Event Threat Detection conceptual overview

What is Event Threat Detection?

Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. Event Threat Detection is regularly updated with new detectors to identify emerging threats at cloud scale.

How Event Threat Detection works

Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available. Log entries contain status and event information that Event Threat Detection uses to quickly detect threats. Event Threat Detection applies detection logic and proprietary threat intelligence to the granular information contained in logs.

Event Threat Detection uses a variety of analysis techniques, including tripwire indicator matching, windowed profiling, advanced profiling, machine learning, and anomaly detection to identify threats in near-real time.

When Event Threat Detection detects a threat, it writes a finding to Security Command Center and to a Cloud Logging project. From Cloud Logging, you can export findings to other systems with Pub/Sub and process them with Cloud Functions.
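The export-and-process path described above, as an added example that is not part of this page or of Google's own code: a Python handler in the shape of a Pub/Sub-triggered Cloud Function that decodes the message, pulls the rule name out of the finding log entry, and assigns a triage tier. The rule names come from the rules table on this page; the log-entry layout (`jsonPayload.detectionCategory.ruleName`, `detectionPriority`, `findingId`, `eventTime`, the `logName` and `resource` values) and the triage tiers are assumptions made for the example and should be checked against a real exported finding.

```python
"""Triage Event Threat Detection findings delivered through Pub/Sub.

Added example, not Google's code. Assumes the finding arrives as a Cloud
Logging entry exported to Pub/Sub, with the rule name at
jsonPayload.detectionCategory.ruleName (assumed layout).
"""
import base64
import json

# Rule API names are taken from the rules table on this page; the tier each
# one maps to is an assumption chosen for this example.
RULE_TIER = {
    "org_exfiltration": "page-oncall",
    "iam_anomalous_grant": "page-oncall",
    "brute_force_ssh": "page-oncall",
    "vpc_perimeter_violation": "ticket",
    "malware_bad_domain": "ticket",
    "malware_bad_ip": "ticket",
    "cryptomining_pool_domain": "ticket",
    "cryptomining_pool_ip": "ticket",
    "outgoing_dos": "ticket",
    "iam_anomalous_behavior_ip_geolocation": "review",
    "iam_anomalous_behavior_user_agent": "review",
    "service_account_self_investigation": "review",
}


def parse_pubsub_message(message: dict) -> dict:
    """Decode the base64 'data' field of a Pub/Sub message into the log entry."""
    raw = base64.b64decode(message["data"])
    return json.loads(raw)


def triage(entry: dict) -> dict:
    """Extract what an analyst needs from a finding entry and pick a tier."""
    payload = entry.get("jsonPayload", {})
    rule = payload.get("detectionCategory", {}).get("ruleName", "unknown")
    return {
        "rule": rule,
        # A rule name this code does not know yet (new detectors are added
        # regularly) still gets a human look instead of being dropped.
        "tier": RULE_TIER.get(rule, "review"),
        "priority": payload.get("detectionPriority"),
        "finding_id": payload.get("findingId"),
        "event_time": payload.get("eventTime"),
        "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
    }


def handle_event(event: dict, context=None) -> dict:
    """Cloud Functions (Pub/Sub trigger) entry point; 'event' is the message."""
    entry = parse_pubsub_message(event)
    return triage(entry)


# Constructed sample log entry and the Pub/Sub message wrapping it.
SAMPLE_ENTRY = {
    "logName": "projects/example-project/logs/"
               "threatdetection.googleapis.com%2Fdetection",  # assumed
    "resource": {"type": "threat_detector",  # assumed
                 "labels": {"project_id": "example-project",
                            "detector_name": "iam_anomalous_grant"}},
    "jsonPayload": {
        "detectionCategory": {"ruleName": "iam_anomalous_grant",
                              "technique": "persistence"},
        "detectionPriority": "HIGH",
        "findingId": "constructed-finding-0001",
        "eventTime": "2020-05-01T12:00:00Z",
    },
}
SAMPLE_EVENT = {
    "data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()
}

if __name__ == "__main__":
    print(handle_event(SAMPLE_EVENT))
```

Deploying this as a Cloud Function means wiring the Pub/Sub topic that the Cloud Logging sink writes to as the trigger; the function body itself is independent of that wiring, so it can be exercised locally with the constructed message above.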

Rules

Rules define the type of threats that Event Threat Detection detects and the types of logs that must be enabled for the detector to work. Admin Activity audit logs are always written; you can't configure or disable them.

Currently, Event Threat Detection includes the following default rules. Each entry gives the display name, the API name, the log source types the rule needs, and a description.

Exfiltration to external table
  API name: org_exfiltration
  Log source types: Cloud Audit Logs: BigQueryAuditMetadata data access logs (permission: DATA_READ)
  Description: Detection of resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations.

VPC perimeter violation
  API name: vpc_perimeter_violation
  Log source types: Cloud Audit Logs: BigQueryAuditMetadata data access logs (permission: DATA_READ)
  Description: Detection of attempts to access BigQuery resources that are protected by VPC Service Controls.

Malware: bad domain
  API name: malware_bad_domain
  Log source types: Cloud DNS Logs: Admin Activity log
  Description: Detection of malware based on a connection to, or a lookup of, a known bad domain.

Malware: bad IP
  API name: malware_bad_ip
  Log source types: VPC flow logs; Firewall Rules logs; Cloud NAT logs
  Description: Detection of malware based on a connection to a known bad IP address.

Cryptomining: pool domain
  API name: cryptomining_pool_domain
  Log source types: Cloud DNS Logs: Admin Activity logs
  Description: Detection of cryptomining based on a connection to, or a lookup of, a known mining domain.

Cryptomining: pool IP
  API name: cryptomining_pool_ip
  Log source types: VPC flow logs; Firewall Rules logs; Cloud NAT logs
  Description: Detection of cryptomining based on a connection to a known mining IP address.

Brute force SSH
  API name: brute_force_ssh
  Log source types: syslog
  Description: Detection of successful brute force of SSH on a host.

Outgoing DoS
  API name: outgoing_dos
  Log source types: VPC flow logs
  Description: Detection of outgoing denial of service traffic.

Persistence: IAM Anomalous Grant
  API name: iam_anomalous_grant
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of privileges granted to Identity and Access Management (IAM) users and service accounts that are not members of the organization. Note: currently, this finding is only triggered for Security Command Center users with a gmail.com email address.

Persistence: New Geography (Preview)
  API name: iam_anomalous_behavior_ip_geolocation
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of Identity and Access Management (IAM) users accessing Google Cloud from an anomalous location, based on the geolocation of the requesting IP address.

Persistence: New User Agent (Preview)
  API name: iam_anomalous_behavior_user_agent
  Log source types: Cloud Audit Logs: Admin Activity logs
  Description: Detection of Identity and Access Management (IAM) users accessing Google Cloud from an anomalous user agent.

Discovery: Service Account Self-Investigation
  API name: service_account_self_investigation
  Log source types: Cloud Audit Logs: Resource Manager data access logs (permission: DATA_READ)
  Description: Detects when a service account credential is used to investigate the roles and permissions associated with that same service account.

To create custom detection rules, you can store your log data in BigQuery, and then run unique or recurring SQL queries that capture your threat models.
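One way to build such a custom rule, as an added example that is not part of this page or of Google's own code: a recurring BigQuery query that flags IAM bindings added for principals outside the organization (a threat model close to the page's iam_anomalous_grant rule), paired with a Python function that applies the same logic to constructed log rows so the rule can be checked before it is scheduled. The dataset and table name (`my-project.audit_logs.cloudaudit_googleapis_com_activity`), the column paths under `protopayload_auditlog` (in particular `servicedata_v1_iam.policyDelta.bindingDeltas`), and the organization domain `example.com` are assumptions about the audit-log export schema and must be verified against your own dataset.

```python
r"""Custom detection rule: IAM grants to principals outside the organization.

Added example, not Google's code. The SQL targets Admin Activity audit logs
exported to BigQuery; table name and column paths are assumptions about the
export schema. The Python function implements the same rule over plain rows
so it can be tested offline.
"""

# Assumption: the identity domains that count as "inside" the organization.
ORG_DOMAINS = {"example.com"}

# Recurring query for BigQuery scheduled queries (schema paths are assumptions).
EXTERNAL_GRANT_SQL = r"""
SELECT
  timestamp,
  protopayload_auditlog.authenticationInfo.principalEmail AS granted_by,
  resource.labels.project_id AS project_id,
  delta.member AS member,
  delta.role AS role
FROM `my-project.audit_logs.cloudaudit_googleapis_com_activity`,
  UNNEST(protopayload_auditlog.servicedata_v1_iam.policyDelta.bindingDeltas) AS delta
WHERE protopayload_auditlog.methodName = 'SetIamPolicy'
  AND delta.action = 'ADD'
  AND timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 HOUR)
  AND (
    delta.member IN ('allUsers', 'allAuthenticatedUsers')
    OR (REGEXP_CONTAINS(delta.member, r'^(user|group):')
        AND NOT REGEXP_CONTAINS(delta.member, r'@example\.com$'))
  )
ORDER BY timestamp
"""


def member_is_external(member: str, org_domains=ORG_DOMAINS) -> bool:
    """True if an IAM member string refers to an identity outside the org.

    Public principals are always external. user:/group: members are external
    when their e-mail domain is not one of the organization's domains. Other
    member kinds (serviceAccount:, domain:, deleted:) are left to other rules.
    """
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, identity = member.partition(":")
    if kind not in ("user", "group"):
        return False
    domain = identity.rpartition("@")[2].lower()
    return domain not in org_domains


def find_external_grants(rows, org_domains=ORG_DOMAINS):
    """Apply the rule to flattened audit-log rows; returns one hit per binding."""
    hits = []
    for row in rows:
        if row.get("methodName") != "SetIamPolicy":
            continue
        for delta in row.get("bindingDeltas", []):
            if delta.get("action") != "ADD":
                continue  # removals are not grants
            if member_is_external(delta["member"], org_domains):
                hits.append({
                    "timestamp": row["timestamp"],
                    "granted_by": row["principalEmail"],
                    "project_id": row["projectId"],
                    "member": delta["member"],
                    "role": delta["role"],
                })
    return hits


# Constructed sample rows, shaped like the columns the query selects.
SAMPLE_ROWS = [
    {"timestamp": "2020-05-01T12:00:00Z", "methodName": "SetIamPolicy",
     "principalEmail": "admin@example.com", "projectId": "example-project",
     "bindingDeltas": [
         {"action": "ADD", "member": "user:alice@example.com", "role": "roles/viewer"},
         {"action": "ADD", "member": "user:bob@gmail.com", "role": "roles/owner"},
     ]},
    {"timestamp": "2020-05-01T12:05:00Z", "methodName": "SetIamPolicy",
     "principalEmail": "admin@example.com", "projectId": "example-project",
     "bindingDeltas": [
         {"action": "REMOVE", "member": "user:carol@gmail.com", "role": "roles/editor"},
         {"action": "ADD", "member": "allUsers", "role": "roles/storage.objectViewer"},
         {"action": "ADD", "member": "serviceAccount:ci@example-project.iam.gserviceaccount.com",
          "role": "roles/editor"},
     ]},
    {"timestamp": "2020-05-01T12:10:00Z", "methodName": "GetIamPolicy",
     "principalEmail": "auditor@example.com", "projectId": "example-project",
     "bindingDeltas": []},
]

if __name__ == "__main__":
    for hit in find_external_grants(SAMPLE_ROWS):
        print(hit)
```

Run as a scheduled query, the SQL produces the same rows the Python function returns for the constructed input: the gmail.com owner grant and the allUsers grant. Tightening the rule (for example, treating service accounts from other projects as external, or lowering the window) changes both the SQL predicate and `member_is_external` together, which is the point of keeping an offline copy of the logic next to the query.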

Log types

Event Threat Detection relies on logs generated by Google Cloud. Logs are off by default, letting you decide which logs should be generated and what products can access them. However, to use Event Threat Detection, you must turn on logs for your organization, folders, and projects where you want Event Threat Detection to have full visibility.

Currently, Event Threat Detection consumes logs from the following Google Cloud sources. Follow the instructions at the links below to enable logs for each source.

Activating Virtual Private Cloud flow logs

Event Threat Detection analyzes Virtual Private Cloud (VPC) flow logs for malware, phishing, cryptomining, and outbound DDoS detections. Event Threat Detection works best when VPC flow logging is active. Learn more about VPC Flow Logs.

Event Threat Detection works best with frequent sampling and brief aggregation intervals. If you set lower sampling rates or longer aggregation intervals, there can be a delay between the occurrence and the detection of an event. This delay can make it harder to evaluate possible malware, cryptomining, or phishing traffic increases.

Activating Cloud DNS logs

Event Threat Detection analyzes DNS logs for malware, phishing, and cryptomining detections. Event Threat Detection works best when Cloud DNS logging is active. Learn more about Cloud DNS logs.

What's next