Using Security Command Center Standard or Premium in the Google Cloud console

This page provides an overview of Security Command Center Standard and Premium in the Google Cloud console and what you can do with Security Command Center's top-level pages. If you use Security Command Center Enterprise, see Security Command Center Enterprise consoles.

If Security Command Center isn't already set up, you must activate it before you can use Security Command Center in the Google Cloud console.

For a general overview of Security Command Center, see Security Command Center overview.

Required IAM permissions

To use Security Command Center in any service tier, you must have an Identity and Access Management (IAM) role that includes the appropriate permissions. The two broadest predefined roles are:

  • Security Center Admin Viewer (roles/securitycenter.adminViewer) lets you view Security Command Center.
  • Security Center Admin Editor (roles/securitycenter.adminEditor) lets you view Security Command Center and make changes.

If your organization policies are set to restrict identities by domain, you must be signed in to the Google Cloud console on an account that's in an allowed domain.

The IAM roles for Security Command Center can be granted at the organization, folder, or project level, and a grant at a higher level is inherited by the resources beneath it. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level at which the role is granted: a role granted on a single project applies only to that project's findings, while a role granted on the organization applies to every folder and project in it. To learn more about Security Command Center roles, see Access control.
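The inheritance rule above is worth checking before you open the console, because a principal who sees nothing on a project may simply hold a role at the wrong level. The following is an added example, not code from the product or its documentation: it resolves which Security Command Center roles a principal effectively holds on a resource by walking the resource's ancestry. The policy documents, resource names, and group memberships are constructed sample data in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json` (and the matching `gcloud organizations` / `gcloud resource-manager folders get-iam-policy`) output; IAM expands group membership server-side, so here it is passed in explicitly.

```python
"""Resolve the Security Command Center roles a principal effectively holds on a
resource, taking IAM inheritance (organization -> folder -> project) into account.
Added example; all data below is constructed, not a real policy."""

# The two Security Command Center roles discussed on this page.
SCC_ROLES = {
    "roles/securitycenter.adminViewer": "view",
    "roles/securitycenter.adminEditor": "view and edit",
}

# Constructed IAM policies keyed by full resource name (assumed IDs).
SAMPLE_POLICIES = {
    "organizations/123456789012": {
        "bindings": [
            {"role": "roles/securitycenter.adminViewer",
             "members": ["group:sec-readers@example.com"]},
        ]
    },
    "folders/222": {
        "bindings": [
            {"role": "roles/securitycenter.adminEditor",
             "members": ["user:alice@example.com"]},
        ]
    },
    "projects/prod-api": {
        "bindings": [
            {"role": "roles/securitycenter.adminViewer",
             "members": ["user:bob@example.com"]},
        ]
    },
}

# Constructed resource hierarchy: child -> parent. The organization is the root.
SAMPLE_PARENTS = {
    "projects/prod-api": "folders/222",
    "projects/sandbox": "organizations/123456789012",
    "folders/222": "organizations/123456789012",
}

# Constructed group membership: user -> groups (IAM resolves this for you).
SAMPLE_GROUPS = {
    "user:carol@example.com": ["group:sec-readers@example.com"],
}


def ancestry(resource, parents):
    """Yield the resource itself, then each ancestor up to the root."""
    while resource is not None:
        yield resource
        resource = parents.get(resource)


def effective_scc_roles(member, resource, policies, parents, groups=None):
    """Return {role: resource_where_granted} for every Security Command Center
    role `member` holds on `resource`, directly or through an ancestor.
    The nearest level wins for reporting, which tells you which policy to edit."""
    principals = {member} | set((groups or {}).get(member, ()))
    granted = {}
    for node in ancestry(resource, parents):
        for binding in policies.get(node, {}).get("bindings", []):
            role = binding["role"]
            if role not in SCC_ROLES or role in granted:
                continue
            if principals & set(binding["members"]):
                granted[role] = node
    return granted


def can_edit(member, resource, policies, parents, groups=None):
    """True if the principal can make changes in Security Command Center here."""
    roles = effective_scc_roles(member, resource, policies, parents, groups)
    return "roles/securitycenter.adminEditor" in roles


def can_view(member, resource, policies, parents, groups=None):
    """True if the principal can at least view Security Command Center here."""
    return bool(effective_scc_roles(member, resource, policies, parents, groups))


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com",
                "user:carol@example.com"):
        for proj in ("projects/prod-api", "projects/sandbox"):
            print(who, proj, effective_scc_roles(
                who, proj, SAMPLE_POLICIES, SAMPLE_PARENTS, SAMPLE_GROUPS))
```

Run against real output by loading each `get-iam-policy --format=json` document into the `policies` dictionary and the output of `gcloud projects get-ancestors PROJECT_ID` into `parents`. A principal for whom the result is empty on the project you select in the console has no Security Command Center access there, regardless of what they hold elsewhere.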

Access Security Command Center in the Google Cloud console

To access Security Command Center in the Google Cloud console:

  1. In the Google Cloud console, go to the Security Command Center page.

  2. Select the project or organization that you want to view.

    If Security Command Center is active in the organization or project you select, the Risk overview page displays an overview of the new threat findings and the active vulnerability findings over the last seven days.

    If Security Command Center is not active, you are invited to activate it. For more information about activating Security Command Center, see one of the following, specific to your service tier:

Security Command Center features and navigation

The tasks that you can perform depend on your Security Command Center service tier, which services are enabled, and the IAM permissions that you are granted.

Beyond the Risk overview page, you can monitor and manage security issues in your Google Cloud environment through the following Security Command Center pages in the Google Cloud console.

The following describes the navigation in Security Command Center Standard and Premium. Click a navigation entry for an explanation of the page.

Risk overview page

The Risk overview page provides a quick view of both the new threats and the total number of active vulnerabilities in your Google Cloud environment from all built-in and integrated services. You can change the range of time displayed in all areas of this page from 1 hour to 6 months.

The Risk overview page includes various dashboards, including the following:

  • Top vulnerability findings shows the ten findings that have the highest attack exposure scores.
  • New threats over time (Premium tier only) shows a chart of the new threats detected per day, with hourly totals. Following the chart on the page are views of the threat findings by category, resource, and project. You can sort each view by finding severity.
  • Top CVE findings (Premium and Enterprise tiers only) shows vulnerability findings grouped by the CVE exploitability and impact. Click a block in the heat map to see the corresponding findings listed by CVE ID.
  • Vulnerabilities per resource type is a graphic display that shows the active vulnerabilities for the resources in your project or organization.
  • Active vulnerabilities provides tabbed views of the vulnerability findings by category name, by affected resource, and by project. You can sort each view by finding severity.
  • Identity and access findings (Premium tier only) shows misconfiguration findings that are related to principal accounts (identities) that are misconfigured or that are granted excessive or sensitive permissions to Google Cloud, AWS, or Azure resources (access). The management of identity and access controls is sometimes referred to as cloud infrastructure entitlement management.
  • Data security findings shows findings from the Sensitive Data Protection discovery service. This summary includes any vulnerability findings that indicate the presence of secrets in environment variables and observation findings that indicate the sensitivity and data risk levels of your data.

Clicking the category name of any finding on the Risk overview page takes you to the Findings page where you can see the details of the finding.

Threats page

The Threats page helps you review potentially harmful events in your Google Cloud resources over a time period that you specify. The default time period is seven days.

On the Threats page, you can view findings in the following sections:

  • Threats by severity shows the number of threats in each severity level.
  • Threats by category shows the number of findings in each category across all projects.
  • Threats by resource shows the number of findings for each resource in your project or organization.

You can specify the time period for which to display threats by using the drop-down list in the Time range field. The drop-down list has several options between 1 hour and "all time," which shows all findings since the service was activated. The time period you select is saved between sessions.

Vulnerabilities page

The Vulnerabilities page lists all of the misconfiguration and software vulnerability detectors that the built-in detection services of Security Command Center run in your cloud environments. For each listed detector, the number of active findings is displayed.

Vulnerability detection services

The Vulnerabilities page lists detectors for the following built-in detection services of Security Command Center:

Other Google Cloud services that are integrated with Security Command Center also detect software vulnerabilities and misconfigurations. The findings from a selection of these services are also displayed on the Vulnerabilities page. For more information about the services that produce vulnerability findings in Security Command Center, see Detection services.

Information about vulnerability detector categories

For each misconfiguration or software vulnerability detector, the Vulnerabilities page shows the following information:

  • Status: an icon indicates whether the detector is active, and whether the detector produced a finding that needs to be addressed. When you hold the pointer over the status icon, a tooltip displays the date and time the detector produced the result, or information about how to validate the recommendation.
  • Last scanned: the date and time of the last scan for the detector.
  • Category: the category or type of vulnerability. For a list of the categories that each Security Command Center service detects, see the following:
  • Recommendation: a summary of how to remediate the finding. For more information, see remediating Security Health Analytics findings.
  • Active: the total number of findings in the category.
  • Standards: the compliance benchmark that the finding category applies to, if any. For more information about benchmarks, see Vulnerabilities findings.

Filtering vulnerability findings

A large organization might have many vulnerability findings across its deployment to review, triage, and track. By using the filters that are available on the Security Command Center Vulnerabilities and Findings pages in the Google Cloud console, you can focus on the highest-severity vulnerabilities across your organization, and review vulnerabilities by asset type, project, and more.

For more information about filtering vulnerability findings, see Filter vulnerability findings in Security Command Center.
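The console filters described above, and the attack-exposure ranking behind the Top vulnerability findings card on the Risk overview page, are also easy to reproduce on exported findings, which is useful when you want to triage offline or feed a ticketing system. The following is an added example, not code from the product or its documentation. The sample findings are constructed records in the shape of Security Command Center v1 `Finding` resources (field names such as `severity`, `state`, `resourceName` and `attackExposure.score` are from that API; the resource and project names are invented). The `api_filter` helper emits the equivalent server-side filter string; its grammar (`field="value"` joined by `AND`/`OR`) is taken from the ListFindings filter documentation and should be checked against it before you rely on it.

```python
"""Triage vulnerability findings the way the console filters do: keep only
ACTIVE findings, narrow by severity, project and owning service, and rank by
attack exposure score. Added example; SAMPLE_FINDINGS is constructed data."""
import re

# Constructed sample findings (not real data). attackExposure.score is only
# populated in the Premium tier; Standard-tier findings lack the field.
SAMPLE_FINDINGS = [
    {"name": "organizations/123/sources/1/findings/f1",
     "category": "PUBLIC_IP_ADDRESS", "severity": "HIGH", "state": "ACTIVE",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//compute.googleapis.com/projects/prod-api/zones/us-central1-a/instances/web-1",
     "attackExposure": {"score": 8.7}},
    {"name": "organizations/123/sources/2/findings/f2",
     "category": "OS_VULNERABILITY", "severity": "CRITICAL", "state": "ACTIVE",
     "findingClass": "VULNERABILITY",
     "resourceName": "//compute.googleapis.com/projects/prod-api/zones/us-central1-a/instances/web-1",
     "attackExposure": {"score": 9.4}},
    {"name": "organizations/123/sources/1/findings/f3",
     "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//storage.googleapis.com/projects/_/buckets/logs-bucket",
     "attackExposure": {"score": 3.1}},
    {"name": "organizations/123/sources/1/findings/f4",
     "category": "OPEN_SSH_PORT", "severity": "MEDIUM", "state": "INACTIVE",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//compute.googleapis.com/projects/sandbox/global/firewalls/allow-ssh"},
    {"name": "organizations/123/sources/1/findings/f5",
     "category": "SQL_PUBLIC_IP", "severity": "HIGH", "state": "ACTIVE",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//sqladmin.googleapis.com/projects/sandbox/instances/db-1",
     "attackExposure": {"score": 5.0}},
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
_PROJECT_RE = re.compile(r"/projects/([^/]+)/")
_SERVICE_RE = re.compile(r"^//([a-z]+)\.googleapis\.com/")


def project_of(finding):
    """Project ID embedded in resourceName; None when absent or '_' (bucket names
    carry no project in their full resource name)."""
    m = _PROJECT_RE.search(finding["resourceName"])
    return None if not m or m.group(1) == "_" else m.group(1)


def service_of(finding):
    """API service that owns the resource: compute, storage, sqladmin, ..."""
    m = _SERVICE_RE.match(finding["resourceName"])
    return m.group(1) if m else None


def filter_findings(findings, *, min_severity="LOW", state="ACTIVE",
                    project=None, service=None):
    """Client-side equivalent of the Vulnerabilities/Findings page filters."""
    out = []
    for f in findings:
        if state and f["state"] != state:
            continue
        if SEVERITY_RANK.get(f["severity"], 0) < SEVERITY_RANK[min_severity]:
            continue
        if project and project_of(f) != project:
            continue
        if service and service_of(f) != service:
            continue
        out.append(f)
    return out


def top_by_attack_exposure(findings, n=10):
    """Mirror the Top vulnerability findings card: highest score first among
    ACTIVE findings; unscored findings sort last rather than crashing."""
    active = [f for f in findings if f["state"] == "ACTIVE"]
    key = lambda f: f.get("attackExposure", {}).get("score", -1.0)
    return sorted(active, key=key, reverse=True)[:n]


def api_filter(min_severity="LOW", state="ACTIVE"):
    """Server-side filter string for the same severity/state selection
    (assumed v1 ListFindings grammar: field="value", AND, OR)."""
    sevs = sorted((s for s, r in SEVERITY_RANK.items()
                   if r >= SEVERITY_RANK[min_severity]),
                  key=SEVERITY_RANK.get, reverse=True)
    clause = " OR ".join(f'severity="{s}"' for s in sevs)
    return f'state="{state}" AND ({clause})'


if __name__ == "__main__":
    for f in top_by_attack_exposure(filter_findings(SAMPLE_FINDINGS, min_severity="HIGH"), 3):
        print(f["category"], project_of(f), f["attackExposure"]["score"])
    print(api_filter("HIGH"))
```

The `state="ACTIVE"` default matters: the console counts only active findings on its cards, so an export that forgets it will overstate the backlog with findings that were already fixed or muted.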

Compliance page

The Compliance page helps you assess and take action on compliance with common security standards or benchmarks. The page shows all benchmarks that Security Command Center supports and the percentage of passing benchmark controls.

For each benchmark, you can open a Compliance details page that provides additional details about which controls Security Command Center checks, the number of violations detected for each control, and provides the option to export a compliance report for that benchmark.

Security Command Center vulnerability scanners monitor for violations of common compliance controls based on a best-effort mapping provided by Google. Security Command Center compliance reports are not a replacement for a compliance audit, but they can help you maintain your compliance status and catch violations early.

For more information about how Security Command Center supports compliance management, see Manage compliance.

Assets page

The Assets page provides a detailed display of all Google Cloud resources, also called assets, in your project or organization.

For more information about how to work with assets on the Assets page, see Work with resources in the console.

Findings page

On the Findings page, you can query, review, mute, and mark Security Command Center findings, the records that Security Command Center services create when they detect a security issue in your environment. For more information about how to work with findings on the Findings page, see Review and manage findings.

Sources page

The Sources page contains cards that provide a summary of assets and findings from the security sources you have enabled. The card for each security source shows some of the findings from that source. You can click the finding category name to view all findings in that category.

Findings summary

The Findings Summary card displays a count of each category of finding that your enabled security sources provide.

  • To view details about the findings from a specific source, click the source name.
  • To view details about all findings, go to the Findings page, where you can group findings or view details about an individual finding.

Source summaries

Below the Findings Summary card, cards appear for any built-in, integrated, and third-party sources you have enabled. Each card provides counts of active findings for that source.

Posture page

On the Posture page, you can view details about the security postures that you created in your organization and apply the postures to an organization, folder, or project. You can also view the available predefined posture templates.

What's next