Event Threat Detection
A service that continuously monitors log data to detect and mitigate threats in real time within cloud environments.
| Category | Threat Detection & Response |
|---|---|
| This page updated | a month ago |
| Pricing Details | Pricing is based on the volume of logs processed and retained. |
| Target Audience | Cloud security teams, DevOps engineers, and IT administrators. |
Event Threat Detection (ETD) in Google Cloud's Security Command Center Premium is responsible for identifying and mitigating threats in real time within cloud environments. The service continuously monitors log data from various sources, including Google Cloud audit logs, VPC flow logs, Cloud firewall logs, Cloud NAT logs, DNS logs, and Linux syslogs, to detect suspicious activities and potential threats.
The technical architecture of ETD relies on integrating with Cloud Logging to consume log entries as they are generated. It applies advanced detection logic, including proprietary threat intelligence, machine learning, and anomaly detection, to identify threats such as brute force SSH attempts, cloud IDS threats, and data exfiltration scenarios like BigQuery data extraction to Google Drive.
Key operational considerations include ensuring that VPC flow logging and Cloud DNS logging are active, as these enhance the effectiveness of ETD. The service is automatically enabled with a Security Command Center Premium subscription, and findings are written to both the Security Command Center and a designated logging project. Users can manage these findings through the SCC interface, filtering and investigating threats based on source properties and detection severity.
From a technical standpoint, ETD's detection rules are predefined but can be extended through custom configurations. For instance, the `BRUTE_FORCE_SSH` rule detects successful brute force attempts on SSH, while `DATA_EXFILTRATION_BIG_QUERY_EXTRACTION` identifies data exfiltration attempts from BigQuery. These findings can trigger automated responses via Cloud Functions and Pub/Sub messages, enabling real-time remediation actions such as updating firewalls or notifying security teams.
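The response path described above, as an added example that is not part of the original page or Google's own code: a Cloud Functions style Pub/Sub handler that decodes a Security Command Center finding notification, filters on state and severity, and maps the two ETD rule names mentioned above to a response playbook. The notification shape (a `finding` object with `category`, `severity`, `state`, `resourceName` and `sourceProperties`) follows SCC's Pub/Sub notifications; the sample values, the `attackerIp` property and the playbook names are constructed for this example.

```python
import base64
import json

# Constructed sample notification. Field names follow SCC's Pub/Sub finding
# notifications; every value (organization id, instance, IP, property name) is made up.
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/123456789012/notificationConfigs/etd-to-pubsub",
    "finding": {
        "name": "organizations/123456789012/sources/1111111111/findings/abcdef0123456789",
        "category": "BRUTE_FORCE_SSH",
        "severity": "HIGH",
        "state": "ACTIVE",
        "resourceName": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/bastion-1",
        "eventTime": "2024-01-01T12:00:00Z",
        "sourceProperties": {"attackerIp": "203.0.113.10"},  # hypothetical property name
    },
}

# Severity ordering used to decide whether a finding is eligible for automation.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Hypothetical playbooks keyed by the ETD rule name carried in finding.category.
PLAYBOOKS = {
    "BRUTE_FORCE_SSH": "firewall_deny_source",
    "DATA_EXFILTRATION_BIG_QUERY_EXTRACTION": "escalate_to_soc",
}


def as_pubsub_event(message: dict) -> dict:
    """Wrap a notification the way Pub/Sub delivers it: JSON, base64-encoded under 'data'."""
    return {"data": base64.b64encode(json.dumps(message).encode("utf-8")).decode("ascii")}


def decode_finding(event: dict) -> dict:
    """Extract the finding object from a Pub/Sub-triggered function event."""
    payload = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(payload)["finding"]


def plan_response(finding: dict, min_severity: str = "HIGH") -> dict:
    """Decide what to do with one finding; returns a plan rather than acting directly."""
    state = finding.get("state")
    category = finding.get("category", "")
    severity = finding.get("severity", "LOW")

    # Resolved or muted findings may be re-delivered; never act on those.
    if state != "ACTIVE":
        return {"action": "ignore", "reason": f"finding state is {state}"}

    # Below the automation threshold: only notify, a human triages.
    if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[min_severity]:
        return {"action": "notify", "reason": f"{severity} is below threshold {min_severity}"}

    playbook = PLAYBOOKS.get(category)
    if playbook is None:
        return {"action": "notify", "reason": f"no playbook for category {category}"}

    return {
        "action": playbook,
        "category": category,
        "severity": severity,
        "resource": finding.get("resourceName"),
        "source_properties": finding.get("sourceProperties", {}),
    }


def handle_finding(event: dict, context=None) -> dict:
    """Cloud Functions (1st gen) Pub/Sub entry point: event['data'] holds the notification."""
    plan = plan_response(decode_finding(event))
    # A deployed function would call the firewall or notification API here.
    print(json.dumps(plan))
    return plan


if __name__ == "__main__":
    handle_finding(as_pubsub_event(SAMPLE_NOTIFICATION))
```

Keeping the decision (`plan_response`) separate from the side effects means the routing logic can be unit-tested offline, and the state check matters because SCC can re-publish a finding when it changes state.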
However, there are limitations to consider, such as the potential for query performance degradation when handling large volumes of logs, and the costs associated with log retention and processing in multi-account setups. Additionally, the effectiveness of ETD depends on the granularity and completeness of the log data being analyzed, highlighting the importance of comprehensive logging configurations.