STEPHANIE WONG: Event Threat Detection, ETD, is a built-in service in Security Command Center Premium. It uses log data from Google Cloud audit logs, Cloud networking logs, and operating system logs. When a threat is detected, ETD writes a finding to Cloud SCC and to a logging project.

Event Threat Detection analyzes Cloud audit logs, VPC flow logs, Cloud firewall logs, Cloud NAT logs, DNS logs, and Linux syslogs to find threats. ETD works best when VPC flow logging and Cloud DNS logging are active.
Event Threat Detection is automatically enabled when you subscribe to Security Command Center Premium. If you need to re-enable ETD, first make sure you have the Security Command Center Admin and Security Center Sources Admin IAM roles, along with an SCC Premium subscription. On the SCC home page, go to the Sources and Services Settings page. Then click the toggle next to Event Threat Detection to enable it. Click Save. Then, under the Resources tab, select the scope for ETD. We recommend enabling it at the org node level and allowing the rest of the org to inherit the On setting.
ETD can quickly detect a number of potential high-risk and costly threats.

Brute force SSH. ETD detects successful brute force of SSH on a host by examining Linux auth logs for repeated failures followed by a successful login.

Cryptomining. ETD detects coin mining malware by examining VPC logs for connections to, or lookup of, a known mining domain or IP address.

Cloud IAM abuse: malicious grants. ETD detects privileges granted to Identity and Access Management users and service accounts that are not members of the organization.

Malware. ETD detects malware based on a connection to, or lookup of, a known bad domain or IP address by examining VPC logs for connections to known bad domains and other log data.

Phishing. ETD examines VPC logs for suspicious connections and other log data.

Outgoing denial of service. ETD detects outgoing denial-of-service traffic by examining the sizes, types, and numbers of VPC flow logs.

Data exfiltration from BigQuery. ETD detects when data is leaving a table owned by your organization or when a copy is attempted that is blocked by a VPC Service Control.

You can learn more about these findings in the documentation linked below.
You can view findings in Cloud Logging if you configured SCC sinks to write logs to the Google Cloud operations suite, or in the SCC Findings tab. Filter by source type and select Event Threat Detection. In our environment, we can see our top findings. Let's drill into the Malware: Bad IP finding. We're able to see what the event was, when the event occurred, the source of the finding data, and the detection severity. Under Source Properties, we can find additional evidence. Drilling into the evidence, we can find out the log ID, project, timestamps, and insert ID. We can also see the affected resources. And under Properties, we can even see the source IP, port, destination IP, and instance details.

To display all findings that were affected by this source IP, we can apply a filter. In the Findings tab filter box, enter sourceProperties.properties.ips and paste the source IP. Security Command Center displays all of the findings that are associated with event findings affected by this source IP. Next, we can continue to pivot on either this IP or the project in the filter bar to do further detections and create firewall rules blocking access from this IP.

Congratulations. You've enabled Event Threat Detection and learned how to respond to a finding from it.
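The brute force SSH pattern described in the video (repeated Linux auth-log failures followed by a successful login), as an added Python illustration that is not ETD's or Google's code: the five-failure threshold, ten-minute window and log year are assumptions, and the sshd log lines are constructed sample input.

```python
"""Toy version of the pattern the video attributes to ETD's Brute Force: SSH
detector: repeated failures in the Linux auth log followed by a successful login.
Added illustration only; the threshold and window are assumptions, not ETD's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd password-auth lines as written to /var/log/auth.log (constructed sample format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def detect_ssh_brute_force(lines, year=2023, threshold=5, window=timedelta(minutes=10)):
    """Return one (ip, user, failure_count, success_time) tuple per source IP whose
    successful login follows at least `threshold` failures within `window`."""
    recent_failures = defaultdict(list)  # source IP -> timestamps of failed attempts
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects, key auth, other daemons: not part of this pattern
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
        ip = m["ip"]
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if m["outcome"] == "Failed":
            recent_failures[ip].append(ts)
        elif len(recent_failures[ip]) >= threshold:
            findings.append((ip, m["user"], len(recent_failures[ip]), ts))
            recent_failures[ip].clear()  # one finding per burst
    return findings

# Constructed sample: 203.0.113.5 fails six times, then succeeds as 'alice';
# 198.51.100.7 mistypes once and then logs in, which should not be flagged.
SAMPLE_AUTH_LOG = [
    f"Mar  3 10:00:{s:02d} vm-1 sshd[21{s:02d}]: Failed password for invalid user admin "
    f"from 203.0.113.5 port 510{s:02d} ssh2" for s in range(1, 7)
] + [
    "Mar  3 10:00:09 vm-1 sshd[2109]: Connection closed by 203.0.113.5 port 51006 [preauth]",
    "Mar  3 10:00:12 vm-1 sshd[2110]: Failed password for bob from 198.51.100.7 port 40010 ssh2",
    "Mar  3 10:00:20 vm-1 sshd[2111]: Accepted password for bob from 198.51.100.7 port 40011 ssh2",
    "Mar  3 10:00:31 vm-1 sshd[2112]: Accepted password for alice from 203.0.113.5 port 51007 ssh2",
]

if __name__ == "__main__":
    for ip, user, n, ts in detect_ssh_brute_force(SAMPLE_AUTH_LOG):
        print(f"Brute Force: SSH from {ip}: {n} failures, then login as {user} at {ts:%H:%M:%S}")
```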
