Applies to Premium and Enterprise service tiers.
This document offers informal guidance on how you can respond to findings of suspicious
activities in your network. The recommended steps might not be appropriate for all
findings and might impact your operations. Before you take any action, you should investigate the
findings; assess the information that you gather; and decide how to respond.
The techniques in this document aren't guaranteed to be effective against any previous, current,
or future threats that you face. To understand why Security Command Center does not provide official
remediation guidance for threats, see Remediating threats.
Before you begin
1. Review the finding. Note the affected resource and the detected network
   connections. If present, review the indicators of compromise in the finding
   with threat intelligence from VirusTotal.
2. To learn more about the finding that you're investigating, search for the
   finding in the Threat findings index.
General recommendations
- Contact the owner of the affected resource.
- Investigate the potentially compromised compute resource and remove any
  discovered malware.
- If necessary, stop the compromised compute resource.
- For forensic analysis, consider backing up the affected virtual machines and
  persistent disks. For more information, see Data protection options in the
  Compute Engine documentation.
- If necessary, delete the affected compute resource.
- For further investigation, consider using incident response services like
  Mandiant.
In addition, consider the recommendations in the subsequent sections on this
page.
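The containment sequence above, as an added example in shell that is not part of the Security Command Center documentation: it snapshots the instance's persistent disks before anything else is changed, stops the instance, and then creates an egress deny rule for the attacker address using the firewall-rule blocking this page also recommends for malicious IP addresses. The instance, zone, network and disk names and the 203.0.113.10 address are caller-supplied placeholders, not values from a real finding; with DRY_RUN=1 each gcloud command is printed instead of executed so the runbook can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the Security Command Center documentation.
# Containment runbook for a compromised Compute Engine instance: snapshot
# the disks, stop the instance, block egress to the attacker address.
# Instance, zone, network, disk names and the IP are caller-supplied
# placeholders. DRY_RUN=1 prints each gcloud command instead of running it.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Reject anything that is not a dotted-quad IPv4 address before it is
# interpolated into a firewall rule: an unvalidated value copied out of a
# finding would otherwise become part of a command line.
valid_ipv4() {
  ip=$1
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Usage: contain_instance INSTANCE ZONE NETWORK ATTACKER_IP DISK [DISK...]
contain_instance() {
  instance=$1; zone=$2; network=$3; attacker=$4; shift 4
  valid_ipv4 "$attacker" || { echo "not an IPv4 address: $attacker" >&2; return 2; }
  stamp=$(date -u +%Y%m%d%H%M%S)
  # 1. Back up every persistent disk first so later steps cannot alter evidence.
  for disk in "$@"; do
    run gcloud compute disks snapshot "$disk" --zone="$zone" \
      --snapshot-names="ir-$disk-$stamp"
  done
  # 2. Stop the instance. Disk contents survive a stop; memory does not, so
  #    capture any live evidence you need before this point.
  run gcloud compute instances stop "$instance" --zone="$zone"
  # 3. Deny all egress to the attacker address. Priority 100 sorts ahead of
  #    the implied allow-egress rule (priority 65535). Add --target-tags or
  #    --target-service-accounts to scope the rule to specific instances.
  run gcloud compute firewall-rules create "ir-block-$(printf '%s' "$attacker" | tr . -)-$stamp" \
    --network="$network" --direction=EGRESS --action=DENY --rules=all \
    --destination-ranges="$attacker/32" --priority=100
}

# Dry-run demonstration with constructed names and a documentation-range
# address. Run as: sh contain.sh --demo
if [ "${1:-}" = "--demo" ]; then
  DRY_RUN=1 contain_instance web-1 us-central1-a default 203.0.113.10 web-1-boot
fi
```

The order matters: snapshots are taken while the instance is still in the state the finding describes, the stop comes next, and the firewall change last, so a failure in any step leaves the evidence already preserved. Review the printed commands in dry-run mode, then rerun without DRY_RUN in the affected project.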
Malware
- To track activity and vulnerabilities that allowed the insertion of malware,
  check audit logs and syslogs associated with the compromised compute
  resource.
- Block malicious IP addresses by updating firewall rules or by using Cloud
  Armor. Consider enabling Cloud Armor as an integrated service. Depending on
  data volume, Cloud Armor costs can be significant. For more information, see
  Cloud Armor pricing.
- To control access and use of images, use Shielded VM and set up trusted image
  policies.
Cryptocurrency mining threats
If you determine that the application is a miner application, and its process
is still running, terminate the process. Locate the application's executable
binary in the compute resource's storage, and delete it.
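The miner-termination step above, as an added example in shell (not from the Security Command Center documentation) for a Linux instance. Before it kills the process it preserves what the forensic recommendation earlier on this page needs: the command line, the resolved executable path, and a copy plus SHA-256 of the binary read through /proc/PID/exe, which still works when the miner has already unlinked its own file. The process ID and evidence directory are supplied by the caller; the sleep process in the demonstration is a constructed stand-in for a miner.

```shell
#!/bin/sh
# Added example, not from the Security Command Center documentation.
# Kill a suspected miner process on a Linux instance while preserving
# evidence for forensic analysis. Uses only /proc and coreutils.
set -eu

# Usage: preserve_and_kill PID EVIDENCE_DIR
# Saves the command line, the resolved executable path, and a copy plus
# SHA-256 of the binary, then sends SIGKILL and removes the on-disk binary.
# Prints the path that was removed (or that was already gone).
preserve_and_kill() {
  pid=$1; evidence=$2
  [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
  mkdir -p "$evidence"
  # readlink on /proc/PID/exe gives the real path; a binary that was
  # unlinked after launch shows up with a " (deleted)" suffix.
  exe=$(readlink "/proc/$pid/exe")
  printf '%s\n' "$exe" > "$evidence/exe_path.$pid"
  tr '\000' ' ' < "/proc/$pid/cmdline" > "$evidence/cmdline.$pid"
  # Copy through the magic link: it opens the inode the process is running
  # from, so this works even when the file no longer exists on disk.
  cp "/proc/$pid/exe" "$evidence/binary.$pid"
  sha256sum "$evidence/binary.$pid" > "$evidence/binary.$pid.sha256"
  # Evidence is safe; now terminate the process and remove the binary.
  kill -9 "$pid"
  path=${exe%" (deleted)"}
  if [ -f "$path" ]; then
    rm -f "$path"
  fi
  printf '%s\n' "$path"
}

# Demonstration with a constructed stand-in: a copy of sleep in a temporary
# directory plays the miner. Run as: sh preserve_and_kill.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin"
  cp "$(command -v sleep)" "$tmp/bin/sleep"
  "$tmp/bin/sleep" 300 &
  preserve_and_kill "$!" "$tmp/evidence"
  ls -l "$tmp/evidence"
fi
```

The copy and hash are taken from the executable the kernel still has open, which is why they come before the kill: once the process exits, a self-deleted binary is gone for good. Record the printed path and the hash in the incident notes, and keep the evidence directory on a disk that is part of the snapshot taken for forensic analysis.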
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.
Last updated 2025-09-04 UTC.