Testing Event Threat Detection

Premium and Enterprise service tiers

Verify that Event Threat Detection is working by intentionally triggering the IAM Anomalous Grant detector and checking for findings.

Event Threat Detection is a built-in service that monitors your organization's Cloud Logging and Google Workspace logging streams and detects threats in near-real time. To learn more, read Event Threat Detection overview.

Before you begin

To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings.

To complete this guide, you must have an Identity and Access Management (IAM) role with the resourcemanager.projects.setIamPolicy permission, like the Project IAM Admin role.

Testing Event Threat Detection

To test Event Threat Detection, you create a test user, grant permissions, and then view the finding in the Google Cloud console and in Cloud Logging.

Step 1: Creating a test user

To trigger the detector, you need a test user with a gmail.com email address. You can create a gmail.com account and then grant it access to the project where you want to perform the test. Make sure that this gmail.com account doesn't already have any IAM permissions in the project where you are performing the test.

Step 2: Triggering the IAM Anomalous Grant detector

Trigger the IAM Anomalous Grant detector by inviting the gmail.com email address to the Project Owner role.

Note: Currently, this finding is only triggered for Security Command Center users with a gmail.com email address.
  1. Go to the IAM & Admin page in the Google Cloud console.
  2. On the IAM & Admin page, click Add.
  3. In the Add principals window, under New principals, enter the test user's gmail.com address.
  4. Under Select a role, select Project > Owner.
  5. Click Save.

Next, you verify that the IAM Anomalous Grant detector has written a finding.

Step 3: Viewing the finding in Security Command Center

To view the Event Threat Detection finding in Security Command Center:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

  2. In the Category section of the Quick filters panel, select Persistence: IAM anomalous grant. If necessary, click View more to find it. The Findings query results panel updates to show only the selected finding category.

  3. To sort the list in the Findings query results panel, click the Event time column header so that the most recent finding displays first.

  4. In the Findings query results panel, display the details of the finding by clicking Persistence: IAM Anomalous Grant in the Category column. The details panel for the finding opens and displays the Summary tab.

  5. Check the value on the Principal email row. It should be the test gmail.com email address that you granted ownership to.

If a finding doesn't appear that matches your test gmail.com account, verify your Event Threat Detection settings.

Step 4: Viewing the finding in Cloud Logging

If you enabled logging findings to Cloud Logging, you can view the finding there. Viewing logging findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.

Prerequisite: Before you can view Event Threat Detection findings in Logging, configure log export.
  1. Go to Logs Explorer in the Google Cloud console.

  2. Select the Google Cloud project where you are storing your Event Threat Detection logs.

  3. Use the Query pane to build your query in one of the following ways:

    • In the All resources list, do the following:
      1. Select Threat Detector to display a list of all the detectors.
      2. Under DETECTOR_NAME, select iam_anomalous_grant.
      3. Click Apply. The Query results table is updated with the logs you selected.
    • Enter the following query in the query editor and click Run query:

      resource.type="threat_detector"

      The Query results table is updated with the logs you selected.

  4. To view a log, click a table row, and then click Expand nested fields.

If you don't see a finding for the IAM Anomalous Grant rule, verify your Event Threat Detection settings.
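
To run the Step 4 check from a terminal instead of Logs Explorer, the following added example (not part of the original page) reads the detector's log entries with gcloud logging read and reports which ones mention the test account. The resource.labels.detector_name label, the function names, and the sample entries are assumptions; the search walks the whole entry, so it does not depend on the layout of the finding's payload.

```python
import json
import subprocess

# Filter from the values on this page; the label name detector_name is an
# assumption based on the DETECTOR_NAME field shown in Logs Explorer.
FILTER = ('resource.type="threat_detector" AND '
          'resource.labels.detector_name="iam_anomalous_grant"')

def read_entries(project_id, freshness="1d"):
    """Fetch matching log entries as a list of dicts using the gcloud CLI."""
    out = subprocess.run(
        ["gcloud", "logging", "read", FILTER, "--project", project_id,
         "--freshness", freshness, "--format", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out or "[]")

def paths_containing(node, needle, path=""):
    """Return the JSON path of every string value that contains needle."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in
                paths_containing(v, needle, f"{path}.{k}" if path else k)]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in
                paths_containing(v, needle, f"{path}[{i}]")]
    if isinstance(node, str) and needle.lower() in node.lower():
        return [path]
    return []

def findings_for(entries, test_email):
    """Map insertId -> paths where the test account appears; skip misses."""
    hits = {}
    for entry in entries:
        paths = paths_containing(entry, test_email)
        if paths:
            hits[entry.get("insertId", "<no insertId>")] = paths
    return hits

# Constructed sample entries; the jsonPayload layout is illustrative only.
SAMPLE = [
    {"insertId": "a1", "resource": {"type": "threat_detector"},
     "jsonPayload": {"properties": {"members": ["user:etd-test@gmail.com"]}}},
    {"insertId": "b2", "resource": {"type": "threat_detector"},
     "jsonPayload": {"properties": {"members": ["user:other@gmail.com"]}}},
]

if __name__ == "__main__":
    print(findings_for(SAMPLE, "etd-test@gmail.com"))
```

Against a live project, call findings_for(read_entries("PROJECT_ID"), "TEST_EMAIL") with your own project ID and test address; an empty result means no logged finding mentions the test account yet.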

Clean up

When you're finished testing, remove the test user from the project.

  1. Go to the IAM & Admin page in the Google Cloud console.
  2. Next to the test user's gmail.com address, click Edit.
  3. On the Edit permissions panel that appears, click Delete for all roles granted to the test user.
  4. Click Save.


Last updated 2025-12-17 UTC.