Using Event Threat Detection

Review Event Threat Detection findings in the Security Command Center dashboard, and see examples of Event Threat Detection findings. Event Threat Detection is a built-in service for the Security Command Center Premium tier. To view Event Threat Detection findings, it must be enabled in Security Command Center Services settings.

Reviewing findings

When Event Threat Detection generates findings, you can view them in Security Command Center. You can also view findings in Cloud Logging if you have configured Security Command Center sinks to write logs to Google Cloud's operations suite. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Event Threat Detection.

Event Threat Detection activation occurs within seconds. Detection latencies are generally less than 15 minutes from the time a log is written to when a finding is available in Security Command Center. For more information, read Security Command Center latency overview.

Reviewing findings in Security Command Center

To review Event Threat Detection findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
    Go to the Findings tab
  2. Next to View by, click Source Type.
  3. In the Source type list, select Event Threat Detection.
  4. To view details about a specific finding, click the finding name under category. The finding details panel expands to display information including the following:
    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection priority, for example High
    • The actions taken, like adding an Identity and Access Management (IAM) role to a Gmail user
    • The user who took the action, listed next to properties_principalEmail
  5. To display all findings that were caused by the same user's actions:
    1. On the finding detail panel, copy the email address next to properties_principalEmail.
    2. Close the finding detail panel.
    3. In the Findings tab Filter box, enter sourceProperties.properties_principalEmail:user@domain, where user@domain is the email address you copied previously.

Security Command Center displays all findings that are associated with actions taken by the user you specified.

Viewing findings in Cloud Logging

To view Event Threat Detection findings in Cloud Logging:

  1. Go to the Logs Viewer page for Cloud Logging in the Cloud Console.
    Go to the Logs Viewer page
  2. On the Logs Viewer page, click Select, and then click the project where you are storing your Event Threat Detection logs.
  3. In the resource drop-down list, select Cloud Threat Detector.
    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.

Example findings

Example Event Threat Detection findings include the following:

Monitoring & Logging Description
Brute force SSH Event Threat Detection detects brute force of password authentication SSH by examining syslog logs for repeated failures followed by a success.
Cryptomining Event Threat Detection detects coin mining malware by examining VPC flow logs and Cloud DNS logs for connections to known bad domains for mining pools.
IAM abuse

Anomalous IAM grants: Event Threat Detection detects the addition of IAM grants that might be considered anomalous, like:

  • Adding a gmail.com user to a policy with the project editor role.
  • Inviting a gmail.com user as a project owner from the Google Cloud Console.
  • Service account granting sensitive permissions.
  • Custom role granted sensitive permissions.
  • Service account added from outside your organization.
Malware Event Threat Detection detects malware by examining VPC flow logs and Cloud DNS logs for connections to known command and control domains and IPs.
Phishing Event Threat Detection detects phishing by examining VPC flow logs and Cloud DNS logs for connections to known phishing domains and IPs.

What's next