Verify that Event Threat Detection is working by intentionally triggering the IAM Anomalous Grant detector and checking for findings.
Event Threat Detection is a built-in service for the Security Command Center Premium tier that monitors your organization's Cloud Logging and Google Workspace logging streams and detects threats in near-real time. To learn more, read Event Threat Detection overview.
Before you begin
To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings.
To complete this guide, you must have an Identity and Access Management (IAM) role with the resourcemanager.projects.setIamPolicy permission, like the Project IAM Admin role.
Testing Event Threat Detection
To test Event Threat Detection, you create a test user, grant permissions, and then view the finding in the Google Cloud console and in Cloud Logging.
Step 1: Creating a test user
To trigger the detector, you need a test user with a gmail.com email address. You can create a gmail.com account and then grant it access to the project where you want to perform the test. Make sure that this gmail.com account doesn't already have any IAM permissions in the project where you are performing the test.
Step 2: Triggering the IAM Anomalous Grant detector
Trigger the IAM Anomalous Grant detector by granting the Project Owner role to the test gmail.com account.
- Go to the IAM & Admin page in the Google Cloud console.
- On the IAM & Admin page, click Add.
- In the Add principals window, under New principals, enter the test user's gmail.com address.
- Under Select a role, select Project > Owner.
- Click Save.
Next, you verify that the IAM Anomalous Grant detector has written a finding.
Step 3: Viewing the finding in Security Command Center
To view the Event Threat Detection finding in Security Command Center:
- Go to the Security Command Center Findings page in the Google Cloud console.
- In the Category section of the Quick filters panel, select Persistence: IAM Anomalous Grant. If necessary, click View more to find it. The Findings query results panel updates to show only that finding category.
- To sort the list in the Findings query results panel, click the Event time column header so that the most recent finding is displayed first.
- In the Findings query results panel, display the details of the finding by clicking Persistence: IAM Anomalous Grant in the Category column. The details panel for the finding opens on the Summary tab.
- Check the value in the Principal email row. It should be the test gmail.com address to which you granted the Owner role.
If a finding doesn't appear that matches your test gmail.com account, verify your Event Threat Detection settings.
Step 4: Viewing the finding in Cloud Logging
If you enabled logging findings to Cloud Logging, you can view the finding there. Viewing logging findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.
- Go to Logs Explorer in the Google Cloud console.
- Select the Google Cloud project where you are storing your Event Threat Detection logs.
- Use the Query pane to build your query in one of the following ways:
  - In the All resources list, select Threat Detector to display a list of all the detectors. Under DETECTOR_NAME, select iam_anomalous_grant, and then click Apply.
  - Enter the following query in the query editor and click Run query:
    resource.type="threat_detector"
- The Query results table is updated with the logs you selected. To view a log, click a table row, and then click Expand nested fields.
If you don't see a finding for the IAM Anomalous Grant rule, verify your Event Threat Detection settings.
Clean up
When you're finished testing, remove the test user from the project.
- Go to the IAM & Admin page in the Google Cloud console.
- Next to the test user's gmail.com address, click Edit.
- On the Edit permissions panel that appears, click Delete for all roles granted to the test user.
- Click Save.
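As an added example (not code from the original page or from Google's documentation), the following Python script drives the same test from the command line with gcloud: it grants the Owner role to the test account (Step 2), polls Security Command Center for a Persistence: IAM Anomalous Grant finding whose principal email is the test account (Step 3), reads the matching threat_detector entries from Cloud Logging (Step 4), and always removes the binding afterwards (Clean up). The project ID, organization ID and test address are placeholders; the finding fields `finding.category` and `finding.access.principalEmail` and the log label `resource.labels.detector_name` are assumptions about the Security Command Center and Cloud Logging schemas, and the sample results used by `self_check()` are constructed so the filtering logic can be exercised without a cloud project.

```python
"""Drive the Event Threat Detection self-test with gcloud and check the result.

Added example. Requires an authenticated gcloud with the permissions listed
above; the identifiers below are placeholders, not real resources.
"""
import json
import subprocess
import time

PROJECT_ID = "my-etd-test-project"        # assumed: project under test
ORG_ID = "123456789012"                   # assumed: organization that owns it
TEST_USER = "etd-test-user@gmail.com"     # assumed: throwaway gmail.com account
CATEGORY = "Persistence: IAM Anomalous Grant"
DETECTOR = "iam_anomalous_grant"


def gcloud(args, dry_run=False):
    """Run gcloud with JSON output. With dry_run=True return the argv instead
    of executing it, so command construction can be inspected offline."""
    cmd = ["gcloud", *args, "--format=json"]
    if dry_run:
        return cmd
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def grant_owner(project, member, dry_run=False):
    """Step 2: the grant the detector should flag. --condition=None avoids an
    interactive prompt when the policy already has conditional bindings."""
    return gcloud(["projects", "add-iam-policy-binding", project,
                   f"--member=user:{member}", "--role=roles/owner",
                   "--condition=None"], dry_run)


def revoke_owner(project, member, dry_run=False):
    """Clean up: remove every Owner binding for the test account."""
    return gcloud(["projects", "remove-iam-policy-binding", project,
                   f"--member=user:{member}", "--role=roles/owner", "--all"],
                  dry_run)


def list_findings(org, category, dry_run=False):
    """Step 3: findings of one category across the organization."""
    return gcloud(["scc", "findings", "list", f"--organization={org}",
                   f'--filter=category="{category}"'], dry_run)


def read_detector_logs(project, detector, dry_run=False):
    """Step 4: the same detections as written to Cloud Logging (assumed label
    name resource.labels.detector_name, matching DETECTOR_NAME in the UI)."""
    log_filter = ('resource.type="threat_detector" AND '
                  f'resource.labels.detector_name="{detector}"')
    return gcloud(["logging", "read", log_filter, f"--project={project}",
                   "--limit=10"], dry_run)


def matching_findings(results, category, principal):
    """Keep only findings of the expected category whose principal email is the
    test account: the check made on the Summary tab in Step 3."""
    hits = []
    for entry in results:
        finding = entry.get("finding", entry)   # ListFindingsResult wraps it
        if finding.get("category") != category:
            continue
        if finding.get("access", {}).get("principalEmail") != principal:
            continue
        hits.append(finding)
    return hits


def wait_for_finding(org, category, principal, timeout_s=900, interval_s=30):
    """Poll until a matching finding appears or the timeout expires; detection
    is near-real time but not instantaneous."""
    deadline = time.monotonic() + timeout_s
    while True:
        hits = matching_findings(list_findings(org, category), category, principal)
        if hits or time.monotonic() >= deadline:
            return hits
        time.sleep(interval_s)


# Constructed sample of `gcloud scc findings list --format=json` output: one
# hit for the test account, one for another principal, one other category.
SAMPLE_RESULTS = [
    {"finding": {"name": "organizations/123456789012/sources/1/findings/abc",
                 "category": CATEGORY, "eventTime": "2024-01-01T00:00:00Z",
                 "access": {"principalEmail": TEST_USER}}},
    {"finding": {"category": CATEGORY,
                 "access": {"principalEmail": "someone-else@example.com"}}},
    {"finding": {"category": "Some: Other Category",
                 "access": {"principalEmail": TEST_USER}}},
]


def self_check():
    """Offline check of the filter against the constructed sample."""
    return [f["name"] for f in matching_findings(SAMPLE_RESULTS, CATEGORY, TEST_USER)]


def run_test():
    grant_owner(PROJECT_ID, TEST_USER)
    try:
        hits = wait_for_finding(ORG_ID, CATEGORY, TEST_USER)
    finally:
        revoke_owner(PROJECT_ID, TEST_USER)   # always undo the test grant
    if not hits:
        print("No matching finding; verify your Event Threat Detection settings.")
        return False
    print(f"Finding {hits[0].get('name')} at {hits[0].get('eventTime')}")
    for entry in read_detector_logs(PROJECT_ID, DETECTOR):
        print(json.dumps(entry, indent=2))
    return True


if __name__ == "__main__":
    raise SystemExit(0 if run_test() else 1)
```

Run it as `python3 etd_test.py` from a shell where gcloud is authenticated as the Project IAM Admin described above; the `try`/`finally` guarantees the Owner grant is revoked even if polling times out or gcloud fails, which matters because a leftover gmail.com Owner is a real exposure, not just test residue.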
What's next
- Learn more about using Event Threat Detection.
- Read a high-level overview of Event Threat Detection concepts.
- Learn how to investigate and develop response plans for threats.