This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Cloud IDS findings are generated by Cloud IDS, which is a security service that monitors traffic to and from your Google Cloud resources for threats. When Cloud IDS detects a threat, it sends information about the threat, such as the source IP address, destination address, and port number, to Event Threat Detection, which then generates a threat finding.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Cloud IDS: THREAT_ID finding, as directed in Reviewing findings. In the finding details, on the Summary tab, review the listed values in the following sections:
- What was detected, especially the following fields:
  - Protocol: the network protocol used
  - Event time: when the event occurred
  - Description: more information about the finding
  - Severity: the severity of the alert
  - Destination IP: the target IP address of the network traffic
  - Destination port: the target port of the network traffic
  - Source IP: the source IP address of the network traffic
  - Source port: the source port of the network traffic
- Affected resource, especially the following fields:
  - Resource full name: the project containing the network with the threat
- Related links, especially the following fields:
  - Cloud Logging URI: a link to the Cloud IDS logging entries; these entries contain the information needed to search Palo Alto Networks' Threat Vault
  - Detection service
  - Finding category: the Cloud IDS threat name
To see the complete JSON for the finding, click the JSON tab.
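When several Cloud IDS findings arrive at once, pulling the Step 1 fields out of the exported finding JSON and ordering them by severity is quicker than reading each Summary tab. The following triage helper is an added example, not code from Security Command Center or Cloud IDS; it assumes findings in the shape of the SCC v1 Finding resource (`category`, `severity`, `eventTime`, `resourceName`, `connections[]`), uses constructed sample values, and assumes the VPC's internal address space is the RFC 1918 ranges.

```python
import ipaddress
import json

# Constructed sample of two findings in the shape of the SCC v1 Finding resource.
# `category`, `severity`, `eventTime`, `resourceName` and `connections[]` are
# real Finding fields; every value below is made up for this example.
SAMPLE_FINDINGS = json.dumps([
    {"category": "Cloud IDS: EXAMPLE-THREAT-A", "severity": "HIGH", "eventTime": "2024-01-01T10:00:00Z",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project",
     "connections": [{"sourceIp": "203.0.113.7", "sourcePort": 44321, "destinationIp": "10.0.0.5",
                      "destinationPort": 22, "protocol": "TCP"}]},
    {"category": "Cloud IDS: EXAMPLE-THREAT-B", "severity": "MEDIUM", "eventTime": "2024-01-01T11:00:00Z",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project",
     "connections": [{"sourceIp": "10.0.0.9", "sourcePort": 51000, "destinationIp": "198.51.100.20",
                      "destinationPort": 443, "protocol": "TCP"}]},
])

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
# Assumption: the VPC's internal address space is the RFC 1918 ranges (adjust for your VPC subnets).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def direction(src, dst):
    """Label the flow so the Source/Destination IP fields can be read at a glance."""
    s, d = is_internal(src), is_internal(dst)
    if s and d: return "internal"
    if d: return "inbound"
    if s: return "outbound"
    return "external"

def triage(findings_json):
    """Return one row per connection with the Step 1 review fields, most severe first."""
    rows = []
    for f in json.loads(findings_json):
        for c in f.get("connections", []):
            rows.append({
                "threat": f["category"].split(": ", 1)[-1],  # Cloud IDS threat name, as used for Threat Vault lookup
                "severity": f["severity"], "event_time": f["eventTime"],
                "project": f["resourceName"].rsplit("/", 1)[-1],  # project containing the affected network
                "protocol": c.get("protocol"),
                "src": f'{c["sourceIp"]}:{c["sourcePort"]}',
                "dst": f'{c["destinationIp"]}:{c["destinationPort"]}',
                "direction": direction(c["sourceIp"], c["destinationIp"]),
            })
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r["severity"], 9), r["event_time"]))
```

The `threat` column is the value to look up in Palo Alto Networks' Threat Vault in Step 2, and `direction` tells you whether the destination IP or the source IP is the resource you own.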
Step 2: Look up attack and response methods
After you have reviewed the finding details, refer to the Cloud IDS documentation on investigating threat alerts to determine an appropriate response.
You can find more information about the detected event in the original log entry by clicking the link in the Cloud Logging URI field in the finding details.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.