This page shows you how to review Event Threat Detection findings in the Google Cloud console and includes examples of Event Threat Detection findings.
Event Threat Detection is a built-in service that monitors the Cloud Logging logging streams for your organization or projects and detects threats in near-real time. If you activate Security Command Center at the organization level, Event Threat Detection can also monitor your organization's Google Workspace logging streams. To learn more, see Event Threat Detection overview.
Enable or disable Event Threat Detection
By default, Event Threat Detection is enabled. For general information about how to enable or disable a built-in service or its modules, see Configure Security Command Center services.
Reviewing findings
To view Event Threat Detection findings, the service must be enabled in the Security Command Center Services settings. After you enable it, Event Threat Detection generates findings by scanning specific logs. Some of the logs that Event Threat Detection can scan are turned off by default, so you might need to turn them on.
For more information about the built-in detection rules that Event Threat Detection uses and the logs that Event Threat Detection scans, see the following topics:
You can view Event Threat Detection findings in Security Command Center. If you configured Continuous Exports to write logs, you can also view findings in Cloud Logging. Continuous Exports to Cloud Logging are only available when you activate Security Command Center at the organization level. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Event Threat Detection.
Event Threat Detection activation occurs within seconds. Detection latencies are generally less than 15 minutes from the time a log is written to when a finding is available in Security Command Center. For more information on latency, see Security Command Center latency overview.
Reviewing findings in Security Command Center
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
Use the following procedure to review findings in the Google Cloud console:
In the Google Cloud console, go to the Security Command Center Findings page.
If necessary, select your Google Cloud project or organization.
In the Quick filters section, in the Source display name subsection, select one or both of the following:
- Event Threat Detection: to filter for findings generated by built-in Event Threat Detection detectors
- Event Threat Detection Custom Modules: to filter for findings generated by custom modules for Event Threat Detection
The table is populated with Event Threat Detection findings.
To view details of a specific finding, click the finding name under Category. The finding details pane expands to display information including the following:
- When the event occurred
- The source of the finding data
- The detection severity, for example High
- The actions taken, like adding an Identity and Access Management (IAM) role to a Gmail user
- The user who took the action, listed next to Principal email
To display all findings that were caused by the same user's actions:
- On the finding details pane, copy the email address next to Principal email.
- Close the pane.
In the query editor, enter the following query:
access.principal_email="USER_EMAIL"
Replace USER_EMAIL with the email address you previously copied.
Security Command Center displays all findings that are associated with actions taken by the user you specified.
Viewing findings in Cloud Logging
If you configure Continuous Exports to write logs, you can view Event Threat Detection findings in Cloud Logging. This feature is only available if you activate Security Command Center Premium tier at the organization level.
To view Event Threat Detection findings in Cloud Logging, do the following:
Go to Logs Explorer in the Google Cloud console.
Select the Google Cloud project or other Google Cloud resource where you are storing your Event Threat Detection logs.
Use the Query pane to build your query in one of the following ways:
- In the All resources list, do the following:
  - Select Threat Detector to display a list of all the detectors.
  - To view findings from all detectors, select all detector_name. To view findings from a specific detector, select its name.
  - Click Apply. The Query results table is updated with the logs you selected.
- Enter the following query in the query editor and click Run query:
  resource.type="threat_detector"
  The Query results table is updated with the logs you selected.
To view a log, select a table row, and then click Expand nested fields.
You can create advanced log queries to specify a set of log entries from any number of logs.
Example finding formats
This section provides links to examples of JSON output for Event Threat Detection findings. You see this output when you export findings using the Google Cloud console or list findings using the Security Command Center API or the Google Cloud CLI.
The examples on this page show different types of findings. Each example includes only the fields that are most relevant to that type of finding.
For a complete list of fields that are available in a finding, see the Security Command Center API documentation for the Finding resource.
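The details that the finding pane in the console procedure above surfaces (when the event occurred, severity, the action taken, the principal email) are the same fields that appear in exported finding JSON. The following added example is not code from this page or from Google: it parses a small constructed export, extracts those details, groups findings by principal the same way the access.principal_email query does, and builds that filter string from a validated address. The three sample findings and the helper names (parse_export, summarize, findings_by_principal, principal_filter, triage_queue) are constructed for this example; the JSON keys it reads (category, severity, state, eventTime, resourceName, access.principalEmail, access.callerIp, access.methodName, access.serviceName) are fields of the Finding resource.

```python
"""Offline triage of exported Event Threat Detection findings (added example)."""
import json
import re
from collections import defaultdict

# Constructed sample: three findings in newline-delimited JSON, the shape a
# continuous export writes. Names, IPs and times are made up; only the fields
# this example reads are kept.
SAMPLE_EXPORT = """
{"name": "organizations/000000000000/sources/111/findings/aaa", "category": "Persistence: IAM Anomalous Grant", "severity": "HIGH", "state": "ACTIVE", "findingClass": "THREAT", "eventTime": "2024-05-01T10:15:00Z", "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project", "access": {"principalEmail": "alice@example.com", "callerIp": "203.0.113.10", "methodName": "SetIamPolicy", "serviceName": "cloudresourcemanager.googleapis.com"}}
{"name": "organizations/000000000000/sources/111/findings/bbb", "category": "Persistence: New API Method", "severity": "LOW", "state": "ACTIVE", "findingClass": "THREAT", "eventTime": "2024-05-01T10:20:00Z", "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project", "access": {"principalEmail": "alice@example.com", "callerIp": "198.51.100.7", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "serviceName": "iam.googleapis.com"}}
{"name": "organizations/000000000000/sources/111/findings/ccc", "category": "Exfiltration: BigQuery Data Exfiltration", "severity": "HIGH", "state": "INACTIVE", "findingClass": "THREAT", "eventTime": "2024-05-01T11:00:00Z", "resourceName": "//bigquery.googleapis.com/projects/example-project/datasets/sales", "access": {"principalEmail": "svc-etl@example-project.iam.gserviceaccount.com", "callerIp": "192.0.2.44", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob", "serviceName": "bigquery.googleapis.com"}}
"""

# Sort order for the triage queue; unknown values sort last.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

_PLAIN_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")


def parse_export(text):
    """Parse newline-delimited finding JSON; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(finding):
    """Pick out the details the console's finding pane shows for a finding."""
    access = finding.get("access", {})
    return {
        "name": finding["name"],
        "category": finding["category"],
        "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
        "state": finding.get("state"),
        "event_time": finding.get("eventTime"),      # when the event occurred
        "resource": finding.get("resourceName"),
        "principal": access.get("principalEmail"),   # who took the action
        "caller_ip": access.get("callerIp"),
        "action": access.get("methodName"),          # the action taken
        "service": access.get("serviceName"),
    }


def findings_by_principal(findings):
    """Group finding names by the principal that performed the action.

    This is the same pivot as filtering on access.principal_email in the
    console: every finding caused by one principal's actions lands together.
    """
    groups = defaultdict(list)
    for finding in findings:
        principal = finding.get("access", {}).get("principalEmail", "<no principal>")
        groups[principal].append(finding["name"])
    return dict(groups)


def is_plain_email(email):
    """True only for a plain address: no quotes, spaces or operators that
    could change the meaning of a filter expression it is pasted into."""
    return bool(_PLAIN_EMAIL.match(email))


def principal_filter(email):
    """Build the Security Command Center filter used on this page."""
    if not is_plain_email(email):
        raise ValueError(f"not a plain email address: {email!r}")
    return f'access.principal_email="{email}"'


def triage_queue(findings):
    """Active findings only, most severe first, oldest first within a severity."""
    active = [summarize(f) for f in findings if f.get("state") == "ACTIVE"]
    return sorted(active, key=lambda s: (SEVERITY_ORDER.get(s["severity"], 9), s["event_time"]))


if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    for item in triage_queue(findings):
        print(f"{item['severity']:<8} {item['event_time']}  {item['category']}")
        print(f"         by {item['principal']} from {item['caller_ip']} via {item['action']}")
    for principal, names in findings_by_principal(findings).items():
        print(f"{principal}: {len(names)} finding(s)  filter: {principal_filter(principal)}")
```

Running the script prints the two active findings in severity order, then one line per principal with the exact filter you would paste into the console's query editor to see that principal's findings.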
To see example findings, select one of the following links.
| Threat Finding | JSON Example |
|---|---|
| Active Scan: Log4j Vulnerable to RCE | View JSON Example |
| Brute force SSH | View JSON Example |
| Cloud IDS: THREAT_IDENTIFIER | View JSON Example |
| Defense Evasion: Breakglass Workload Deployment Created | View JSON Example |
| Defense Evasion: Breakglass Workload Deployment Updated | View JSON Example |
| Defense Evasion: Modify VPC Service Control | View JSON Example |
| Discovery: Can get sensitive Kubernetes object check | View JSON Example |
| Discovery: Service Account Self-Investigation | View JSON Example |
| Evasion: Access from Anonymizing Proxy | View JSON Example |
| Execution: Cryptomining Docker Image | View JSON Example |
| Exfiltration: BigQuery Data Exfiltration | View JSON Example |
| Exfiltration: BigQuery Data Extraction | View JSON Example |
| Exfiltration: BigQuery Data to Google Drive | View JSON Example |
| Exfiltration: Cloud SQL Data Exfiltration | View JSON Example |
| Exfiltration: Cloud SQL Over-Privileged Grant | View JSON Example |
| Exfiltration: Cloud SQL Restore Backup to External Organization | View JSON Example |
| Impact: Cryptomining Commands | View JSON Example |
| Impact: Deleted Google Cloud Backup and DR Backup | View JSON Example |
| Impact: Deleted Google Cloud Backup and DR host | View JSON Example |
| Impact: Deleted Google Cloud Backup and DR plan association | View JSON Example |
| Impact: Deleted Google Cloud Backup and DR Vault | View JSON Example |
| Impact: Google Cloud Backup and DR delete policy | View JSON Example |
| Impact: Google Cloud Backup and DR delete profile | View JSON Example |
| Impact: Google Cloud Backup and DR delete storage pool | View JSON Example |
| Impact: Google Cloud Backup and DR delete template | View JSON Example |
| Impact: Google Cloud Backup and DR expire all images | View JSON Example |
| Impact: Google Cloud Backup and DR expire image | View JSON Example |
| Impact: Google Cloud Backup and DR reduced backup expiration | View JSON Example |
| Impact: Google Cloud Backup and DR reduced backup frequency | View JSON Example |
| Impact: Google Cloud Backup and DR remove appliance | View JSON Example |
| Impact: Google Cloud Backup and DR remove plan | View JSON Example |
| Initial Access: Account Disabled Hijacked | View JSON Example |
| Initial Access: Database Superuser Writes to User Tables | View JSON Example |
| Initial Access: Disabled Password Leak | View JSON Example |
| Initial Access: Dormant Service Account Action | View JSON Example |
| Initial Access: Dormant Service Account Activity in AI Service | View JSON Example |
| Initial Access: Dormant Service Account Key Created | View JSON Example |
| Initial Access: Excessive Permission Denied Actions | View JSON Example |
| Initial Access: Government Based Attack | View JSON Example |
| Initial Access: Leaked Service Account Key Used | View JSON Example |
| Initial Access: Log4j Compromise Attempt | View JSON Example |
| Initial Access: Suspicious Login Blocked | View JSON Example |
| Lateral Movement: Modified Boot Disk Attached to Instance | View JSON Example |
| Malware: bad domain | View JSON Example |
| Malware: bad IP | View JSON Example |
| Malware: Cryptomining Bad Domain | View JSON Example |
| Malware: Cryptomining Bad IP | View JSON Example |
| Persistence: GCE Admin Added SSH Key | View JSON Example |
| Persistence: GCE Admin Added Startup Script | View JSON Example |
| Persistence: IAM Anomalous Grant | View JSON Example |
| Persistence: New AI API Method | View JSON Example |
| Persistence: New API Method | View JSON Example |
| Persistence: New Geography | View JSON Example |
| Persistence: New Geography for AI Service | View JSON Example |
| Persistence: New User Agent | View JSON Example |
| Persistence: SSO Enablement Toggle | View JSON Example |
| Persistence: SSO Settings Changed | View JSON Example |
| Persistence: Strong Authentication Disabled | View JSON Example |
| Persistence: Two Step Verification Disabled | View JSON Example |
| Privilege Escalation: AlloyDB Database Superuser Writes to User Tables | View JSON Example |
| Privilege Escalation: AlloyDB Over-Privileged Grant | View JSON Example |
| Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity | View JSON Example |
| Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity | View JSON Example |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | View JSON Example |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity | View JSON Example |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access | View JSON Example |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access | View JSON Example |
| Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity | View JSON Example |
| Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity | View JSON Example |
| Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access | View JSON Example |
| Privilege Escalation: Anomalous Service Account Impersonator for Data Access | View JSON Example |
| Privilege Escalation: Changes to sensitive Kubernetes RBAC objects | View JSON Example |
| Privilege Escalation: Create Kubernetes CSR for master cert | View JSON Example |
| Privilege Escalation: Creation of sensitive Kubernetes bindings | View JSON Example |
| Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy | View JSON Example |
| Privilege Escalation: Dormant Service Account Granted Sensitive Role | View JSON Example |
| Privilege Escalation: External Member Added To Privileged Group | View JSON Example |
| Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials | View JSON Example |
| Privilege Escalation: Impersonation Role Granted For Dormant Service Account | View JSON Example |
| Privilege Escalation: Launch of privileged Kubernetes container | View JSON Example |
| Privilege Escalation: Privileged Group Opened To Public | View JSON Example |
| Privilege Escalation: Sensitive Role Granted To Hybrid Group | View JSON Example |
What's next
- Learn more about how Event Threat Detection works.
- Learn how to investigate and develop response plans for threats.