Event Threat Detection conceptual overview

What is Event Threat Detection?

Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. Event Threat Detection is regularly updated with new detectors to identify emerging threats at cloud scale.

How Event Threat Detection works

Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available. Log entries contain status and event information that Event Threat Detection uses to quickly detect threats. Event Threat Detection applies detection logic and proprietary threat intelligence to the granular information contained in logs. When Event Threat Detection detects a threat, it writes a finding to Security Command Center and to a Cloud Logging project.

From Cloud Logging, you can export findings to other systems with Pub/Sub and process them with Cloud Functions.
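An added example (not part of this page or of the product's own code) of the Pub/Sub to Cloud Functions hand-off described above: a Python Cloud Function that decodes a finding exported from Cloud Logging and routes it to a triage queue by rule name. It assumes a Cloud Logging sink delivers each Event Threat Detection log entry to Pub/Sub as a JSON-serialised LogEntry, and that the rule name sits under jsonPayload.detectionCategory.ruleName with affected resources under jsonPayload.affectedResources; the message shape, queue names and priority grouping are assumptions of the example, and the sample message is constructed.

```python
"""Cloud Function that consumes Event Threat Detection findings exported
from Cloud Logging to Pub/Sub (added example, not the product's own code).

Assumptions (not from the page):
  * A Cloud Logging sink exports the findings log entries to a Pub/Sub
    topic, so each message body is a LogEntry serialised as JSON.
  * The rule name lives under jsonPayload.detectionCategory.ruleName and
    affected resources under jsonPayload.affectedResources[].gcpResourceName.
"""
import base64
import json

# API names from the page's rule table, grouped by how an on-call responder
# might triage them (the grouping itself is an assumption of this example).
HIGH_PRIORITY_RULES = {
    "malware_bad_ip", "malware_bad_domain", "brute_force_ssh",
    "org_exfiltration", "iam_anomalous_grant",
}
MEDIUM_PRIORITY_RULES = {
    "cryptomining_pool_ip", "cryptomining_pool_domain",
    "outgoing_dos", "vpc_perimeter_violation",
}


def parse_finding(message_data):
    """Decode a Pub/Sub message body (base64 text, as Cloud Functions
    delivers it in event["data"]) and pull out the fields we care about."""
    entry = json.loads(base64.b64decode(message_data).decode("utf-8"))
    payload = entry.get("jsonPayload", {})
    rule = payload.get("detectionCategory", {}).get("ruleName")
    if not rule:
        # The sink may also forward unrelated entries; fail loudly rather
        # than emit an empty finding.
        raise ValueError("message is not an Event Threat Detection finding")
    resources = [r.get("gcpResourceName") for r in payload.get("affectedResources", [])]
    return {
        "rule": rule,
        "resources": [r for r in resources if r],
        "timestamp": entry.get("timestamp"),
        "log_name": entry.get("logName"),
    }


def triage(finding):
    """Map a parsed finding to a queue; unknown rules go to review so a
    newly added detector is never silently dropped."""
    rule = finding["rule"]
    if rule in HIGH_PRIORITY_RULES:
        return "page-oncall"
    if rule in MEDIUM_PRIORITY_RULES:
        return "ticket"
    return "review-unknown-rule"


def process_finding(event, context):
    """Entry point for a Pub/Sub-triggered (background) Cloud Function."""
    finding = parse_finding(event["data"])
    queue = triage(finding)
    print(json.dumps({"queue": queue, **finding}))
    return queue


# Constructed sample message, shaped like the exported LogEntry assumed above.
SAMPLE_ENTRY = {
    "logName": "projects/example-project/logs/example-threat-detection-log",
    "timestamp": "2020-01-01T00:00:00Z",
    "jsonPayload": {
        "detectionCategory": {"ruleName": "malware_bad_ip"},
        "affectedResources": [
            {"gcpResourceName": "//compute.googleapis.com/projects/example-project"
                                "/zones/us-central1-a/instances/vm-1"}
        ],
    },
}
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()}

if __name__ == "__main__":
    print(process_finding(SAMPLE_EVENT, None))
```

Deploying this as a function with a Pub/Sub trigger on the sink's topic gives you a place to enrich, deduplicate or forward findings; the unknown-rule branch matters because the page notes that new detectors are added regularly.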

Rules

Rules define the type of threats that Event Threat Detection detects. Currently, Event Threat Detection includes the following default rules:

Display name | API name | Log source types | Description
--- | --- | --- | ---
Exfiltration to external table | org_exfiltration | Cloud Audit Logs | Detection of resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations.
VPC perimeter violation | vpc_perimeter_violation | Cloud Audit Logs | Detection of attempts to access BigQuery resources that are protected by VPC Service Controls.
Malware: bad domain | malware_bad_domain | Virtual Private Cloud (VPC) flow log; Cloud DNS log | Detection of malware based on a connection to, or a lookup of, a known bad domain.
Malware: bad IP | malware_bad_ip | VPC flow log; Firewall Rules log | Detection of malware based on a connection to a known bad IP address.
Cryptomining: pool domain | cryptomining_pool_domain | VPC flow log; Cloud DNS log | Detection of cryptomining based on a connection to, or a lookup of, a known mining domain.
Cryptomining: pool IP | cryptomining_pool_ip | VPC flow log; Firewall Rules log | Detection of cryptomining based on a connection to a known mining IP address.
Brute force SSH | brute_force_ssh | syslog | Detection of successful brute force of SSH on a host.
Outgoing DoS | outgoing_dos | VPC flow log | Detection of outgoing denial of service traffic.
IAM: Anomalous grant | iam_anomalous_grant | Cloud Audit Logs | Detection of privileges granted to Identity and Access Management (IAM) users and service accounts that are not members of the organization. Note: currently, this finding is only triggered for Security Command Center users with a gmail.com email address.

To create custom detection rules, store your log data in BigQuery and then run one-off or scheduled SQL queries that encode your threat models.
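An added example (not from this page or the product) of a custom detection in the spirit of the table's iam_anomalous_grant rule: flag SetIamPolicy calls that grant a role to a member outside the organization. The page's recommended path is SQL over logs stored in BigQuery; this Python version runs the same threat model over a few constructed Cloud Audit Log entries so it can be tested offline. The field names follow the LogEntry JSON shape for Admin Activity audit logs (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.request.policy.bindings), and the organization domains and project IDs are constructed; treat both as assumptions.

```python
"""Custom detection over Cloud Audit Log entries (added example, not the
product's own code): report IAM bindings granted to principals that are
not members of the organization.

Assumptions (not from the page): the LogEntry field names below, and the
constructed organization domains and project IDs.
"""

ORG_DOMAINS = {"example.com"}            # constructed: the org's identity domains
ORG_PROJECTS = {"example-project"}       # constructed: projects inside the org


def member_is_external(member, org_domains=ORG_DOMAINS, org_projects=ORG_PROJECTS):
    """True when an IAM binding member lives outside the organization.

    Handles the member forms IAM uses: allUsers / allAuthenticatedUsers,
    user:, group:, serviceAccount: and domain:. Unknown forms are reported
    as external so nothing is silently skipped.
    """
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, ident = member.partition(":")
    domain = ident.rsplit("@", 1)[-1].lower()
    if kind == "serviceAccount":
        # Project-owned service accounts look like NAME@PROJECT.iam.gserviceaccount.com;
        # Google-managed agents under other hosts are flagged here, which is an
        # accepted false positive for this simple model.
        if domain.endswith(".iam.gserviceaccount.com"):
            return domain.split(".")[0] not in org_projects
        return True
    if kind in ("user", "group"):
        return domain not in org_domains
    if kind == "domain":
        return ident.lower() not in org_domains
    return True


def detect_anomalous_grants(entries, org_domains=ORG_DOMAINS, org_projects=ORG_PROJECTS):
    """Return one finding per external member in a SetIamPolicy request.

    Only methods ending in "SetIamPolicy" are considered; some services log
    IAM changes under other method names, so extend the check per service.
    """
    findings = []
    for entry in entries:
        pp = entry.get("protoPayload", {})
        if not pp.get("methodName", "").endswith("SetIamPolicy"):
            continue
        bindings = pp.get("request", {}).get("policy", {}).get("bindings", [])
        for binding in bindings:
            for member in binding.get("members", []):
                if member_is_external(member, org_domains, org_projects):
                    findings.append({
                        "resource": pp.get("resourceName"),
                        "granted_by": pp.get("authenticationInfo", {}).get("principalEmail"),
                        "member": member,
                        "role": binding.get("role"),
                        "timestamp": entry.get("timestamp"),
                    })
    return findings


# Constructed sample log entries: one grant mixing internal and external
# members, one public grant, and one unrelated call that must be ignored.
SAMPLE_ENTRIES = [
    {
        "timestamp": "2020-01-01T10:00:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "request": {"policy": {"bindings": [
                {"role": "roles/editor",
                 "members": ["user:alice@example.com", "user:mallory@gmail.com"]},
                {"role": "roles/viewer",
                 "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
            ]}},
        },
    },
    {
        "timestamp": "2020-01-01T10:05:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "request": {"policy": {"bindings": [
                {"role": "roles/owner", "members": ["allUsers"]},
            ]}},
        },
    },
    {
        "timestamp": "2020-01-01T10:10:00Z",
        "protoPayload": {"methodName": "google.cloud.bigquery.v2.TableService.InsertTable"},
    },
]

if __name__ == "__main__":
    for finding in detect_anomalous_grants(SAMPLE_ENTRIES):
        print(finding)
```

The same logic translates directly into a scheduled BigQuery query over an exported audit-log table: filter on the SetIamPolicy method, unnest the request policy bindings and members, and compare each member's domain against the organization's. Keeping the member-classification rules in one place (here, member_is_external) is what makes the threat model reviewable.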

Log types

Event Threat Detection relies on logs generated by Google Cloud. Logs are off by default, letting you decide which logs should be generated and what products can access them. However, to use Event Threat Detection, you must turn on logs for your organization, folders, and projects where you want Event Threat Detection to have full visibility.

Currently, Event Threat Detection consumes logs from the following Google Cloud sources. Follow the instructions at the links below to enable logs for each source.

Activating Virtual Private Cloud flow logs

Event Threat Detection analyzes Virtual Private Cloud (VPC) flow logs for malware, phishing, cryptomining, outbound DDoS, and outbound port-scanning detections. Event Threat Detection works best when VPC flow logging is active. Learn more about VPC Flow Logs.

Event Threat Detection works best with frequent sampling and brief aggregation intervals. If you set lower sampling rates or longer aggregation intervals, there can be a delay between the occurrence and the detection of an event. This delay can make it harder to evaluate possible malware, cryptomining, or phishing traffic increases.

Activating Cloud DNS logs

Event Threat Detection analyzes DNS logs for malware, phishing, and cryptomining detections. Event Threat Detection works best when Cloud DNS logging is active. Learn more about Cloud DNS logs.

What's next