# Security Command Center findings

[Security Command Center](/security-command-center/docs) is the security and risk
database for Google Cloud. Security Command Center includes a risk dashboard
and analytics system for surfacing, understanding, and remediating
Google Cloud security and data risks across an organization.

Google Cloud Armor is integrated automatically with Security Command Center and
exports two findings to the Security Command Center dashboard:
**Allowed traffic spike** and **Increasing deny ratio**. This guide
describes the findings and how to interpret them.

If you do not already have Cloud Armor enabled in
Security Command Center, see
[Configuring Security Command Center](/security-command-center/docs/how-to-configure-security-command-center).
You see findings in Security Command Center only for projects that have
Security Command Center enabled at the organization level.

Allowed traffic spike finding
-----------------------------

Allowed traffic consists of well-formed HTTP(S) requests that are
destined to reach your backend services after a Cloud Armor
security policy is enforced.

The **Allowed traffic spike** finding notifies you of a spike in allowed traffic
on a per-backend-service basis. A finding is generated when there is a sudden
increase in the allowed number of requests per second (RPS) compared to the
normal volume observed in recent history. The RPS that constituted the spike and
the RPS of the recent history are provided as part of the finding.

### Use case: Potential L7 attacks

Distributed denial-of-service (DDoS) attacks occur when attackers send large
volumes of requests to overload a target service. Layer 7 DDoS attack traffic
typically presents a spike in the number of requests per second.

An **Allowed traffic spike** finding identifies the backend service to which
the RPS spike is directed and provides the traffic characteristics that caused
Cloud Armor to classify it as an RPS spike. Use this information to
determine the following:

- Whether a potential layer 7 DDoS attack is underway.
- The service that is being targeted.
- The actions that you can take to mitigate the potential attack.

The following is a screenshot of a sample **Allowed traffic spike** finding on
the Security Command Center dashboard.

[**Allowed traffic spike** finding](/static/armor/images/ca-cscc-allowed.png)

Google Cloud calculates the values **Long_Term_Allowed_RPS** and **Short_Term_Allowed_RPS** based on Cloud Armor historical
information.

Increasing deny ratio finding
-----------------------------

The **Increasing deny ratio** finding notifies you that there is an increase in
the ratio of traffic that Cloud Armor blocks because of a user-configured
rule in a security policy. Although the denial is expected and does
not affect the backend service, this finding helps alert you to increases in
unwanted and potentially malicious traffic targeting your applications. The RPS
of the denied traffic and the total incoming traffic are provided as part of the
finding.

### Use case: Mitigating L7 attacks

An **Increasing deny ratio** finding enables you to see both the impact of
successful mitigations and significant changes in the behavior of malicious
clients. The finding identifies the backend to which the denied traffic was
directed and provides the traffic characteristics that caused
Cloud Armor to raise the finding. Use this information to evaluate
whether the denied traffic must be studied in detail to further strengthen your
mitigations.

The following is a screenshot of a sample **Increasing deny ratio** finding on
the Security Command Center dashboard.

[**Increasing deny ratio** finding](/static/armor/images/ca-cscc-increasing.png)

Google Cloud calculates the values **Long_Term_Denied_RPS** and **Long_Term_Incoming_RPS** based on Cloud Armor historical
information.

Google Cloud Armor Adaptive Protection
--------------------------------------

Adaptive Protection sends telemetry to the Security Command Center. For more
information about Adaptive Protection findings, see
[Monitoring, alerting, and logging](/armor/docs/adaptive-protection-overview#monitor-alert-log)
in the Adaptive Protection overview.

Advanced network DDoS protection
--------------------------------

Advanced network DDoS protection sends telemetry to the Security Command Center. For more
information about advanced network DDoS protection findings, see
[Security Command Center findings](/armor/docs/advanced-network-ddos#scc).

After traffic returns to normal
-------------------------------

Security Command Center findings are notifications that a particular behavior was
observed at a point in time. No notification is sent when the behavior clears.

There might be updates to existing findings if the current traffic
characteristics increase substantially in comparison to existing
characteristics. If there is no follow-up finding, then either the behavior
cleared or the traffic volume did not increase (allow or deny) substantially
after the initial finding was generated.

What's next
-----------

- [Troubleshoot issues](/armor/docs/troubleshooting)
- [Use the custom rules language reference](/armor/docs/rules-language-reference)

Last updated (UTC): 2025-08-19.