CoursesGCP securityDetection & Security Command Center

Detection as code & response

Log metrics, Pub/Sub pipelines, auto-response.

Advanced35 min · lesson 12 of 15

Detection is only as good as what happens after a finding fires. A mature GCP setup treats detections as code and wires signals into an automated pipeline that correlates, prioritizes, and responds — the difference between spotting an incident and containing one.

Detection as code

Codify your custom detections — log-based metrics and alerting policies on sensitive actions (SetIamPolicy on a privileged role, cloudkms keys disable, mass storage.objects.get), SCC finding filters, and remediation logic — in version control, tested and reviewed like software. That makes rules auditable, repeatable across the org, and hard to silently weaken. Log-based metric alerts on abnormal use of permitted actions catch what per-permission checks never will: a legitimate action at an illegitimate volume or pattern.

alert on a privileged IAM change
# Log-based metric: count grants of the Owner role via SetIamPolicy.
gcloud logging metrics create owner-grants \
--description="Owner role granted" \
--log-filter='protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner" AND
protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"'
# Then attach an alerting policy that pages on any nonzero value.

Route, respond, and rehearse

Send findings and alerts through Pub/Sub to a SIEM (Chronicle/Google SecOps or your own) for correlation across sources, and to Cloud Functions or workflows for automated first response — isolate a resource, disable a key, revoke a session. A high-severity SCC finding can trigger containment before an analyst opens the console. Wrap it all in rehearsed runbooks so the first real run of "compromised service account" is a drill you have practiced, not an improvisation under pressure.

From signal to contained incident
1log metrics + SCC findings
custom + managed detections
2Pub/Sub
fan out to targets
3SIEM + Cloud Functions
correlate, prioritize, act
4auto-contain + page
isolate, revoke, ticket
Detection as code plus an automated pipeline turns a finding into a contained incident while the trail records every step.
Alert fatigue hides the real one
A firehose of low-signal alerts trains responders to ignore the queue, and the one finding that matters drowns. Ruthlessly tune and suppress benign patterns, prioritize by severity and asset criticality, and prefer a smaller stream of high-confidence, well-contextualized alerts.