
Explore false positives through incident detection



Lab, 1 hour 30 minutes, Credits: 2, Introductory
Note: This lab may include AI tools that support your learning.
IMPORTANT:

Make sure to complete this hands-on lab on a desktop/laptop only.

There are only 5 attempts permitted per lab.

As a reminder – it is common to not get every question correct on your first try, and even to need to redo a task; this is part of the learning process.

Once a lab is started, the timer cannot be paused. After 1 hour and 30 minutes, the lab will end and you’ll need to start again.

For more information review the Lab technical tips reading.

Activity overview

A false positive is an alert that incorrectly detects the presence of a threat. False positives can be triggered by genuine and legitimate user activity. Security teams may spend lots of time and resources investigating false positive alerts only to discover that there is no real threat.

In this lab, you'll recreate the activity that generates a false positive alert. Then, you'll access and analyze the false positive threat using Security Command Center (SCC) and take action to address it. You'll be using two separate accounts in this lab: one account to trigger the false positive and another account to analyze and remediate the false positive.

Scenario

Your team lead, Chloe, has been notified of a low severity security alert. The alert identified a service account with broad permissions using insecure key management practices through user managed keys. Upon further investigation it was found that Hank, the cloud architect, unintentionally triggered this alert. Hank was testing a new service account and accidentally created the key for the test user account. This alert was addressed and closed as a false positive.

Chloe believes this alert serves as a great example of a false positive alert. Chloe has tasked you with recreating the activity that triggered the false positive alert. You'll analyze the alert and then remediate it. The process of recreating the false positive serves as a valuable learning experience that will help you understand how and why the alert was triggered and how you can implement effective security policies to mitigate further false positive alerts.

Here's how you'll do this task: First, you'll recreate the false positive by creating a service account, assigning a role, providing a key, and activating the service account. Then, you'll use Security Command Center (SCC) to access the vulnerability finding related to the activity you triggered. Finally, you'll take action to remediate the vulnerability finding, which closes out the false positive.

Setup

Before you click Start Lab

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This practical lab lets you do the activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. On the left is the Lab Details panel with the following:

    • Time remaining
    • The Open Google Cloud console button
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
    Note: If you need to pay for the lab, a pop-up opens for you to select your payment method.
  2. Click Open Google console (or right-click and select Open Link in Incognito Window) if you are running the Chrome browser. The lab Sign in page opens in a new browser tab.

    Tip: You can arrange the tabs in separate, side-by-side windows to easily switch between them.

    Note: If the Choose an account dialog displays, click Use Another Account.
  3. If necessary, copy the Google Cloud username 1 below and paste it into the Sign in dialog. Click Next.

{{{user_0.username | "Google Cloud username 1"}}}

You can also find the Google Cloud username 1 in the Lab Details panel.

  4. Copy the Google Cloud password below and paste it into the Welcome dialog. Click Next.
{{{user_0.password | "Google Cloud password"}}}

You can also find the Google Cloud password in the Lab Details panel.

Important: You must use the credentials from the left panel. Do not use your Google Cloud credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:
    • Accept the terms and conditions
    • Do not add recovery options or two-factor authentication (because this is a temporary account)
    • Do not sign up for free trials

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Task 1. Create a service account

Note: Make sure you are on the username 1: Google Cloud console.

In this task, you’ll create a service account and grant it permissions sufficient to trigger an anomalous threat finding in SCC.

  1. In Google Cloud console, in the Navigation menu (Navigation Menu icon), click IAM & Admin > Service Accounts.

  2. In the action bar, click + Create Service Account.

  3. In the Service account details section:

    • In the Service account name field, type test-account.

      Notice the Service account ID automatically populates.

    • Click Create and Continue.

      Notice the pop-up message “Service account created”.

  4. In the Grant this service account access to project section, expand the Select a role drop-down menu, select Basic, and then select Owner.

  5. Click Continue, and then click Done.

Notice the test-account service account listed in the Service accounts list.

Click Check my progress to verify that you have completed this task correctly. Create a service account

Task 2. Create a JSON authentication key for your service account

Note: Make sure you are on the username 1: Google Cloud console.

In this task, you’ll create and download a JSON authentication key for the new service account you created in the previous task. You’ll then use Cloud Shell to upload that key to your Google Cloud account. This will trigger a threat finding in SCC.

  1. Still on the Service Accounts page, inline with the test-account service account, click Actions (More Icon) > Manage keys. The test-account page opens.

  2. In the Keys section, click Add Key > Create new key.

  3. In the Create private key dialog, set the Key type to JSON.

  4. Click Create.

    The console prompts you to download the key to your local device. Once downloaded, you’ll use Cloud Shell to upload the key to your Google Cloud (student) account.

  5. On your local device, navigate to the key file you just downloaded and rename it test-account.

  6. In the Google Cloud console, click the Activate Cloud Shell (Cloudshell Icon) icon.

  7. Click Continue.

    It should only take a few moments to provision and connect to the Cloud Shell environment.

  8. In the Cloud Shell title bar, click More (More Icon) > Upload > Choose Files.

  9. Navigate to and select the file on your local machine, and then in the Upload dialog, click Upload.

  10. Copy the following command into the Cloud Shell terminal:

    ls

This command lists the key file you just uploaded.

  11. Press ENTER.

In the test-account page, in the Key list, notice the key you just created with the Key creation date as the current date.

Click Check my progress to verify that you have completed this task correctly. Create a JSON authentication key for your service account

Task 3. Trigger the false positive finding

Note: Make sure you are on the username 1: Google Cloud console.

In this task, you’ll reconfigure the Cloud Shell environment to use the new test-account service account that you created in Task 1. This will trigger a threat finding in SCC. Then, you’ll assign excessive permissions to the lab project.

  1. Copy the following commands into the Cloud Shell terminal:

    export PROJECT_ID=$(gcloud info --format='value(config.project)')
    export SA_NAME="test-account@${PROJECT_ID}.iam.gserviceaccount.com"
    gcloud auth activate-service-account ${SA_NAME} --key-file=test-account.json

These commands activate the new service account.

  2. Press ENTER.

  3. Copy the following command into the Cloud Shell terminal:

    gcloud auth list

This command confirms that you activated the service account, and that gcloud is using this service account.

  4. Press ENTER.

    In the output, the following confirms the service account is active:

    Output:

    ACTIVE: *
    ACCOUNT: test-account@{{{project_0.project_id | "Google Cloud project ID"}}}.iam.gserviceaccount.com

  5. Copy the following commands into the Cloud Shell terminal:

    export STUDENT2={{{user_1.username | "Google Cloud username 2"}}}
    gcloud projects add-iam-policy-binding $PROJECT_ID --member user:$STUDENT2 --role roles/editor

These commands grant the editor role to user 2 so that you can access and remediate the false positive finding in the next task.

  6. Press ENTER.

Click Check my progress to verify that you have completed this task correctly. Assign excessive permissions to trigger threat detection
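The console and Cloud Shell steps of Tasks 1 to 3 as one gcloud script, added here as an example and not part of the lab, so that the trigger can be reproduced in a test project you own and the resulting finding checked before any tuning is done. It assumes gcloud is already authenticated as username 1 with the lab project set as the default; SA_ID, KEY_FILE, the helper names and the gcloud format expressions are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the lab: Tasks 1-3 as one gcloud script, to
# reproduce the false-positive trigger in a test project you own.
# Assumes gcloud is already authenticated as the lab's username 1 and the lab
# project is the default project. SA_ID and KEY_FILE are this example's choices.
set -e
SA_ID="${SA_ID:-test-account}"
KEY_FILE="${KEY_FILE:-test-account.json}"

# Pure helper: given the tab-separated output of
#   gcloud auth list --format='value(account,status)'
# print the account whose status is ACTIVE. It makes no gcloud call, so it
# can be exercised offline on constructed input.
active_account() {
  awk -F'\t' '$2 == "ACTIVE" { print $1 }'
}

trigger() {
  project="$(gcloud config get-value project)"
  sa_email="${SA_ID}@${project}.iam.gserviceaccount.com"

  # Task 1: a new service account holding Owner on the project (the
  # "broad permissions" half of the scenario).
  gcloud iam service-accounts create "$SA_ID" --display-name="$SA_ID"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" --role=roles/owner

  # Task 2: a user-managed JSON key written to the local file system (the
  # "insecure key management" half). Restrict the file to the current user.
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$sa_email"
  chmod 600 "$KEY_FILE"

  # Task 3: make gcloud use the key, then verify that it really is the active
  # account instead of assuming the activation succeeded.
  gcloud auth activate-service-account "$sa_email" --key-file="$KEY_FILE"
  active="$(gcloud auth list --format='value(account,status)' | active_account)"
  if [ "$active" != "$sa_email" ]; then
    echo "expected $sa_email to be active, got: $active" >&2
    exit 1
  fi
  echo "active account: $active"
}

case "${1:-}" in
  trigger) trigger ;;
  *) echo "usage: $0 trigger" >&2 ;;
esac
```

Run it in Cloud Shell as username 1 with `sh trigger.sh trigger`; the finding then appears under Security > Findings as described in Task 5, and the key is removed in Task 6.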

Task 4. Sign in as the second user

You'll need to switch Google Cloud accounts by logging into the Google Cloud console using the second user account provided in the Lab Details panel. You will use this user account to perform the remaining tasks.

  1. In the Google Cloud console, click on the user icon in the top-right corner of the screen, and then click Add account.

  2. Navigate back to the Lab Details panel, and copy the Google Cloud username 2 and password. Then, paste the username and password into the Google Cloud console Sign in dialog.

Task 5. View the threat finding in SCC

Note: Make sure you are on the username 2: Google Cloud console.

In this task, you’ll locate and examine the SCC finding generated by the Event Threat Detection service. This finding is a false positive that was triggered by the activity you generated in Tasks 1-3.

To view the Event Threat Detection finding in SCC:

  1. In the Navigation menu (Navigation Menu icon), click Security > Findings.

  2. In the Quick filters pane, locate the Category section, then select User managed service account key. If necessary, click View more to find it.

    The Findings query results panel updates to display only the selected finding category.

  3. In the Findings query results panel, display the details of the finding by clicking the most recent (see Event time) User managed service account key in the Category column. The details panel for the finding opens and displays the Summary tab.

Leave the User managed service account key page open to answer the following questions.

Task 6. Fix the finding

Note: Make sure you are on the username 2: Google Cloud console.

In this task, you'll remediate the false positive by deleting the JSON authentication key for the test-account service account.

  1. In Google Cloud console, in the Navigation menu (Navigation Menu icon), click IAM & Admin > Service Accounts.

  2. On the Service accounts page, click the email address of the test-account service account.

  3. Click the Keys tab.

  4. From the list of keys, click the Delete service account key (Delete Icon) icon to delete the key. A pop-up will appear asking you to confirm the action. Click Delete.

Click Check my progress to verify that you have completed this task correctly. Delete the key
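Tasks 5 and 6 locate one finding and delete one key through the console. The script below is an added example, not part of the lab, that does the same review with gcloud across a whole project: it lists the service accounts holding Owner (the broad-permissions half of the scenario) together with each one's user-managed keys and, when run with `remediate`, deletes those keys as Task 6 does. It assumes gcloud is authenticated as a principal allowed to read the project IAM policy and manage service account keys (username 2 after Task 3 qualifies), that the key list fields are those of the IAM ServiceAccountKey resource, and the function names, gcloud format expressions and the constructed demo data are this example's own.

```shell
#!/bin/sh
# Added example, not part of the lab: audit a project for the two conditions
# behind the lab's finding (service accounts holding Owner, and user-managed
# keys on them) and optionally delete those keys, as Task 6 does in the console.
# Assumes gcloud is authenticated as a principal that can read the project IAM
# policy and manage service account keys. Function names are this example's.

# Pure helper: from flattened IAM binding members, one per line, keep only
# service-account members and strip the "serviceAccount:" prefix.
sa_members() {
  awk '/^serviceAccount:/ { sub(/^serviceAccount:/, ""); print }'
}

# Pure helper: from tab-separated "KEY_ID<TAB>KEY_TYPE<TAB>VALID_AFTER" lines,
# print the IDs of user-managed keys. Google-managed (SYSTEM_MANAGED) keys are
# listed by gcloud too but cannot be deleted, so they are skipped.
user_managed_key_ids() {
  awk -F'\t' '$2 == "USER_MANAGED" { print $1 }'
}

# Live helpers (need gcloud and network access).
owner_service_accounts() {   # $1 = project id
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter='bindings.role:roles/owner' \
    --format='value(bindings.members)' | sa_members
}

list_user_managed_keys() {   # $1 = service account email
  gcloud iam service-accounts keys list --iam-account="$1" \
    --format='value(name.basename(),keyType,validAfterTime)' | user_managed_key_ids
}

delete_user_managed_keys() { # $1 = service account email
  list_user_managed_keys "$1" | while read -r key_id; do
    echo "  deleting user-managed key $key_id"
    gcloud iam service-accounts keys delete "$key_id" --iam-account="$1" --quiet
  done
}

audit() {
  project="${PROJECT_ID:-$(gcloud config get-value project)}"
  owner_service_accounts "$project" | while read -r sa; do
    echo "Owner-holding service account: $sa"
    list_user_managed_keys "$sa" | sed 's/^/  user-managed key: /'
    if [ "${REMEDIATE:-0}" = "1" ]; then
      # Deleting a key breaks anything still authenticating with it; in the
      # lab the key belongs to a test account, so this mirrors Task 6.
      delete_user_managed_keys "$sa"
    fi
  done
}

demo() {
  # Constructed sample lines, not captured from a real project, to show what
  # the two pure helpers keep and drop.
  printf 'user:alice@example.com\nserviceAccount:test-account@my-proj.iam.gserviceaccount.com\ngroup:admins@example.com\n' | sa_members
  printf 'aaaa1111\tUSER_MANAGED\t2024-05-01T10:00:00Z\nbbbb2222\tSYSTEM_MANAGED\t2024-04-01T10:00:00Z\n' | user_managed_key_ids
}

case "${1:-}" in
  demo)      demo ;;
  audit)     audit ;;
  remediate) REMEDIATE=1; audit ;;
  *) echo "usage: $0 demo|audit|remediate" >&2 ;;
esac
```

`sh sa_key_audit.sh demo` runs the filters on the constructed sample; `audit` reports without changing anything, which is the form to run first so that keys still in legitimate use are recognised before `remediate` deletes them.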

Conclusion

Great work!

You have completed this lab! You used SCC to investigate a false positive and took action to remediate it. As a cloud security analyst, you'll likely encounter false positive alerts. It's important to understand how and why false positive alerts are triggered and how you can take action to remediate them.

End your lab

Before you end the lab, make sure you’re satisfied that you’ve completed all the tasks. When you're ready, click End Lab and then click Submit.

Ending the lab will remove your access to the lab environment, and you won’t be able to access the work you've completed in it again.

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
