using compromised bootstrap credentials.
GKE_CONTROL_PLANE_LAUNCH_PRIVILEGED_CONTAINER
GKE Admin Activity logs
A potentially malicious actor created a Pod that contains privileged containers or containers with privilege escalation capabilities.
A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. For more information, see the SecurityContext v1 core API reference in the Kubernetes documentation.
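The checker below is an added example, not Google's code, for the GKE_CONTROL_PLANE_LAUNCH_PRIVILEGED_CONTAINER condition. It inspects a Pod manifest, or the Pod object carried in a pods.create admin activity entry under protoPayload.request (an assumption about the entry layout), for containers whose securityContext sets privileged or allowPrivilegeEscalation to true, across init, regular and ephemeral containers. Both manifests are constructed: the risky one beside its hardened counterpart.

```python
"""Privileged-container check for Pod manifests and pods.create audit entries.

Added example, not Google's code. The audit entry shape (protoPayload.request
holding the Pod object) is an assumption; the manifests are constructed.
"""
from typing import Dict, List

CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")
ESCALATION_FIELDS = ("privileged", "allowPrivilegeEscalation")


def privileged_containers(pod: Dict) -> List[Dict]:
    """One record per container whose securityContext sets an escalation field to true."""
    findings = []
    spec = pod.get("spec", {})
    for kind in CONTAINER_LISTS:
        for container in spec.get(kind, []):
            sc = container.get("securityContext") or {}
            fields = [f for f in ESCALATION_FIELDS if sc.get(f) is True]
            if fields:
                findings.append({"container": container.get("name"), "kind": kind, "fields": fields})
    return findings


def check_pod_create_entry(entry: Dict) -> List[Dict]:
    """Apply the check to a pods.create audit entry; other methods yield nothing."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "io.k8s.core.v1.pods.create":
        return []
    return privileged_containers(payload.get("request", {}))


# Constructed manifest that the rule would flag twice: a privileged app
# container and an init container that allows privilege escalation.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "config-init-demo", "namespace": "default"},
    "spec": {
        "initContainers": [{
            "name": "config-init", "image": "busybox:1.36",
            "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": True},
        }],
        "containers": [
            {"name": "app", "image": "registry.example.com/app:1.0",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "registry.example.com/proxy:2.1",
             "securityContext": {"runAsNonRoot": True}},
        ],
    },
}

# Constructed hardened counterpart: both fields explicitly false, root dropped,
# all capabilities dropped. Explicit false matters because Kubernetes treats an
# unset allowPrivilegeEscalation as true.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "config-init-demo", "namespace": "default"},
    "spec": {
        "initContainers": [{
            "name": "config-init", "image": "busybox:1.36",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
        "containers": [
            {"name": "app", "image": "registry.example.com/app:1.0",
             "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                 "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}}},
            {"name": "sidecar", "image": "registry.example.com/proxy:2.1",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False}},
        ],
    },
}

# Constructed admin activity entry wrapping the risky manifest.
SAMPLE_CREATE_ENTRY = {"protoPayload": {
    "methodName": "io.k8s.core.v1.pods.create",
    "authenticationInfo": {"principalEmail": "dev@example.com"},
    "request": RISKY_POD,
}}

if __name__ == "__main__":
    for f in check_pod_create_entry(SAMPLE_CREATE_ENTRY):
        print(f"{f['kind']}/{f['container']}: {', '.join(f['fields'])} = true")
```

Like the rule as described, this only fires on an explicit true; a container that simply omits allowPrivilegeEscalation still gets escalation by default, so an admission policy should require the field to be set to false rather than merely absent.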
SERVICE_ACCOUNT_KEY_CREATION
IAM Admin Activity audit logs
GLOBAL_SHUTDOWN_SCRIPT_ADDED
IAM Admin Activity audit logs
GLOBAL_STARTUP_SCRIPT_ADDED
IAM Admin Activity audit logs
ORG_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED
IAM Admin Activity audit logs
PROJECT_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED
IAM Admin Activity audit logs
OS_PATCH_EXECUTION_FROM_SERVICE_ACCOUNT
IAM Admin Activity audit logs
MODIFY_BOOT_DISK_ATTACH_TO_INSTANCE
Compute Engine audit logs
SECRETS_ACCESSED_IN_KUBERNETES_NAMESPACE
GKE Data Access logs
OFFENSIVE_SECURITY_DISTRO_ACTIVITY
IAM Admin Activity audit logs
SERVICE_ACCOUNT_EDITOR_OWNER
IAM Admin Activity audit logs
INFORMATION_GATHERING_TOOL_USED
IAM Admin Activity audit logs
SUSPICIOUS_TOKEN_GENERATION_IMPLICIT_DELEGATION
IAM Admin Activity audit logs
Detects events where the iam.serviceAccounts.implicitDelegation permission is abused to generate access tokens from a more privileged service account.
SUSPICIOUS_TOKEN_GENERATION_SIGN_JWT
IAM Admin Activity audit logs
SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_OPENID
IAM Admin Activity audit logs
Detects events where a service account in one project is used to generate an OpenID Connect token for a service account in another project, by using the iam.serviceAccounts.getOpenIdToken IAM permission. This finding isn't available for project-level activations.
SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_ACCESS_TOKEN
IAM Admin Activity audit logs
Detects events where a service account in one project is used to generate an access token for a service account in another project, by using the iam.serviceAccounts.getAccessToken IAM permission. This finding isn't available for project-level activations.
SUSPICIOUS_CROSS_PROJECT_PERMISSION_DATAFUSION
IAM Admin Activity audit logs
Detects events where a service account in one project is used to create a Data Fusion instance in another project, by using the datafusion.instances.create IAM permission. This finding isn't available for project-level activations.
DNS_TUNNELING_IODINE_HANDSHAKE
VPC_ROUTE_MASQUERADE
IAM Admin Activity audit logs
BILLING_DISABLED_SINGLE_PROJECT
IAM Admin Activity audit logs
BILLING_DISABLED_MULTIPLE_PROJECTS
IAM Admin Activity audit logs
VPC_FIREWALL_HIGH_PRIORITY_BLOCK
IAM Admin Activity audit logs
VPC_FIREWALL_MASS_RULE_DELETION
IAM Admin Activity audit logs
SERVICE_API_DISABLED
IAM Admin Activity audit logs
MIG_AUTOSCALING_SET_TO_MAX
IAM Admin Activity audit logs
UNAUTHORIZED_SERVICE_ACCOUNT_API_CALL
IAM Admin Activity audit logs
ANONYMOUS_SESSIONS_GRANTED_CLUSTER_ADMIN
GKE Admin Activity logs
Detects the creation of a ClusterRoleBinding object adding the root-cluster-admin-binding behavior to anonymous users.
GKE_RESOURCE_CREATED_ANONYMOUSLY_FROM_INTERNET
GKE Admin Activity logs
GKE_RESOURCE_MODIFIED_ANONYMOUSLY_FROM_INTERNET
GKE Admin Activity logs