Compute Engine threat findings
Security Command Center performsagentless andlog-basedmonitoring of Compute Engine resources. For recommended responses to thesethreats, seeRespond to Compute Enginethreat findings.
Agentless monitoring finding types
The following agentless monitoring detections are available withVirtual Machine Threat Detection:
Defense Evasion: RootkitDefense Evasion: Unexpected ftrace handlerDefense Evasion: Unexpected interrupt handlerDefense Evasion: Unexpected kernel modulesDefense Evasion: Unexpected kernel read-only data modificationDefense Evasion: Unexpected kprobe handlerDefense Evasion: Unexpected processes in runqueueDefense Evasion: Unexpected system call handlerExecution: cryptocurrency mining combined detectionExecution: Cryptocurrency Mining Hash MatchExecution: Cryptocurrency Mining YARA RuleMalware: Malicious file on diskMalware: Malicious file on disk (YARA)
Log-based finding types
The following log-based detections are available withEvent Threat Detection:
Brute force SSHImpact: Managed Instance Group Autoscaling Set To MaximumLateral Movement: Modified Boot Disk Attached to InstanceLateral Movement: OS Patch Execution From Service AccountPersistence: GCE Admin Added SSH KeyPersistence: GCE Admin Added Startup ScriptPersistence: Global Startup Script AddedPrivilege Escalation: Global Shutdown Script Added
The following log-based detections are available withSensitive Actions Service:
What's next
- Learn aboutVirtual Machine Threat Detection.
- Learn aboutEvent Threat Detection.
- Learn aboutSensitive Actions Service.
- Learn how torespond to Compute Enginethreats.
- Refer to theThreat findings index.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.