Event Threat Detection conceptual overview

A high-level overview of Event Threat Detection concepts and features.

How Event Threat Detection works

Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available. When Event Threat Detection detects a threat, it writes a finding to Security Command Center and to a Cloud Logging project. From Cloud Logging, you can export findings to other systems with Pub/Sub and process them with Cloud Functions.

Rules

Rules define the types of threats that Event Threat Detection detects. Currently, Event Threat Detection includes the following default rules (display name, API name, log source types, and description):

Malware: bad domain
  API name: malware_bad_domain
  Log source types: Virtual Private Cloud (VPC) flow log; Cloud DNS log
  Description: Detection of malware based on a connection to, or a lookup of, a known bad domain

Malware: bad IP
  API name: malware_bad_ip
  Log source types: VPC flow log; Firewall Rules log
  Description: Detection of malware based on a connection to a known bad IP address

Cryptomining: pool domain
  API name: cryptomining_pool_domain
  Log source types: VPC flow log; Cloud DNS log
  Description: Detection of cryptomining based on a connection to, or a lookup of, a known mining domain

Cryptomining: pool IP
  API name: cryptomining_pool_ip
  Log source types: VPC flow log; Firewall Rules log
  Description: Detection of cryptomining based on a connection to a known mining IP address

Brute force SSH
  API name: brute_force_ssh
  Log source types: syslog
  Description: Detection of successful brute force of SSH on a host

Outgoing DoS
  API name: outgoing_dos
  Log source types: VPC flow log
  Description: Detection of outgoing denial of service traffic

IAM: Anomalous grant
  API name: iam_anomalous_grant
  Log source types: Cloud Audit Logs
  Description: Detection of privileges granted to Identity and Access Management (IAM) users and service accounts that are not members of the organization

To create custom detection rules, you can store your log data in BigQuery, and then run unique or recurring SQL queries that capture your threat models.
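As an added example (not the product's own rule implementation), this is the detection logic a custom rule for the Brute force SSH case would express, written here in Python over constructed sshd syslog lines rather than as a BigQuery SQL query; the failure threshold, the time window and the exact log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real data): a burst of failed SSH logins
# from one source followed by a success, plus unrelated noise from another source.
SAMPLE_SYSLOG = """\
Mar  4 10:01:02 web-1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  4 10:01:04 web-1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  4 10:01:06 web-1 sshd[2211]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  4 10:01:09 web-1 sshd[2211]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  4 10:01:11 web-1 sshd[2211]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  4 10:01:15 web-1 sshd[2213]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar  4 10:02:00 web-1 sshd[2220]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  4 10:02:30 web-1 sshd[2221]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Assumed sshd auth line shape: "<ts> <host> sshd[pid]: Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line, year=2024):
    """Return (timestamp, host, outcome, user, src_ip), or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog carries no year
    return ts, m["host"], m["outcome"], m["user"], m["src"]

def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (host, src_ip, user, failure_count) for each successful login that was
    preceded by at least `threshold` failures from the same source within `window`."""
    failures = defaultdict(list)  # (host, src_ip) -> timestamps of recent failed logins
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, host, outcome, user, src = rec
        key = (host, src)
        failures[key] = [t for t in failures[key] if ts - t <= window]  # expire old failures
        if outcome == "Failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:  # success right after a burst of failures
            findings.append((host, src, user, len(failures[key])))
            failures[key].clear()  # one finding per burst
    return findings
```

Running `find_brute_force(SAMPLE_SYSLOG.splitlines())` on the constructed lines reports the root login from 203.0.113.5 and ignores alice's single failure followed by a key-based login.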

Log types

Currently, Event Threat Detection consumes logs from the following Google Cloud sources.

Activating Virtual Private Cloud flow logs

Event Threat Detection analyzes Virtual Private Cloud (VPC) flow logs for malware, phishing, cryptomining, outbound DDoS, and outbound port-scanning detections. Event Threat Detection works best when VPC flow logging is active. Learn more about VPC Flow Logs.

Event Threat Detection works best with frequent sampling and brief aggregation intervals. If you set lower sampling rates or longer aggregation intervals, there can be a delay between the occurrence and the detection of an event. This can make it harder to evaluate possible malware, cryptomining, or phishing traffic increases.

Activating Cloud DNS logs

Event Threat Detection analyzes DNS logs for malware, phishing, and cryptomining detections. Event Threat Detection works best when Cloud DNS logging is active. Learn more about Cloud DNS logs.
