This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Cloud IDS findings are generated by Cloud IDS,
which is a security service that monitors traffic to and from your
Google Cloud resources for threats. When Cloud IDS detects a
threat, it sends information about the threat, such as the source IP address,
destination address, and port number, to Event Threat Detection, which then
generates a threat finding.
You can find more information about the detected event in the original log
entry by clicking the link in the Cloud Logging URI field in the finding
details.
How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open the `Cloud IDS: THREAT_ID` finding, as directed in
   [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).

2. In the finding details, on the **Summary** tab, review the listed values in
   the following sections:

   - **What was detected**, especially the following fields:
     - **Protocol**: The network protocol used
     - **Event time**: When the event occurred
     - **Description**: More information about the finding
     - **Severity**: What severity the alert was
     - **Destination IP**: The target IP of the network traffic
     - **Destination Port**: The target port of the network traffic
     - **Source IP**: The source IP of the network traffic
     - **Source Port**: The source port of the network traffic
   - **Affected resource**, especially the following fields:
     - **Resource full name**: The project containing the network with the threat
   - **Related links**, especially the following fields:
     - **Cloud Logging URI**: Link to Cloud IDS Logging entries. These entries have the necessary information to search Palo Alto Networks' [Threat Vault](https://www.paloaltonetworks.com/blog/threat-vault/)
     - **Detection Service**
     - **Finding Category**: The Cloud IDS threat name

3. To see the complete JSON for the finding, click the **JSON** tab.

Step 2: Look up attack and response methods

After you have reviewed the finding details, refer to the
[Cloud IDS documentation on investigating threat alerts](/intrusion-detection-system/docs/investigate)
to determine an appropriate response.

What's next

- Learn [how to work with threat findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).
- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).
- Learn how to [review a finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
- Learn about the [services that generate threat findings](/security-command-center/docs/concepts-security-sources#threats).

Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)

Preview: This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
of the [Service Specific Terms](/terms/service-terms#1).
Pre-GA features are available "as is" and might have limited support.
For more information, see the [launch stage descriptions](/products#product-launch-stages).

Last updated 2025-09-04 UTC.