What is Event Threat Detection?
Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. Event Threat Detection is regularly updated with new detectors to identify emerging threats at cloud scale.
How Event Threat Detection works
Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available. Log entries contain status and event information that Event Threat Detection uses to quickly detect threats. Event Threat Detection applies detection logic and proprietary threat intelligence to the granular information contained in logs.
Event Threat Detection uses a variety of analysis techniques, including tripwire indicator matching, windowed profiling, advanced profiling, machine learning, and anomaly detection to identify threats in near-real time.
When Event Threat Detection detects a threat, it writes a finding to Security Command Center and to a Cloud Logging project. From Cloud Logging, you can export findings to other systems with Pub/Sub and process them with Cloud Functions.
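As an added example (not code from this page or from Google Cloud), here is a Python Cloud Functions handler that consumes one Event Threat Detection finding from the Pub/Sub export described above and routes it by the rule's API name from the table on this page. The finding field names (jsonPayload.detectionCategory.ruleName, detectionPriority, affectedResources) and the triage queue names are assumptions of this example.

```python
import base64
import json

# Rule API names from the table on this page, mapped to constructed triage queue names.
RULE_QUEUES = {
    "org_exfiltration": "exfiltration", "vpc_perimeter_violation": "exfiltration",
    "malware_bad_domain": "malware", "malware_bad_ip": "malware",
    "cryptomining_pool_domain": "cryptomining", "cryptomining_pool_ip": "cryptomining",
    "brute_force_ssh": "intrusion", "outgoing_dos": "abuse",
    "iam_anomalous_grant": "persistence", "iam_anomalous_behavior_ip_geolocation": "persistence",
    "iam_anomalous_behavior_user_agent": "persistence",
    "service_account_self_investigation": "discovery",
}
# Queues whose findings page on-call regardless of the detector's own priority.
ALWAYS_PAGE = {"exfiltration", "persistence"}

def decode_pubsub_event(event: dict) -> dict:
    """Decode the base64 'data' field of a Pub/Sub-triggered Cloud Functions event."""
    return json.loads(base64.b64decode(event["data"]).decode("utf-8"))

def triage_finding(log_entry: dict) -> dict:
    """Route one Event Threat Detection log entry to a queue and decide whether to page.

    Assumed field layout (verify against entries in your own Cloud Logging project):
    jsonPayload.detectionCategory.ruleName, jsonPayload.detectionPriority,
    jsonPayload.affectedResources[].gcpResourceName.
    """
    payload = log_entry.get("jsonPayload", {})
    rule = payload.get("detectionCategory", {}).get("ruleName", "")
    queue = RULE_QUEUES.get(rule, "unknown-rule")  # unknown rules are kept, not dropped
    priority = payload.get("detectionPriority", "UNKNOWN")
    resources = [r.get("gcpResourceName", "") for r in payload.get("affectedResources", [])]
    page = queue in ALWAYS_PAGE or queue == "unknown-rule" or priority == "HIGH"
    return {"rule": rule, "queue": queue, "priority": priority,
            "page_oncall": page, "resources": resources}

def handle_pubsub(event: dict, context=None) -> dict:
    """Cloud Functions entry point for a Pub/Sub trigger; returns the decision for testing."""
    decision = triage_finding(decode_pubsub_event(event))
    print(json.dumps(decision))
    return decision

# Constructed sample: one entry for the malware_bad_domain rule, wrapped as a Pub/Sub event.
SAMPLE_ENTRY = {"jsonPayload": {
    "detectionCategory": {"ruleName": "malware_bad_domain"},
    "detectionPriority": "HIGH",
    "affectedResources": [{"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/example-project"}],
}}
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()}
```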
Rules
Rules define the type of threats that Event Threat Detection detects and the types of logs that must be enabled for the detector to work. Admin Activity audit logs are always written; you can't configure or disable them.
Currently, Event Threat Detection includes the following default rules:
Display name | API name | Log source types | Description |
---|---|---|---|
Exfiltration to external table | org_exfiltration | Cloud Audit Logs: BigQueryAuditMetadata data access logs (Permissions: DATA_READ) | Detection of resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations. |
VPC perimeter violation | vpc_perimeter_violation | Cloud Audit Logs: BigQueryAuditMetadata data access logs (Permissions: DATA_READ) | Detection of attempts to access BigQuery resources that are protected by VPC Service Controls. |
Malware: bad domain | malware_bad_domain | Cloud DNS Logs: Admin Activity logs | Detection of malware based on a connection to, or a lookup of, a known bad domain. |
Malware: bad IP | malware_bad_ip | VPC flow logs; Firewall Rules logs; Cloud NAT logs | Detection of malware based on a connection to a known bad IP address. |
Cryptomining: pool domain | cryptomining_pool_domain | Cloud DNS Logs: Admin Activity logs | Detection of cryptomining based on a connection to, or a lookup of, a known mining domain. |
Cryptomining: pool IP | cryptomining_pool_ip | VPC flow logs; Firewall Rules logs; Cloud NAT logs | Detection of cryptomining based on a connection to a known mining IP address. |
Brute force SSH | brute_force_ssh | syslog | Detection of successful brute force of SSH on a host. |
Outgoing DoS | outgoing_dos | VPC flow logs | Detection of outgoing denial of service traffic. |
Persistence: IAM Anomalous Grant | iam_anomalous_grant | Cloud Audit Logs: Admin Activity logs | Detection of privileges granted to Identity and Access Management (IAM) users and service accounts that are not members of the organization. Note: currently, this finding is only triggered for Security Command Center users with a gmail.com email address. |
Persistence: New Geography (Preview) | iam_anomalous_behavior_ip_geolocation | Cloud Audit Logs: Admin Activity logs | Detection of Identity and Access Management (IAM) users accessing Google Cloud from an anomalous location, based on the geolocation of the requesting IP address. |
Persistence: New User Agent (Preview) | iam_anomalous_behavior_user_agent | Cloud Audit Logs: Admin Activity logs | Detection of Identity and Access Management (IAM) users accessing Google Cloud from an anomalous user agent. |
Discovery: Service Account Self-Investigation (Preview) | service_account_self_investigation | Cloud Audit Logs: Resource Manager data access logs (Permissions: DATA_READ) | Detects when a service account credential is used to investigate the roles and permissions associated with that same service account. |
To create custom detection rules, you can store your log data in BigQuery and then run one-off or scheduled SQL queries that capture your threat models.
Log types
Event Threat Detection relies on logs generated by Google Cloud. Apart from Admin Activity audit logs, logs are off by default, letting you decide which logs should be generated and what products can access them. However, to use Event Threat Detection, you must turn on logs for the organization, folders, and projects where you want Event Threat Detection to have full visibility.
Currently, Event Threat Detection consumes logs from the following Google Cloud sources. Follow the instructions at the links below to enable logs for each source.
- SSH logs/syslog
- VPC flow logs
- Cloud Audit Logs
  - Admin Activity logs (always written; you can't configure or disable them)
  - Data Access logs
- Cloud DNS logs
- Firewall Rules logs
- Cloud NAT logs
Activating Virtual Private Cloud flow logs
Event Threat Detection analyzes Virtual Private Cloud (VPC) flow logs for malware, phishing, cryptomining, and outbound DDoS detections. Event Threat Detection works best when VPC flow logging is active. Learn more about VPC Flow Logs.
Event Threat Detection works best with frequent sampling and brief aggregation intervals. If you set lower sampling rates or longer aggregation intervals, there can be a delay between the occurrence and the detection of an event. This delay can make it harder to evaluate possible malware, cryptomining, or phishing traffic increases.
Activating Cloud DNS logs
Event Threat Detection analyzes DNS logs for malware, phishing, and cryptomining detections. Event Threat Detection works best when Cloud DNS logging is active. Learn more about Cloud DNS logs.
What's next
Learn about using Event Threat Detection.
Learn how to investigate and develop response plans for threats.