Configuring Event Threat Detection logging

This page describes how to configure Event Threat Detection Legacy and manage its logs in Security Command Center Legacy, a pre-GA version of Security Command Center that is not available to new subscribers. Security Command Center Legacy is visible only to users who have not subscribed to the Security Command Center Premium or Standard tier.

If you are already subscribed to the Security Command Center Premium tier, Event Threat Detection is automatically configured for you, and you can control Cloud Logging output using the Sinks configuration. For more information, see configuring Security Command Center.

Event Threat Detection monitors your organization's Cloud Logging stream and detects threats in near-real time. To learn more, read Event Threat Detection overview.

Use the following instructions to set up Event Threat Detection scans in the Legacy UI and choose where to write logs.

We recommend using the following initial settings:

  • Scan all projects
  • Enable all rules
  • Enable Cloud Logging for your project

Cloud Console

Scanning projects

On the Event Threat Detection Sources tab, you can choose which projects to monitor.

To monitor all projects:

  1. Go to the Event Threat Detection Sources page in the Cloud Console.
  2. Select Include all current and future projects.
  3. Click Save.

To monitor most projects, exclude the projects you don't want to monitor:

  1. Go to the Event Threat Detection Sources page in the Cloud Console.
  2. Select Exclude a subset of your projects.
  3. Select the projects you do not want to monitor.
  4. Click Save.

To monitor a few projects, select the specific projects to include:

  1. Go to the Event Threat Detection Sources page in the Cloud Console.
  2. Select Include a subset of your projects.
  3. Select the projects to monitor. You must select at least one.
  4. Click Save.

Enabling rules

On the Event Threat Detection Rules tab, you can select which rules to enable.

  1. Go to the Event Threat Detection Rules page in the Cloud Console.
  2. Under Enable, click the toggle next to a rule name to enable or disable that rule.

Configuring output

On the Event Threat Detection Outputs tab, you can select where to log your findings.

Event Threat Detection findings are automatically written to Security Command Center. If you also want to log your findings to Google Cloud's operations suite:

  1. Go to the Event Threat Detection Outputs page in the Cloud Console.
  2. Enable Log findings to Google Cloud's operations suite.
  3. Select the project where you want to store the logs. You can enter its name in Project or click Browse and then select it.
  4. Click Save.

API

To enable the recommended Event Threat Detection settings using the API, get a credential bearer token, and then use the following curl commands.

Getting a credential bearer token

To get the credential bearer token for your service account, use the following gcloud tool commands.

$ export GOOGLE_APPLICATION_CREDENTIALS=path-to-your-service-account.json
$ TOKEN=$(gcloud auth application-default print-access-token)

Scanning projects

Use sourceSettings to choose which projects to monitor. To enable Event Threat Detection for all projects in your organization, use the following command:

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sourceSettings" \
    --data '{ "settings": { "log_sources": { "inclusion_mode": "ALL" } } }'

Enabling rules

Use detectorSettings to choose which detectors to enable. To enable all Event Threat Detection detectors, use the following command to set every rule to true. The JSON body is one single-quoted argument, so it needs no shell line continuations; a backslash inside the quotes would be sent to the API verbatim and rejected as invalid JSON.

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/detectorSettings" \
    --data '{ "settings":
        { "outgoing_dos": { "enable_event_threat_detection": true },
        "malware_bad_ip": { "enable_event_threat_detection": true },
        "malware_bad_domain": { "enable_event_threat_detection": true },
        "ssh_brute_force": { "enable_event_threat_detection": true },
        "cryptomining_pool_domain": { "enable_event_threat_detection": true },
        "cryptomining_pool_ip": { "enable_event_threat_detection": true },
        "iam_anomalous_grant": { "enable_event_threat_detection": true } } }'

Configuring output

Use sinkSettings to configure output. To set the project where findings are logged, use the following command (as above, the quoted JSON body must not contain shell line continuations):

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sinkSettings" \
    --data '{ "settings":
        { "logging_sink_project": "projects/your-ETD-logging-destination-project-ID" } }'

Disabling Event Threat Detection

To disable Event Threat Detection, set each of sourceSettings, detectorSettings, and sinkSettings to an empty settings object.

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sourceSettings" \
    --data '{ "settings": {} }'

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/detectorSettings" \
    --data '{ "settings": {} }'

$ curl -s --request PATCH \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
    "https://threatdetection.googleapis.com/v1/organizations/your-organization-ID/sinkSettings" \
    --data '{ "settings": {} }'
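The API steps above (token, sourceSettings, detectorSettings, sinkSettings, and disabling) collected into one script, as an added example that is not part of the original page and not Google's own tooling. The endpoint paths, rule names and JSON field names are the ones documented on this page; the function names, the ETD_ORG_ID and ETD_DRY_RUN variables and the pre-flight payload check are this example's own assumptions. The check exists because a shell line continuation left inside the single-quoted --data string is sent to the API verbatim and is not valid JSON, and because a dry run is the cheapest way to review an organization-wide change before sending it.

```shell
#!/bin/sh
# Added example: wrapper around the Event Threat Detection Legacy endpoints
# documented on this page. Endpoint paths and JSON fields come from the page;
# ETD_ORG_ID, ETD_DRY_RUN, the helper names and the payload check are this
# example's own (assumed) conventions, not Google tooling.
set -eu

ETD_API="https://threatdetection.googleapis.com/v1"
ETD_ORG_ID="${ETD_ORG_ID:-your-organization-ID}"
# Rule names accepted by detectorSettings, as listed on this page.
ETD_RULES="outgoing_dos malware_bad_ip malware_bad_domain ssh_brute_force \
cryptomining_pool_domain cryptomining_pool_ip iam_anomalous_grant"

# Emit the sourceSettings payload for an inclusion mode ("ALL" on this page).
build_source_settings() {
  printf '{ "settings": { "log_sources": { "inclusion_mode": "%s" } } }\n' "$1"
}

# Emit a detectorSettings payload enabling every rule named in $1.
build_detector_settings() {
  enabled="$1"; sep=""; out='{ "settings": {'
  for rule in $enabled; do
    out="$out$sep \"$rule\": { \"enable_event_threat_detection\": true }"
    sep=","
  done
  printf '%s } }\n' "$out"
}

# Emit the sinkSettings payload for a logging destination project ID.
build_sink_settings() {
  printf '{ "settings": { "logging_sink_project": "projects/%s" } }\n' "$1"
}

# Pre-flight check: a backslash left inside the quoted --data string is sent
# verbatim and is not JSON; unbalanced braces mean a truncated payload.
payload_looks_ok() {
  case "$1" in *\\*) return 1 ;; esac
  opens=$(printf '%s' "$1" | tr -cd '{' | wc -c | tr -d ' ')
  closes=$(printf '%s' "$1" | tr -cd '}' | wc -c | tr -d ' ')
  [ "$opens" -gt 0 ] && [ "$opens" -eq "$closes" ]
}

# PATCH one settings resource. ETD_DRY_RUN=1 prints the request instead of
# sending it, so a change can be reviewed before it touches the organization.
etd_patch() {
  resource="$1"; payload="$2"
  payload_looks_ok "$payload" || {
    echo "refusing to send malformed payload for $resource" >&2; return 1; }
  if [ "${ETD_DRY_RUN:-0}" = "1" ]; then
    printf 'PATCH %s/organizations/%s/%s\n%s\n' \
      "$ETD_API" "$ETD_ORG_ID" "$resource" "$payload"
    return 0
  fi
  curl -sS --fail --request PATCH \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${TOKEN:?set TOKEN from gcloud first}" \
    "$ETD_API/organizations/$ETD_ORG_ID/$resource" \
    --data "$payload"
}

# The recommended settings: scan all projects, all rules, log findings to $1.
etd_enable_recommended() {
  etd_patch sourceSettings "$(build_source_settings ALL)"
  etd_patch detectorSettings "$(build_detector_settings "$ETD_RULES")"
  etd_patch sinkSettings "$(build_sink_settings "$1")"
}

# Disabling: the page documents empty settings objects on all three resources.
etd_disable() {
  for r in sourceSettings detectorSettings sinkSettings; do
    etd_patch "$r" '{ "settings": {} }'
  done
}

# Usage: sh etd.sh enable LOGGING_PROJECT_ID   |   sh etd.sh disable
case "${1:-}" in
  enable)  etd_enable_recommended "${2:?logging destination project ID}" ;;
  disable) etd_disable ;;
esac
```

Run it once with ETD_DRY_RUN=1 and ETD_ORG_ID set to confirm the three requests look right, then export TOKEN as shown above and run it again without the dry-run flag. The check in payload_looks_ok is deliberately minimal (no backslashes, balanced braces); it catches the continuation-line mistake, not every malformed body.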

What's next