Configuring Event Threat Detection logging

Configure Event Threat Detection and select where to write your Event Threat Detection output if you haven't migrated to the Security Command Center Premium tier. This guide is for the Security Command Center Legacy UI, which is only visible if you haven't migrated to the Security Command Center Premium or Standard tier.

We recommend using the following initial settings:

  • Scan all projects
  • Enable all rules
  • Enable Cloud Logging for your project

Cloud Console

Scanning projects

On the Event Threat Detection Sources tab, you can choose which projects to monitor.

To monitor all projects:

  1. Go to the Event Threat Detection Sources page in the Cloud Console.
  2. Select Include all current and future projects.
  3. Click Save.

To monitor most projects, exclude the projects you don't want to monitor:

  1. Go to the Event Threat Detection Sources page in the Cloud Console.
  2. Select Exclude a subset of your projects.
  3. Select the projects you do not want to monitor.
  4. Click Save.

To monitor a few projects, select the specific projects to include:

  1. Go to the Event Threat Detection Sources page in the Cloud Console.
  2. Select Include a subset of your projects.
  3. Select the projects to monitor. You must select at least one.
  4. Click Save.

Enabling rules

On the Event Threat Detection Rules tab, you can select which rules to enable.

  1. Go to the Event Threat Detection Rules page in the Cloud Console.
  2. Under Enable, click next to a rule name to enable or disable that rule.

Configuring output

On the Event Threat Detection Outputs tab, you can select where to log your findings.

Event Threat Detection findings are automatically written to Security Command Center. If you also want to log your findings to Google Cloud's operations suite:

  1. Go to the Event Threat Detection Outputs page in the Cloud Console.
  2. Enable Log findings to Google Cloud's operations suite.
  3. Select the project where you want to store the logs. You can enter its name in Project or click Browse and then select it.
  4. Click Save.

API

To enable the recommended Event Threat Detection settings using the API, get a credential bearer token, and then use the following curl commands.

Getting a credential bearer token

To get the credential bearer token for your service account, use the following gcloud tool commands.

$ export GOOGLE_APPLICATION_CREDENTIALS=path-to-your-service-account.json
$ TOKEN=`gcloud auth application-default print-access-token`

Scanning projects

Use sourceSettings to choose which projects to monitor. To enable Event Threat Detection for all projects in your organization, use the following command:

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sourceSettings" \
    --data '{ "settings": { "log_sources": { "inclusion_mode": "ALL" } } }'

Enabling rules

Use detectorSettings to choose which detectors to enable. To enable all Event Threat Detection detectors, use the following command to set every rule to true:

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/detectorSettings" \
    --data '{ "settings":
        { "outgoing_dos": { "enable_event_threat_detection": true },
        "malware_bad_ip": { "enable_event_threat_detection": true },
        "malware_bad_domain": { "enable_event_threat_detection": true },
        "ssh_brute_force": { "enable_event_threat_detection": true },
        "cryptomining_pool_domain": { "enable_event_threat_detection": true },
        "cryptomining_pool_ip": { "enable_event_threat_detection": true },
        "iam_anomalous_grant": { "enable_event_threat_detection": true } } }'

Note that the JSON body is single-quoted, so it must not contain backslash line continuations; a backslash inside single quotes is passed literally and makes the body invalid JSON. Bare newlines inside the quoted string are fine.

Configuring output

Use sinkSettings to configure output. To set the project where findings are logged, use the following command:

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sinkSettings" \
    --data '{ "settings":
        { "logging_sink_project": "projects/your-ETD-logging-destination-project-ID" } }'
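The three curl commands above share the same headers and endpoint prefix, and the detectorSettings body is the one most likely to be mistyped by hand. The following POSIX shell helper is an added example, not Google's own tooling: it builds the detectorSettings body from a list of rule names (the seven rule names are the ones shown on this page), and wraps the PATCH call so that the organization ID and token come from environment variables. The function names `detector_settings_body` and `etd_patch` and the variables `ORG_ID` and `ETD_RULES` are assumptions for this example.

```shell
#!/bin/sh
# Added example (not part of the Google Cloud documentation).
# Assumes: TOKEN holds the bearer token from
#   gcloud auth application-default print-access-token
# and ORG_ID holds your organization ID (both hypothetical variable names).

# Rule names taken from the detectorSettings example on this page.
ETD_RULES="outgoing_dos malware_bad_ip malware_bad_domain ssh_brute_force \
cryptomining_pool_domain cryptomining_pool_ip iam_anomalous_grant"

# detector_settings_body <true|false> <rule>...
# Prints a single-line JSON body that enables (true) or disables (false)
# enable_event_threat_detection for every rule given, so the quoting
# pitfall of hand-written multi-line bodies cannot occur.
detector_settings_body() {
  enable="$1"; shift
  body='{ "settings": {'
  sep=''
  for rule in "$@"; do
    body="$body$sep \"$rule\": { \"enable_event_threat_detection\": $enable }"
    sep=','
  done
  printf '%s } }' "$body"
}

# etd_patch <sourceSettings|detectorSettings|sinkSettings> <json-body>
# Sends the PATCH, prints the response body and the HTTP status on the
# last line, and returns non-zero on a non-2xx status.
etd_patch() {
  resource="$1"; data="$2"
  : "${TOKEN:?set TOKEN first}" "${ORG_ID:?set ORG_ID first}"
  status=$(curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/$ORG_ID/$resource" \
    --data "$data" -o /dev/stderr -w '%{http_code}')
  echo "HTTP $status"
  case "$status" in 2??) return 0 ;; *) return 1 ;; esac
}

# Usage (only runs when invoked as: sh this-script.sh apply):
if [ "${1:-}" = "apply" ]; then
  etd_patch sourceSettings '{ "settings": { "log_sources": { "inclusion_mode": "ALL" } } }'
  # shellcheck disable=SC2086  # word-splitting of ETD_RULES is intended
  etd_patch detectorSettings "$(detector_settings_body true $ETD_RULES)"
  etd_patch sinkSettings \
    '{ "settings": { "logging_sink_project": "projects/your-ETD-logging-destination-project-ID" } }'
fi
```

Disabling every rule is the same call with `false` as the first argument; `detector_settings_body false $ETD_RULES` produces a body that leaves each rule present but turned off, which is distinct from the empty `{ "settings": {} }` body the page uses to disable the product entirely.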

Disabling Event Threat Detection

To disable Event Threat Detection, set sourceSettings, detectorSettings, and sinkSettings to empty objects.

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sourceSettings" \
    --data '{ "settings": {} }'

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/detectorSettings" \
    --data '{ "settings": {} }'

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sinkSettings" \
    --data '{ "settings": {} }'

What's next