What is Event Threat Detection?
Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. Event Threat Detection is regularly updated with new detectors to identify emerging threats at cloud scale.
How Event Threat Detection works
Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available. Log entries contain status and event information that Event Threat Detection uses to quickly detect threats. Event Threat Detection applies detection logic and proprietary threat intelligence to the granular information contained in logs. When Event Threat Detection detects a threat, it writes a finding to Security Command Center and to a Cloud Logging project.
From Cloud Logging, you can export findings to other systems with Pub/Sub and process them with Cloud Functions.
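The consumer side of that export, as an added example that is not part of this page or of Event Threat Detection itself: a Python Cloud Function (background, Pub/Sub-triggered signature) that decodes a message delivered by a Cloud Logging sink to Pub/Sub and triages the finding by rule name. The LogEntry field paths (`jsonPayload.detectionCategory.ruleName`, the `threat_detector` resource type and the `threatdetection.googleapis.com/detection` log name), the severity table and the sample entry are all assumptions constructed for the example; check them against the entries your own sink delivers.

```python
"""Added example, not from the Event Threat Detection docs: triage an exported
finding. Field paths in the LogEntry are assumptions, verify against your sink."""
import base64
import json

# Severity this example assigns per rule (API names from the rules table).
# The values are this example's own policy, not an Event Threat Detection property.
RULE_SEVERITY = {
    "org_exfiltration": "CRITICAL",
    "iam_anomalous_grant": "CRITICAL",
    "brute_force_ssh": "HIGH",
    "malware_bad_ip": "HIGH",
    "malware_bad_domain": "HIGH",
    "cryptomining_pool_ip": "HIGH",
    "cryptomining_pool_domain": "HIGH",
    "outgoing_dos": "HIGH",
    "vpc_perimeter_violation": "MEDIUM",
}


def parse_notification(data_b64: str) -> dict:
    """Decode the base64 Pub/Sub payload into the LogEntry dict the sink exported."""
    return json.loads(base64.b64decode(data_b64).decode("utf-8"))


def triage(entry: dict) -> dict:
    """Turn a LogEntry carrying a finding into a routing decision.

    Unknown rule names (new detectors ship regularly) are kept, not dropped,
    so a detector added after this table was written still reaches a human.
    """
    payload = entry.get("jsonPayload", {})
    rule = payload.get("detectionCategory", {}).get("ruleName", "unknown")  # assumed path
    severity = RULE_SEVERITY.get(rule, "LOW")
    return {
        "rule": rule,
        "severity": severity,
        "project": entry.get("resource", {}).get("labels", {}).get("project_id", ""),
        "log_name": entry.get("logName", ""),
        "page": severity == "CRITICAL",
    }


def handle_pubsub(event: dict, context=None) -> dict:
    """Entry point for a background Python Cloud Function on a Pub/Sub topic.

    event["data"] is the base64-encoded message body. The decision is returned
    so it can be tested; in production forward it to a ticket or chat webhook.
    """
    decision = triage(parse_notification(event["data"]))
    if decision["page"]:
        print(f"PAGE on-call: {decision}")
    else:
        print(f"Queue for review: {decision}")
    return decision


# Constructed sample: a minimal LogEntry shaped like an exported finding (assumed).
SAMPLE_ENTRY = {
    "logName": "projects/my-logging-project/logs/threatdetection.googleapis.com%2Fdetection",
    "resource": {"type": "threat_detector", "labels": {"project_id": "my-logging-project"}},
    "jsonPayload": {"detectionCategory": {"ruleName": "iam_anomalous_grant"}},
}
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()}

if __name__ == "__main__":
    print(handle_pubsub(SAMPLE_EVENT))
```

Keeping `triage` pure (dict in, dict out) is deliberate: it can be unit-tested with captured log entries, and the Cloud Function wrapper stays a thin shim around the Pub/Sub envelope.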
Rules
Rules define the type of threats that Event Threat Detection detects. Currently, Event Threat Detection includes the following default rules:
| Display name | API name | Log source types | Description |
|---|---|---|---|
| Exfiltration to external table | org_exfiltration | Cloud Audit Logs | Detection of resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations. |
| VPC perimeter violation | vpc_perimeter_violation | Cloud Audit Logs | Detection of attempts to access BigQuery resources that are protected by VPC Service Controls. |
| Malware: bad domain | malware_bad_domain | Virtual Private Cloud (VPC) flow log, Cloud DNS log | Detection of malware based on a connection to, or a lookup of, a known bad domain. |
| Malware: bad IP | malware_bad_ip | VPC flow log, Firewall Rules log | Detection of malware based on a connection to a known bad IP address. |
| Cryptomining: pool domain | cryptomining_pool_domain | VPC flow log, Cloud DNS log | Detection of cryptomining based on a connection to, or a lookup of, a known mining domain. |
| Cryptomining: pool IP | cryptomining_pool_ip | VPC flow log, Firewall Rules log | Detection of cryptomining based on a connection to a known mining IP address. |
| Brute force SSH | brute_force_ssh | syslog | Detection of successful brute force of SSH on a host. |
| Outgoing DoS | outgoing_dos | VPC flow log | Detection of outgoing denial of service traffic. |
| IAM: Anomalous grant | iam_anomalous_grant | Cloud Audit Logs | Detection of privileges granted to Identity and Access Management (IAM) users and service accounts that are not members of the organization. Note: currently, this finding is only triggered for Security Command Center users with a gmail.com email address. |
To create custom detection rules, you can store your log data in BigQuery, and then run unique or recurring SQL queries that capture your threat models.
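A custom detection of the kind that paragraph describes, as an added example that is not part of this page or of Event Threat Detection: it is written in Python over constructed Cloud Audit Log lines rather than as a BigQuery SQL query, so it runs offline, but the logic is what you would express in SQL over an exported `cloudaudit_googleapis_com_activity` table. It flags IAM role grants to principals outside an allow-list of organization domains and projects, which generalizes the built-in `iam_anomalous_grant` rule beyond gmail.com addresses. The log shape it assumes (a `SetIamPolicy` entry recording the change in `protoPayload.serviceData.policyDelta.bindingDeltas`, each delta with `action`, `role` and `member`) matches what SetIamPolicy audit entries look like, but verify the field paths against your own export; the allow-lists, the Google-managed domain list and all sample entries are constructed.

```python
"""Added example, not from the Event Threat Detection docs: detect IAM grants to
external principals in audit-log lines. Field paths and allow-lists are assumptions."""
import json
from typing import Dict, Iterable, List, Optional

# Constructed allow-lists: identities in these domains / projects are "ours".
ORG_DOMAINS = {"example.com", "corp.example.com"}
ORG_PROJECTS = {"my-project", "my-logging-project"}
# Google-managed service-account domains that are not project-specific.
# Deliberately incomplete; extend it from your own audit logs when tuning.
GOOGLE_MANAGED_DOMAINS = {"developer.gserviceaccount.com", "cloudservices.gserviceaccount.com"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
SA_SUFFIX = ".iam.gserviceaccount.com"


def member_domain(member: str) -> Optional[str]:
    """Domain part of a user:/group:/serviceAccount:/domain: member, else None."""
    kind, _, identity = member.partition(":")
    if kind == "domain":
        return identity.lower()
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def is_external(member: str) -> bool:
    """True when granting to this member exposes access outside the organization."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    if member.startswith("deleted:"):
        return False  # a deleted principal cannot authenticate
    domain = member_domain(member)
    if domain is None or domain in GOOGLE_MANAGED_DOMAINS:
        return False
    if domain.endswith(SA_SUFFIX):
        project = domain[: -len(SA_SUFFIX)]
        # Google service agents live in gcp-sa-* projects; user SAs carry their project id,
        # so a service account from a project outside the org is treated as external.
        return not (project.startswith("gcp-sa-") or project in ORG_PROJECTS)
    return domain not in ORG_DOMAINS


def external_grants(entries: Iterable[Dict]) -> List[Dict]:
    """One finding per ADD binding delta whose member is external to the org."""
    findings = []
    for entry in entries:
        pp = entry.get("protoPayload", {})
        if pp.get("methodName") != "SetIamPolicy":
            continue
        deltas = pp.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            member = delta.get("member", "")
            if delta.get("action") != "ADD" or not is_external(member):
                continue  # removals and in-org grants are not findings
            role = delta.get("role", "")
            findings.append({
                "time": entry.get("timestamp", ""),
                "resource": pp.get("resourceName", ""),
                "granted_by": pp.get("authenticationInfo", {}).get("principalEmail", ""),
                "member": member,
                "role": role,
                "severity": "CRITICAL" if role in PRIVILEGED_ROLES else "HIGH",
            })
    return findings


def scan_lines(lines: Iterable[str]) -> List[Dict]:
    """Parse newline-delimited JSON log lines, as an export produces, and detect."""
    return external_grants(json.loads(line) for line in lines if line.strip())


def _entry(method, resource, actor, deltas, ts):
    """Build one constructed audit-log line in the assumed shape."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": actor},
            "serviceData": {"policyDelta": {"bindingDeltas": deltas}},
        },
    })


# Constructed sample log lines; none of these come from a real project.
SAMPLE_LOG_LINES = [
    _entry("SetIamPolicy", "projects/my-project", "admin@example.com",
           [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"}],
           "2024-01-01T10:00:00Z"),
    _entry("SetIamPolicy", "projects/my-project", "admin@example.com",
           [{"action": "ADD", "role": "roles/viewer", "member": "user:alice@example.com"},
            {"action": "ADD", "role": "roles/editor",
             "member": "serviceAccount:deploy@my-project.iam.gserviceaccount.com"}],
           "2024-01-01T10:01:00Z"),
    _entry("SetIamPolicy", "projects/my-project", "admin@example.com",
           [{"action": "REMOVE", "role": "roles/owner", "member": "user:bob@outsider.org"}],
           "2024-01-01T10:02:00Z"),
    _entry("v1.compute.instances.insert", "projects/my-project/zones/us-central1-a/instances/vm1",
           "admin@example.com", [], "2024-01-01T10:03:00Z"),
    _entry("SetIamPolicy", "projects/_/buckets/public-data", "dev@corp.example.com",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}],
           "2024-01-01T10:04:00Z"),
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG_LINES):
        print(finding)
```

Two tuning points carry over directly to the SQL version: the `REMOVE` filter (a removal never creates exposure, so it should not alert) and the service-account handling, where the project id embedded in the account's domain is what separates your own automation from an attacker's service account in a project you do not control.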
Log types
Event Threat Detection relies on logs generated by Google Cloud. Apart from Admin Activity audit logs, which Google Cloud always writes, these logs are off by default, so you decide which logs are generated and which products can read them. To give Event Threat Detection full visibility, turn on the relevant logs in every organization, folder, and project you want it to cover; for example, a subnet without VPC flow logging produces nothing for the network-based rules to inspect.
Currently, Event Threat Detection consumes logs from the following Google Cloud sources. Follow the instructions in the sections below to enable logs for each source.
Activating Virtual Private Cloud flow logs
Event Threat Detection analyzes Virtual Private Cloud (VPC) flow logs for malware, phishing, cryptomining, outbound DDoS, and outbound port-scanning detections. Event Threat Detection works best when VPC flow logging is enabled on the subnets it should cover. Learn more about VPC Flow Logs.
Event Threat Detection works best with a high sampling rate and a short aggregation interval. Lower sampling rates or longer aggregation intervals delay detection, because a flow is only reported after its aggregation window closes, and sampling also means some flows are never logged at all: a single connection to a known bad IP address that falls outside the sample cannot be detected. Both effects make it harder to evaluate possible malware, cryptomining, or phishing traffic increases.
Activating Cloud DNS logs
Event Threat Detection analyzes DNS logs for malware, phishing, and cryptomining detections. Event Threat Detection works best when Cloud DNS logging is enabled, through a DNS server policy with logging turned on, for the VPC networks you want covered. Learn more about Cloud DNS logs.
What's next
- Learn about using Event Threat Detection.