Overview of Event Threat Detection

What is Event Threat Detection?

Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. Event Threat Detection is regularly updated with new detectors to identify emerging threats at cloud scale.

How Event Threat Detection works

Event Threat Detection monitors your organization's Cloud Logging stream and Google Workspace Logs, and consumes logs for your projects as they become available. Cloud Logging contains log entries of API calls and other actions that create, read, or modify the configuration or metadata of your resources. Google Workspace logs track user sign-ins to your domain and provide a record of actions performed on your Google Workspace Admin Console.

Log entries contain status and event information that Event Threat Detection uses to quickly detect threats. Event Threat Detection applies detection logic and proprietary threat intelligence, including tripwire indicator matching, windowed profiling, advanced profiling, machine learning, and anomaly detection, to identify threats in near-real time.

When Event Threat Detection detects a threat, it writes a finding to Security Command Center and to a Cloud Logging project. From Cloud Logging and Google Workspace logging, you can export findings to other systems with Pub/Sub and process them with Cloud Functions.

In addition, you can use Chronicle to investigate some findings. Chronicle is a Google Cloud service that lets you investigate threats and pivot through related entities in a unified timeline. For instructions on sending findings to Chronicle, see Investigate findings in Chronicle.

Your ability to view and edit findings and logs is determined by the Identity and Access Management (IAM) roles you are granted. For more information on Security Command Center IAM roles, see Access control.

Event Threat Detection rules

Rules define the types of threats that Event Threat Detection detects and the types of logs that must be enabled for the detectors to work. Admin Activity audit logs are always written; you can't configure or disable them.

Event Threat Detection includes the following default rules:

Each rule is listed with its display name, its API name, the log source types it requires, and a description.

Exfiltration: BigQuery Data Exfiltration
  API name: data_exfiltration_big_query
  Log source types: Cloud Audit Logs: BigQueryAuditMetadata data access logs (permissions: DATA_READ)
  Description: Detects the following scenarios:
    • Resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations.
    • Attempts to access BigQuery resources that are protected by VPC Service Controls.

Exfiltration: Cloud SQL Data Exfiltration
  API names: cloudsql_exfil_export_to_external_gcs, cloudsql_exfil_export_to_public_gcs
  Log source types: Cloud Audit Logs: MySQL data access logs, PostgreSQL data access logs, SQL Server data access logs
  Description: Detects the following scenarios:
    • Live instance data exported to a Cloud Storage bucket outside of the organization.
    • Live instance data exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible.

Malware: bad domain
  API name: malware_bad_domain
  Log source types: Cloud DNS Logs: Admin Activity log
  Description: Detection of malware based on a connection to, or a lookup of, a known bad domain.

Malware: bad IP
  API name: malware_bad_ip
  Log source types: VPC flow logs, Firewall Rules logs, Cloud NAT logs
  Description: Detection of malware based on a connection to a known bad IP address.

Cryptomining: pool domain
  API name: cryptomining_pool_domain
  Log source types: Cloud DNS Logs: Admin Activity logs
  Description: Detection of cryptomining based on a connection to, or a lookup of, a known mining domain.

Cryptomining: pool IP
  API name: cryptomining_pool_ip
  Log source types: VPC flow logs, Firewall Rules logs, Cloud NAT logs
  Description: Detection of cryptomining based on a connection to a known mining IP address.

Brute force SSH
  API name: brute_force_ssh
  Log source types: syslog
  Description: Detection of successful brute force of SSH on a host.

Outgoing DoS
  API name: outgoing_dos
  Log source types: VPC flow logs
  Description: Detection of outgoing denial of service traffic.

Persistence: IAM Anomalous Grant
  API name: iam_anomalous_grant
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of privileges granted to IAM users and service accounts that are not members of the organization. Note: This finding is triggered only for Security Command Center users with a gmail.com email address.
  Sensitive roles (Preview): Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

Persistence: New Geography
  API name: iam_anomalous_behavior_ip_geolocation
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of IAM user and service accounts accessing Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses.

Persistence: New User Agent
  API name: iam_anomalous_behavior_user_agent
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of IAM service accounts accessing Google Cloud from anomalous or suspicious user agents.

Discovery: Service Account Self-Investigation
  API name: service_account_self_investigation
  Log source types: Cloud Audit Logs: Resource Manager data access logs (permissions: DATA_READ)
  Description: Detection of an IAM service account credential that is used to investigate the roles and permissions associated with that same service account.
  Sensitive roles (Preview): Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

Persistence: Compute Engine Admin Added SSH Key (Preview)
  API name: gce_admin_add_ssh_key
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of a modification to the Compute Engine instance metadata ssh key value on an established instance (older than 1 week).

Persistence: Compute Engine Admin Added Startup Script (Preview)
  API name: gce_admin_add_startup_script
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week).

Credential Access: Privileged Group Opened To Public
  API name: privileged_group_opened_to_public
  Log source types: Google Workspace: Admin Audit (permissions: DATA_READ)
  Description: Detects when a privileged Google Group (a group granted sensitive roles or permissions) is changed to be accessible to the general public. To learn more, see Unsafe Google Group changes. Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

Credential Access: Sensitive Role Granted To Hybrid Group
  API name: sensitive_role_to_group_with_external_member
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detects when sensitive roles are granted to a Google Group with external members. To learn more, see Unsafe Google Group changes. Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

Credential Access: External Member Added To Privileged Group
  API name: external_member_added_to_privileged_group
  Log source types: Google Workspace Logs: Login Audit (permissions: DATA_READ)
  Description: Detects when an external member is added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes. Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

Initial Access: Disabled Password Leak
  API name: account_disabled_password_leak
  Log source types: Google Workspace Logs: Login Audit (permissions: DATA_READ)
  Description: A user's account is disabled because a password leak was detected.

Initial Access: Suspicious Login Blocked
  API name: suspicious_login
  Log source types: Google Workspace Logs: Login Audit (permissions: DATA_READ)
  Description: A suspicious login to a user's account was detected and blocked.

Initial Access: Account Disabled Hijacked
  API name: account_disabled_hijacked
  Log source types: Google Workspace Logs: Login Audit (permissions: DATA_READ)
  Description: A user's account was suspended due to suspicious activity.

Impair Defenses: Two Step Verification Disabled
  API name: 2sv_disable
  Log source types: Google Workspace Logs: Login Audit (permissions: DATA_READ)
  Description: A user disabled 2-step verification.

Initial Access: Government Based Attack
  API name: gov_attack_warning
  Log source types: Google Workspace Logs: Login Audit (permissions: DATA_READ)
  Description: Government-backed attackers might have tried to compromise a user account or computer.

Persistence: SSO Enablement Toggle
  API name: toggle_sso_enabled
  Log source types: Google Workspace: Admin Audit
  Description: The Enable SSO (single sign-on) setting on the admin account was disabled.

Persistence: SSO Settings Changed
  API name: change_sso_settings
  Log source types: Google Workspace: Admin Audit
  Description: The SSO settings for the admin account were changed.

Impair Defenses: Strong Authentication Disabled
  API name: enforce_strong_authentication
  Log source types: Google Workspace: Admin Audit
  Description: 2-step verification was disabled for the organization.

To create custom detection rules, you can export your log data to BigQuery, and then run unique or recurring SQL queries that capture your threat models.
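The custom-rule approach described above, as an added example that is not part of the original page or of Event Threat Detection itself: a threat model expressed as a recurring SQL query over exported audit logs. SQLite stands in for BigQuery so the block runs offline; the flat audit_log table layout and the sample rows are constructed for this example (the real BigQuery export schema is nested, and its date arithmetic uses TIMESTAMP_DIFF rather than julianday). The Compute Engine method names are assumed to be those that appear in Admin Activity logs. The query mirrors the page's "Compute Engine Admin Added SSH Key" rule: an SSH-key metadata change on an instance that was created more than 1 week earlier.

```python
# Added example, not Google's code: a custom detection rule run as SQL over exported
# audit logs. SQLite stands in for BigQuery; the table layout and rows are constructed.
import sqlite3
from typing import List, Tuple

# Constructed Admin Activity log rows: (timestamp, method, resource, principal, metadata key).
# Method names follow Compute Engine audit-log naming (assumed here).
SAMPLE_ROWS = [
    ("2024-01-01T09:00:00Z", "v1.compute.instances.insert",
     "projects/demo/zones/us-central1-a/instances/vm-old", "deployer@example.com", None),
    ("2024-02-08T10:00:00Z", "v1.compute.instances.insert",
     "projects/demo/zones/us-central1-a/instances/vm-new", "deployer@example.com", None),
    ("2024-02-10T11:00:00Z", "v1.compute.instances.setMetadata",
     "projects/demo/zones/us-central1-a/instances/vm-old", "ops@example.com", "ssh-keys"),
    ("2024-02-10T11:05:00Z", "v1.compute.instances.setMetadata",
     "projects/demo/zones/us-central1-a/instances/vm-new", "ops@example.com", "ssh-keys"),
    ("2024-02-10T11:10:00Z", "v1.compute.instances.setMetadata",
     "projects/demo/zones/us-central1-a/instances/vm-old", "ops@example.com", "startup-script"),
]

# Threat model: an SSH-key metadata change on an instance created more than 7 days earlier.
# The self-join pairs each setMetadata call with the instance's insert call to get its age.
SSH_KEY_ON_ESTABLISHED_INSTANCE = """
SELECT m.ts, m.principal, m.resource_name,
       CAST(julianday(m.ts) - julianday(c.ts) AS INTEGER) AS instance_age_days
FROM audit_log AS m
JOIN audit_log AS c
  ON c.resource_name = m.resource_name
 AND c.method_name = 'v1.compute.instances.insert'
WHERE m.method_name = 'v1.compute.instances.setMetadata'
  AND m.metadata_key = 'ssh-keys'
  AND julianday(m.ts) - julianday(c.ts) > 7
ORDER BY m.ts
"""


def load_logs(rows) -> sqlite3.Connection:
    """Create the in-memory stand-in for the exported log table and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE audit_log (
        ts TEXT, method_name TEXT, resource_name TEXT, principal TEXT, metadata_key TEXT)""")
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def run_rule(conn: sqlite3.Connection, query: str = SSH_KEY_ON_ESTABLISHED_INSTANCE) -> List[Tuple]:
    """Run one custom rule and return its hits; schedule this call for a recurring query."""
    return conn.execute(query).fetchall()


def ssh_key_hits(rows=SAMPLE_ROWS) -> List[Tuple[str, str, int]]:
    """(principal, instance name, instance age in days) for each hit on the given rows."""
    return [(p, r.rsplit("/", 1)[-1], age) for _, p, r, age in run_rule(load_logs(rows))]
```

On the sample rows only the vm-old change is reported: it is 40 days old at the time of the metadata change, while vm-new is 2 days old and the startup-script change is a different metadata key. Adding a second query for the startup-script key would reproduce the page's companion rule.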

Unsafe Google Group changes

This section explains how Event Threat Detection uses Google Workspace logs, Cloud Audit logs, and IAM policies to detect unsafe Google Group changes.

Google Cloud customers can use Google Groups to manage roles and permissions for members in their organizations, or apply access policies to collections of users. Instead of granting roles directly to members, administrators can grant roles and permissions to Google Groups, and then add members to specific groups. Group members inherit all of a group's roles and permissions, which lets members access specific resources and services.

While Google Groups are a convenient way to manage access control at scale, they can pose a risk if external users from outside your organization or domain are added to privileged groups—groups that are granted sensitive roles or permissions. Sensitive roles control access to security and network settings, logs, and personally identifiable information (PII), and are not recommended for external group members.

In large organizations, administrators might not be aware when external members are added to privileged groups. Cloud Audit logs record role grants to groups, but those log events don't contain information on group members, which can obscure the potential impact of some group changes.

If you share your Google Workspace logs with Google Cloud, Event Threat Detection monitors your logging streams for new members added to your organization's Google Groups.

Event Threat Detection identifies external group members and, using Cloud Audit logs, reviews each affected group's IAM roles to check whether the groups are granted sensitive roles. That information is used to detect the following unsafe changes for privileged Google Groups:

  • External group members added to privileged groups
  • Sensitive roles or permissions granted to groups with external group members
  • Privileged groups that are changed to allow anyone in the general public to join

Event Threat Detection writes findings to Security Command Center. Findings contain the email addresses of newly added external members, internal group members that initiate events, group names, and the sensitive roles associated with groups. You can use the information to remove external members from groups or revoke sensitive roles granted to groups.

For more information on Event Threat Detection findings, see Event Threat Detection rules.

Sensitive IAM roles and permissions

Unsafe Google Group changes generate findings only if changes involve high- or medium-sensitivity roles. The sensitivity of roles impacts the severity rating assigned to findings.

  • High-sensitivity roles control critical services in organizations, including billing, firewall settings, and logging. Findings that match these roles are classified as High severity.
  • Medium-sensitivity roles have editing permissions that let principals make changes to Google Cloud resources, and viewing and executing permissions on data storage services that often hold sensitive data. The severity assigned to findings depends on the resource at which the role is granted:
    • If medium-sensitivity roles are granted at the organization level, findings are classified as High severity.
    • If medium-sensitivity roles are granted at lower levels in your resource hierarchy (folders, projects, and buckets, among others), findings are classified as Medium severity.
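The severity rules above, together with the external-member check described under Unsafe Google Group changes, carried out in code. This is an added example, not Google's or Event Threat Detection's own implementation: the role patterns come from Table 1 and Table 2 on this page (the medium list is a subset), while the Binding and MemberAdded record shapes, the use of email domain as a stand-in for "same organization", and the sample bindings are assumptions made for the example.

```python
# Added example, not Google's code: the page's severity logic for unsafe Google Group
# changes. Role patterns are from Tables 1 and 2; record shapes and sample data are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Table 1 (high sensitivity). A trailing ".*" covers every role of that service,
# e.g. "roles/iam.*" matches "roles/iam.securityAdmin".
HIGH_SENSITIVITY_PATTERNS = (
    "roles/owner", "roles/editor", "roles/cloudkms.*", "roles/cloudsecurityscanner.*",
    "roles/dlp.*", "roles/iam.*", "roles/secretmanager.*", "roles/securitycenter.*",
    "roles/errorreporting.*", "roles/logging.*", "roles/stackdriver.*", "roles/billing.*",
    "roles/healthcare.*", "roles/essentialcontacts.*", "roles/dns.*", "roles/domains.*",
    "roles/networkconnectivity.*", "roles/networkmanagement.*", "roles/privateca.*",
    "roles/cloudasset.*", "roles/servicedirectory.*", "roles/servicemanagement.*",
    "roles/servicenetworking.*", "roles/serviceusage.*", "roles/compute.admin",
    "roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1",
    "roles/compute.loadBalancerAdmin", "roles/compute.networkAdmin",
    "roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgFirewallPolicyUser",
    "roles/compute.orgSecurityPolicyAdmin", "roles/compute.orgSecurityPolicyUser",
    "roles/compute.orgSecurityResourceAdmin", "roles/compute.osAdminLogin",
    "roles/compute.publicIpAdmin", "roles/compute.securityAdmin",
    "roles/compute.storageAdmin", "roles/compute.xpnAdmin",
)
# A subset of Table 2 (medium sensitivity); the page lists the full set.
MEDIUM_SENSITIVITY_ROLES = frozenset({
    "roles/storage.objectAdmin", "roles/storage.objectViewer", "roles/file.editor",
    "roles/source.writer", "roles/container.developer", "roles/cloudsql.viewer",
    "roles/cloudsql.client", "roles/bigquery.dataViewer", "roles/bigquery.user",
    "roles/spanner.databaseReader", "roles/spanner.databaseUser",
})

def role_matches(role: str, pattern: str) -> bool:
    """Exact match, or service-prefix match for a 'roles/<service>.*' pattern."""
    if pattern.endswith(".*"):
        return role.startswith(pattern[:-1])  # keep the "." so "roles/dns.*" misses "roles/dnsx.admin"
    return role == pattern

def role_sensitivity(role: str) -> str:
    """'high', 'medium' or 'none' according to the page's tables."""
    if any(role_matches(role, p) for p in HIGH_SENSITIVITY_PATTERNS):
        return "high"
    return "medium" if role in MEDIUM_SENSITIVITY_ROLES else "none"

def finding_severity(role: str, resource: str) -> Optional[str]:
    """High roles -> HIGH; medium roles -> HIGH at organization level, MEDIUM below it."""
    sensitivity = role_sensitivity(role)
    if sensitivity == "high":
        return "HIGH"
    if sensitivity == "medium":
        return "HIGH" if resource.startswith("organizations/") else "MEDIUM"
    return None

@dataclass
class Binding:  # one IAM binding as read from Cloud Audit logs (assumed shape)
    role: str
    members: List[str]  # e.g. "group:sec-admins@example.com"
    resource: str       # "organizations/111", "folders/9", "projects/p1", ...

@dataclass
class MemberAdded:  # one Google Workspace group membership event (assumed shape)
    group: str                   # group email
    member: str                  # newly added member email
    actor: str                   # internal member who made the change
    existing_members: List[str]  # members already in the group before the event

def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()

def evaluate_member_added(event: MemberAdded, bindings: List[Binding], org_domains: Set[str]) -> Optional[Dict]:
    """Finding for an external member joining a privileged group, else None. As on the page,
    no finding when the group already holds another external member from the same
    organization (approximated here by email domain)."""
    new_domain = email_domain(event.member)
    if new_domain in org_domains:
        return None  # internal member: not an external addition
    if any(email_domain(m) == new_domain for m in event.existing_members):
        return None  # that external organization already has a member in the group
    principal = f"group:{event.group}"
    sensitive: Dict[str, str] = {}  # role -> severity, for bindings that name this group
    for b in bindings:
        sev = finding_severity(b.role, b.resource) if principal in b.members else None
        if sev:
            sensitive[b.role] = sev
    if not sensitive:
        return None  # no sensitive role is granted to the group, so it is not privileged
    return {
        "category": "Credential Access: External Member Added To Privileged Group",
        "severity": "HIGH" if "HIGH" in sensitive.values() else "MEDIUM",
        "group": event.group, "external_member": event.member, "actor": event.actor,
        "sensitive_roles": sorted(sensitive),
    }

# Constructed sample data: one organization domain and three group bindings.
ORG_DOMAINS = {"example.com"}
SAMPLE_BINDINGS = [
    Binding("roles/iam.securityAdmin", ["group:sec-admins@example.com"], "organizations/111"),
    Binding("roles/bigquery.dataViewer", ["group:analysts@example.com"], "projects/analytics-prod"),
    Binding("roles/browser", ["group:everyone@example.com"], "organizations/111"),
]
```

With the sample bindings, an external address joining sec-admins@example.com yields a HIGH finding (roles/iam.* is high-sensitivity), the same address joining analysts@example.com yields MEDIUM (a medium-sensitivity role granted at project level), and joining everyone@example.com yields nothing because roles/browser is in neither table. The finding carries the fields the page says are written to Security Command Center: the new external member, the internal actor, the group name, and the sensitive roles.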

Event Threat Detection detects unsafe Google Group changes that match the following high- and medium-sensitivity roles.

Table 1. High-sensitivity roles

Basic roles (contain thousands of permissions across all Google Cloud services):
  roles/owner
  roles/editor

Security roles (control access to security settings):
  roles/cloudkms.*: All Cloud Key Management Service roles
  roles/cloudsecurityscanner.*: All Web Security Scanner roles
  roles/dlp.*: All Cloud Data Loss Prevention roles
  roles/iam.*: All IAM roles
  roles/secretmanager.*: All Secret Manager roles
  roles/securitycenter.*: All Security Command Center roles

Logging roles (control access to an organization's logs):
  roles/errorreporting.*: All Error Reporting roles
  roles/logging.*: All Cloud Logging roles
  roles/stackdriver.*: All Cloud Monitoring roles

Personal information roles (control access to resources that contain personally identifiable information, including banking and contact information):
  roles/billing.*: All Cloud Billing roles
  roles/healthcare.*: All Cloud Healthcare API roles
  roles/essentialcontacts.*: All Essential Contacts roles

Networking roles (control access to an organization's network settings):
  roles/dns.*: All Cloud DNS roles
  roles/domains.*: All Cloud Domains roles
  roles/networkconnectivity.*: All Network Connectivity Center roles
  roles/networkmanagement.*: All Network Connectivity Center roles
  roles/privateca.*: All Certificate Authority Service roles

Service roles (control access to service resources in Google Cloud):
  roles/cloudasset.*: All Cloud Asset Inventory roles
  roles/servicedirectory.*: All Service Directory roles
  roles/servicemanagement.*: All Service Management roles
  roles/servicenetworking.*: All Service Networking roles
  roles/serviceusage.*: All Service Usage roles

Compute Engine roles (control access to Compute Engine virtual machines, which carry long-running jobs and are associated with firewall rules). All Compute Engine Admin and Editor roles:
  roles/compute.admin
  roles/compute.instanceAdmin
  roles/compute.instanceAdmin.v1
  roles/compute.loadBalancerAdmin
  roles/compute.networkAdmin
  roles/compute.orgFirewallPolicyAdmin
  roles/compute.orgFirewallPolicyUser
  roles/compute.orgSecurityPolicyAdmin
  roles/compute.orgSecurityPolicyUser
  roles/compute.orgSecurityResourceAdmin
  roles/compute.osAdminLogin
  roles/compute.publicIpAdmin
  roles/compute.securityAdmin
  roles/compute.storageAdmin
  roles/compute.xpnAdmin

Table 2. Medium-sensitivity roles

Editing roles (IAM roles that include permissions to make changes to Google Cloud resources; role names usually end with titles like Admin, Owner, Editor, or Writer). Examples:
  roles/storage.objectAdmin
  roles/file.editor
  roles/source.writer
  roles/container.developer

Data storage roles (IAM roles that include permissions to view and execute data storage services). Examples:
  roles/cloudsql.viewer
  roles/cloudsql.client
  roles/bigquery.dataViewer
  roles/bigquery.user
  roles/spanner.databaseReader
  roles/spanner.databaseUser

The complete list of medium-sensitivity roles follows.

All medium-sensitivity roles

Access Approval
roles/accessapproval.approver
roles/accessapproval.configEditor

Access Context Manager
roles/accesscontextmanager.gcpAccessAdmin
roles/accesscontextmanager.policyAdmin
roles/accesscontextmanager.policyEditor

Actions
roles/actions.Admin

AI Platform
roles/ml.admin
roles/ml.developer
roles/ml.jobOwner
roles/ml.modelOwner
roles/ml.modelUser

API Gateway
roles/apigateway.admin

App Engine
roles/appengine.appAdmin
roles/appengine.appCreator
roles/appengine.serviceAdmin

AutoML
roles/automl.admin
roles/automl.editor

BigQuery
roles/bigquery.admin
roles/bigquery.dataEditor
roles/bigquery.dataOwner
roles/bigquery.dataViewer
roles/bigquery.resourceAdmin
roles/bigquery.resourceEditor
roles/bigquery.resourceViewer
roles/bigquery.user

Binary Authorization
roles/binaryauthorization.attestorsAdmin
roles/binaryauthorization.attestorsEditor
roles/binaryauthorization.policyAdmin
roles/binaryauthorization.policyEditor

Cloud Bigtable
roles/bigtable.admin
roles/bigtable.reader
roles/bigtable.user

Cloud Build
roles/cloudbuild.builds.builder
roles/cloudbuild.builds.editor

Cloud Deployment Manager
roles/deploymentmanager.editor
roles/deploymentmanager.typeEditor

Cloud Endpoints
roles/endpoints.portalAdminBeta

Cloud Functions
roles/cloudfunctions.admin
roles/cloudfunctions.developer
roles/cloudfunctions.invoker

Cloud IoT
roles/cloudiot.admin
roles/cloudiot.deviceController
roles/cloudiot.editor
roles/cloudiot.provisioner

Cloud Life Sciences
roles/genomics.admin
roles/lifesciences.admin
roles/lifesciences.editor

Cloud Monitoring
roles/monitoring.admin
roles/monitoring.alertPolicyEditor
roles/monitoring.dashboardEditor
roles/monitoring.editor
roles/monitoring.metricWriter
roles/monitoring.notificationChannelEditor
roles/monitoring.servicesEditor
roles/monitoring.uptimeCheckConfigEditor

Cloud Run
roles/run.admin
roles/run.developer

Cloud Scheduler
roles/cloudscheduler.admin

Cloud Source Repositories
roles/source.admin
roles/source.writer

Cloud Spanner
roles/spanner.admin
roles/spanner.backupAdmin
roles/spanner.backupWriter
roles/spanner.databaseAdmin
roles/spanner.restoreAdmin
roles/spanner.databaseReader
roles/spanner.databaseUser

Cloud Storage
roles/storage.admin
roles/storage.hmacKeyAdmin
roles/storage.objectAdmin
roles/storage.objectCreator
roles/storage.objectViewer
roles/storage.legacyBucketOwner
roles/storage.legacyBucketWriter
roles/storage.legacyBucketReader
roles/storage.legacyObjectOwner
roles/storage.legacyObjectReader

Cloud SQL
roles/cloudsql.admin
roles/cloudsql.editor
roles/cloudsql.client
roles/cloudsql.instanceUser
roles/cloudsql.viewer

Cloud Tasks
roles/cloudtasks.admin
roles/cloudtasks.enqueuer
roles/cloudtasks.queueAdmin
roles/cloudtasks.taskDeleter

Cloud TPU
tpu.admin

Cloud Trace
roles/cloudtrace.admin
roles/cloudtrace.agent

Compute Engine
roles/compute.imageUser
roles/compute.osLoginExternalUser
roles/osconfig.guestPolicyAdmin
roles/osconfig.guestPolicyEditor
roles/osconfig.osPolicyAssignmentAdmin
roles/osconfig.osPolicyAssignmentEditor
roles/osconfig.patchDeploymentAdmin

Container Analysis
roles/containeranalysis.admin
roles/containeranalysis.notes.attacher
roles/containeranalysis.notes.editor
roles/containeranalysis.occurrences.editor

Data Catalog
roles/datacatalog.admin
roles/datacatalog.categoryAdmin
roles/datacatalog.entryGroupCreator
roles/datacatalog.entryGroupOwner
roles/datacatalog.entryOwner

Dataflow
roles/dataflow.admin
roles/dataflow.developer

Dataproc
roles/dataproc.admin
roles/dataproc.editor

Dataproc Metastore
roles/metastore.admin
roles/metastore.editor

Datastore
roles/datastore.importExportAdmin
roles/datastore.indexAdmin
roles/datastore.owner
roles/datastore.user

Eventarc
roles/eventarc.admin
roles/eventarc.developer
roles/eventarc.eventReceiver

Filestore
roles/file.editor

Firebase
roles/firebase.admin
roles/firebase.analyticsAdmin
roles/firebase.developAdmin
roles/firebase.growthAdmin
roles/firebase.qualityAdmin
roles/firebaseabt.admin
roles/firebaseappcheck.admin
roles/firebaseappdistro.admin
roles/firebaseauth.admin
roles/firebasecrashlytics.admin
roles/firebasedatabase.admin
roles/firebasedynamiclinks.admin
roles/firebasehosting.admin
roles/firebaseinappmessaging.admin
roles/firebaseml.admin
roles/firebasenotifications.admin
roles/firebaseperformance.admin
roles/firebasepredictions.admin
roles/firebaserules.admin
roles/firebasestorage.admin
roles/cloudconfig.admin
roles/cloudtestservice.testAdmin

Game Servers
roles/gameservices.admin

Google Cloud VMware Engine
vmwareengine.vmwareengineAdmin

Google Kubernetes Engine
roles/container.admin
roles/container.clusterAdmin
roles/container.developer

Google Kubernetes Engine Hub
roles/gkehub.admin
roles/gkehub.gatewayAdmin
roles/gkehub.connect

Google Workspace
roles/gsuiteaddons.developer

Identity-Aware Proxy
roles/iap.admin
roles/iap.settingsAdmin

Managed Service for Microsoft Active Directory
roles/managedidentities.admin
roles/managedidentities.domainAdmin
roles/managedidentities.viewer

Memorystore for Redis
roles/redis.admin
roles/redis.editor

Notebooks
roles/notebooks.admin
roles/notebooks.legacyAdmin

On-Demand Scanning API
roles/ondemandscanning.admin

Ops Config Monitoring
roles/opsconfigmonitoring.resourceMetadata.writer

Organization Policy Service
roles/axt.admin
roles/orgpolicy.policyAdmin

Other roles
roles/autoscaling.metricsWriter
roles/autoscaling.sitesAdmin
roles/autoscaling.stateWriter
roles/chroniclesm.admin
roles/dataprocessing.admin
roles/earlyaccesscenter.admin
roles/firebasecrash.symbolMappingsAdmin
roles/identityplatform.admin
roles/identitytoolkit.admin
roles/oauthconfig.editor
roles/retail.admin
roles/retail.editor
roles/runtimeconfig.admin

Proximity Beacon
roles/proximitybeacon.attachmentEditor
roles/proximitybeacon.beaconEditor

Pub/Sub
roles/pubsub.admin
roles/pubsub.editor

Pub/Sub Lite
roles/pubsublite.admin
roles/pubsublite.editor
roles/pubsublite.publisher

reCAPTCHA Enterprise
roles/recaptchaenterprise.admin
roles/recaptchaenterprise.agent

Recommendations AI
roles/automlrecommendations.admin
roles/automlrecommendations.editor

Recommender
roles/recommender.billingAccountCudAdmin
roles/recommender.cloudAssetInsightsAdmin
roles/recommender.cloudsqlAdmin
roles/recommender.computeAdmin
roles/recommender.firewallAdmin
roles/recommender.iamAdmin
roles/recommender.productSuggestionAdmin
roles/recommender.projectCudAdmin

Resource Manager
roles/resourcemanager.folderAdmin
roles/resourcemanager.folderCreator
roles/resourcemanager.folderEditor
roles/resourcemanager.folderIamAdmin
roles/resourcemanager.folderMover
roles/resourcemanager.lienModifier
roles/resourcemanager.organizationAdmin
roles/resourcemanager.projectCreator
roles/resourcemanager.projectDeleter
roles/resourcemanager.projectIamAdmin
roles/resourcemanager.projectMover
roles/resourcemanager.tagAdmin

Resource Settings
roles/resourcesettings.admin

Serverless VPC Access
roles/vpcaccess.admin

Service Consumer Management
roles/serviceconsumermanagement.tenancyUnitsAdmin

Storage Transfer Service
roles/storagetransfer.admin
roles/storagetransfer.user

Vertex AI
roles/aiplatform.admin
roles/aiplatform.featurestoreAdmin
roles/aiplatform.migrator
roles/aiplatform.user

Workflows
roles/workflows.admin
roles/workflows.editor

Log types

Event Threat Detection relies on logs generated by Google Cloud and Google Workspace. Most logs are off by default, letting you decide which logs should be generated and what products can access them. However, to use Event Threat Detection, you must turn on logs for your organization, folders, and projects where you want Event Threat Detection to have full visibility.

Event Threat Detection automatically consumes Admin Activity logs, which are part of Cloud Audit Logs. You don't need to configure Admin Activity logs; they are generated automatically.

Event Threat Detection works best when you also turn on the additional logs that the service uses to detect specific threats. To enable logs for each of the following sources, use the following guides:

Google Workspace audit logs are enabled and maintained in your Google Workspace environment. However, you must share them with Google Cloud in order for Event Threat Detection to have access and detect Google Workspace threats. For instructions on sharing Google Workspace logs, see the following guides:

What's next