This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Anomalous access from an anonymous proxy is detected by examining Cloud Audit Logs
for Google Cloud service modifications that originated from an IP address
associated with the Tor network.
Note: Google Cloud has its own internal mechanism to identify Tor IP addresses.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
1. Open an Evasion: Access from Anonymizing Proxy finding, as directed in Reviewing findings. The panel for the finding details opens, displaying the Summary tab.
2. On the Summary tab of the finding details panel, review the listed values in the following sections:
   - What was detected, especially the following fields:
     - Principal email: the account that made the changes (a potentially compromised account).
     - IP: the proxy IP address from which the changes were made.
   - Affected resource
   - Related links, especially the following fields:
     - Cloud Logging URI: link to Logging entries.
     - MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     - Related findings: links to any related findings.
3. Optionally, click the JSON tab to view additional finding fields.
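To scope the activity behind the Principal email and IP values reviewed above, the following added example (not part of the original documentation) groups exported Cloud Audit Logs entries around those two values. It assumes the standard AuditLog field layout (protoPayload.authenticationInfo.principalEmail, protoPayload.requestMetadata.callerIp); the function name scope_finding and all sample entries are constructed for illustration.

```python
import json

# Constructed sample export (one JSON entry per line); IPs are documentation ranges.
SAMPLE_LOG = """\
{"timestamp":"2025-01-01T10:00:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","resourceName":"projects/-/serviceAccounts/sa@example-project.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2025-01-01T10:05:00Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","resourceName":"projects/example-project/zones/us-central1-a/instances/vm-1","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.20"}}}
{"timestamp":"2025-01-01T10:07:00Z","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","resourceName":"projects/example-project","authenticationInfo":{"principalEmail":"bob@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2025-01-01T10:09:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/example-bucket","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
not-json
"""


def scope_finding(log_text, principal, proxy_ip):
    """Group audit entries around the finding's Principal email and IP values."""
    report = {
        "calls_from_proxy": [],              # every call made from the proxy IP
        "other_ips_for_principal": set(),    # other source IPs the principal used
        "other_principals_on_proxy": set(),  # other accounts seen on the proxy IP
        "skipped": 0,                        # lines that were not usable entries
    }
    for line in filter(str.strip, log_text.splitlines()):
        try:
            entry = json.loads(line)
            payload = entry["protoPayload"]
            who = payload.get("authenticationInfo", {}).get("principalEmail", "")
            ip = payload.get("requestMetadata", {}).get("callerIp", "")
        except (ValueError, KeyError, TypeError, AttributeError):
            report["skipped"] += 1
            continue
        if ip == proxy_ip:
            report["calls_from_proxy"].append(
                (entry.get("timestamp"), who,
                 payload.get("methodName"), payload.get("resourceName")))
            if who != principal:
                report["other_principals_on_proxy"].add(who)
        elif who == principal and ip:
            report["other_ips_for_principal"].add(ip)
    return report


if __name__ == "__main__":
    result = scope_finding(SAMPLE_LOG, "alice@example.com", "203.0.113.7")
    for call in result["calls_from_proxy"]:
        print(*call)
    print("other IPs for principal:", sorted(result["other_ips_for_principal"]))
    print("other principals on proxy IP:", sorted(result["other_principals_on_proxy"]))
```

Other principals seen on the same proxy IP and other source IPs used by the same principal are both worth raising when you contact the account owner.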
Step 2: Research attack and response methods
1. Review the MITRE ATT&CK framework entry for this finding type: Proxy: Multi-hop Proxy (https://attack.mitre.org/techniques/T1090/003/).
2. Contact the owner of the account in the principalEmail field. Confirm whether the action was conducted by the legitimate owner.
3. To develop a response plan, combine your investigation results with MITRE research.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.
Last updated 2025-09-04 UTC.