Activate the Security Command Center Enterprise tier

The Security Command Center Enterprise tier provides security enhancements including the following:

• advanced security operations using Google Security Operations.
• integrations with other Google Cloud products, such as Mandiant Attack Surface Management, Sensitive Data Protection, and Assured OSS.
• multi-cloud support.
• risk analysis.

For a description of the Enterprise tier features, see Security Command Center overview.

You complete the activation process for the Enterprise tier using the setup guide in the Google Cloud console. After the initial mandatory tasks, you can complete additional tasks to set up the optional features that your organization requires.

For information about pricing and getting a subscription, see Security Command Center pricing.

For instructions on activating Security Command Center at another tier, see Activate the Security Command Center Standard tier or Premium tier for an organization.

Before you begin

Complete the following before you activate Security Command Center for the first time:

1. Plan for the activation
2. Create an organization
3. Create the management project
4. Configure permissions and APIs
5. Configure notification contacts

Plan for the activation

This section describes decisions and information you need to prepare for the activation.

Determine the support contact

When you activate a new Google SecOps instance, you provide your company name and an email address of a point of contact. Identify a point of contact from your organization. This configuration is not related to Essential Contacts.

Choose the Google SecOps configuration

During activation, you connect Security Command Center Enterprise to a Google SecOps instance.

• You can connect to an existing instance.

• You can provision and connect to a new instance. You can provision and connect to a new instance even if you have an existing instance.

Connect to an existing instance

You can't connect Security Command Center Enterprise to an existing Google SecOps SIEM standalone or Google SecOps SOAR standalone instance. If you have questions about the type of Google SecOps instance you have, contact your Google Cloud sales representative.

When you select an existing Google SecOps instance, the Connect to a SecOps instance page provides a link to the instance so you can verify your selection. You must have access to that instance to verify it. You need at least the Chronicle API Restricted Data Access Viewer (roles/chronicle.restrictedDataAccessViewer) role on the management project to sign in to the instance.

Provision a new instance

When you provision a new instance, only the new instance is associated with Security Command Center. When using Security Command Center, you navigate between Google Cloud console and the newly provisioned Security Operations console.

During activation, you specify the location where the new Google SecOps instance is to be provisioned. For a list of supported regions and multi-regions, see SecOps Services Locations Page. This location applies to only Google SecOps, and not other Security Command Center features or services.

Each Google SecOps instance must have a dedicated management project that you own and manage. This project must be in the same organization where you activate Security Command Center Enterprise. You can't use the same management project for multiple Google SecOps instances.

When you have an existing Google SecOps instance and provision a new instance for Security Command Center Enterprise, both instances use the same configuration for the direct ingestion of Google Cloud data. The same configuration settings control the ingestion to both Google SecOps instances and they receive the same data.

During activation of Security Command Center Enterprise, the activation process modifies the Google Cloud log ingestion settings to set all data type fields to enabled: Google Cloud Logging, Cloud Asset Metadata, and Security Command Center Premium findings. The export filter settings are not changed. Security Command Center Enterprise requires these data types for all features to function as designed. You can change the Google Cloud log ingestion settings after activation is complete.

Create an organization

Security Command Center requires an organization resource that is associated with a domain. If you haven't created an organization, see Creating and managing organizations.

If you have multiple organizations, identify which organizations you will activate Security Command Center Enterprise in. You must follow these activation steps for each organization where you plan to activate Security Command Center Enterprise.

Create a management project

Security Command Center Enterprise requires a project, which is called the management project, to enable Google SecOps and Mandiant Attack Surface Management integration. We recommend that you use this project exclusively for Security Command Center Enterprise.

If you enabled Google SecOps previously, and you want to connect to the existing instance, use the existing management project that is connected to Google SecOps.

If you plan to provision a new Google SecOps instance, create a new management project that is dedicated to the new instance. Don't reuse a management project that is connected to another Google SecOps instance.

Learn more about creating and managing projects.

Configure permissions and APIs

This section lists the Identity and Access Management roles that you need to set up Security Command Center Enterprise and describes how to grant them on the organization and the management project. It also describes how to enable all APIs required by Security Command Center Enterprise tier. Learn more about Security Command Center roles and Google Cloud APIs.

Configure permissions on the organization

Make sure that you have the following role or roles on the organization:

• Organization Administrator (roles/resourcemanager.organizationAdmin)
• Cloud Asset Owner (roles/cloudasset.owner)
• Security Center Admin (roles/securitycenter.admin)
• Security Admin (roles/iam.securityAdmin)
• Chronicle Service Viewer (roles/chroniclesm.viewer)

Check for the roles

1. In the Google Cloud console, go to the IAM page.

   Go to IAM
2. Select the organization.

3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

4. For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.

Grant the roles

1. In the Google Cloud console, go to the IAM page.

   Go to IAM
2. Select the organization.
3. Click person_add Grant access.

4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

5. In the Select a role list, select a role.
6. To grant additional roles, click add Add another role and add each additional role.
7. Click Save.

Configure permissions and enable APIs on the management project

1. In Google Cloud console, verify that you are viewing the organization that you want to activate the Security Command Center Enterprise tier on.
2. Select the management that project you created previously.

3. Make sure that you have the following role or roles on the project:

   • Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
   • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
   • Chronicle API Admin (roles/chronicle.admin)
   • Chronicle Service Admin (roles/chroniclesm.admin)
   • Chronicle SOAR Admin (roles/chronicle.soarAdmin)
   • Service Account Key Admin (roles/iam.serviceAccountKeyAdmin)
   • Service Account Admin (roles/iam.serviceAccountAdmin)

   Check for the roles

   1. In the Google Cloud console, go to the IAM page.

      Go to IAM
   2. Select the project.

   3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

   4. For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.

   Grant the roles

   1. In the Google Cloud console, go to the IAM page.

      Go to IAM
   2. Select the project.
   3. Click person_add Grant access.

   4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

   5. In the Select a role list, select a role.
   6. To grant additional roles, click add Add another role and add each additional role.
   7. Click Save.

4. Enable the Cloud Asset, Cloud Pub/Sub, Cloud Resource Manager, Compute Engine, Policy Analyzer, and Recommender APIs.

   Enable the APIs

Configure notification contacts

Configure your Essential Contacts so that your security administrators can receive important notifications. For instructions, see Managing contacts for notifications.

Activate the Security Command Center Enterprise tier

The activation process automatically configures the service accounts, permissions, and services included with Security Command Center Enterprise. You can connect to an existing Google SecOps Standard, Enterprise, or Enterprise Plus instance or provision a new one.

1. On the Google Cloud console, go to the Security Command Center Risk Overview page.

   Go to Security Command Center

2. Verify that you are viewing the organization that you want to activate the Security Command Center Enterprise tier on.

3. On the Security Command Center page, click Get Security Command Center.

4. On the Get started with Security Command Center Enterprise page, review the service accounts and APIs that will be configured, and then click Activate Enterprise.

   • To view the service accounts that will be created, click View service accounts and permissions.
   • To view APIs that will be enabled, click View Security Command Center Enterprise APIs.
   • To view the terms and conditions, click Security Command Center Enterprise terms and conditions.

   If you don't see the Get started with Security Command Center Enterprise page, contact Google Cloud sales to verify that your subscription entitlement is active.

   The next page displays a different view depending on your environment.

   • If you have an existing Google SecOps instance, you are prompted to use the existing one or create a new one. Continue with step 5 to choose the instance type.

   • If you don't have an existing Google SecOps instance, continue with step 6 to create a new Google SecOps instance.

5. Choose one of the following to create a new instance or use an existing instance.

   • Select Yes, connect to an existing Google Security Operations instance for me, and then choose an instance from the menu. Continue with step 7 to start the activation.

     The menu displays Google SecOps instances that are associated with the organization where you are activating Security Command Center Enterprise. Each item includes the Google SecOps customer ID, the region where it is provisioned, and the Google Cloud project name that it is associated with. You cannot select an instance that is incompatible with Security Command Center Enterprise.

     The page provides a link to the selected Google SecOps instance so you can verify it. If you get an error when opening the instance, check that you have the required IAM permissions to access the instance.

   • Select No, create a new Google Security Operations instance, and then continue with step 6 to create a new Google SecOps instance.

6. To create a new Google SecOps instance, provide additional setup details.

   1. Specify your company contact information.

      • Technical support contact: enter an individual email address or group email address.
      • Company name: enter your company name.

   2. Select the Location type where Google Security Operations will be provisioned.

      • Region: select a single region.
      • Multi-region: select a multi-regional location.

      This location is used for only Google SecOps, and not for other Security Command Center features. For a list of supported regions and multi-regions, see SecOps Services Locations Page.

   3. Click Next, and then select the dedicated Management project. You created the dedicated management project in a previous step.

      If you select a project that is linked to an existing Google SecOps instance, you will get an error when you start the activation.

   4. Continue with step 7 to start the activation.

7. Click Activate. The Setup guide page and the provisioning status displays. It can take some time before your security operations features are ready and findings become available.

You can use the setup guide in the Google Cloud console to configure additional features.

Configure additional Security Command Center features

The setup guide in the Google Cloud console consists of six steps and additional configuration recommendations. You complete the first two steps when you activate Security Command Center. You can complete the remaining steps and recommendations over time, as required by your organization.

1. On the Google Cloud console, go to the Security Command Center Risk Overview page.

   Go to Overview

2. Navigate to settings Settings > Tier Detail.

3. Verify that you are viewing the organization that you activated the Security Command Center Enterprise tier on.

4. Click View setup guide.

5. If you're using Amazon Web Services (AWS) and want to connect Security Command Center to AWS for vulnerability and risk assessment, click Step 3: Set up Amazon Web Services (AWS) integration. For instructions, see Connect to AWS for vulnerability detection and risk assessment.

6. To add users and groups to perform security operations, click Step 4: Set up users and groups. For instructions, see Control access to SecOps features using IAM.

7. To configure security orchestration, automation, and response (SOAR), click Step 5: Configure integrations. Depending on the setup of your Google Security Operations instance, your use case might already be installed. If it's not installed, contact your account representative or Google Cloud sales. To integrate with ticketing systems, see Integrate Security Command Center Enterprise with ticketing systems.

8. To configure data ingestion into the security information and event management (SIEM), click Step 6: Configure log ingestion. Configuring data ingestion is required to enable capabilities like curated detections and cloud infrastructure entitlement management. For instructions, see Connect to AWS for log ingestion.

9. To monitor for sensitive data in your Google Cloud organization, click Set up sensitive data protection. For instructions, see Enable sensitive data discovery.

10. To enhance your code security, click Set up code security. For instructions, see Integrate with Assured OSS for code security.

What's next

• Learn how to work with Security Command Center findings.
• Learn about Google Cloud security sources.
• Investigate threats with Google Security Operations curated detections.