Using Event Threat Detection

Review Event Threat Detection findings in the Security Command Center dashboard and see examples of Event Threat Detection findings.

Event Threat Detection is a built-in service for the Security Command Center Premium tier that monitors your organization's Cloud Logging stream and detects threats in near-real time. To learn more, see Event Threat Detection overview.

The following video shows the steps to set up Event Threat Detection and provides information about how to use the dashboard. Learn more about viewing and managing Event Threat Detection findings in Reviewing findings on this page.

Reviewing findings

To view Event Threat Detection findings, Event Threat Detection must be enabled in the Security Command Center Services settings. After you enable Event Threat Detection and turn on logs for your organization, folders, and projects, Event Threat Detection generates findings.

You can view Event Threat Detection findings in Security Command Center. You can also view findings in Cloud Logging if you configured Security Command Center sinks to write logs to Google Cloud's operations suite. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Event Threat Detection.

Event Threat Detection activation occurs within seconds. Detection latencies are generally less than 15 minutes from the time a log is written to when a finding is available in Security Command Center. For more information on latency, see Security Command Center latency overview.

Reviewing findings in Security Command Center

To review Event Threat Detection findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Event Threat Detection.
  4. To view details about a specific finding, click the finding name under category. The finding details panel expands to display information including the following:
    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection priority, for example High
    • The actions taken, like adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who took the action, listed next to properties_principalEmail
  5. To display all findings that were caused by the same user's actions:
    1. On the finding detail panel, copy the email address next to properties_principalEmail.
    2. Close the finding detail panel.
    3. In the Findings tab Filter box, enter sourceProperties.properties_principalEmail:USER_EMAIL, where USER_EMAIL is the email address you copied previously.

Security Command Center displays all findings that are associated with actions taken by the user you specified.

Viewing findings in Cloud Logging

To view Event Threat Detection findings in Cloud Logging:

  1. Go to the Logs Viewer page for Cloud Logging in the Cloud Console.
  2. On the Logs Viewer page, click Select, and then click the project where you are storing your Event Threat Detection logs.
  3. In the resource drop-down list, select Threat Detector.
    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.
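As an added example (not from the Google Cloud documentation or the Event Threat Detection service), the following Python applies the principal-email filter from the Security Command Center procedure above to findings locally and composes the equivalent Cloud Logging query for the Threat Detector resource selection. The sample findings are constructed, and the `threat_detector` resource type and the `:` substring / `=` exact-match filter semantics are assumptions.

```python
from collections import Counter

# Constructed sample findings (not real data) in the shape the Findings tab
# exposes: a category plus sourceProperties.properties_principalEmail.
SAMPLE_FINDINGS = [
    {"category": "Persistence: IAM Anomalous Grant", "eventTime": "2021-03-01T10:02:00Z",
     "sourceProperties": {"properties_principalEmail": "alice@example.com"}},
    {"category": "Brute Force: SSH", "eventTime": "2021-03-01T10:30:00Z",
     "sourceProperties": {"properties_principalEmail": "svc-build@example.iam.gserviceaccount.com"}},
    {"category": "Exfiltration: BigQuery Data Exfiltration", "eventTime": "2021-03-01T11:15:00Z",
     "sourceProperties": {"properties_principalEmail": "alice@example.com"}},
]

def build_scc_filter(principal_email):
    """Filter string for the Findings tab, exactly as in the procedure above."""
    return f"sourceProperties.properties_principalEmail:{principal_email}"

def _lookup(finding, dotted_path):
    """Resolve a dotted path such as sourceProperties.properties_principalEmail."""
    value = finding
    for key in dotted_path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value

def apply_filter(findings, filter_text):
    """Apply one FIELD:VALUE or FIELD=VALUE filter to a list of finding dicts.
    Assumption: ':' is a substring match and '=' an exact match, mirroring the
    Security Command Center filter operators; the first operator splits field/value."""
    idx = min((filter_text.find(op) for op in (":", "=") if op in filter_text), default=-1)
    if idx < 0:
        raise ValueError("expected FIELD:VALUE or FIELD=VALUE")
    field, op, wanted = filter_text[:idx], filter_text[idx], filter_text[idx + 1:]
    match = (lambda v: v == wanted) if op == "=" else (lambda v: wanted in v)
    return [f for f in findings
            if isinstance(_lookup(f, field), str) and match(_lookup(f, field))]

def summarize_by_category(findings):
    """Count findings per detection category, e.g. for a per-user triage view."""
    return Counter(f["category"] for f in findings)

def build_logging_filter(detector_name=None):
    """Cloud Logging query matching the Threat Detector resource selection.
    Assumption: the resource type is 'threat_detector' with a detector_name label."""
    parts = ['resource.type="threat_detector"']
    if detector_name:
        parts.append(f'resource.labels.detector_name="{detector_name}"')
    return " AND ".join(parts)

if __name__ == "__main__":
    hits = apply_filter(SAMPLE_FINDINGS, build_scc_filter("alice@example.com"))
    print(summarize_by_category(hits))
```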

Example findings

Example Event Threat Detection findings include the following:

Monitoring & Logging | Description

Data exfiltration
  Event Threat Detection detects data exfiltration from BigQuery by examining audit logs for two scenarios:
    • A resource is saved outside of your organization, or a copy operation is attempted that is blocked by VPC Service Controls.
    • An attempt is made to access BigQuery resources that are protected by VPC Service Controls.

Brute force SSH
  Event Threat Detection detects brute-force attacks against SSH password authentication by examining syslog logs for repeated failures followed by a success.

Cryptomining
  Event Threat Detection detects coin mining malware by examining VPC flow logs and Cloud DNS logs for connections to known bad domains for mining pools.

IAM abuse
  Anomalous IAM grants: Event Threat Detection detects the addition of IAM grants that might be considered anomalous, like:
    • Adding a user to a policy with the project editor role.
    • Inviting a user as a project owner from the Google Cloud Console.
    • A service account being granted sensitive permissions.
    • A custom role being granted sensitive permissions.
    • A service account being added from outside your organization.

Malware
  Event Threat Detection detects malware by examining VPC flow logs and Cloud DNS logs for connections to known command and control domains and IPs.

Phishing
  Event Threat Detection detects phishing by examining VPC flow logs and Cloud DNS logs for connections to known phishing domains and IPs.

Anomalous IAM behavior
  Event Threat Detection detects anomalous IAM behavior by examining Cloud Audit Logs for accesses from anomalous IP addresses and anomalous user agents.

Service account self-investigation
  Event Threat Detection detects when a service account credential is used to investigate the roles and permissions associated with that same service account.

What's next