This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Malware is detected by examining VPC Flow Logs and
Cloud DNS logs for connections to known command and control domains and
IP addresses.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Log4j Malware: Bad Domain finding, as directed in Reviewing
findings.
The details panel for the
finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Indicator domain: the domain that triggered the finding.
Affected resource, especially the following fields:
Resource full name: the full resource name of the affected
Compute Engine instance.
Project full name: the full resource name of the project that
contains the finding.
Related links, especially the following fields:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
VirusTotal indicator: link to the VirusTotal analysis page.
Flow Analyzer: link to the Flow Analyzer feature of Network Intelligence Center. This field displays only when VPC Flow Logs is enabled.
Click the JSON tab and note the following fields (shown with their nesting):
evidence:
    sourceLogId:
        projectID: the ID of the project in which the issue was detected.
properties:
    InstanceDetails: the resource address for the Compute Engine
    instance.
Step 2: Review permissions and settings
In the Google Cloud console, go to the Dashboard page.
Select the project that is specified in the Project full name row
on the Summary tab.
Navigate to the Resources card and click Compute Engine.
Click the VM instance that matches the name and zone in
Resource full name.
Review instance details, including network and access settings.
In the navigation pane, click VPC Network, then click Firewall.
Remove or disable overly permissive firewall rules.
Step 3: Check logs
On the Summary tab of the finding details panel, click the
Cloud Logging URI link to open the Logs Explorer.
On the page that loads, find VPC Flow Logs related to the IP
address in Source IP by using the following filter:
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" AND
(jsonPayload.connection.src_ip="SOURCE_IP" OR jsonPayload.connection.dest_ip="SOURCE_IP")
Replace the following:
PROJECT_ID with the project ID listed in the projectID field on the JSON tab.
SOURCE_IP (in both places, so that flows in either direction are matched) with
the IP address listed on the Source IP row in the Summary tab of the finding
details.
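The Logs Explorer filter above only retrieves the entries; the analyst still has to correlate them. The following is an added example, not part of the Security Command Center documentation, showing how exported log entries (for example the JSON output of `gcloud logging read`) can be triaged offline: it builds the Step 3 filter with both placeholders filled, pulls the addresses the indicator domain resolved to out of Cloud DNS query-log answers, and then lists the VPC flows in which those addresses appear as source or destination. The DNS log name, the rdata layout, the helper names and all sample entries are this example's own assumptions; the VPC Flow Logs field names are the ones the filter on this page already uses.

```python
"""Offline triage of exported Cloud Logging entries for a Malware: Bad Domain finding.

Added example. Assumes entries use the VPC Flow Logs layout
(jsonPayload.connection.src_ip / dest_ip / dest_port, jsonPayload.bytes_sent,
jsonPayload.src_instance / dest_instance) and a Cloud DNS query-log layout
(jsonPayload.queryName, jsonPayload.rdata, jsonPayload.vmInstanceName).
"""
from __future__ import annotations

import ipaddress
import json
import re

# Log ID from the Step 3 filter; %2F is the URL-encoded "/" inside the log name.
VPC_FLOW_LOG = "compute.googleapis.com%2Fvpc_flows"
DNS_LOG = "dns.googleapis.com%2Fdns_queries"  # assumed Cloud DNS query log ID
_A_RECORD = re.compile(r"\bIN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_flow_filter(project_id: str, ip: str) -> str:
    """Return the Step 3 Logs Explorer filter with its placeholders filled in.

    The indicator IP is matched on both src_ip and dest_ip so that flows in
    either direction come back. A malformed address raises ValueError.
    """
    ipaddress.ip_address(ip)
    return (
        f'logName="projects/{project_id}/logs/{VPC_FLOW_LOG}" AND '
        f'(jsonPayload.connection.src_ip="{ip}" OR jsonPayload.connection.dest_ip="{ip}")'
    )


def _norm(domain: str) -> str:
    """Compare domains without the trailing dot and case-insensitively."""
    return domain.rstrip(".").lower()


def resolve_indicator_ips(entries: list[dict], domain: str) -> set[str]:
    """IPv4 addresses the indicator domain resolved to, taken from DNS answer rdata."""
    ips: set[str] = set()
    for e in entries:
        p = e.get("jsonPayload", {})
        if e.get("logName", "").endswith(DNS_LOG) and _norm(p.get("queryName", "")) == _norm(domain):
            ips.update(_A_RECORD.findall(p.get("rdata", "")))
    return ips


def flows_involving(entries: list[dict], ip: str) -> list[dict]:
    """VPC flow entries in which ip is the source or the destination."""
    out = []
    for e in entries:
        if not e.get("logName", "").endswith(VPC_FLOW_LOG):
            continue
        p = e["jsonPayload"]
        c = p["connection"]
        if c.get("src_ip") == ip:      # traffic from the indicator into a VM
            vm = p.get("dest_instance", {}).get("vm_name")
            out.append({"direction": "inbound", "vm": vm, "port": c.get("dest_port"), "bytes": p.get("bytes_sent", 0)})
        elif c.get("dest_ip") == ip:   # traffic from a VM out to the indicator
            vm = p.get("src_instance", {}).get("vm_name")
            out.append({"direction": "outbound", "vm": vm, "port": c.get("dest_port"), "bytes": p.get("bytes_sent", 0)})
    return out


def triage(entries: list[dict], domain: str) -> dict:
    """Correlate lookups of the indicator domain with the flows to its addresses."""
    querying_vms = sorted({e["jsonPayload"].get("vmInstanceName", "?") for e in entries
                           if e.get("logName", "").endswith(DNS_LOG)
                           and _norm(e["jsonPayload"].get("queryName", "")) == _norm(domain)})
    flows_by_ip = {}
    for ip in sorted(resolve_indicator_ips(entries, domain)):
        flows = flows_involving(entries, ip)
        flows_by_ip[ip] = {
            "vms": sorted({f["vm"] for f in flows if f["vm"]}),
            "ports": sorted({f["port"] for f in flows if f["port"] is not None}),
            "bytes": sum(f["bytes"] for f in flows),
            "flows": len(flows),
        }
    return {"domain": _norm(domain), "querying_vms": querying_vms, "flows_by_ip": flows_by_ip}


# Constructed sample entries, trimmed to the fields the triage reads.
SAMPLE_ENTRIES = [
    {"logName": f"projects/demo-proj/logs/{DNS_LOG}",
     "jsonPayload": {"queryName": "bad-c2.example.", "queryType": "A",
                     "rdata": "bad-c2.example.\t300\tIN\tA\t203.0.113.10",
                     "vmInstanceName": "web-1", "sourceIP": "10.128.0.7"}},
    {"logName": f"projects/demo-proj/logs/{DNS_LOG}",
     "jsonPayload": {"queryName": "updates.example.", "queryType": "A",
                     "rdata": "updates.example.\t60\tIN\tA\t198.51.100.5",
                     "vmInstanceName": "web-2", "sourceIP": "10.128.0.9"}},
    {"logName": f"projects/demo-proj/logs/{VPC_FLOW_LOG}",
     "jsonPayload": {"connection": {"src_ip": "10.128.0.7", "dest_ip": "203.0.113.10", "dest_port": 443, "protocol": 6},
                     "src_instance": {"vm_name": "web-1"}, "bytes_sent": 4096}},
    {"logName": f"projects/demo-proj/logs/{VPC_FLOW_LOG}",
     "jsonPayload": {"connection": {"src_ip": "203.0.113.10", "dest_ip": "10.128.0.7", "dest_port": 51234, "protocol": 6},
                     "dest_instance": {"vm_name": "web-1"}, "bytes_sent": 1024}},
    {"logName": f"projects/demo-proj/logs/{VPC_FLOW_LOG}",
     "jsonPayload": {"connection": {"src_ip": "10.128.0.9", "dest_ip": "198.51.100.5", "dest_port": 443, "protocol": 6},
                     "src_instance": {"vm_name": "web-2"}, "bytes_sent": 512}},
]

if __name__ == "__main__":
    print(build_flow_filter("demo-proj", "203.0.113.10"))
    print(json.dumps(triage(SAMPLE_ENTRIES, "bad-c2.example"), indent=2))
```

The summary it produces (which VMs looked the domain up, which addresses it resolved to, how much traffic went to or came from each, and on which ports) is what you would carry into Step 4 and Step 6: the VMs are the instances to inspect and the addresses are the ones to block.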
Step 4: Check Flow Analyzer
You must enable VPC Flow Logs to perform the following process.
Ensure that you have upgraded your log bucket to use Log Analytics.
For instructions, see Upgrade a bucket to use Log
Analytics. There is no additional cost
to upgrade.
In the Google Cloud console, go to the Flow Analyzer
page.
You can also access Flow Analyzer through the
Flow Analyzer URL link in the Related Links section on
the Summary tab of the Finding details pane.
To further investigate information pertaining to the Event Threat Detection
finding, use the time range picker in the action bar to change the time
period. The time period should reflect when the finding was first reported.
For example, if the finding was reported within the last 2 hours, you might
set the time period to Last 6 hours. This ensures the time period in
Flow Analyzer includes the time when the finding was
reported.
Filter Flow Analyzer to display the
appropriate results for the IP address associated with the malicious IP
finding:
From the Filter menu in the Source row of the Query section,
select IP.
In the Value field, enter the IP address associated with the finding
and click Run New Query.
If Flow Analyzer doesn't display any results for the IP
address, clear the filter from the Source row, and run the query again
with the same filter in the Destination row.
Analyze the results. For additional information about a specific flow, click
Details in the All data flows table to open the Flow details
pane.
Step 5: Research attack and response methods
Review the MITRE ATT&CK framework entries for this finding type: Dynamic
Resolution (T1568) and Command and Control (TA0011).
Review related findings by clicking the link on the Related findings row in
the Summary tab of the finding details.
Related findings are the same finding type and the same instance and network.
Check flagged URLs and domains on
VirusTotal by
clicking the link in VirusTotal indicator. VirusTotal is an
Alphabet-owned service that provides context on potentially malicious files,
URLs, domains, and IP addresses.
To develop a response plan, combine your investigation results with MITRE
research.
Step 6: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the project containing malware.
Investigate the potentially compromised instance and remove any discovered
malware. To assist with detection and removal, use an endpoint detection and
response solution.
To track activity and vulnerabilities that allowed the insertion of malware,
check audit logs and syslogs associated with the compromised instance.
If necessary, stop the compromised instance and replace it with a new instance.
Block the malicious IP addresses by updating firewall
rules or by using Cloud Armor. You can
enable Cloud Armor on the Security Command Center Integrated
Services page. Depending on data volume, Cloud Armor costs can
be significant. See the Cloud Armor pricing guide
for more information.
To control access and use of VM images, use Shielded VM and the Trusted
Images IAM policy.
Last updated 2025-09-03 UTC.