Security Command Center is offered in three service tiers: Standard, Premium, and Enterprise. Each tier determines the features and services that are available to you in Security Command Center. A short description of each service tier follows:
- Standard. Basic security posture management for Google Cloud only. The Standard tier can be activated at the project or organization level. Best for Google Cloud environments with minimal security requirements.
- Premium. Everything in Standard, plus security posture management, attack paths, threat detection, and compliance monitoring for Google Cloud only. The Premium tier can be activated at the project or organization level. Best for Google Cloud customers who need pay-as-you-go billing.
- Enterprise. Complete multi-cloud CNAPP security that helps you to triage and remediate your most critical issues. Includes most of the services that are in Premium. The Enterprise tier can only be activated at the organization level. Best for helping to protect Google Cloud, AWS, and Azure.
The Standard tier is offered at no additional charge, while the Premium and Enterprise tiers have different pricing structures. For more information, see Security Command Center pricing.
For a list of services included in each tier, see Service tier comparison.
For the Google SecOps features supported with the Security Command Center Enterprise tier, see Google Security Operations feature limits in Security Command Center Enterprise.
Service tier comparison
| Service | Service tier | ||
|---|---|---|---|
| Standard | Premium | Enterprise | |
|
Vulnerability detection |
|||
| Security Health Analytics | |||
|
Managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. |
|||
| Compliance monitoring. Security Health Analytics detectors map to the controls of common security benchmarks like NIST, HIPAA, PCI-DSS, and CIS. | |||
| Custom module support. Create your own custom Security Health Analytics detectors. | |||
| Web Security Scanner | |||
| Custom scans. Schedule and run custom scans on deployed Compute Engine, Google Kubernetes Engine, or App Engine web applications that have public URLs and IP addresses and aren't behind firewalls. | |||
| Additional OWASP Top Ten detectors | |||
| Managed scans. Scan public web endpoints for vulnerabilities weekly, with scans configured and managed by Security Command Center. | |||
| Virtual red teaming | |||
| Virtual red teaming, performed by running Attack Path Simulations, helps you to identify and prioritize vulnerability and misconfiguration findings by identifying the paths that a potential attacker could take to reach your high-value resources. | 2 | ||
| Mandiant CVE assessments | |||
| CVE assessments are grouped by their exploitability and potential impact. You can query findings by CVE ID. | |||
| Other vulnerability services | |||
| Anomaly Detection1. Identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining. | 2 | 2 | |
| Container image vulnerability findings (Preview). Automatically write findings to Security Command Center from Artifact Registry scans that detect vulnerable container images deployed to specific assets. | |||
| GKE security posture dashboard findings (Preview). View findings about Kubernetes workload security misconfigurations, actionable security bulletins, and vulnerabilities in the container operating system or in language packages. | |||
| Sensitive Data Protection1 discovery. Discovers, classifies, and helps protect sensitive data. | 3 | 3 | |
| VM Manager1 vulnerability reports (Preview). If you enable VM Manager, it automatically writes findings from its vulnerability reports to Security Command Center. | 2 | ||
|
Expanded detection of software vulnerabilities and containers across cloud environments, with the following built-in and integrated services:
|
|||
|
Mandiant Attack Surface Management. Discovers and analyzes your internet assets across environments, while continually monitoring the external ecosystem for exploitable exposures. |
|||
| Toxic combinations. Detects groups of risks that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources. | |||
|
Threat detection and response |
|||
| Google Cloud Armor1. Protects Google Cloud deployments against threats such as distributed denial-of-service (DDoS) attacks, cross-site scripting (XSS), and SQL injection (SQLi). | 2 | 2 | |
| Sensitive Actions Service. Detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they are taken by a malicious actor. | |||
|
Container Threat Detection. Detects runtime attacks in Container-Optimized OS node images. |
|||
|
Cloud Run Threat Detection. Detects runtime attacks in Cloud Run containers. (Preview) |
|||
| Event Threat Detection. Monitors Cloud Logging and Google Workspace, using threat intelligence, machine learning, and other advanced methods to detect threats, such as malware, cryptocurrency mining, and data exfiltration. | |||
| Virtual Machine Threat Detection. Detects potentially malicious applications running in VM instances. | |||
| Google SecOps security information and event management (SIEM). Scan logs and other data for threats across multiple cloud environments, define threat detection rules, and search the accumulated data. See also Google Security Operations feature limits in Security Command Center Enterprise. | |||
| Google SecOps security orchestration, automation, and response (SOAR). Manage cases, define response workflows, and search the response data. See also Google Security Operations feature limits in Security Command Center Enterprise. | |||
| Mandiant Hunt. Rely on Mandiant experts to provide continual threat hunting to expose attacker activity and reduce impact to your business. | 3 | ||
|
Postures and policies |
|||
| Binary Authorization1. Implement software supply-chain security measures when you develop and deploy container-based applications. Monitor and limit the deployment of container images. | 2 | 2 | |
| Policy Controller1. Enables the application and enforcement of programmable policies for your Kubernetes clusters. | 2 | 2 | |
| Cyber Insurance Hub1. Profile and generate reports for your organization's technical risk posture. | 2 | 2 | |
|
Policy Intelligence. Additional features for Security Command Center Premium and Enterprise users, including the following:
|
|||
| Security posture. Define and deploy a security posture to monitor the security status of your Google Cloud resources. Address posture drift and unauthorized changes to the posture. On the Enterprise tier, you can also monitor your AWS environment. | 2 | ||
| Cloud Infrastructure Entitlement Management (CIEM). Identify principal accounts (identities) that are misconfigured or that are granted excessive or sensitive IAM permissions to your cloud resources. | |||
|
Data management |
|||
| Data residency | |||
| Data residency controls that restrict the storage and processing of Security Command Center findings, mute rules, continuous exports, and BigQuery exports to one of the data residency multi-regions that Security Command Center supports. | 2 | 2 | |
| Findings export | |||
| BigQuery exports | |||
| Pub/Sub continuous exports | |||
|
Other features |
|||
|
Infrastructure as code (IaC) validation. Validate against organization policies and Security Health Analytics detectors. |
2 | ||
|
Assured Open Source Software. Take advantage of the security and experience that Google applies to open source software by incorporating the same packages that Google secures and uses into your own developer workflows. |
|||
|
Audit Manager. A compliance audit solution that evaluates your resources against select controls from multiple compliance frameworks. Security Command Center Enterprise users get access to the Premium tier of Audit Manager at no extra cost. |
|||
|
Multicloud support. Connect Security Command Center to other cloud providers to detect threats, vulnerabilities, and misconfigurations. Assess attack exposure scores and attack paths on external cloud high value resources. Supported cloud providers: AWS, Azure. |
|||
- This is a Google Cloud service that integrates with organization-level activations of Security Command Center to provide findings. One or more features of this service might be priced separately from Security Command Center.
- Requires an organization-level activation for the Standard and Premium tiers.
- Not activated by default. For more information and pricing details, contact your sales representative or Google Cloud partner.
Google Security Operations feature limits in Security Command Center Enterprise
The Security Command Center Enterprise tier offers additional features compared to the Standard and Premium tiers, including a selection of Google Security Operations features and the ability to ingest data from other cloud providers. These features make Security Command Center a full cloud-native application protection platform (CNAPP), and are available in the Security Operations console.
The Google Security Operations features in the Security Command Center Enterprise tier have different limits to those found in the Google Security Operations plans. These limits are described in the following table.
| Feature | Limits |
|---|---|
| Applied Threat Intelligence | No access |
| Curated detections | Limited to detecting cloud threats, including Google Cloud and AWS |
| Custom rules | 20 custom single-event rules, multi-event rules aren't supported. |
| Data retention | 3 months |
| Gemini for Google Security Operations | Limited to natural language search and case investigation summaries |
| Google SecOps security information and event management (SIEM) | Cloud data only. |
| Google SecOps security orchestration, automation, and response (SOAR) | Cloud response integrations only. For the list of supported integrations, see Supported Google Security Operations integrations |
| Log ingestion |
Limited to logs that are supported for cloud threat detection. For the list, see Supported log data collection in Google SecOps |
| Risk analytics | No access |
Supported Google Security Operations integrations
The following sections list the Google Security Operations Marketplace integrations that are supported with Security Command Center Enterprise. They are listed in separate columns in the following table.
Packaged and preconfigured integrations: are included in the SCC Enterprise - Cloud Orchestration and Remediation use case and are preconfigured to support cloud-native application protection platform (CNAPP) use cases. They are available when you activate Security Command Center Enterprise and update the Enterprise use case.
Configurations in the SCC Enterprise - Cloud Orchestration and Remediation use case include, as an example, dedicated playbooks that use Jira and ServiceNow with predefined handling of response cases. The integrations are preconfigured to support all cloud providers that Security Command Center Enterprise supports.
Downloadable integrations: with Security Command Center Enterprise, you can download the following integrations and use them in a playbook. The versions that you download from Google Security Operations Marketplace are not configured specifically for Security Command Center Enterprise and require additional manual configuration.
Each integration is listed by name. For information about a specific integration, see Google Security Operations Marketplace integrations.
Type of application or information |
Packaged and preconfigured integrations |
Downloadable integrations |
|---|---|---|
Google Cloud and Google Workspace integrations |
|
|
Amazon Web Services integrations |
|
|
Microsoft Azure and Office365 integrations |
|
|
IT service management (ITSM)-related applications |
|
|
Communication-related applications |
|
|
Threat intelligence |
|
|
| * Integration is not packaged in the SCC Enterprise - Cloud Orchestration and Remediation use case | ||
Supported Google SecOps log data collection
The following sections describe the type of log data that customers with Security Command Center Enterprise can ingest directly to the Google Security Operations tenant. This data collection mechanism is different than the AWS connector in Security Command Center that collects resource and configuration data.
The information is grouped by cloud provider.
- Google Cloud log data
- Amazon Web Services log data
- Microsoft Azure log data
For each type of log listed, the Google SecOps ingestion label
is provided, for example GCP_CLOUDAUDIT. See
Supported log types and default parsers
for a complete list of Google SecOps ingestion labels.
Google Cloud
The following Google Cloud data can be ingested to Google SecOps:
- Cloud Audit Logs (
GCP_CLOUDAUDIT) - Cloud Intrusion Detection System (
GCP_IDS) - Cloud Next Generation Firewall (
GCP_NGFW_ENTERPRISE) - Cloud Asset Inventory metadata
- Sensitive Data Protection context
- Model Armor logs
The following must also be enabled and routed to Cloud Logging:
- AlloyDB for PostgreSQL Data Access audit logs
- Cloud DNS logs
- Cloud NAT logs
- Cloud Run
- Cloud SQL for SQL Server Data Access audit logs
- Cloud SQL for MySQL Data Access audit logs
- Cloud SQL for PostgreSQL Data Access audit logs
- Compute Engine VM authlogs
- External Application Load Balancer backend service logs
- Generic Data Access audit logs
- Google Kubernetes Engine Data Access audit logs
- Google Workspace Admin Audit logs
- Google Workspace Login Audit logs
- IAM Data Access audit logs
- Sensitive Data Protection context
- Model Armor logs
- AuditD logs
- Windows event logs
For information about how to collect logs from Linux and Windows VM instances and send to Cloud Logging, see Google Cloud Observability agents.
The Security Command Center Enterprise activation process automatically configures the ingestion of Google Cloud data to Google SecOps. For more information about this, see Activate the Security Command Center Enterprise tier > Provision a new instance.
For information about how to modify the Google Cloud data ingestion configuration, see Ingest Google Cloud data to Google Security Operations.
Amazon Web Services
The following AWS data can be ingested to Google SecOps:
- AWS CloudTrail (
AWS_CLOUDTRAIL) - AWS GuardDuty (
GUARDDUTY) - AWS EC2 HOSTS (
AWS_EC2_HOSTS) - AWS EC2 INSTANCES (
AWS_EC2_INSTANCES) - AWS EC2 VPCS (
AWS_EC2_VPCS) - AWS Identity and Access Management (IAM) (
AWS_IAM)
For information about collecting AWS log data and using curated detections, see Connect to AWS for log data collection.
Microsoft Azure
The following Microsoft data can be ingested to Google SecOps:
- Microsoft Azure Cloud Services (
AZURE_ACTIVITY). See Ingest Microsoft Azure activity logs for information about how to set up data collection. - Microsoft Entra ID, previously Azure Active Directory (
AZURE_AD). See Collect Microsoft Azure AD logs for information about how to set up data collection. - Microsoft Entra ID audit logs, previously Azure AD audit logs (
AZURE_AD_AUDIT). See Collect Microsoft Azure AD logs for information about how to set up data collection. - Microsoft Defender for Cloud (
MICROSOFT_GRAPH_ALERT). See Collect Microsoft Graph API alert logs for information about how to set up data collection.
For information about collecting Azure log data and using curated detections, see Connect to Microsoft Azure for log data collection.