Testing Event Threat Detection

Verify that Event Threat Detection is working by intentionally triggering the IAM Anomalous Grant detector and checking for findings.

Event Threat Detection is a built-in service for the Security Command Center Premium tier that monitors your organization's Cloud Logging and Google Workspace logging streams and detects threats in near-real time. To learn more, read Event Threat Detection overview.

Before you begin

To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings.

To complete this guide, you must have an Identity and Access Management (IAM) role with the resourcemanager.projects.setIamPolicy permission, like the Project IAM Admin role.

Testing Event Threat Detection

To test Event Threat Detection, you create a test user, grant permissions, and then view the finding in the Google Cloud console and in Cloud Logging.

Step 1: Creating a test user

To trigger the detector, you need a test user with a gmail.com email address. You can create a gmail.com account and then grant it access to the project where you want to perform the test. Make sure that this gmail.com account doesn't already have any IAM permissions in the project where you are performing the test. Use a project set aside for testing: the grant you are about to make is real and gives the consumer account full control of the project until you remove it in the Clean up section. If the organization enforces the iam.allowedPolicyMemberDomains organization policy (domain restricted sharing), the invitation to a gmail.com address is rejected and the test cannot be run in that project.

Step 2: Triggering the IAM Anomalous Grant detector

Trigger the IAM Anomalous Grant detector by inviting the gmail.com email address to the Project Owner role.

  1. Go to the IAM & Admin page in the Google Cloud console.
  2. On the IAM & Admin page, click Add.
  3. In the Add principals window, under New principals, enter the test user's gmail.com address.
  4. Under Select a role, select Project > Owner.
  5. Click Save.

Next, you verify that the IAM Anomalous Grant detector has written a finding.

Step 3: Viewing the finding in Security Command Center

To view the Event Threat Detection finding in Security Command Center:

  1. Go to the Security Command Center Findings page in the Google Cloud console.


  2. In the Category section of the Quick filters panel, select Persistence: IAM anomalous grant. If necessary, click View more to find it. The Findings query results panel updates to show only the selected finding category.

  3. To sort the list in the Findings query results panel, click the Event time column header so that the most recent finding displays first.

  4. In the Findings query results panel, display the details of the finding by clicking Persistence: IAM Anomalous Grant in the Category column. The details panel for the finding opens and displays the Summary tab.

  5. Check the value on the Principal email row. It should be the test gmail.com email address that you granted ownership to.

If a finding doesn't appear that matches your test gmail.com account, verify your Event Threat Detection settings.

Step 4: Viewing the finding in Cloud Logging

If you enabled logging of findings to Cloud Logging, you can also view the finding there. Viewing findings in Cloud Logging is only available if you activated the Security Command Center Premium tier at the organization level.

  1. Go to Logs Explorer in the Google Cloud console.


  2. In the Project selector at the top of the page, select the project where you are storing your Event Threat Detection logs.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select Threat Detector.

  5. Under Detector name, select iam_anomalous_grant, and then click Add. The query appears in the query builder text box.

  6. Alternatively, enter the following query in the text box:

    resource.type="threat_detector" resource.labels.detector_name="iam_anomalous_grant"
    

  7. Click Run Query. The Query results table is updated with the logs you selected.

  8. To view a log, click a table row, and then click Expand nested fields.

If you don't see a finding for the IAM Anomalous Grant rule, verify your Event Threat Detection settings.

Clean up

When you're finished testing, remove the test user from the project.

  1. Go to the IAM & Admin page in the Google Cloud console.
  2. Next to the test user's gmail.com address, click Edit.
  3. On the Edit permissions panel that appears, click Delete for all roles granted to the test user.
  4. Click Save.
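The verification and clean-up half of this test can be driven from a shell instead of the console. The script below is an added example, not part of the Google Cloud documentation or the Security Command Center product: it checks that the test account is a gmail.com address (the precondition from Step 1), polls Cloud Logging with the exact query from Step 4 until the detector's log entry for the test user appears, and then removes the test user's Owner binding as in the Clean up section. The role grant itself is still done in the console as in Step 2. PROJECT_ID, the test address and the polling budget are placeholders you supply; the 10-minute default budget and 30-second interval are assumptions, not documented latencies.

```shell
#!/usr/bin/env bash
# Added example (not from the Google Cloud documentation): verify and clean up
# the IAM Anomalous Grant test from a shell. Requires gcloud authenticated
# with permission to read logs and set the project IAM policy.
#
# Usage: ./etd-test.sh PROJECT_ID test.user@gmail.com
#        (run after you have granted Owner to the test user in the console)

# Query from Step 4 of the guide, used verbatim with `gcloud logging read`.
ETD_LOG_QUERY='resource.type="threat_detector" resource.labels.detector_name="iam_anomalous_grant"'

# The detector is exercised with a gmail.com account (Step 1), so refuse any
# other address before starting a test that will never fire.
check_test_email() {
    case "$1" in
        *@gmail.com) return 0 ;;
        *) echo "test user must be a gmail.com address, got: $1" >&2; return 1 ;;
    esac
}

# Wrapper around the real gcloud call so it can be swapped out for an offline
# stand-in when exercising this script. Prints recent matching entries as JSON.
read_detector_logs() {
    project="$1"
    gcloud logging read "$ETD_LOG_QUERY" \
        --project="$project" --freshness=1d --limit=20 --format=json
}

# Succeeds if the JSON on stdin mentions the test user's address anywhere.
# Matching the raw text avoids hard-coding the field path the detector writes.
log_mentions_email() {
    grep -F -q -- "$1"
}

# Poll until the detector's entry for the test user shows up or the budget
# (seconds) runs out. Findings are near-real time, not instantaneous.
wait_for_finding() {
    project="$1"; email="$2"; budget="${3:-600}"; interval="${4:-30}"
    waited=0
    while [ "$waited" -lt "$budget" ]; do
        if read_detector_logs "$project" | log_mentions_email "$email"; then
            echo "iam_anomalous_grant entry found for $email after ${waited}s"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "no iam_anomalous_grant entry for $email within ${budget}s; verify Event Threat Detection settings" >&2
    return 1
}

# Clean up: remove the Owner binding the test created (Clean up section).
revoke_test_owner() {
    gcloud projects remove-iam-policy-binding "$1" \
        --member="user:$2" --role="roles/owner"
}

# Only run end to end when invoked with PROJECT_ID and the test address;
# sourcing or running the file without arguments just defines the functions.
if [ "$#" -eq 2 ]; then
    check_test_email "$2" || exit 1
    wait_for_finding "$1" "$2"
    status=$?
    revoke_test_owner "$1" "$2"
    exit "$status"
fi
```

The binding is removed whether or not the finding appeared, so a failed test does not leave a consumer account as Owner of the project; the script's exit status still reports whether the detector fired.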
