Determine the difference between normal activity and an incident

Lab 1 hour 30 minutes universal_currency_alt 2 Credits show_chart Introductory
IMPORTANT:

  • Make sure to complete this hands-on lab on a desktop/laptop only.
  • There are only 5 attempts permitted per lab.
  • As a reminder, it is common to not get every question correct on your first try, and even to need to redo a task; this is part of the learning process.
  • Once a lab is started, the timer cannot be paused. After 1 hour and 30 minutes, the lab will end and you’ll need to start again.
  • For more information, review the Lab technical tips reading.

Activity overview

Event Threat Detection is one of Security Command Center's (SCC) services. Event Threat Detection is a log-based threat analysis that continuously monitors Google Cloud logs for potential threats. When Event Threat Detection identifies suspicious activity, it generates a finding that you can investigate.

In this lab, you’ll analyze findings in the Google Cloud Security Command Center and examine related events in Cloud Logging.

Scenario

Recently, the security team discovered two threat findings relating to suspicious activity with user accounts. The threat findings were promptly investigated and remediated. One of the findings was determined to be benign user activity while the other finding was confirmed as malicious. Your team lead, Chloe, has tasked you with examining the details behind each finding so that you can understand the difference between normal activity and malicious activity. To do this, you'll recreate the malicious activity to trigger IAM detectors, analyze the logs associated with both threat findings, and then remediate the malicious finding.

Here's how you'll do this task: First, you'll grant permissions to an external account to trigger an Event Threat Detection IAM finding. Then, you'll use the Security Command Center to access the two IAM findings. Next, you'll analyze details of the findings using Security Command Center and Cloud Logging to determine which finding is benign activity and which is anomalous. Finally, you'll remediate the finding related to the malicious IAM activity by adjusting the IAM settings.

Setup

Before you click Start Lab

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This practical lab lets you do the activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab---remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. On the left is the Lab Details panel with the following:

    • Time remaining
    • The Open Google Cloud console button
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
    Note: If you need to pay for the lab, a pop-up opens for you to select your payment method.
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window) if you are running the Chrome browser. The Sign in page opens in a new browser tab.

    Tip: You can arrange the tabs in separate, side-by-side windows to easily switch between them.

    Note: If the Choose an account dialog displays, click Use Another Account.
  3. If necessary, copy the Google Cloud username below and paste it into the Sign in dialog. Click Next.

{{{user_0.username | "Google Cloud username"}}}

You can also find the Google Cloud username in the Lab Details panel.

  4. Copy the Google Cloud password below and paste it into the Welcome dialog. Click Next.
{{{user_0.password | "Google Cloud password"}}}

You can also find the Google Cloud password in the Lab Details panel.

Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:
    • Accept the terms and conditions
    • Do not add recovery options or two-factor authentication (because this is a temporary account)
    • Do not sign up for free trials

After a few moments, the Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Task 1. Grant permissions to an external account

In this task, you’ll grant project owner rights to an external Gmail account. Granting owner rights to an external account will trigger the Event Threat Detection IAM detectors, because granting project owner rights to an external account is considered anomalous behavior or potentially malicious activity. Event Threat Detection will identify this activity as a threat and generate findings, which you'll examine in the upcoming tasks.

  1. In the Google Cloud console, in the Navigation menu (Navigation Menu icon), click IAM & Admin > IAM. The IAM page opens.

On the View By Principals tab, note the two student users that have been automatically configured for the qwiklabs.net organization. These two users are also the same users listed in the Lab details panel as Google Cloud username 1 and Google Cloud username 2.

These two users have automatically been granted owner roles to the lab project by a service account as part of a normal provisioning process. This will trigger an alert finding or incident because an external principal has an owner role. However, because both users belong to the qwiklabs.net organization, this alert is considered normal activity. You will examine this alert finding later.

  2. On the View By Principals tab, click Grant Access. The Grant access dialog displays.
  3. Under the Add principals section, in the New principals field, type bad.actor.demo@gmail.com.
  4. Expand the Select a role drop-down menu, select Basic, and then select Owner.
  5. Click Save.

You have now assigned the owner role to the external user bad.actor.demo@gmail.com. This will trigger a finding in SCC because this user is outside of the qwiklabs.net organization.

Click Check my progress to verify that you have completed this task correctly.

Grant permissions to an external account

Task 2. Access the Event Threat Detection findings

In this task, you’ll access the Event Threat Detection findings in the Security Command Center.

  1. In the Google Cloud console, in the Navigation menu (Navigation Menu icon), click Security > Findings. The Findings page opens.

You should notice three findings with high severities listed in the Finding query results panel. In this lab, you’ll examine two Persistence: IAM anomalous grant findings to determine whether the finding is normal activity or whether it is malicious.

Note: If the Persistence: IAM anomalous grant findings are not listed, you may have to wait a few minutes and refresh. Wait until both these active findings display before continuing.

A Persistence: IAM anomalous grant finding indicates that an anomalous IAM grant was detected. This means that a user or service account was granted access to a resource that they should not have had access to. This could be a potential indication of a malicious actor attempting to gain unauthorized access to your environment.

Next, filter the findings to display a list of Persistence: IAM anomalous grant category findings.

  2. In the Quick filters panel, in the Category section, select the checkbox for the Persistence: IAM anomalous grant category.
Note: Selecting attributes with quick filters automatically adds them to the query. Notice that the Query preview is updated with the Persistence: IAM anomalous grant category you selected. You can locate specific findings or groups of findings by editing the findings query.

The filter returns two Persistence: IAM anomalous grant findings.

  3. Click the Event time column header to sort the findings in descending order, so that the earliest finding is at the top.

Task 3. Analyze the findings

In this task, you'll examine these findings to determine which is normal activity and which is a genuine incident.

  1. In the Findings query results panel, in the Category column, click the Persistence: IAM Anomalous Grant finding with the earliest event time. The Persistence: IAM Anomalous Grant dialog opens on the Summary tab, which displays the finding summary.

  2. Find the Principal email row. This is the user account that granted the owner role to the user. Notice that the service account belongs to the qwiklabs.net organization. With this information, you can establish that this finding represents normal and expected activity.

  3. Click the Source Properties tab, and expand properties > sensitiveRoleGrant > members. Again, the email address listed for principalEmail is the user that granted the owner role, and the email address(es) listed for members is the user that was granted the owner role.

Next, you'll locate the malicious activity associated with the external user account you had granted access to: bad.actor.demo@gmail.com.

  4. Click the close (X) button to return to the Findings page.
  5. In the Findings query results panel, in the Category column, click the Persistence: IAM Anomalous Grant finding with the latest event time.
  6. Note the value in the Principal email row. This is the email address of the user account that granted the owner role to the user.
  7. Click the Source Properties tab, and expand properties > sensitiveRoleGrant > members. You should notice the user account bad.actor.demo@gmail.com, which is an external user account. With this information, you can establish that this finding is associated with an unauthorized and malicious actor.

Task 4. Access the findings in Cloud Logging

In this task, you’ll access the events related to the Security Command Center findings in Cloud Logging.

  1. In the Google Cloud console, in the Navigation menu (Navigation Menu icon) click Logging > Logs Explorer. The Logs Explorer page opens. (You may need to click More Products to expand the Navigation menu options and locate Logging under Operations.)
  2. Copy the following query into the Query builder at the top of the page:
protoPayload.authorizationInfo.permission="resourcemanager.projects.setIamPolicy" protoPayload.methodName="InsertProjectOwnershipInvite"

This query filters the IAM logs.

  3. Click Run query. The query results should display in the Query results pane.
  4. In the Query results pane, expand the audit log listed for your project.
  5. Click Expand nested fields. All the nested fields contained in the log are made visible.

You can now examine the details of the anomalous request event including information such as:

  • authenticationInfo: The email of the user who made the request.
  • request: The email identity of the user the anomalous grant was made to.
  • requestMetadata: The IP address of the system from which the request was made and the user agent of the web browser that was used.

This information can be vital when investigating whether an event is normal activity or an actual threat event.
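The same triage can be done programmatically. The following script is an added example and is not part of the lab or Google's tooling: it applies the lab's query filter (setIamPolicy permission plus the InsertProjectOwnershipInvite method) to constructed audit log entries, pulls out the granter, grantee, caller IP and user agent fields the lab inspects, and marks a grant as anomalous when the grantee's domain is outside the organization. The trusted domain set, the placeholder service account address and the layout of the request field are assumptions.

```python
# Assumption: the organization's own domain; an owner grant to any other domain is anomalous.
TRUSTED_DOMAINS = {"qwiklabs.net"}
SET_IAM_POLICY = "resourcemanager.projects.setIamPolicy"
OWNER_INVITE = "InsertProjectOwnershipInvite"


def audit_entry(method, granter, member, ip=None, agent=None):
    """Build a constructed audit log entry (not real log data); the "request" layout is assumed."""
    entry = {"protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": granter},
        "authorizationInfo": [{"permission": SET_IAM_POLICY, "granted": True}],
        "request": {"member": member}}}
    if ip:
        entry["protoPayload"]["requestMetadata"] = {"callerIp": ip, "callerSuppliedUserAgent": agent}
    return entry


# Constructed samples: the normal provisioning grant, the lab's Task 1 grant, and an
# unrelated policy change that the lab's query filter would not return.
SAMPLE_LOG_ENTRIES = [
    audit_entry(OWNER_INVITE, "provisioner@placeholder-sa.iam.gserviceaccount.com",
                "user:student-00@qwiklabs.net", "203.0.113.10", "google-api-go-client/0.5"),
    audit_entry(OWNER_INVITE, "student-00@qwiklabs.net",
                "user:bad.actor.demo@gmail.com", "198.51.100.7", "Mozilla/5.0"),
    audit_entry("SetIamPolicy", "student-00@qwiklabs.net", "user:student-01@qwiklabs.net"),
]


def member_domain(member):
    """'user:alice@example.com' -> 'example.com' (IAM members are '<type>:<email>')."""
    email = member.partition(":")[2] or member
    return email.rsplit("@", 1)[-1].lower()


def triage_entry(entry, trusted_domains=TRUSTED_DOMAINS):
    """Return the fields the lab inspects plus a verdict, or None if the lab's query would not match."""
    p = entry["protoPayload"]
    permissions = {a.get("permission") for a in p.get("authorizationInfo", [])}
    if SET_IAM_POLICY not in permissions or p.get("methodName") != OWNER_INVITE:
        return None
    grantee = p["request"]["member"]
    meta = p.get("requestMetadata", {})
    return {"granter": p["authenticationInfo"]["principalEmail"],  # authenticationInfo
            "grantee": grantee,                                      # request
            "caller_ip": meta.get("callerIp"),                       # requestMetadata
            "user_agent": meta.get("callerSuppliedUserAgent"),
            "verdict": "normal" if member_domain(grantee) in trusted_domains else "anomalous"}


def triage_all(entries):
    """Apply the query filter and verdict to every entry, dropping non-matching ones."""
    return [r for r in (triage_entry(e) for e in entries) if r is not None]
```

Running triage_all(SAMPLE_LOG_ENTRIES) returns two records: the provisioning grant marked normal and the gmail.com grant marked anomalous, while the unrelated SetIamPolicy entry is dropped just as the Logs Explorer query would drop it.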

Task 5. Fix the finding

In this task, you’ll remediate the malicious Persistence: IAM Anomalous Grant finding by removing the project owner role that you had previously assigned to the external user.

  1. In the Google Cloud console, in the Navigation menu (Navigation Menu icon), click IAM & Admin > IAM. The IAM page opens.
  2. Next to the bad.actor.demo@gmail.com user, click the Edit principal (Edit icon) icon. The Edit permissions page opens.
  3. Click the Delete (Delete icon) icon to delete the owner role.
  4. Click Save.

The policy will be updated, and the owner role removed from the bad.actor.demo@gmail.com user.

Click Check my progress to verify that you have completed this task correctly.

Fix the finding

Conclusion

Great work! Through this lab activity, you have gained practical experience in analyzing a security alert to determine whether it represents genuine malicious activity.

You did this by granting permissions to an external user, viewing the Event Threat Detection findings in the Security Command Center, and accessing the findings in Cloud Logging. Finally, you remediated the finding by removing the project owner role from the external user.

As a security analyst, these are skills that can enable you to quickly take steps to contain, mitigate, and remediate any threats.

End your lab

Before you end the lab, make sure you’re satisfied that you’ve completed all the tasks. When you're ready, click End Lab and then click Submit.

Ending the lab will remove your access to the lab environment, and you won’t be able to access the work you've completed in it again.

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.