Testing Event Threat Detection

Verify that Event Threat Detection is working by intentionally triggering the IAM Anomalous Grant detector and checking for findings. Event Threat Detection is a built-in service for the Security Command Center Premium tier. To view Event Threat Detection findings, it must be enabled in Security Command Center Services settings.

Before you begin

To complete this guide, you must have an Identity and Access Management (IAM) role with the resourcemanager.projects.setIamPolicy permission, like the Project IAM Admin role.

Testing Event Threat Detection

To test Event Threat Detection, you create a test user, grant permissions, and then view the finding in the Security Command Center dashboard and in Cloud Logging.

Step 1: Creating a test user

To trigger the detector, you need a test user with a gmail.com email address. You can create a gmail.com account and then grant it access to the project where you want to perform the test.

  1. Go to the IAM & Admin page in the Cloud Console.
  2. On the IAM & Admin page, click Add.
  3. In the Add members window, under New members, enter the test user's gmail.com address.
  4. Under Select a role, select Project > Browser.
  5. Click Save.

Step 2: Triggering the IAM Anomalous Grant detector

Trigger the IAM Anomalous Grant detector by granting the Project Editor role to a gmail.com email address. Note: Currently, this finding is only triggered for Security Command Center users with a gmail.com email address.

  1. Go to the IAM & Admin page in the Cloud Console.
  2. Next to the test user's gmail.com address, click Edit.
  3. On the Edit permissions panel that appears, click Add another role.
  4. Select Project > Editor.
  5. Click Save.

Next, you verify that the IAM Anomalous Grant detector has written findings.

Step 3: Viewing the finding in Security Command Center

To view the Event Threat Detection finding in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Event Threat Detection.
  4. In the Filter box, enter category:iam.
  5. Sort the list by clicking the eventTime column header so that the most recent finding displays first.
  6. Click the finding type name Persistence: Iam Anomalous Grant to display the Finding Details panel.
  7. On the Finding Details panel, click Source Properties. The properties field should show the test gmail.com email address you granted permissions to.

If a finding doesn't appear that matches your test gmail.com account, verify your Event Threat Detection settings.

Step 4: Viewing the finding in Cloud Logging

If you have enabled logging findings to Cloud Logging, you can view the finding there.

  1. Go to the Logs Viewer page in the Cloud Console.
  2. On the Logs Viewer page, click Select, and then click the project where you are storing your Event Threat Detection logs.
  3. In the resource drop-down list, select Cloud Threat Detector, and then select iam_anomalous_grant.
  4. To view the log, click the log name and then click Expand all.

If you don't see a finding for the IAM Anomalous Grant rule, verify your Event Threat Detection settings.

Clean up

When you're finished testing, you can remove the test user from the project.

  1. Go to the IAM & Admin page in the Cloud Console.
  2. Next to the test user's gmail.com address, click Edit.
  3. On the Edit permissions panel that appears, click Delete for all roles granted to the test user.
  4. Click Save.
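The console procedure above (grant Browser, grant Editor, check the log, revoke both roles) as a single gcloud script. This is an added example, not code from Google's documentation. PROJECT_ID, ORG_ID, SOURCE_ID and the test address are placeholders you must replace; the Cloud Logging resource type, its detector_name label, and the Security Command Center filter syntax are assumptions about how the detector's output is exposed. With DRY_RUN=1 (the default) the script only prints the commands it would run, so you can review exactly which principal gets Editor before anything is changed.

```shell
#!/bin/sh
# Added example (not Google's code): the console steps as gcloud commands.
# Placeholders: PROJECT_ID, ORG_ID, SOURCE_ID, TEST_USER (constructed address).
PROJECT_ID="${PROJECT_ID:-example-test-project}"   # placeholder
ORG_ID="${ORG_ID:-000000000000}"                     # placeholder org number
SOURCE_ID="${SOURCE_ID:-000000000000}"               # placeholder ETD source id
TEST_USER="${TEST_USER:-etd-test-user@gmail.com}"    # constructed test address
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The detector only fires for gmail.com principals, and Editor is a broad
# role, so refuse to proceed for any other kind of identity.
require_gmail() {
  case "$1" in *@gmail.com) return 0 ;; *) return 1 ;; esac
}

# Steps 1 and 2: bind a role to the test user (Browser first, then Editor).
grant_role() {
  require_gmail "$TEST_USER" || {
    echo "refusing: $TEST_USER is not a gmail.com test account" >&2
    return 1
  }
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="user:$TEST_USER" --role="$1"
}

# Step 3: list the detector's findings through Security Command Center.
# The substring filter on category is an assumption about the filter syntax.
list_findings() {
  run gcloud scc findings list "$ORG_ID" --source="$SOURCE_ID" \
    --filter='category:"Anomalous Grant"' --format=json
}

# Step 4: pull the same finding from Cloud Logging. The resource type and
# the detector_name label are assumptions about how the detector logs.
read_finding_logs() {
  run gcloud logging read \
    'resource.type="threat_detector" AND resource.labels.detector_name="iam_anomalous_grant"' \
    --project="$PROJECT_ID" --limit=5 --format=json
}

# Clean up: remove a binding from the test user.
revoke_role() {
  run gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
    --member="user:$TEST_USER" --role="$1"
}

main() {
  grant_role roles/browser
  grant_role roles/editor
  list_findings
  read_finding_logs
  revoke_role roles/editor
  revoke_role roles/browser
}

# Run the whole sequence only when explicitly asked for.
if [ "${RUN_ETD_TEST:-0}" = "1" ]; then main; fi
```

Run it once with the defaults to read the printed commands, then again with `RUN_ETD_TEST=1 DRY_RUN=0` against a disposable project. Allow a few minutes between the Editor grant and the two read steps; the revoke calls at the end leave the project without the test bindings either way.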

What's next