Verify that Event Threat Detection is working by intentionally triggering either the IAM Anomalous Grant detector or the Malware: Bad Domain detector, and checking for findings.
Event Threat Detection is a built-in service that monitors your organization's Cloud Logging and Google Workspace logging streams and detects threats in near-real time. To learn more, read Event Threat Detection overview.
Before you begin
To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings.
Depending on which detector you want to test, you must have one of the following roles:
- IAM Anomalous Grant: An Identity and Access Management (IAM) role with the resourcemanager.projects.setIamPolicy permission, like the Project IAM Admin role.
- Malware: Bad Domain: An IAM role with the compute.instances.create and dns.policies.create permissions, like the Project Editor role.
Test Event Threat Detection
To test Event Threat Detection, choose one of the following options to trigger the service:
- IAM Anomalous Grant detector: Trigger this detector by granting a sensitive role to an external test user account.
- Malware: Bad Domain detector: Trigger this detector by executing a query to a test bad domain from a VM instance.
After you trigger findings, view the findings and perform cleanup:
- View the finding: Inspect the finding in Security Command Center or in Cloud Logging.
- Clean up: Delete the test resources to avoid leaving security anomalies or incurring costs.
Option A: IAM Anomalous Grant detector
To trigger the IAM Anomalous Grant detector, complete the following steps:
Create a test user
To trigger the detector, you need a test user with a gmail.com email address. You can create a gmail.com account and then grant it access to the project where you want to perform the test. Make sure that this gmail.com account doesn't already have any IAM permissions in the project where you are performing the test.
Trigger the IAM Anomalous Grant detector
Trigger the IAM Anomalous Grant detector by inviting the gmail.com email address to the Project Owner role.
In the Google Cloud console, go to the IAM page.
Click Grant access.
In the New principals field, enter the test user's gmail.com address.
In the Select a role drop-down list, select Project > Owner.
Click Save.
Option B: Malware: Bad Domain detector
To trigger the Malware: Bad Domain detector, complete the following steps:
Create a VM instance and enable Cloud DNS logs
- Create a VM instance on a VPC network. For instructions, see Create and start a VM instance. Ensure that the project containing the VM instance is in scope for Event Threat Detection. That is, the Event Threat Detection service is enabled for the project or its parent organization.
To enable logging, configure a DNS server policy for the VPC network:
In the Google Cloud console, go to the Cloud DNS page.
Select the DNS server policies tab.
Click Create policy.
In the Name field, enter a name for the policy.
Under Logs, select On to enable logging of DNS queries.
Under Networks, select the VPC network that your VM instance uses.
Click Create.
Trigger the Malware: Bad Domain detector
In the Google Cloud console, go to the VM instances page.
In the list of virtual machine instances, click SSH in the row of the VM instance you created. A terminal window opens on your VM instance.
Run the following command:
curl etd-malware-trigger.goog
View findings
After triggering findings by using either Option A or Option B, verify that the findings are generated by viewing them in Security Command Center or Cloud Logging.
To view the findings, follow the steps for your selected viewing location:
View the finding in Security Command Center
To view the Event Threat Detection finding in Security Command Center:
Go to the Security Command Center Findings page in the Google Cloud console.
In the Category section of the Quick filters panel, select the finding category:
- For Option A, select Persistence: IAM anomalous grant (click View more if necessary).
- For Option B, select Malware: Bad Domain (click View more if necessary).
To sort the list in the Findings query results panel, click the Event time column header so that the most recent finding displays first.
In the Findings query results panel, display the details of the finding by clicking the category name (Persistence: IAM Anomalous Grant or Malware: Bad Domain) in the Category column. The details panel for the finding opens and displays the Summary tab.
Verify the details of the finding:
- For IAM anomalous grant, check that the value on the Principal email row contains your test gmail.com email address.
- For Malware: Bad Domain, select the Source properties tab and check that the Domains row contains etd-malware-trigger.goog.
If a finding doesn't appear, verify your Event Threat Detection settings.
View the finding in Cloud Logging
If you enabled logging findings to Cloud Logging, you can view the finding there. Viewing logging findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.
In the Google Cloud console, go to Logs Explorer.
Select the Google Cloud project where you are storing your Event Threat Detection logs.
Use the Query pane to query findings using one of the following methods:
- In the All resources list, do the following:
  - Select Threat Detector to display a list of all detectors.
  - Under DETECTOR_NAME, select iam_anomalous_grant (for Option A) or bad_domain (for Option B).
  - Click Apply.
- In the query editor, enter the following query and click Run query:
resource.type="threat_detector"
To view the log, click a table row and click Expand nested fields.
If you don't see a finding, verify your Event Threat Detection settings.
Clean up
When you're finished testing, clean up the resources to avoid leaving security anomalies or incurring unwanted charges.
To clean up resources, follow the steps for the option you tested:
Clean up resources for IAM Anomalous Grant detector
In the Google Cloud console, go to the IAM page.
In the row for the test user's gmail.com address, click Edit principal.
In the pane that appears, click Delete role next to the Owner role.
Click Save.
Clean up resources for Malware: Bad Domain detector
- Delete the VM instance you created. For instructions, see Delete a VM instance.
- Disassociate or delete the DNS server policy that you created. For instructions, see Delete a DNS policy.
What's next
- Learn more about using Event Threat Detection.
- Read a high-level overview of Event Threat Detection concepts.
- Learn how to investigate and develop response plans for threats.