Google Cloud Platform: Event Threat Detection (ETD)

One of the notable new security services released at NEXT `19 is Google Cloud’s Event Threat Detection (ETD). This article will focus on the high level components of ETD and how you may be able to fit ETD into your current architecture.

Expect a follow up post with more technical details and examples once we’ve had a chance to get hands-on with ETD.



What is ETD

Event Threat Detection (ETD) aims to provide customers a managed service in which ingested log data is analyzed for potential threats using Google’s own threat intelligence and machine learning capabilities.

As many security operations professionals can attest, the number of logs captured in todays environments has skyrocketed, making it very expensive to run top SIEM and threat detection tools. ETD helps to solve this problem by analyzing the logs and only sending the discovered incidents to your SIEM tools, drastically reducing the amount of logs which are coming into your systems.

Log Sources

System logs are the foundational element from which most products are to detect threats from, ETD is no different. The following log sources are currently available to ETD:

More log sources, including third-party integrations, are planned for future iterations of ETD.

Available Threat Detection Signatures

The pre-created threat detection signatures are a big draw to teams who are just starting out on Google Cloud or do not have the existing skillsets to create their own alerts.

ETD provides the following Threat Detections out-of-the-box today:



Response and Remediation

The ability to detect threats is only part of the solution, in order to truly provide seamless protections to our cloud workloads, our responses to security threats must be automated in order to respond in a timely manner.

Example Event Threat Detection Stackdriver Log

Example Event Threat Detection Stackdriver Log

ETD sends findings to Cloud Security Command Center (CSCC) for dashboard visibility and the findings are also logged in Stackdriver. These logs and alerts can then be configured to trigger an automated response to these events by triggering a CloudFunction via a pub/sub message. The CloudFunction takes the inputs from the log contents and remediates the issue in real time.

Additionally, the CloudFunction can include code to notify team members or kick off an additional workflow.

For example, if ETD detects brute force SSH attempts on an instance, the triggered CloudFunction could automatically respond by taking the following actions:

  1. Update the Firewall to deny a specific IP range
  2. Send a notification to a Slack channel (see example code here)
  3. Create a JIRA ticket of the incident

Custom Detection

Pre-defined events are great if you are just getting started on the Google Cloud Platform, but for the advanced teams out there, ETD can be a piece of a larger threat detection architecture as shown below:

ETD in larger threat detection architectures

ETD in larger threat detection architectures

By leveraging Google’s managed services, threat detection teams who already have a solution in place can easily enhance their current capabilities and lower costs while continuing to utilize their previous technical investments.


Pricing for ETD is free during beta, however, you may incur costs for services used with ETD, such as Stackdriver, Pub/Sub, CloudFunctions.


As cybersecurity remains to be a hot-button topic for the near future, Google Cloud continues to show progress and commitment to helping their users secure workloads and services running on GCP. ETD appears to be another great addition to the ecosystem of Google Cloud security products and closes a current gap when compared to their competitors. Look for Google Cloud to continue to be an industry leader in cloud platform security.

How can I get started with ETD?

Sign up for the private beta version of ETD here!

Thanks to Jason Dyke and Ryan Canty.

The information presented in this article is accurate as of April 15, 2019. Follow the ScaleSec blog for new articles and updates.

About ScaleSec

ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.

Get in touch!

Event Driven Security on Google Cloud Platform

How to use Stackdriver logging events to trigger Google Cloud Functions to protect your cloud infrastructure.

Next article

ScaleSec is a Cloud Security Alliance Member.
ScaleSec is a Cloud Security Alliance Trusted Cloud Consultant.
ScaleSec is a Better Business Bureau® Accredited Business.
ScaleSec is a PCI Security Standards Council Participating Organization.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security.
ScaleSec is a certified Veteran’s Business Enterprise™ (VBE) from the National Veteran Owned Business Association.

Here for you

Have questions? Leverage our expertise to help you meet your business goals with a strong security posture.

Join us

ScaleSec is a well-connected, fully remote team. We thrive in the great undocumented beyond. We’re hiring in most US metros.

Get in touch

Considering cloud? Want to optimize and transform your existing digital portfolio?
Reach out to us.

Gap Assessment

Get perspective. Address security comprehensively.

Prepare for compliance.

San Diego, CA 92120, United States


© 2023 ScaleSec. All rights reserved. | Privacy Policy