Initial Access: Excessive Permission Denied Actions
Premium and Enterprise service tiers
This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A principal repeatedly triggered permission denied errors across multiple methods and services. One identity failing authorization on many unrelated API methods in a short period is the pattern left by someone testing what a set of credentials is allowed to do, which is why this finding is mapped to the MITRE ATT&CK technique Valid Accounts: Cloud Accounts. A legitimate owner running a misconfigured script or a newly scoped service account can produce the same signal, so the investigation below is about establishing which of the two you are looking at.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Initial Access: Excessive Permission Denied Actions
finding, as directed in Reviewing findings.
In the finding details, on the Summary tab, note the values of the
following fields.
Under What was detected:
Principal email: the principal that triggered multiple permission denied errors
Service name: the API name of the Google Cloud service in which the last permission denied error happened
Method name: the method that was called when the last permission denied error happened
In the finding details, on the Source Properties tab, note the values of
the following fields in the JSON:
properties.failedActions: the permission denied errors that occurred.
For each entry, details include the service name, method name,
number of failed attempts, and the time the error last occurred.
A maximum of 10 entries are shown.
Step 2: Check logs
In the Google Cloud console, go to Logs Explorer by clicking
the link in Cloud Logging URI.
On the Google Cloud console toolbar, select your project.
On the page that loads, find related logs by using the following filter:
    protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"
    protoPayload.status.code=7
Replace PRINCIPAL_EMAIL with the value that you noted in the Principal email field in the finding details. Status code 7 is PERMISSION_DENIED in google.rpc.Code; successful calls carry no status block, so this filter returns only the denied calls, which you can then compare against the entries in properties.failedActions.
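The following added example, which is not code from the Security Command Center documentation or from Google, applies the same two conditions (the principal email and protoPayload.status.code=7) to audit log entries in Python and aggregates them the way properties.failedActions does: one row per service and method with the attempt count and the last occurrence. It assumes entries in the JSON shape that gcloud logging read --format=json returns; the log entries, the principal email and the is_excessive thresholds are constructed for illustration.

```python
"""Triage helper for Initial Access: Excessive Permission Denied Actions.

Added example; this is not code from the Security Command Center
documentation or from Google. It assumes Cloud Audit Log entries in the
JSON shape that `gcloud logging read --format=json` returns, and the
sample entries below are constructed for illustration.
"""

PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED, the status.code the finding keys on

# The principal named in the finding's "Principal email" field (assumed value).
PRINCIPAL = "svc-build@example-project.iam.gserviceaccount.com"


def _entry(ts, principal, service, method, code):
    """Build a minimal audit log entry with only the fields the filter uses."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "serviceName": service,
            "methodName": method,
            "status": {"code": code},
        },
    }


# Constructed sample log entries, not real logs.
SAMPLE_ENTRIES = [
    _entry("2025-08-29T10:00:01Z", PRINCIPAL, "compute.googleapis.com",
           "v1.compute.instances.list", 7),
    _entry("2025-08-29T10:00:05Z", PRINCIPAL, "compute.googleapis.com",
           "v1.compute.instances.list", 7),
    _entry("2025-08-29T10:00:09Z", PRINCIPAL, "storage.googleapis.com",
           "storage.buckets.list", 7),
    _entry("2025-08-29T10:00:12Z", PRINCIPAL, "iam.googleapis.com",
           "google.iam.admin.v1.ListServiceAccounts", 7),
    # A successful call by the same principal: status.code 0, not matched.
    _entry("2025-08-29T10:00:15Z", PRINCIPAL, "compute.googleapis.com",
           "v1.compute.instances.get", 0),
    # A denied call by a different principal: not matched for PRINCIPAL.
    _entry("2025-08-29T10:00:20Z", "alice@example.com", "compute.googleapis.com",
           "v1.compute.instances.list", 7),
]


def matches_filter(entry, principal_email):
    """Python equivalent of the two Logs Explorer filter lines:
    protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"
    protoPayload.status.code=7
    A missing status block means the call succeeded, so it does not match."""
    payload = entry.get("protoPayload") or {}
    auth = payload.get("authenticationInfo") or {}
    if auth.get("principalEmail") != principal_email:
        return False
    return (payload.get("status") or {}).get("code") == PERMISSION_DENIED


def failed_actions(entries, principal_email, limit=10):
    """Group matching entries by (serviceName, methodName), mirroring the
    finding's properties.failedActions: attempt count and the last time the
    error occurred. Ordered by attempts (most first) and capped at `limit`,
    the same cap of 10 entries the finding applies."""
    buckets = {}
    for entry in entries:
        if not matches_filter(entry, principal_email):
            continue
        payload = entry["protoPayload"]
        key = (payload.get("serviceName"), payload.get("methodName"))
        count, last = buckets.get(key, (0, ""))
        # Fixed-format UTC ("Z") RFC 3339 timestamps compare correctly as strings.
        buckets[key] = (count + 1, max(last, entry.get("timestamp", "")))
    rows = [
        {"serviceName": svc, "methodName": method, "attempts": count, "lastOccurred": last}
        for (svc, method), (count, last) in buckets.items()
    ]
    rows.sort(key=lambda r: (-r["attempts"], r["serviceName"], r["methodName"]))
    return rows[:limit]


def is_excessive(rows, min_services=2, min_methods=3):
    """Rough 'multiple methods and services' check over the aggregated rows.
    The thresholds are assumed for this example; the detector's own are not
    documented on the page."""
    services = {r["serviceName"] for r in rows}
    methods = {(r["serviceName"], r["methodName"]) for r in rows}
    return len(services) >= min_services and len(methods) >= min_methods


if __name__ == "__main__":
    for row in failed_actions(SAMPLE_ENTRIES, PRINCIPAL):
        print(row)
    print("excessive:", is_excessive(failed_actions(SAMPLE_ENTRIES, PRINCIPAL)))
```

To run it against real data, export the same filter from the command line, for example gcloud logging read 'protoPayload.status.code=7 AND protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"' --project=PROJECT_ID --freshness=1d --format=json, load the resulting JSON list and pass it to failed_actions. The aggregated rows should line up with the entries in properties.failedActions; rows that appear in the logs but not in the finding are just the ones beyond the finding's cap of 10.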
Step 3: Research attack and response methods
Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts: Cloud Accounts (https://attack.mitre.org/techniques/T1078/004/).
To develop a response plan, combine your investigation results with MITRE research.
Step 4: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the account in the Principal email field. Confirm whether the legitimate owner conducted the action.
Delete project resources created by that account, such as unfamiliar Compute Engine instances, snapshots, service accounts, and IAM users. Before you delete anything, record the resource configuration and the related audit log entries so the investigation record survives the cleanup.
Contact the owner of the project with the account, and potentially delete or disable the account. Disabling is reversible and stops further use while you investigate, so prefer it over deletion until the account's role is confirmed.
What's next
Learn how to work with threat findings in Security Command Center (/security-command-center/docs/how-to-investigate-threats).
Refer to the Threat findings index (/security-command-center/docs/threat-findings-index).
Learn how to review a finding (/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
Learn about the services that generate threat findings (/security-command-center/docs/concepts-security-sources#threats).

Last updated 2025-08-29 UTC.