Premium and Enterprise service tiers

This document offers informal guidance on how you can respond to findings of suspicious activities in your Compute Engine resources. The recommended steps might not be appropriate for all findings and might impact your operations. Before you take any action, you should investigate the findings, assess the information that you gather, and decide how to respond.

The techniques in this document aren't guaranteed to be effective against any previous, current, or future threats that you face. To understand why Security Command Center does not provide official remediation guidance for threats, see Remediating threats.
Before you begin

1. Review the finding. Note the affected Compute Engine instance and the detected principal email and caller IP address (if present). Also review the finding for indicators of compromise (IP, domain, file hash, or signature).
2. To learn more about the finding that you're investigating, search for the finding in the Threat findings index.
General recommendations

- Contact the owner of the affected resource.
- Investigate the potentially compromised instance and remove any discovered malware.
- If necessary, stop the compromised instance and replace it with a new instance.
- For forensic analysis, consider backing up the affected virtual machines and persistent disks. For more information, see Data protection options in the Compute Engine documentation.
- If necessary, delete the VM instance.
- If the finding includes a principal email and caller IP, review other audit logs associated with that principal or IP address for anomalous activity. If the associated account has been compromised, disable it or reduce its privileges.
- For further investigation, consider using incident response services like Mandiant.

In addition, consider the recommendations in the subsequent sections on this page.
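The audit-log review recommended above is the step most analysts want to script. The following shell helper is an added example, not code from the Security Command Center documentation or from Google: it builds a Cloud Logging filter pinned to the finding's principal email and caller IP, pulls the matching Cloud Audit Logs entries with gcloud as tab-separated values, and flags the methods that change access or create persistence (metadata edits that carry SSH keys, firewall changes, IAM policy changes, new service account keys, new instances). The project id, principal, IP address, timestamps and the high-risk method list are assumptions chosen for the example, and the sample entries are constructed rather than real log data.

```shell
#!/bin/sh
# Added example, not from the Security Command Center docs. Assumes an
# authenticated gcloud; project, principal, IP and window are supplied by the
# analyst from the finding.

# Cloud Logging filter pinned to one principal and caller IP over a time window.
audit_filter() { # principal_email caller_ip since_rfc3339
  printf 'logName:"cloudaudit.googleapis.com" AND protoPayload.authenticationInfo.principalEmail="%s" AND protoPayload.requestMetadata.callerIp="%s" AND timestamp>="%s"' \
    "$1" "$2" "$3"
}

# Fetch matching audit entries as tab-separated timestamp, method, resource.
fetch_audit_entries() { # project principal_email caller_ip since_rfc3339
  gcloud logging read "$(audit_filter "$2" "$3" "$4")" --project "$1" \
    --format='value(timestamp,protoPayload.methodName,protoPayload.resourceName)'
}

# Read those TSV lines on stdin and mark the ones that change access or create
# persistence. The method list is a starter set chosen for this example.
flag_high_risk() {
  awk -F'\t' '
    BEGIN {
      risky["compute.instances.setMetadata"] = 1                # instance SSH keys, startup-script
      risky["compute.projects.setCommonInstanceMetadata"] = 1   # project-wide SSH keys
      risky["compute.firewalls.insert"] = 1
      risky["compute.firewalls.patch"] = 1
      risky["compute.instances.insert"] = 1
      risky["SetIamPolicy"] = 1
      risky["google.iam.admin.v1.CreateServiceAccountKey"] = 1
    }
    {
      m = $2; sub(/^(v1|beta|alpha)\./, "", m)   # drop the API version prefix
      if (m in risky) print "HIGH\t" $0
    }'
}

# Constructed sample in the same shape gcloud emits; not real log data.
sample_entries() {
  printf '%s\t%s\t%s\n' \
    2025-09-01T10:00:00Z v1.compute.instances.get projects/my-proj/zones/us-central1-a/instances/web-1 \
    2025-09-01T10:02:00Z v1.compute.instances.setMetadata projects/my-proj/zones/us-central1-a/instances/web-1 \
    2025-09-01T10:05:00Z google.iam.admin.v1.CreateServiceAccountKey projects/my-proj/serviceAccounts/deploy@my-proj.iam.gserviceaccount.com \
    2025-09-01T10:07:00Z v1.compute.disks.list projects/my-proj/zones/us-central1-a
}

# Usage against a real project:
#   fetch_audit_entries my-proj alice@example.com 203.0.113.5 2025-09-01T00:00:00Z | flag_high_risk
# Offline demonstration with the constructed sample:
#   sample_entries | flag_high_risk
```

Run the flagged lines against what the principal normally does; a `setMetadata` call followed by a new service account key from the same caller IP is the pattern that warrants disabling the account rather than only reducing its privileges. Widen the window and drop the `callerIp` clause if the finding suggests the actor rotated addresses.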
SSH threats

- Consider disabling SSH access to the VM. For information about disabling SSH keys, see Restrict SSH keys from VMs. This action can interrupt authorized access to the VM, so consider the needs of your organization before you proceed.
- Only use SSH authentication with authorized keys.
- Block malicious IP addresses by updating firewall rules or by using Cloud Armor. Consider enabling Cloud Armor as an integrated service. Depending on data volume, Cloud Armor costs can be significant. For more information, see Cloud Armor pricing.
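The SSH containment steps above (preserve the disk, stop the instance, restrict SSH keys, block the caller IP at the firewall) are shown here as an added runbook script; it is not code from the Security Command Center documentation or from Google. It uses standard gcloud commands, and with `DRY_RUN=1` it prints each command instead of running it so the plan can be reviewed before anything touches the VM. The project id, zone, instance, disk, network and IP address are assumptions supplied by the analyst; the rule and snapshot names are conventions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the Security Command Center docs. Assumes an
# authenticated gcloud; project, zone, instance, network and caller IP come
# from the finding and the analyst. DRY_RUN=1 prints commands instead of
# running them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Preserve evidence first: snapshot the disk before changing the instance.
#    Snapshot names must be lowercase letters, digits and hyphens.
snapshot_disk() { # project zone disk
  run gcloud compute disks snapshot "$3" --project "$1" --zone "$2" \
      --snapshot-names "ir-$3-$(date -u +%Y%m%d-%H%M%S)"
}

# 2. Stop the instance so nothing further executes on it (its disks persist).
stop_instance() { # project zone instance
  run gcloud compute instances stop "$3" --project "$1" --zone "$2"
}

# 3. Cut metadata-based SSH: ignore project-wide keys on this instance and
#    remove any instance-level keys (including ones an attacker may have added).
restrict_ssh() { # project zone instance
  run gcloud compute instances add-metadata "$3" --project "$1" --zone "$2" \
      --metadata block-project-ssh-keys=TRUE
  run gcloud compute instances remove-metadata "$3" --project "$1" --zone "$2" \
      --keys ssh-keys
}

# 4. Deny the caller IP on the VPC at a priority that wins over allow rules.
block_source_ip() { # project network ip
  run gcloud compute firewall-rules create "deny-ir-$(printf '%s' "$3" | sed 's/\./-/g')" \
      --project "$1" --network "$2" --direction INGRESS --priority 100 \
      --action DENY --rules all --source-ranges "$3/32"
}

# Runbook order: evidence, then stop, then access and network containment.
contain_ssh_compromise() { # project zone instance disk network ip
  snapshot_disk "$1" "$2" "$4"
  stop_instance "$1" "$2" "$3"
  restrict_ssh "$1" "$2" "$3"
  block_source_ip "$1" "$5" "$6"
}

# Usage: DRY_RUN=1 sh contain-ssh.sh my-proj us-central1-a web-1 web-1 default 203.0.113.5
if [ $# -eq 6 ]; then contain_ssh_compromise "$@"; fi
```

Removing the `ssh-keys` metadata also removes legitimate keys, which is the access interruption the section warns about; if the VM uses OS Login rather than metadata keys, the restriction has to be applied through IAM instead. The firewall rule is a single-host deny, so it is a stopgap until Cloud Armor or a broader policy is in place.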
Lateral movements in Compute Engine instances

- Consider using Secure Boot for your Compute Engine VM instances.
- Consider deleting the potentially compromised service account, and rotate and delete all service account access keys for the potentially compromised project. After deletion, applications that use the service account for authentication lose access. Before proceeding, your security team should identify all impacted applications and work with application owners to ensure business continuity.
- Work with your security team to identify unfamiliar resources, including Compute Engine instances, snapshots, service accounts, and IAM users. Delete resources not created with authorized accounts.
- Respond to any notifications from Cloud Customer Care.
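Two of the recommendations above, revoking service account keys and finding resources that were not created by authorized accounts, are shown here in an added example that is not code from the Security Command Center documentation or from Google. It revokes user-managed keys by id (Google-managed keys cannot be deleted), offers disabling the account as the reversible step while application owners are identified, lists Compute Engine instances and snapshots created inside the suspicious window, and checks creation events from the audit log against an allowlist of principals. The project id, timestamps, service account email, key ids and allowlist are assumptions; the sample log lines are constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the Security Command Center docs. Assumes an
# authenticated gcloud; the analyst supplies the project, the start of the
# suspicious window and the principals allowed to create resources.
# DRY_RUN=1 prints commands instead of running them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Enumerate user-managed key ids; Google-managed keys cannot be deleted.
list_user_keys() { # sa_email
  gcloud iam service-accounts keys list --iam-account "$1" --managed-by user \
      --format='value(name.basename())'
}

# Revoke user-managed keys by id, e.g. revoke_sa_keys "$SA" $(list_user_keys "$SA").
revoke_sa_keys() { # sa_email key_id...
  sa=$1; shift
  for key in "$@"; do
    run gcloud iam service-accounts keys delete "$key" --iam-account "$sa" --quiet
  done
}

# Disabling is reversible, unlike deletion, which suits the business-continuity
# caveat: disable now, delete once the impacted applications are known.
disable_service_account() { run gcloud iam service-accounts disable "$1"; }

# Inventory resources created inside the suspicious window.
list_recent_resources() { # project since_rfc3339
  run gcloud compute instances list --project "$1" \
      --filter="creationTimestamp>'$2'" --format='table(name,zone.basename(),creationTimestamp)'
  run gcloud compute snapshots list --project "$1" \
      --filter="creationTimestamp>'$2'" --format='table(name,sourceDisk.basename(),creationTimestamp)'
}

# Creation methods whose caller should be checked against the allowlist.
CREATE_METHODS='compute.instances.insert compute.snapshots.insert google.iam.admin.v1.CreateServiceAccount google.iam.admin.v1.CreateServiceAccountKey SetIamPolicy'

# Read "principal<TAB>method<TAB>resource" lines, the shape of
#   gcloud logging read FILTER --format='value(protoPayload.authenticationInfo.principalEmail,protoPayload.methodName,protoPayload.resourceName)'
# and print creations made by principals that are not on the allowlist.
unauthorized_creations() { # allowlist: space-separated principal emails
  awk -F'\t' -v allow="$1" -v methods="$CREATE_METHODS" '
    BEGIN {
      n = split(allow, a, " ");   for (i = 1; i <= n; i++) ok[a[i]] = 1
      m = split(methods, b, " "); for (i = 1; i <= m; i++) create[b[i]] = 1
    }
    {
      meth = $2; sub(/^(v1|beta|alpha)\./, "", meth)   # drop the API version prefix
      if ((meth in create) && !($1 in ok)) print "REVIEW\t" $0
    }'
}

# Constructed sample; not real log data.
sample_creations() {
  printf '%s\t%s\t%s\n' \
    deploy@my-proj.iam.gserviceaccount.com v1.compute.instances.insert projects/my-proj/zones/us-central1-a/instances/web-2 \
    unknown-user@example.com v1.compute.instances.insert projects/my-proj/zones/us-central1-a/instances/tmp-instance-7 \
    unknown-user@example.com google.iam.admin.v1.CreateServiceAccountKey projects/my-proj/serviceAccounts/deploy@my-proj.iam.gserviceaccount.com \
    alice@example.com v1.compute.instances.get projects/my-proj/zones/us-central1-a/instances/web-2
}

# Offline demonstration:
#   sample_creations | unauthorized_creations 'deploy@my-proj.iam.gserviceaccount.com alice@example.com'
```

The `REVIEW` lines are candidates, not a deletion list: confirm each with the resource owner, because a legitimate automation account that is simply missing from the allowlist produces the same output as an attacker-created resource.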
What's next

- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.

Last updated 2025-09-03 UTC.