Overview of Event Threat Detection

What is Event Threat Detection?

Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization or projects and identifies threats within your systems in near-real time. Event Threat Detection is regularly updated with new detectors to identify emerging threats at cloud scale.

How Event Threat Detection works

Event Threat Detection monitors the Cloud Logging stream for your organization or projects. If you activate Security Command Center Premium tier at the organization level, Event Threat Detection consumes logs for your projects as they are created and Event Threat Detection can monitor Google Workspace Logs. Cloud Logging contains log entries of API calls and other actions that create, read, or modify the configuration or metadata of your resources. Google Workspace logs track user sign-ins to your domain and provide a record of actions performed on your Google Workspace Admin Console.

Log entries contain status and event information that Event Threat Detection uses to quickly detect threats. Event Threat Detection applies detection logic and proprietary threat intelligence, including tripwire indicator matching, windowed profiling, advanced profiling, machine learning, and anomaly detection, to identify threats in near-real time.

When Event Threat Detection detects a threat, it writes a finding to Security Command Center. If you activate Security Command Center Premium tier at the organization level, Security Command Center can write findings to a Cloud Logging project. From Cloud Logging and Google Workspace logging, you can export findings to other systems with Pub/Sub and process them with Cloud Functions.

If you activate Security Command Center Premium tier at the organization level, you can additionally use Chronicle to investigate some findings. Chronicle is a Google Cloud service that lets you investigate threats and pivot through related entities in a unified timeline. For instructions on sending findings to Chronicle, see Investigate findings in Chronicle.

Your ability to view and edit findings and logs is determined by the Identity and Access Management (IAM) roles you are granted. For more information on Security Command Center IAM roles, see Access control.

Event Threat Detection rules

Rules define the type of threats that Event Threat Detection detects and the types of logs that must be enabled for detectors to work. Admin Activity audit logs are always written; you can't configure or disable them.

Event Threat Detection includes the following default rules:

Display name API name Log source types Description
Active Scan: Log4j Vulnerable to RCE Unavailable Cloud DNS logs Detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners.
Inhibit System Recovery: Deleted Google Cloud Backup and DR host BACKUP_HOSTS_DELETE_HOST Cloud Audit Logs:
Backup and DR Service Data Access logs
A host was deleted from Backup and DR. Applications that are associated with the deleted host might not be protected.
Data Destruction: Google Cloud Backup and DR expire image BACKUP_EXPIRE_IMAGE Cloud Audit Logs:
Backup and DR Data Access logs
A user requested the deletion of a backup image from Backup and DR. The deletion of a backup image does not prevent future backups.
Inhibit System Recovery: Google Cloud Backup and DR remove plan BACKUP_REMOVE_PLAN Cloud Audit Logs:
Backup and DR Data Access logs
A backup plan with multiple policies for an application was deleted from Backup and DR. The deletion of a backup plan can prevent future backups.
Data Destruction: Google Cloud Backup and DR expire all images BACKUP_EXPIRE_IMAGES_ALL Cloud Audit Logs:
Backup and DR Data Access logs
A user requested the deletion of all backup images for a protected application from Backup and DR. The deletion of backup images does not prevent future backups.
Inhibit System Recovery: Google Cloud Backup and DR delete template BACKUP_TEMPLATES_DELETE_TEMPLATE Cloud Audit Logs:
Backup and DR Data Access logs
A predefined backup template, which is used to set up backups for multiple applications, was deleted. The ability to set up backups in the future might be impacted.
Inhibit System Recovery: Google Cloud Backup and DR delete policy BACKUP_TEMPLATES_DELETE_POLICY Cloud Audit Logs:
Backup and DR Data Access logs
A Backup and DR policy, which defines how a backup is taken and where it is stored, was deleted. Future backups that use the policy might fail.
Inhibit System Recovery: Google Cloud Backup and DR delete profile BACKUP_PROFILES_DELETE_PROFILE Cloud Audit Logs:
Backup and DR Data Access logs
A Backup and DR profile, which defines which storage pools should be used to store backups, was deleted. Future backups that use the profile might fail.
Data Destruction: Google Cloud Backup and DR remove appliance BACKUP_APPLIANCES_REMOVE_APPLIANCE Cloud Audit Logs:
Backup and DR Data Access logs
A backup appliance was deleted from Backup and DR. Applications that are associated with the deleted backup appliance might not be protected.
Inhibit System Recovery: Google Cloud Backup and DR delete storage pool BACKUP_STORAGE_POOLS_DELETE Cloud Audit Logs:
Backup and DR Data Access logs
A storage pool, which associates a Cloud Storage bucket with Backup and DR, has been removed from Backup and DR. Future backups to this storage target will fail.
Brute force SSH BRUTE_FORCE_SSH authlog Detection of successful brute force of SSH on a host.
Cloud IDS: THREAT_IDENTIFIER Preview CLOUD_IDS_THREAT_ACTIVITY Cloud IDS logs Events that are detected by Cloud IDS. Cloud IDS detects layer 7 attacks by analyzing mirrored packets and, when an event is detected, sends a finding to Security Command Center. Finding category names start with "Cloud IDS" followed by the Cloud IDS threat identifier. To learn more about Cloud IDS detections, see Cloud IDS Logging information.
Credential Access: External Member Added To Privileged Group EXTERNAL_MEMBER_ADDED_TO_PRIVILEGED_GROUP Google Workspace Logs:
Login Audit
Permissions:
DATA_READ

Detects events where an external member is added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes.

Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

This finding isn't available for project-level activations.

Credential Access: Privileged Group Opened To Public PRIVILEGED_GROUP_OPENED_TO_PUBLIC Google Workspace:
Admin Audit
Permissions:
DATA_READ

Detects events where a privileged Google Group (a group granted sensitive roles or permissions) is changed to be accessible to the general public. To learn more, see Unsafe Google Group changes.

Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

This finding isn't available for project-level activations.

Credential Access: Sensitive Role Granted To Hybrid Group SENSITIVE_ROLE_TO_GROUP_WITH_EXTERNAL_MEMBER Cloud Audit Logs:
IAM Admin Activity audit logs

Detects events where sensitive roles are granted to a Google Group with external members. To learn more, see Unsafe Google Group changes.

Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

This finding isn't available for project-level activations.

Defense Evasion: Breakglass Workload Deployment CreatedPreview BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_CREATE Cloud Audit Logs:
Admin Activity logs
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
Defense Evasion: Breakglass Workload Deployment UpdatedPreview BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_UPDATE Cloud Audit Logs:
Admin Activity logs
Detects when workloads are updated by using the break-glass flag to override Binary Authorization controls.
Defense Evasion: Modify VPC Service Control DEFENSE_EVASION_MODIFY_VPC_SERVICE_CONTROL Cloud Audit Logs VPC Service Controls audit logs

Detects a change to an existing VPC Service Controls perimeter that would lead to a reduction in the protection offered by that perimeter.

This finding isn't available for project-level activations.

Discovery: Can get sensitive Kubernetes object check GKE_CONTROL_PLANE_CAN_GET_SENSITIVE_OBJECT Cloud Audit Logs:
GKE Data Access logs

A potentially malicious actor attempted to determine what sensitive objects in GKE they can query for, by using the kubectl auth can-i get command. Specifically, the rule detects whether the actor checked for API access on the following objects:

Discovery: Service Account Self-Investigation SERVICE_ACCOUNT_SELF_INVESTIGATION Cloud Audit Logs:
IAM Data Access audit logs
Permissions:
DATA_READ

Detection of an IAM service account credential that is used to investigate the roles and permissions associated with that same service account.

Sensitive roles

Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

Evasion: Access from Anonymizing Proxy ANOMALOUS_ACCESS Cloud Audit Logs:
Admin Activity logs
Detection of Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses.
Exfiltration: BigQuery Data Exfiltration DATA_EXFILTRATION_BIG_QUERY Cloud Audit Logs: BigQueryAuditMetadata data access logs
Permissions:
DATA_READ
Detects the following scenarios:

  • Resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations.

    This scenario is indicated by a subrule of exfil_to_external_table and a severity of HIGH.

  • Attempts to access BigQuery resources that are protected by VPC Service Controls.

    This scenario is indicated by a subrule of vpc_perimeter_violation and a severity of LOW.

Exfiltration: BigQuery Data Extraction DATA_EXFILTRATION_BIG_QUERY_EXTRACTION Cloud Audit Logs: BigQueryAuditMetadata data access logs
Permissions:
DATA_READ
Detects the following scenarios:

  • A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Cloud Storage bucket outside the organization.
  • A BigQuery resource owned by the protected organization is saved, through extraction operations, to a publicly accessible Cloud Storage bucket owned by that organization.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Exfiltration: BigQuery Data to Google Drive DATA_EXFILTRATION_BIG_QUERY_TO_GOOGLE_DRIVE Cloud Audit Logs: BigQueryAuditMetadata data access logs
Permissions:
DATA_READ
Detects the following:

  • A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Google Drive folder.
Exfiltration: Cloud SQL Data Exfiltration
CLOUDSQL_EXFIL_EXPORT_TO_EXTERNAL_GCS
CLOUDSQL_EXFIL_EXPORT_TO_PUBLIC_GCS
Cloud Audit Logs: MySQL data access logs
PostgreSQL data access logs
SQL Server data access logs
Detects the following scenarios:

  • Live instance data exported to a Cloud Storage bucket outside of the organization.
  • Live instance data exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Exfiltration: Cloud SQL Restore Backup to External Organization CLOUDSQL_EXFIL_RESTORE_BACKUP_TO_EXTERNAL_INSTANCE Cloud Audit Logs: MySQL admin activity logs
PostgreSQL admin activity logs
SQL Server admin activity logs

Detects events where the backup of a Cloud SQL instance is restored to an instance outside of the organization.

Exfiltration: Cloud SQL Over-Privileged Grant CLOUDSQL_EXFIL_USER_GRANTED_ALL_PERMISSIONS Cloud Audit Logs: PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule.

Detects events where a Cloud SQL for PostgreSQL user or role has been granted all privileges to a database, or to all tables, procedures, or functions in a schema.

Initial Access: Database Superuser Writes to User Tables CLOUDSQL_SUPERUSER_WRITES_TO_USER_TABLES Cloud Audit Logs: Cloud SQL for PostgreSQL data access logs
Cloud SQL for MySQL data access logs
Note: You must enable the pgAudit extension for PostgreSQL or database auditing for MySQL to use this rule.

Detects events where a Cloud SQL superuser (postgres for PostgreSQL servers or root for MySQL users) writes to non-system tables.

PreviewPrivilege Escalation: AlloyDB Over-Privileged Grant ALLOYDB_USER_GRANTED_ALL_PERMISSIONS Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule.

Detects events where an AlloyDB for PostgreSQL user or role has been granted all privileges to a database, or to all tables, procedures, or functions in a schema.

PreviewPrivilege Escalation: AlloyDB Database Superuser Writes to User Tables ALLOYDB_SUPERUSER_WRITES_TO_USER_TABLES Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule.

Detects events where an AlloyDB for PostgreSQL superuser (postgres) writes to non-system tables.

Initial Access: Dormant Service Account Action DORMANT_SERVICE_ACCOUNT_USED_IN_ACTION Cloud Audit Logs: Admin Activity logs

Detects events where a dormant user-managed service account triggered an action. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Privilege Escalation: Dormant Service Account Granted Sensitive Role DORMANT_SERVICE_ACCOUNT_ADDED_IN_IAM_ROLE Cloud Audit Logs: IAM Admin Activity audit logs

Detects events where a dormant user-managed service account was granted one or more sensitive IAM roles. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Sensitive roles

Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

Persistence: Impersonation Role Granted For Dormant Service Account DORMANT_SERVICE_ACCOUNT_IMPERSONATION_ROLE_GRANTED Cloud Audit Logs: IAM Admin Activity audit logs

Detects events where a principal is granted permissions to impersonate a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Initial Access: Dormant Service Account Key Created DORMANT_SERVICE_ACCOUNT_KEY_CREATED Cloud Audit Logs: Admin Activity logs

Detects events where a key is created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Initial Access: Leaked Service Account Key Used LEAKED_SA_KEY_USED Cloud Audit Logs: Admin Activity logs
Data Access logs

Detects events where a leaked service account key is used to authenticate the action. In this context, a leaked service account key is one that was posted on the public internet.

Initial Access: Excessive Permission Denied Actions EXCESSIVE_FAILED_ATTEMPT Cloud Audit Logs: Admin Activity logs

Detects events where a principal repeatedly triggers permission denied errors by attempting changes across multiple methods and services.

Impair Defenses: Strong Authentication Disabled ENFORCE_STRONG_AUTHENTICATION Google Workspace:
Admin Audit
2-step verification was disabled for the organization.

This finding isn't available for project-level activations.

Impair Defenses: Two Step Verification Disabled 2SV_DISABLE Google Workspace Logs:
Login Audit
Permissions:
DATA_READ
A user disabled 2-step verification.

This finding isn't available for project-level activations.

Initial Access: Account Disabled Hijacked ACCOUNT_DISABLED_HIJACKED Google Workspace Logs:
Login Audit
Permissions:
DATA_READ
A user's account was suspended due to suspicious activity.

This finding isn't available for project-level activations.

Initial Access: Disabled Password Leak ACCOUNT_DISABLED_PASSWORD_LEAK Google Workspace Logs:
Login Audit
Permissions:
DATA_READ
A user's account is disabled because a password leak was detected.

This finding isn't available for project-level activations.

Initial Access: Government Based Attack GOV_ATTACK_WARNING Google Workspace Logs:
Login Audit
Permissions:
DATA_READ
Government-backed attackers might have tried to compromise a user account or computer.

This finding isn't available for project-level activations.

Initial Access: Log4j Compromise Attempt Unavailable Cloud Load Balancing Logs:
Cloud HTTP Load Balancer
Note: You must enable external Application Load Balancer logging to use this rule.
Detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. These findings have low severity, because they only indicate a detection or exploit attempt, not a vulnerability or a compromise.
This rule is always on.
Initial Access: Suspicious Login Blocked SUSPICIOUS_LOGIN Google Workspace Logs:
Login Audit
Permissions:
DATA_READ
A suspicious login to a user's account was detected and blocked.

This finding isn't available for project-level activations.

Log4j Malware: Bad Domain LOG4J_BAD_DOMAIN Cloud DNS logs Detection of Log4j exploit traffic based on a connection to, or a lookup of, a known domain used in Log4j attacks.
Log4j Malware: Bad IP LOG4J_BAD_IP VPC flow logs
Firewall Rules logs
Cloud NAT logs
Detection of Log4j exploit traffic based on a connection to a known IP address used in Log4j attacks.
Malware: bad domain MALWARE_BAD_DOMAIN Cloud DNS logs Detection of malware based on a connection to, or a lookup of, a known bad domain.
Malware: bad IP MALWARE_BAD_IP VPC flow logs
Firewall Rules logs
Cloud NAT logs
Detection of malware based on a connection to a known bad IP address.
Malware: Cryptomining Bad Domain CRYPTOMINING_POOL_DOMAIN Cloud DNS logs Detection of cryptomining based on a connection to, or a lookup of, a known mining domain.
Malware: Cryptomining Bad IP CRYPTOMINING_POOL_IP VPC flow logs
Firewall Rules logs
Cloud NAT logs
Detection of cryptomining based on a connection to a known mining IP address.
Outgoing DoS OUTGOING_DOS VPC flow logs Detection of outgoing denial of service traffic.
Persistence: GCE Admin Added SSH Key GCE_ADMIN_ADD_SSH_KEY Cloud Audit Logs:
Compute Engine audit logs
Detection of a modification to the Compute Engine instance metadata ssh key value on an established instance (older than 1 week).
Persistence: GCE Admin Added Startup Script GCE_ADMIN_ADD_STARTUP_SCRIPT Cloud Audit Logs:
Compute Engine audit logs
Detection of a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week).
Persistence: IAM Anomalous Grant IAM_ANOMALOUS_GRANT Cloud Audit Logs:
IAM Admin Activity audit logs

This finding includes subrules that provide more specific information about each instance of this finding.

The following list shows all possible subrules:

  • external_service_account_added_to_policy, external_member_added_to_policy: Detection of privileges granted to IAM users and service accounts that are not members of your organization or, if Security Command Center is activated at the project level only, your project. Note: If Security Command Center is activated at the organization level at any tier, then this detector uses an organization's existing IAM policies as context. If Security Command Center activation is only at the project level, then the detector uses only the project's IAM policies as context. If a sensitive IAM grant to an external member occurs, and there are less than three existing IAM policies that are similar to it, this detector generates a finding.

    Sensitive roles

    Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

  • external_member_invited_to_policy: Detects when an external member is invited as the owner of the project through the InsertProjectOwnershipInvite API.
  • custom_role_given_sensitive_permissions: Detects when the setIAMPolicy permission is added to a custom role.
  • service_account_granted_sensitive_role_to_member: Detects when privileged roles are granted to members through a service account. This subrule is triggered by a subset of sensitive roles that include only basic IAM roles and certain data storage roles. For more information, see Sensitive IAM roles and permissions
  • policy_modified_by_default_compute_service_account: Detects when a default Compute Engine service account is used to modify project IAM settings
PreviewPersistence: Unmanaged Account Granted Sensitive Role
UNMANAGED_ACCOUNT_ADDED_IN_IAM_ROLE Cloud Audit Logs:
IAM Admin Activity audit logs
Detection of a sensitive role being granted to an unmanaged account.
Persistence: New API Method
ANOMALOUS_BEHAVIOR_NEW_API_METHOD Cloud Audit Logs:
Admin Activity logs
Detection of anomalous usage of Google Cloud services by IAM service accounts.
Persistence: New Geography
IAM_ANOMALOUS_BEHAVIOR_IP_GEOLOCATION Cloud Audit Logs:
Admin Activity logs
Detection of IAM user and service accounts accessing Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses.

This finding isn't available for project-level activations.

Persistence: New User Agent IAM_ANOMALOUS_BEHAVIOR_USER_AGENT Cloud Audit Logs:
Admin Activity logs
Detection of IAM service accounts accessing Google Cloud from anomalous or suspicious user agents.

This finding isn't available for project-level activations.

Persistence: SSO Enablement Toggle TOGGLE_SSO_ENABLED Google Workspace:
Admin Audit
The Enable SSO (single sign-on) setting on the admin account was disabled.

This finding isn't available for project-level activations.

Persistence: SSO Settings Changed CHANGE_SSO_SETTINGS Google Workspace:
Admin Audit
The SSO settings for the admin account were changed.

This finding isn't available for project-level activations.

Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity ANOMALOUS_SA_DELEGATION_IMPERSONATION_OF_SA_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs
Detects when a potentially anomalous impersonated service account is used for an administrative activity.
Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity ANOMALOUS_SA_DELEGATION_MULTISTEP_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs
Detects when an anomalous multistep delegated request is found for an administrative activity.
Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access ANOMALOUS_SA_DELEGATION_MULTISTEP_DATA_ACCESS Cloud Audit Logs:
Data Access logs
Detects when an anomalous multistep delegated request is found for a data access activity.
Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity ANOMALOUS_SA_DELEGATION_IMPERSONATOR_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs
Detects when a potentially anomalous caller/impersonator in a delegation chain is used for an administrative activity.
Privilege Escalation: Anomalous Service Account Impersonator for Data Access ANOMALOUS_SA_DELEGATION_IMPERSONATOR_DATA_ACCESS Cloud Audit Logs:
Data Access logs
Detects when a potentially anomalous caller/impersonator in a delegation chain is used for a data access activity.
Privilege Escalation: Changes to sensitive Kubernetes RBAC objects GKE_CONTROL_PLANE_EDIT_SENSITIVE_RBAC_OBJECT Cloud Audit Logs:
GKE Admin Activity logs
To escalate privilege, a potentially malicious actor attempted to modify a ClusterRole or ClusterRoleBinding role-based access control (RBAC) object of the sensitive cluster-admin role by using a PUT or PATCH request.
Privilege Escalation: Create Kubernetes CSR for master cert GKE_CONTROL_PLANE_CSR_FOR_MASTER_CERT Cloud Audit Logs:
GKE Admin Activity logs
A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access.
Privilege Escalation: Creation of sensitive Kubernetes bindings GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING Cloud Audit Logs:
IAM Admin Activity audit logs
To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role.
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials GKE_CONTROL_PLANE_GET_CSR_WITH_COMPROMISED_BOOTSTRAP_CREDENTIALS Cloud Audit Logs:
GKE Data Access logs
A potentially malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials.
Privilege Escalation: Launch of privileged Kubernetes container GKE_CONTROL_PLANE_LAUNCH_PRIVILEGED_CONTAINER Cloud Audit Logs:
GKE Admin Activity logs

A potentially malicious actor created a Pod that contains privileged containers or containers with privilege escalation capabilities.

A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. For more information, see the SecurityContext v1 core API reference in the Kubernetes documentation.

Persistence: Service Account Key Created SERVICE_ACCOUNT_KEY_CREATION Cloud Audit Logs:
IAM Admin Activity audit logs
Detects the creation of a service account key. Service account keys are long-lived credentials that increase the risk of unauthorized access to Google Cloud resources.
Privilege Escalation: Global Shutdown Script Added GLOBAL_SHUTDOWN_SCRIPT_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a global shutdown script is added to a project.
Persistence: Global Startup Script Added GLOBAL_STARTUP_SCRIPT_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a global startup script is added to a project.
Defense Evasion: Organization-Level Service Account Token Creator Role Added ORG_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when the Service Account Token Creator IAM role is granted at the organization level.
Defense Evasion: Project-Level Service Account Token Creator Role Added PROJECT_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when the Service Account Token Creator IAM role is granted at the project level.
Lateral Movement: OS Patch Execution From Service Account OS_PATCH_EXECUTION_FROM_SERVICE_ACCOUNT Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a service account uses the Compute Engine Patch feature to update the operating system of any currently running Compute Engine instance.
Lateral Movement: Modified Boot Disk Attached to Instance Preview MODIFY_BOOT_DISK_ATTACH_TO_INSTANCE Cloud Audit Logs:
Compute Engine audit logs
Detects when a boot disk is detached from one Compute Engine instance and attached to another, which could indicate a malicious attempt to compromise the system using a modified boot disk.
Credential Access: Secrets Accessed In Kubernetes Namespace SECRETS_ACCESSED_IN_KUBERNETES_NAMESPACE Cloud Audit Logs:
GKE Data Access logs
Detects when secrets or service account tokens are accessed by a service account in the current Kubernetes namespace.
Resource Development: Offensive Security Distro Activity OFFENSIVE_SECURITY_DISTRO_ACTIVITY Cloud Audit Logs:
IAM Admin Activity audit logs
Detects successful Google Cloud resource manipulations from known penetration testing or offensive security distros.
Privilege Escalation: New Service Account is Owner or Editor SERVICE_ACCOUNT_EDITOR_OWNER Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a new service account is created with Editor or Owner roles for a project.
Discovery: Information Gathering Tool Used INFORMATION_GATHERING_TOOL_USED Cloud Audit Logs:
IAM Admin Activity audit logs
Detects the use of ScoutSuite, a cloud security auditing tool that is known to be used by threat actors.
Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_IMPLICIT_DELEGATION Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when the iam.serviceAccounts.implicitDelegation permission is abused to generate access tokens from a more privileged service account.
Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_SIGN_JWT Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a service account uses the serviceAccounts.signJwt method to generate an access token for another service account.
Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_OPENID Cloud Audit Logs:
IAM Admin Activity audit logs
Detects cross-project use of the iam.serviceAccounts.getOpenIdToken IAM permission.

This finding isn't available for project-level activations.

Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_ACCESS_TOKEN Cloud Audit Logs:
IAM Admin Activity audit logs
Detects cross-project use of the iam.serviceAccounts.getAccessToken IAM permission.

This finding isn't available for project-level activations.

Privilege Escalation: Suspicious Cross-Project Permission Use SUSPICIOUS_CROSS_PROJECT_PERMISSION_DATAFUSION Cloud Audit Logs:
IAM Admin Activity audit logs
Detects cross-project use of the datafusion.instances.create IAM permission.

This finding isn't available for project-level activations.

Command and Control: DNS Tunneling DNS_TUNNELING_IODINE_HANDSHAKE Cloud DNS logs Detects the handshake of the DNS tunneling tool Iodine.
Defense Evasion: VPC Route Masquerade Attempt VPC_ROUTE_MASQUERADE Cloud Audit Logs:
IAM Admin Activity audit logs
Detects the manual creation of VPC routes masquerading as Google Cloud default routes, allowing egress traffic to external IP addresses.
Impact: Billing Disabled BILLING_DISABLED_SINGLE_PROJECT Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when billing has been disabled for a project.
Impact: Billing Disabled BILLING_DISABLED_MULTIPLE_PROJECTS Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when billing has been disabled for multiple projects in an organization within a short time period.
Impact: VPC Firewall High Priority Block VPC_FIREWALL_HIGH_PRIORITY_BLOCK Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a VPC firewall rule that blocks all traffic is added at priority 0.
Impact: VPC Firewall Mass Rule Deletion VPC_FIREWALL_MASS_RULE_DELETION Cloud Audit Logs:
IAM Admin Activity audit logs
Detects the mass deletion of VPC firewall rules by non-service accounts.
Impact: Service API Disabled SERVICE_API_DISABLED Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a Google Cloud service API is disabled in a production environment.
Impact: Managed Instance Group Autoscaling Set To Maximum MIG_AUTOSCALING_SET_TO_MAX Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a managed instance group is configured for maximum autoscaling.
Discovery: Unauthorized Service Account API Call UNAUTHORIZED_SERVICE_ACCOUNT_API_CALL Cloud Audit Logs:
IAM Admin Activity audit logs
Detects when a service account makes an unauthorized cross-project API call.
Defense Evasion: Anonymous Sessions Granted Cluster Admin Access ANONYMOUS_SESSIONS_GRANTED_CLUSTER_ADMIN Cloud Audit Logs:
GKE Admin Activity logs
Detects the creation of a role-based access control (RBAC) ClusterRoleBinding object adding the root-cluster-admin-binding behavior to anonymous users.
Initial Access: Anonymous GKE Resource Created from the Internet GKE_RESOURCE_CREATED_ANONYMOUSLY_FROM_INTERNET Cloud Audit Logs:
GKE Admin Activity logs
Detects resource creation events from effectively anonymous internet users.
Initial Access: GKE Resource Modified Anonymously from the Internet GKE_RESOURCE_MODIFIED_ANONYMOUSLY_FROM_INTERNET Cloud Audit Logs:
GKE Admin Activity logs
Detects resource manipulation events from effectively anonymous internet users.

Custom modules for Event Threat Detection

In addition to built-in detection rules, Event Threat Detection provides module templates that you can use to create custom detection rules. For more information, see Overview of custom modules for Event Threat Detection.

To create detection rules for which no custom module templates are available, you can export your log data to BigQuery, and then run unique or recurring SQL queries that capture your threat models.

Unsafe Google Group changes

This section explains how Event Threat Detection uses Google Workspace logs, Cloud Audit logs, and IAM policies to detect unsafe Google Groups changes. Detecting Google Groups changes is only supported when you activate Security Command Center at the organization level.

Google Cloud customers can use Google Groups to manage roles and permissions for members in their organizations, or apply access policies to collections of users. Instead of granting roles directly to members, administrators can grant roles and permissions to Google Groups, and then add members to specific groups. Group members inherit all of a group's roles and permissions, which lets members access specific resources and services.

While Google Groups are a convenient way to manage access control at scale, they can pose a risk if external users from outside your organization or domain are added to privileged groups—groups that are granted sensitive roles or permissions. Sensitive roles control access to security and network settings, logs, and personally identifiable information (PII), and are not recommended for external group members.

In large organizations, administrators might not be aware when external members are added to privileged groups. Cloud Audit logs record role grants to groups, but those log events don't contain information on group members, which can obscure the potential impact of some group changes.

If you share your Google Workspace logs with Google Cloud, Event Threat Detection monitors your logging streams for new members added to your organization's Google Groups. Because the logs are at the organization level, Event Threat Detection can scan Google Workspace logs only when you activate Security Command Center at the organization level. Event Threat Detection can't scan these logs when you activate Security Command Center at the project level.

Event Threat Detection identifies external group members and, using Cloud Audit logs, reviews each affected group's IAM roles to check whether the groups are granted sensitive roles. That information is used to detect the following unsafe changes for privileged Google Groups:

  • External group members added to privileged groups
  • Sensitive roles or permissions granted to groups with external group members
  • Privileged groups that are changed to allow anyone in the general public to join

Event Threat Detection writes findings to Security Command Center. Findings contain the email addresses of newly added external members, internal group members that initiate events, group names, and the sensitive roles associated with groups. You can use the information to remove external members from groups or revoke sensitive roles granted to groups.

For more information on Event Threat Detection findings, see Event Threat Detection rules.

Sensitive IAM roles and permissions

This section explains how Event Threat Detection defines sensitive IAM roles. Detections like IAM Anomalous Grant and Unsafe Google Group changes generate findings only if changes involve high- or medium-sensitivity roles. The sensitivity of roles impacts the severity rating assigned to findings.

  • High-sensitivity roles control critical services in organizations, including billing, firewall settings, and logging. Findings that match these roles are classified as High severity.
  • Medium-sensitivity roles have editing permissions that let principals make changes to Google Cloud resources; and viewing and executing permissions on data storage services that often hold sensitive data. The severity assigned to findings depends on the resource:
    • If medium-sensitivity roles are granted at the organization level, findings are classified as High severity.
    • If medium-sensitivity roles are granted at lower levels in your resource hierarchy (folders, projects, and buckets, among others), findings are classified as Medium severity.

Granting these sensitive roles is considered dangerous if the grantee is an External Member or an abnormal identity, like a principal that has been inactive for a long time. Granting sensitive roles to external members creates a potential threat because they can be abused for account compromise and data exfiltration.

Finding categories that use these sensitive roles include:

  • Persistence: IAM Anomalous Grant
    • Subrule: external_service_account_added_to_policy
    • Subrule: external_member_added_to_policy
  • Credential Access: Sensitive Role Granted To Hybrid Group
  • Privilege Escalation: Dormant Service Account Granted Sensitive Role

Finding categories that use a subset of the sensitive roles include:

  • Persistence: IAM Anomalous Grant
    • Subrule: service_account_granted_sensitive_role_to_member

The service_account_granted_sensitive_role_to_member subrule targets both external and internal members generally and therefore uses only a subset of sensitive roles, as explained in Event Threat Detection rules.

Table 1. High-sensitivity roles
Category Role Description
Basic roles: contain thousands of permissions across all Google Cloud services. roles/owner Basic roles
roles/editor
Security roles: control access to security settings roles/cloudkms.* All Cloud Key Management Service roles
roles/cloudsecurityscanner.* All Web Security Scanner roles
roles/dlp.* All Sensitive Data Protection roles
roles/iam.* All IAM roles
roles/secretmanager.* All Secret Manager roles
roles/securitycenter.* All Security Command Center roles
Logging roles: control access to an organization's logs roles/errorreporting.* All Error Reporting roles
roles/logging.* All Cloud Logging roles
roles/stackdriver.* All Cloud Monitoring roles
Personal information roles: control access to resources that contain personally identifiable information, including banking and contact information roles/billing.* All Cloud Billing roles
roles/healthcare.* All Cloud Healthcare API roles
roles/essentialcontacts.* All Essential Contacts roles
Networking roles: control access to an organization's network settings roles/dns.* All Cloud DNS roles
roles/domains.* All Cloud Domains roles
roles/networkconnectivity.* All Network Connectivity Center roles
roles/networkmanagement.* All Network Connectivity Center roles
roles/privateca.* All Certificate Authority Service roles
Service roles: control access to service resources in Google Cloud roles/cloudasset.* All Cloud Asset Inventory roles
roles/servicedirectory.* All Service Directory roles
roles/servicemanagement.* All Service Management roles
roles/servicenetworking.* All Service Networking roles
roles/serviceusage.* All Service Usage roles
Compute Engine roles: control access to Compute Engine virtual machines, which carry long-running jobs and are associated with firewall rules

roles/compute.admin

roles/compute.instanceAdmin

roles/compute.instanceAdmin.v1

roles/compute.loadBalancerAdmin

roles/compute.networkAdmin

roles/compute.orgFirewallPolicyAdmin

roles/compute.orgFirewallPolicyUser

roles/compute.orgSecurityPolicyAdmin

roles/compute.orgSecurityPolicyUser

roles/compute.orgSecurityResourceAdmin

roles/compute.osAdminLogin

roles/compute.publicIpAdmin

roles/compute.securityAdmin

roles/compute.storageAdmin

roles/compute.xpnAdmin

All Compute Engine Admin and Editor roles
Table 2. Medium-sensitivity roles
Category Role Description
Editing roles: IAM roles that include permissions to make changes to Google Cloud resources

Examples:

roles/storage.objectAdmin

roles/file.editor

roles/source.writer

roles/container.developer

Role names usually end with titles like Admin, Owner, Editor, or Writer.

Expand the node in the last row of the table to see All medium-sensitivity roles

Data storage roles: IAM roles that include permissions to view and execute data storage services

Examples:

roles/cloudsql.viewer

roles/cloudsql.client

roles/bigquery.dataViewer

roles/bigquery.user

roles/spanner.databaseReader

roles/spanner.databaseUser

Expand the node in the last row of the table to see All medium-sensitivity roles
All medium-sensitivity roles

Access Approval
roles/accessapproval.approver
roles/accessapproval.configEditor

Access Context Manager
roles/accesscontextmanager.gcpAccessAdmin
roles/accesscontextmanager.policyAdmin
roles/accesscontextmanager.policyEditor

Actions
roles/actions.Admin

AI Platform
roles/ml.admin
roles/ml.developer
roles/ml.jobOwner
roles/ml.modelOwner
roles/ml.modelUser

API Gateway
roles/apigateway.admin

App Engine
roles/appengine.appAdmin
roles/appengine.appCreator
roles/appengine.serviceAdmin

AutoML
roles/automl.admin
roles/automl.editor

BigQuery
roles/bigquery.admin
roles/bigquery.dataEditor
roles/bigquery.dataOwner
roles/bigquery.dataViewer
roles/bigquery.resourceAdmin
roles/bigquery.resourceEditor
roles/bigquery.resourceViewer
roles/bigquery.user

Binary Authorization
roles/binaryauthorization.attestorsAdmin
roles/binaryauthorization.attestorsEditor
roles/binaryauthorization.policyAdmin
roles/binaryauthorization.policyEditor

Bigtable
roles/bigtable.admin
roles/bigtable.reader
roles/bigtable.user

Cloud Build
roles/cloudbuild.builds.builder
roles/cloudbuild.builds.editor

Cloud Deployment Manager
roles/deploymentmanager.editor
roles/deploymentmanager.typeEditor

Cloud Endpoints
roles/endpoints.portalAdminBeta

Cloud Functions
roles/cloudfunctions.admin
roles/cloudfunctions.developer
roles/cloudfunctions.invoker

Cloud IoT
roles/cloudiot.admin
roles/cloudiot.deviceController
roles/cloudiot.editor
roles/cloudiot.provisioner

Cloud Life Sciences
roles/genomics.admin
roles/genomics.admin
roles/lifesciences.admin
roles/lifesciences.editor

Cloud Monitoring
roles/monitoring.admin
roles/monitoring.alertPolicyEditor
roles/monitoring.dashboardEditor
roles/monitoring.editor
roles/monitoring.metricWriter
roles/monitoring.notificationChannelEditor
roles/monitoring.servicesEditor
roles/monitoring.uptimeCheckConfigEditor

Cloud Run
roles/run.admin
roles/run.developer

Cloud Scheduler
roles/cloudscheduler.admin

Cloud Source Repositories
roles/source.admin
roles/source.writer

Spanner
roles/spanner.admin
roles/spanner.backupAdmin
roles/spanner.backupWriter
roles/spanner.databaseAdmin
roles/spanner.restoreAdmin
roles/spanner.databaseReader
roles/spanner.databaseUser

Cloud Storage
roles/storage.admin
roles/storage.hmacKeyAdmin
roles/storage.objectAdmin
roles/storage.objectCreator
roles/storage.objectViewer
roles/storage.legacyBucketOwner
roles/storage.legacyBucketWriter
roles/storage.legacyBucketReader
roles/storage.legacyObjectOwner
roles/storage.legacyObjectReader

Cloud SQL
roles/cloudsql.admin
roles/cloudsql.editor
roles/cloudsql.client
roles/cloudsql.instanceUser
roles/cloudsql.viewer

Cloud Tasks
roles/cloudtasks.admin
roles/cloudtasks.enqueuer
roles/cloudtasks.queueAdmin
roles/cloudtasks.taskDeleter

Cloud TPU
tpu.admin

Cloud Trace
roles/cloudtrace.admin
roles/cloudtrace.agent

Compute Engine
roles/compute.imageUser
roles/compute.osLoginExternalUser
roles/osconfig.guestPolicyAdmin
roles/osconfig.guestPolicyEditor
roles/osconfig.osPolicyAssignmentAdmin
roles/osconfig.osPolicyAssignmentEditor
roles/osconfig.patchDeploymentAdmin

Artifact Analysis
roles/containeranalysis.admin
roles/containeranalysis.notes.attacher
roles/containeranalysis.notes.editor
roles/containeranalysis.occurrences.editor

Data Catalog
roles/datacatalog.admin
roles/datacatalog.categoryAdmin
roles/datacatalog.entryGroupCreator
roles/datacatalog.entryGroupOwner
roles/datacatalog.entryOwner

Dataflow
roles/dataflow.admin
roles/dataflow.developer

Dataproc
roles/dataproc.admin
roles/dataproc.editor

Dataproc Metastore
roles/metastore.admin
roles/metastore.editor

Datastore
roles/datastore.importExportAdmin
roles/datastore.indexAdmin
roles/datastore.owner
roles/datastore.user

Eventarc
roles/eventarc.admin
roles/eventarc.developer
roles/eventarc.eventReceiver

Filestore
roles/file.editor

Firebase
roles/firebase.admin
roles/firebase.analyticsAdmin
roles/firebase.developAdmin
roles/firebase.growthAdmin
roles/firebase.qualityAdmin
roles/firebaseabt.admin
roles/firebaseappcheck.admin
roles/firebaseappdistro.admin
roles/firebaseauth.admin
roles/firebasecrashlytics.admin
roles/firebasedatabase.admin
roles/firebasedynamiclinks.admin
roles/firebasehosting.admin
roles/firebaseinappmessaging.admin
roles/firebaseml.admin
roles/firebasenotifications.admin
roles/firebaseperformance.admin
roles/firebasepredictions.admin
roles/firebaserules.admin
roles/firebasestorage.admin
roles/cloudconfig.admin
roles/cloudtestservice.testAdmin

Game Servers
roles/gameservices.admin

Google Cloud VMware Engine
vmwareengine.vmwareengineAdmin

Google Kubernetes Engine
roles/container.admin
roles/container.clusterAdmin
roles/container.developer

Google Kubernetes Engine Hub
roles/gkehub.admin
roles/gkehub.gatewayAdmin
roles/gkehub.connect

Google Workspace
roles/gsuiteaddons.developer

Identity-Aware Proxy
roles/iap.admin
roles/iap.settingsAdmin

Managed Service for Microsoft Active Directory
roles/managedidentities.admin
roles/managedidentities.domainAdmin
roles/managedidentities.viewer

Memorystore for Redis
roles/redis.admin
roles/redis.editor

On-Demand Scanning API
roles/ondemandscanning.admin

Ops Config Monitoring
roles/opsconfigmonitoring.resourceMetadata.writer

Organization Policy Service
roles/axt.admin
roles/orgpolicy.policyAdmin

Other roles
roles/autoscaling.metricsWriter
roles/autoscaling.sitesAdmin
roles/autoscaling.stateWriter
roles/chroniclesm.admin
roles/dataprocessing.admin
roles/earlyaccesscenter.admin
roles/firebasecrash.symbolMappingsAdmin
roles/identityplatform.admin
roles/identitytoolkit.admin
roles/oauthconfig.editor
roles/retail.admin
roles/retail.editor
roles/runtimeconfig.admin

Proximity Beacon
roles/proximitybeacon.attachmentEditor
roles/proximitybeacon.beaconEditor

Pub/Sub
roles/pubsub.admin
roles/pubsub.editor

Pub/Sub Lite
roles/pubsublite.admin
roles/pubsublite.editor
roles/pubsublite.publisher

reCAPTCHA Enterprise
roles/recaptchaenterprise.admin
roles/recaptchaenterprise.agent

Recommendations
roles/automlrecommendations.admin
roles/automlrecommendations.editor

Recommender
roles/recommender.billingAccountCudAdmin
roles/recommender.cloudAssetInsightsAdmin
roles/recommender.cloudsqlAdmin
roles/recommender.computeAdmin
roles/recommender.firewallAdmin
roles/recommender.iamAdmin
roles/recommender.productSuggestionAdmin
roles/recommender.projectCudAdmin

Resource Manager
roles/resourcemanager.folderAdmin
roles/resourcemanager.folderCreator
roles/resourcemanager.folderEditor
roles/resourcemanager.folderIamAdmin
roles/resourcemanager.folderMover
roles/resourcemanager.lienModifier
roles/resourcemanager.organizationAdmin
roles/resourcemanager.projectCreator
roles/resourcemanager.projectDeleter
roles/resourcemanager.projectIamAdmin
roles/resourcemanager.projectMover
roles/resourcemanager.tagAdmin

Resource Settings
roles/resourcesettings.admin

Serverless VPC Access
roles/vpcaccess.admin

Service Consumer Management
roles/serviceconsumermanagement.tenancyUnitsAdmin

Storage Transfer Service
roles/storagetransfer.admin
roles/storagetransfer.user

Vertex AI
roles/aiplatform.admin
roles/aiplatform.featurestoreAdmin
roles/aiplatform.migrator
roles/aiplatform.user

Vertex AI Workbench user-managed notebooks
roles/notebooks.admin
roles/notebooks.legacyAdmin

Workflows
roles/workflows.admin
roles/workflows.editor

Log types and activation requirements

This section lists the logs that Event Threat Detection uses, along with the threats that Event Threat Detection looks for in each log, and what, if anything, you need to do to turn on each log.

You need to turn a log on for Event Threat Detection only if all of the following are true:

  • You are using the product or service that writes to the log.
  • You need to protect the product or service against the threats that Event Threat Detection detects in the log.
  • The log is a data access audit log or other log that is off by default.

Certain threats can be detected in multiple logs. If Event Threat Detection can detect a threat in a log that is already turned on, you don't need to turn on another log to detect that same threat.

If a log isn't listed in this section, Event Threat Detection does not scan it, even if it is turned on. For more information, see Potentially redundant log scans.

As described in the following table, some log types are only available at the organization level. If you activate Security Command Center at the project level, Event Threat Detection doesn't scan these logs and doesn't produce any findings.

Potentially redundant log scans

Event Threat Detection can provide network detection of malware by scanning any one of the following logs:

  • Cloud DNS logging
  • Cloud NAT logging
  • Firewall Rules Logging
  • VPC Flow Logs

If you are already using Cloud DNS logging, Event Threat Detection can detect malware using domain resolution. For most users, the Cloud DNS logs are sufficient for the network detection of malware.

If you need another level of visibility beyond domain resolution, you can turn on VPC Flow Logs, but VPC Flow Logs can incur costs. To manage these costs, we recommend increasing the aggregation interval to 15 minutes and reducing the sample rate to between 5% and 10%, but there is a tradeoff between recall (higher sample) and cost management (lower sample rate).

If you are already using Firewall Rules Logging or Cloud NAT logging, these logs are useful in place of VPC Flow Logs.

You don't need to enable more than one of Cloud NAT logging, Firewall Rules Logging, or VPC Flow Logs.

Logs that you need to turn on

This section lists the Cloud Logging and Google Workspace logs that you can turn on or otherwise configure to increase the number of threats that Event Threat Detection can detect.

Certain threats, such as threats posed by the anomalous impersonation or delegation of a service account, can be found in most audit logs. For these types of threats, you determine which logs you need to turn on based on the products and services you are using.

The following table shows specific logs you need to turn on for threats that can be detected in only certain specific log types.

Privilege Escalation: AlloyDB Over-Privileged Grant
Log type Threats detected Configuration required
Cloud DNS logging Log4j Malware: Bad Domain
Malware: bad domain
Malware: Cryptomining Bad Domain
Turn on Cloud DNS logging
Cloud NAT logging Log4j Malware: Bad IP
Malware: bad IP
Malware: Cryptomining Bad IP
Turn on Cloud NAT logging
Firewall Rules Logging Log4j Malware: Bad IP
Malware: bad IP
Malware: Cryptomining Bad IP
Turn on Firewall Rules Logging.
Google Kubernetes Engine (GKE) Data Access audit logs Discovery: Can get sensitive Kubernetes object check
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
Activate Logging Data Access audit logs for GKE
Google Workspace Admin Audit logs Credential Access: Privileged Group Opened To Public
Impair Defenses: Strong Authentication Disabled
Impair Defenses: Two Step Verification Disabled
Persistence: SSO Enablement Toggle
Persistence: SSO Settings Changed
Share Google Workspace Admin Audit logs with Cloud Logging

This log type can't be scanned in project-level activations.

Google Workspace Login Audit logs Credential Access: External Member Added To Privileged Group
Impair Defenses: Two Step Verification Disabled
Initial Access: Account Disabled Hijacked
Initial Access: Disabled Password Leak
Initial Access: Government Based Attack
Initial Access: Suspicious Login Blocked
Share Google Workspace Login Audit logs with Cloud Logging

This log type can't be scanned in project-level activations.

External Application Load Balancer backend service logs Initial Access: Log4j Compromise Attempt Turn on external Application Load Balancer logging
Cloud SQL MySQL Data Access audit logs Exfiltration: Cloud SQL Data Exfiltration Activate Logging Data Access audit logs for Cloud SQL for MySQL
Cloud SQL PostgreSQL Data Access audit logs Exfiltration: Cloud SQL Data Exfiltration
Exfiltration: Cloud SQL Over-Privileged Grant
AlloyDB for PostgreSQL Data Access audit logs Privilege Escalation: AlloyDB Database Superuser Writes to User Tables
IAM Data Access audit logs Discovery: Service Account Self-Investigation Activate Logging Data Access audit logs for Resource Manager
SQL Server Data Access audit logs Exfiltration: Cloud SQL Data Exfiltration Activate Logging Data Access audit logs for Cloud SQL for SQL Server
Generic Data Access audit logs Initial Access: Leaked Service Account Key Used
Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
Privilege Escalation: Anomalous Service Account Impersonator for Data Access
Activate Logging Data Access audit logs.
authlogs/authlog on virtual machines Brute force SSH Install the Ops Agent or the legacy Logging agent on your VM hosts
VPC Flow Logs Log4j Malware: Bad IP
Malware: bad IP
Malware: Cryptomining Bad IP
Outgoing DoS
Turn on VPC Flow Logs.
Backup and DR audit logging Data destruction: Google cloud backup and dr expire all images
Inhibit system recovery: Google cloud backup and dr delete policy
Inhibit system recovery: Google cloud backup and dr delete template
Inhibit system recovery: Google cloud backup and dr delete profile
Inhibit system recovery: Google cloud backup and dr delete storage pool
Inhibit system recovery: deleted Google cloud backup and dr host
Data destruction: Google cloud backup and dr expire image
Data destruction: Google cloud backup and dr remove appliance
Inhibit system recovery: Google cloud backup and dr remove plan
Enable Backup and DR audit logging

Logs that are always on

The following table lists the Cloud Logging logs that you do not need to turn on or configure. These logs are always on and Event Threat Detection scans them automatically.

Log type Threats detected Configuration required
BigQueryAuditMetadata Data Access logs Exfiltration: BigQuery Data Exfiltration
Exfiltration: BigQuery Data Extraction
Exfiltration: BigQuery Data to Google Drive
None
Google Kubernetes Engine (GKE) Admin Activity audit logs Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
Privilege Escalation: Creation of sensitive Kubernetes bindings
Privilege Escalation: Launch of privileged Kubernetes container
Privilege Escalation: Create Kubernetes CSR for master cert
None
IAM Admin Activity audit logs Credential Access: Sensitive Role Granted To Hybrid Group
Privilege Escalation: Dormant Service Account Granted Sensitive Role
Persistence: Impersonation Role Granted For Dormant Service Account
Persistence: IAM Anomalous Grant
PreviewPersistence: Unmanaged Account Granted Sensitive Role
None
MySQL Admin Activity logs Exfiltration: Cloud SQL Restore Backup to External Organization None
PostgreSQL Admin Activity logs Exfiltration: Cloud SQL Restore Backup to External Organization None
SQL Server Admin Activity logs Exfiltration: Cloud SQL Restore Backup to External Organization None
Generic Admin Activity audit logs Initial Access: Dormant Service Account Action>
Initial Access: Dormant Service Account Key Created
Initial Access: Excessive Permission Denied Actions
Initial Access: Leaked Service Account Key Used
Persistence: Compute Engine Admin Added SSH Key
Persistence: Compute Engine Admin Added Startup Script
Persistence: New API Method
Persistence: New Geography
Persistence: New User Agent
Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
Lateral Movement: Modified Boot Disk Attached to Instance Preview
None
VPC Service Controls Audit logs Defense Evasion: Modify VPC Service Control Preview None

What's next