Respond to Cloud Run threat findings
This document offers informal guidance on how you can respond to findings of suspicious
activities in your Cloud Run resources. The recommended steps might not be appropriate for all
findings and might impact your operations. Before you take any action, you should investigate the
findings; assess the information that you gather; and decide how to respond.
The techniques in this document aren't guaranteed to be effective against any previous, current,
or future threats that you face. To understand why Security Command Center does not provide official
remediation guidance for threats, see Remediating threats.
Before you begin
1. Review the finding. Note the affected container and the detected binaries, processes, or libraries.
2. To learn more about the finding that you're investigating, search for the finding in the Threat findings index.
General recommendations
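- Contact the owner of the affected resource.
- View the logs for the potentially compromised Cloud Run service or job.
- For forensic analysis, collect and back up the logs from the affected service or job.
- For further investigation, consider using incident response services like Mandiant.
- Consider deleting the affected Cloud Run service or service revision:
  - To delete the service, see Delete existing services.
  - To delete the service revision, roll back to a previous revision or deploy a new, more secure revision. Then, delete the affected revision.
- Consider deleting the affected Cloud Run job.
Malicious script or Python code executed
If the script or Python code was making intended changes to the container, deploy a revision to the service that has all the intended changes. Don't rely on a script to make changes after the container is deployed.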
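The following is an added example, not part of the original page: it strings together the log backup, rollback, and revision deletion steps from the general recommendations using gcloud. The service, region, revision, and bucket names are placeholders supplied by the caller, and the script only prints its plan unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original page): preserve evidence, then contain.
# Service, region, revision and bucket names are caller-supplied placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan only; 0 = also execute it

# Cloud Logging filter that selects one revision of one Cloud Run service.
log_filter() {  # args: service revision
  printf 'resource.type="cloud_run_revision" AND resource.labels.service_name="%s" AND resource.labels.revision_name="%s"' "$1" "$2"
}

# Print a command, and execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

respond() {  # args: service region affected_revision known_good_revision bucket
  service="$1"; region="$2"; bad="$3"; good="$4"; bucket="$5"
  out="cloud-run-${service}-${bad}-logs.json"
  filter=$(log_filter "$service" "$bad")

  # 1. Export the affected revision's logs before changing anything.
  printf "+ gcloud logging read '%s' --freshness=30d --format=json > %s\n" "$filter" "$out"
  if [ "$DRY_RUN" = "0" ]; then
    gcloud logging read "$filter" --freshness=30d --format=json > "$out"
  fi
  # 2. Back the export up to a bucket outside the affected service.
  run gcloud storage cp "$out" "gs://${bucket}/${out}"
  # 3. Roll back: route all traffic to the known-good revision.
  run gcloud run services update-traffic "$service" --region="$region" --to-revisions="${good}=100"
  # 4. Delete the affected revision now that it serves no traffic.
  run gcloud run revisions delete "$bad" --region="$region" --quiet
}

# Usage: DRY_RUN=0 sh respond.sh SERVICE REGION AFFECTED_REV GOOD_REV BUCKET
if [ "$#" -eq 5 ]; then respond "$@"; fi
```

Run it once with the default DRY_RUN=1 and review the printed commands with the resource owner before executing them.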
Last updated 2025-08-29 UTC.