The Correlated Threats feature in Security Command Center helps you uncover critical active threats in your environment. Correlated Threats outputs a set of related threat findings and provides in-depth explanations about these findings, which you can then use to prioritize, understand, and respond to these threats.
Security teams often experience alert fatigue from managing an overwhelming number of threat findings. This situation can lead to missed or delayed responses. These teams require prioritized and relevant information quickly to identify post-exploit activity.
Correlated Threats help by aggregating multiple related threat findings into an issue. This aggregation helps provide higher confidence detections that you can act on. Correlated Threats generates an issue, which represents a series of related malicious activities.
This feature offers several benefits:
- Reduces alert fatigue by consolidating numerous findings into critical issues.
- Enhances detection fidelity by combining multiple signals, helping to increase confidence in detecting malicious activity.
- Provides a visualization of the attack chain, showing how events connect to help form a complete attack story. This approach helps you anticipate adversary moves and quickly identify compromised assets.
- Highlights critical threats and provides clear recommendations, helping you prioritize and accelerate your response.
How Correlated Threats work
The Correlated Threats feature uses a rules engine to identify and group related security findings.
The rules engine queries the security graph with predefined Correlated Threats queries. The engine then translates these query results into issues. Security Command Center manages the lifecycle of these threat issues. An issue remains active for 14 days after the first threat finding if you don't mute or mark it as inactive. This time period is automatically set and cannot be configured. Correlated Threats automatically resolve if the underlying resources, such as VMs or Google Kubernetes Engine nodes, are deleted.
Correlated Threats require more frequent rule executions than other security graph rules. The system processes threat rules hourly. This approach integrates with existing Security Command Center detection sources.
Correlated Threats rules
Correlated Threats help to identify various multi-stage attack patterns across cloud resources. The following Correlated Threats rules are available:
Multiple correlated threat signals of cryptocurrency mining software: This rule looks for multiple distinct signals of malicious software coming from Google Cloud virtual machines, including Compute Engine VMs and Google Kubernetes Engine (GKE) nodes (and their Pods).
Examples include the following:
- VM Threat Detection detects a cryptocurrency program and Event Threat Detection detects connections to cryptocurrency IP addresses or domains from the same VM.
- Container Threat Detection detects a program that is using the cryptocurrency mining stratum protocol and Event Threat Detection detects a connection to a cryptocurrency mining IP address from the same Google Kubernetes Engine node.
Multiple correlated threat signals of malicious software: This rule looks for multiple distinct signals of malicious software coming from Google Cloud virtual machines, including Compute Engine VMs and GKE nodes (and their Pods).
Examples include the following:
- Container Threat Detection detects the execution of both a malicious binary and a malicious Python script in the same Pod.
- Event Threat Detection detects a connection to a malware IP address and VM Threat Detection detects malware on the disk in the same VM.
Potentially compromised GCP account lateral movement to compromised GCE instance: This rule looks for evidence of suspicious calls to Compute Engine APIs that modify a VM (including GKE nodes), and then correlates that activity with malicious activity that originates from the VM within a short period. This is a common lateral movement pattern used by attackers. A match might indicate that the VM is compromised, and that the Google Cloud account (either a user or a service account) that made the API calls might be the cause of the malicious activity.
Examples include the following:
- Event Threat Detection detects that a user added a new SSH key to a Compute Engine instance, and VM Threat Detection detects a cryptocurrency miner running on the same instance.
- Event Threat Detection detects that a service account accessed an instance using the Compute Engine API from the Tor network, and Event Threat Detection detects connections to a malicious IP address from the same instance.
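The following toy correlation engine is an added example, not Security Command Center's rules engine or any of its code. It reproduces the shape of the three rules above and the issue lifecycle from the "How Correlated Threats work" section: findings are tied to a resource by its unique identifier, a multi-signal rule fires when two or more distinct (source, category) signals land on the same resource, the lateral movement rule fires when a VM-modifying API call is followed by malicious activity from that VM within a short window, and an issue becomes inactive 14 days after its first finding or resolves when the resource is deleted. The finding categories, resource names, principal, the 2-hour window and the category-to-tactic mapping are all constructed assumptions; the real category names, query language and mapping are the platform's and are not shown on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The 14-day active window is from the page; the "short period" used by the
# lateral movement rule is not stated there, so 2 hours is an assumption.
ISSUE_TTL = timedelta(days=14)
LATERAL_WINDOW = timedelta(hours=2)

# Constructed finding categories (not real Security Command Center category
# names), grouped by the signal class each Correlated Threats rule looks for.
MINING_SIGNALS = {"cryptominer_process", "cryptomining_connection", "stratum_protocol"}
MALWARE_SIGNALS = {"malicious_binary", "malicious_script", "malware_ip_connection", "malware_on_disk"}
VM_MODIFY_APIS = {"ssh_key_added", "compute_api_from_tor"}

# Assumed mapping of the constructed categories to MITRE ATT&CK tactics.
TACTIC = {"ssh_key_added": "Persistence", "compute_api_from_tor": "Initial Access",
          "cryptominer_process": "Impact", "cryptomining_connection": "Command and Control",
          "stratum_protocol": "Command and Control", "malicious_binary": "Execution",
          "malicious_script": "Execution", "malware_ip_connection": "Command and Control",
          "malware_on_disk": "Execution"}

@dataclass(frozen=True)
class Finding:
    source: str          # detection source, e.g. "Event Threat Detection"
    category: str        # one of the constructed categories above
    resource: str        # unique resource identifier: the correlation key
    time: datetime
    principal: str = ""  # identity involved, where the finding records one

@dataclass
class Issue:
    rule: str
    resource: str
    findings: list       # kept in chronological order
    first_seen: datetime
    state: str = "active"

def group_by_resource(findings):
    """Tie findings to the same resource and sort each group chronologically."""
    groups = {}
    for f in findings:
        groups.setdefault(f.resource, []).append(f)
    return {r: sorted(fs, key=lambda f: f.time) for r, fs in groups.items()}

def multi_signal_rule(name, signals, resource, findings):
    """Two or more distinct (source, category) signals on one resource -> issue."""
    hits = [f for f in findings if f.category in signals]
    if len({(f.source, f.category) for f in hits}) >= 2:
        return Issue(name, resource, hits, hits[0].time)
    return None

def lateral_movement_rule(resource, findings):
    """VM-modifying API call followed within LATERAL_WINDOW by malicious activity from the VM."""
    malicious = [f for f in findings if f.category in MINING_SIGNALS | MALWARE_SIGNALS]
    for api in (f for f in findings if f.category in VM_MODIFY_APIS):
        after = [m for m in malicious if api.time <= m.time <= api.time + LATERAL_WINDOW]
        if after:
            return Issue("lateral_movement", resource, [api] + after, api.time)
    return None

def correlate(findings, now, deleted_resources=()):
    """Run every rule per resource, then apply the issue lifecycle from the page."""
    issues = []
    for resource, fs in group_by_resource(findings).items():
        candidates = (multi_signal_rule("cryptomining", MINING_SIGNALS, resource, fs),
                      multi_signal_rule("malware", MALWARE_SIGNALS, resource, fs),
                      lateral_movement_rule(resource, fs))
        for issue in filter(None, candidates):
            if resource in deleted_resources:
                issue.state = "resolved"   # underlying resource was deleted
            elif now > issue.first_seen + ISSUE_TTL:
                issue.state = "inactive"   # 14 days after the first finding
            issues.append(issue)
    return issues

def attack_chain(issue):
    """Tactic sequence of the issue's findings, in the order they occurred."""
    return [TACTIC[f.category] for f in issue.findings]

def involved_identities(issue):
    # Principals recorded on any finding in the issue, for scope identification.
    return {f.principal for f in issue.findings if f.principal}

# Constructed sample findings: a VM whose SSH key change is followed by mining
# signals, a Pod with two malware signals, and a VM with only a single signal.
T0 = datetime(2024, 1, 1, 10, 0)
VM_A = "projects/demo-project/zones/us-central1-a/instances/vm-a"
POD_B = "projects/demo-project/locations/us-central1/clusters/demo/namespaces/default/pods/pod-b"
VM_C = "projects/demo-project/zones/us-central1-a/instances/vm-c"
SAMPLE_FINDINGS = [
    Finding("Event Threat Detection", "ssh_key_added", VM_A, T0, "svc-deploy@demo-project.iam.gserviceaccount.com"),
    Finding("VM Threat Detection", "cryptominer_process", VM_A, T0 + timedelta(minutes=30)),
    Finding("Event Threat Detection", "cryptomining_connection", VM_A, T0 + timedelta(minutes=45)),
    Finding("Container Threat Detection", "malicious_binary", POD_B, T0 + timedelta(hours=1)),
    Finding("Container Threat Detection", "malicious_script", POD_B, T0 + timedelta(hours=1, minutes=5)),
    Finding("VM Threat Detection", "cryptominer_process", VM_C, T0),
]

def demo(days_after_first_finding=1, deleted_resources=()):
    """Summarise issues as (rule, resource, state, finding count, attack chain, identities)."""
    now = T0 + timedelta(days=days_after_first_finding)
    return [(i.rule, i.resource, i.state, len(i.findings), attack_chain(i), sorted(involved_identities(i)))
            for i in correlate(SAMPLE_FINDINGS, now, deleted_resources)]
```

Calling `demo()` yields three issues: a cryptomining issue and a lateral movement issue on vm-a (the lateral one carries the SSH-key change plus both mining signals and names the service account that made the call), and a malware issue on pod-b; vm-c, with a single signal, produces nothing, which is the point of requiring multiple distinct signals. `demo(15)` shows every issue turned inactive after the 14-day window, and passing the Pod's identifier in `deleted_resources` resolves only the Pod's issue.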
Investigate Correlated Threats
Correlated Threats guide you through a structured investigation process. This process helps you understand and respond to security incidents effectively. You can use the Threat findings index to find further information on a specific threat finding. Each finding-specific page describes how to investigate and respond to the threat.
Reception
You receive a Correlated Threats issue through Security Command Center. This issue indicates that the system detected and grouped multiple suspicious findings. You recognize this issue as high priority, because it is marked as an Active threat. The correlation of multiple signals indicates a true positive that warrants immediate focus. For more information, see Manage and remediate issues.
Deconstruction
Open the issue to see its parts. Within the issue details view, you can expand a section to see the individual findings. For example, if a harmful script runs on a GKE node and then connects to a malicious IP address, both events appear together. Check the details of each finding, such as when it happened, what processes were involved, the malicious IP addresses, and where the detection came from. This information indicates that the events are potentially related and explains the attack's technical details. A chronological view shows the sequence of events. The system maps these details to MITRE ATT&CK attack chain stages and presents them on an attack chain visualization. This feature gives you immediate context on the attack stage.
Scope identification
Determine the extent of the threat. Check contextual information about the correlated events, such as the affected asset and its project or cluster context. The platform correlates issues by resource, using unique identifiers to tie events to the same node. This shows the impacted asset. Verify if other assets show similar signs. Note the identities involved, such as the service account or user that ran the malicious script. This scoped view helps you focus on affected systems and confirms whether the incident is localized or widespread.
Next actions
The system marks Correlated Threat issues with a critical severity. You can find recommended actions in the How to fix views. Contain the impacted asset, for example, by isolating or shutting down the affected GKE node. Follow recommendations, such as blocking the known malicious IP at the firewall or cloud VPC level. The recommended actions help you respond faster, contain the incident, and initiate a focused investigation. For more information on threats, see How to investigate threats.