Cloud IDS threat detections

Cloud IDS findings originate in Cloud IDS, a security service that monitors traffic to and from your Google Cloud resources for threats. When Cloud IDS detects a threat, it sends the details of the threat, such as the source IP address, destination IP address, and port number, to Event Threat Detection, which then generates a threat finding.

Step 1: Review finding details

  1. Open the Cloud IDS: THREAT_ID finding, as directed in Reviewing findings.

  2. In the finding details, on the Summary tab, review the listed values in the following sections:

    • What was detected, especially the following fields:
      • Protocol: The network protocol used
      • Event time: When the event occurred
      • Description: More information about the finding
      • Severity: The severity that Cloud IDS assigned to the alert
      • Destination IP: The target IP address of the network traffic
      • Destination Port: The target port of the network traffic
      • Source IP: The source IP address of the network traffic
      • Source Port: The source port of the network traffic
    • Affected resource, especially the following fields:
      • Resource full name: The project that contains the network where the threat was detected
    • Related links, especially the following fields:
      • Cloud Logging URI: A link to the Cloud IDS log entries. These entries contain the information you need to search Palo Alto Networks' Threat Vault
    • Detection Service, especially the following field:
      • Finding Category: The Cloud IDS threat name
  3. To see the complete JSON for the finding, click the JSON tab.

Step 2: Look up attack and response methods

After you have reviewed the finding details, refer to the Cloud IDS documentation on investigating threat alerts to determine an appropriate response.

You can find more information about the detected event in the original log entry by clicking the link in the Cloud Logging URI field in the finding details.
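The two steps above can be scripted for triage at scale. The following is an added example, not code from Google Cloud or the Cloud IDS documentation. It reads the finding JSON from the JSON tab, extracts the same fields the Summary tab lists, and then uses the Cloud IDS log entry reached through the Cloud Logging URI to build a Threat Vault search. The finding layout follows the Security Command Center Finding resource (category, severity, eventTime, resourceName, connections, externalUri); the log entry field names (threat_id, name, alert_severity, source_ip_address, and so on) and the Threat Vault search URL shape are assumptions made for this example, and both sample documents are constructed.

```python
"""Triage helper for a Cloud IDS finding: summarize the finding JSON and build a
Threat Vault lookup from the matching Cloud IDS log entry.

Added example, not Google's code.  Field names of the Cloud IDS log entry and
the Threat Vault search URL are assumptions; the sample documents are constructed."""
import json
from urllib.parse import quote

THREAT_VAULT_SEARCH = "https://threatvault.paloaltonetworks.com/?query="  # assumed URL shape

# Constructed sample of what the JSON tab of a Cloud IDS finding can contain.
SAMPLE_FINDING = json.dumps({
    "category": "Cloud IDS: SCAN: TCP Port Scan",
    "severity": "MEDIUM",
    "eventTime": "2024-05-01T12:34:56Z",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/123456789012",
    "connections": [{
        "sourceIp": "203.0.113.10", "sourcePort": 51234,
        "destinationIp": "10.128.0.7", "destinationPort": 22,
        "protocol": "TCP",
    }],
    # Cloud Logging URI from the Related links section (constructed value)
    "externalUri": "https://console.cloud.google.com/logs/query;query=ids.googleapis.com%2Fthreat",
})

# Constructed Cloud IDS threat log entry, as reached via the Cloud Logging URI.
# jsonPayload field names are assumed for this example.
SAMPLE_LOG_ENTRY = json.dumps({
    "logName": "projects/example/logs/ids.googleapis.com%2Fthreat",
    "jsonPayload": {
        "threat_id": "40000",
        "name": "SCAN: TCP Port Scan",
        "alert_severity": "MEDIUM",
        "source_ip_address": "203.0.113.10",
        "destination_ip_address": "10.128.0.7",
        "destination_port": 22,
        "ip_protocol": "tcp",
        "direction": "client-to-server",
    },
})


def summarize_finding(finding_json: str) -> dict:
    """Extract the fields the Summary tab lists from the finding JSON."""
    f = json.loads(finding_json)
    conn = (f.get("connections") or [{}])[0]  # first connection; may be absent
    category = f.get("category", "")
    prefix = "Cloud IDS: "
    threat_name = category[len(prefix):] if category.startswith(prefix) else category
    return {
        "finding_category": category,
        "threat_name": threat_name,
        "severity": f.get("severity"),
        "event_time": f.get("eventTime"),
        "protocol": conn.get("protocol"),
        "source_ip": conn.get("sourceIp"),
        "source_port": conn.get("sourcePort"),
        "destination_ip": conn.get("destinationIp"),
        "destination_port": conn.get("destinationPort"),
        # resourceName is the project containing the network; keep "projects/<number>"
        "project": "/".join(f.get("resourceName", "").rsplit("/", 2)[-2:]),
        "cloud_logging_uri": f.get("externalUri"),
    }


def threat_vault_query(log_entry_json: str) -> str:
    """Build the Threat Vault search URL from the threat_id in the log entry."""
    payload = json.loads(log_entry_json).get("jsonPayload", {})
    threat_id = str(payload.get("threat_id", "")).strip()
    if not threat_id:
        raise ValueError("log entry has no threat_id; cannot search Threat Vault")
    return THREAT_VAULT_SEARCH + quote(threat_id, safe="")


def matches_log_entry(summary: dict, log_entry_json: str) -> bool:
    """Confirm the log entry describes the same connection as the finding before
    acting on its threat_id (guards against picking the wrong entry in a busy log)."""
    payload = json.loads(log_entry_json).get("jsonPayload", {})
    return (
        payload.get("source_ip_address") == summary["source_ip"]
        and payload.get("destination_ip_address") == summary["destination_ip"]
        and int(payload.get("destination_port", -1)) == summary["destination_port"]
        and str(payload.get("ip_protocol", "")).upper() == str(summary["protocol"]).upper()
    )


def triage(finding_json: str, log_entry_json: str) -> dict:
    """Summary plus the Threat Vault lookup, only if the log entry matches the finding."""
    summary = summarize_finding(finding_json)
    summary["log_entry_matches"] = matches_log_entry(summary, log_entry_json)
    summary["threat_vault"] = threat_vault_query(log_entry_json) if summary["log_entry_matches"] else None
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING, SAMPLE_LOG_ENTRY), indent=2))
```

The consistency check matters in practice: the Cloud Logging URI opens a query, not a single entry, so verify that the entry you take the threat ID from has the same source, destination, port, and protocol as the finding before you search Threat Vault or act on its guidance.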

What's next