Activate the Security Command Center Enterprise tier

The Security Command Center Enterprise tier provides security enhancements such as advanced security operations, integrations with other Google Cloud products such as Sensitive Data Protection and Assured OSS, multi-cloud support, and risk analysis. For a description of the Enterprise tier features, see Security Command Center overview.

You complete the activation process for the Enterprise tier using the setup guide in the Google Cloud console. After the initial mandatory tasks, you can complete additional tasks to set up the optional features that your organization requires.

For information about pricing and getting a subscription, see Security Command Center pricing.

For instructions on activating Security Command Center at another tier, see Activate the Security Command Center Standard tier or Premium tier for an organization.

Before you begin

Complete the following tasks before you start the activation steps on this page.

Create an organization

Security Command Center requires an organization resource that is associated with a domain. If you haven't created an organization, see Creating and managing organizations.

Set up permissions

This section lists the Identity and Access Management roles that you need to set up Security Command Center and describes how to grant them.

  1. Make sure that you have the following role or roles on the organization: Organization Admin, Cloud Asset Owner, Security Center Admin, Security Admin, Create Service Accounts, and Chronicle Service Admin.

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the organization.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles granted directly on the organization (roles that you hold through a group appear in the group's row, not yours).

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the organization.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Learn more about Security Command Center roles.

Verify organization policies

If your organization policies are set to restrict identities by domain, consider the following:

  • You must be signed in to the Google Cloud console on an account that's in an allowed domain.
  • Your service accounts must be in an allowed domain or be members of a group within your domain. Adding a service account to a group in your domain is what lets services that use an @*.gserviceaccount.com service account access your resources while domain restricted sharing is enabled.

If your organization policies are set to restrict resource usage, verify that securitycenter.googleapis.com is permitted.

Create the management project

Security Command Center Enterprise requires a project, which is called the management project, to enable its security operations and Mandiant integration.

If you enabled Google SecOps previously, you can use your existing management project. Otherwise, create a new one. Verify the roles and APIs on the project.

  1. In the Google Cloud console, go to the project selector page.

  2. Select or create a Google Cloud project.

  3. Enable the Cloud Asset, Cloud Pub/Sub, Cloud Resource Manager, Compute Engine, Policy Analyzer, and Recommender APIs.

  4. Make sure that you have the following role or roles on the project: Service Usage Admin, Create Service Accounts, Service Account Token Creator, Chronicle Service Admin, Chronicle SOAR Admin, Service Account Key Admin, and Service Account Admin.

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the project.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles granted directly on the project (roles that you hold through a group appear in the group's row, not yours).

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
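
The role checks above, for the organization under Set up permissions and for the management project in this section, can also be done from the gcloud CLI, together with enabling the required APIs. The following shell script is an added example and is not part of the original page. The role IDs are my mapping of the role display names that this page lists (an assumption to verify against the IAM roles reference); the organization ID, project ID, and email address in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): verify and grant the IAM roles
# that this page requires, from the gcloud CLI instead of the console.
# Assumption: the role IDs below are my mapping of the role display names on
# this page. Resource IDs and email addresses are placeholders.

# Roles required on the organization (section "Set up permissions").
ORG_REQUIRED="roles/resourcemanager.organizationAdmin \
roles/cloudasset.owner \
roles/securitycenter.admin \
roles/iam.securityAdmin \
roles/iam.serviceAccountCreator \
roles/chronicle.admin"

# Roles required on the management project (section "Create the management project").
PROJECT_REQUIRED="roles/serviceusage.serviceUsageAdmin \
roles/iam.serviceAccountCreator \
roles/iam.serviceAccountTokenCreator \
roles/chronicle.admin \
roles/chronicle.soarAdmin \
roles/iam.serviceAccountKeyAdmin \
roles/iam.serviceAccountAdmin"

# APIs required on the management project.
MANAGEMENT_APIS="cloudasset.googleapis.com pubsub.googleapis.com \
cloudresourcemanager.googleapis.com compute.googleapis.com \
policyanalyzer.googleapis.com recommender.googleapis.com"

# missing_roles REQUIRED GRANTED
# Prints each role in REQUIRED that is absent from GRANTED, one per line.
# Both arguments are space-separated lists. Pure string logic, no gcloud.
missing_roles() {
  for r in $1; do
    found=0
    for g in $2; do
      if [ "$g" = "$r" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then echo "$r"; fi
  done
  return 0
}

# granted_roles RESOURCE_TYPE RESOURCE_ID EMAIL
# Lists roles bound directly to user:EMAIL on an organization or project
# (RESOURCE_TYPE is "organizations" or "projects"). Only direct bindings are
# returned: a role you hold through a group membership will not appear.
granted_roles() {
  gcloud "$1" get-iam-policy "$2" \
    --flatten="bindings[].members" \
    --filter="bindings.members:user:$3" \
    --format="value(bindings.role)" | tr '\n' ' '
}

# check_roles RESOURCE_TYPE RESOURCE_ID EMAIL REQUIRED
# Prints the missing roles and returns 1 if any are missing, 0 otherwise.
check_roles() {
  missing=$(missing_roles "$4" "$(granted_roles "$1" "$2" "$3")")
  if [ -n "$missing" ]; then
    echo "Missing on $1/$2 for $3:"
    echo "$missing"
    return 1
  fi
  echo "All required roles are bound on $1/$2 for $3"
}

# grant_roles RESOURCE_TYPE RESOURCE_ID EMAIL ROLES
# Binds each role in ROLES to user:EMAIL. Pass it the output of
# missing_roles so that only the absent roles are added.
grant_roles() {
  for r in $4; do
    gcloud "$1" add-iam-policy-binding "$2" \
      --member="user:$3" --role="$r" --quiet >/dev/null
  done
}

# enable_management_apis PROJECT_ID
# Enables the APIs that the management project needs.
enable_management_apis() {
  # shellcheck disable=SC2086
  gcloud services enable $MANAGEMENT_APIS --project="$1"
}

# Usage (placeholders: replace the organization ID, project ID and address):
#   check_roles organizations 123456789012 admin@example.com "$ORG_REQUIRED" \
#     || grant_roles organizations 123456789012 admin@example.com \
#          "$(missing_roles "$ORG_REQUIRED" "$(granted_roles organizations 123456789012 admin@example.com)")"
#   enable_management_apis scc-management-project
#   check_roles projects scc-management-project admin@example.com "$PROJECT_REQUIRED"
```

Because granted_roles reads only direct bindings, a principal that holds a role through a group is reported as missing; check the group's bindings before granting duplicates. Several of the required roles (Organization Admin, Security Admin, Service Account Key Admin) are highly privileged, so grant them to the principal that performs the activation and review the bindings once provisioning completes.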

Obtain your Google Security Operations access code

If you already have an instance of Google SecOps, you can use an access code during activation to connect the Security Command Center Enterprise tier to it. Contact Google Cloud sales to obtain your access code.

Configure notification contacts

Configure your Essential Contacts so that your security administrators can receive important notifications. For instructions, see Managing contacts for notifications.

Activate the Security Command Center Enterprise tier for the first time

  1. In the Google Cloud console, go to the Security Command Center Risk Overview page.

  2. Verify that you are viewing the organization that you want to activate the Security Command Center Enterprise tier on.

  3. In the Get started with Security Command Center Enterprise page, click Activate Enterprise. This option automatically creates the service accounts and roles for all services included with the Security Command Center Enterprise tier, including Google Security Operations and Mandiant. To review the service accounts and roles that will be created before you proceed, click View service accounts and permissions.

    If you don't see the Get started with Security Command Center Enterprise page, contact Google Cloud sales to verify that your subscription entitlement is active.

  4. Select the management project and click Next.

  5. Click Enable API and click Next.

  6. Complete one of the following:

    • If you have a Google SecOps instance enabled, select Yes, connect to an existing Chronicle instance and paste your access code.
    • If you don't have Google SecOps, select No, create a new Chronicle instance for me. Enter your contact and company information, and select the region where you want to enable Google SecOps. This region applies only to Google SecOps, not to other Security Command Center features.
  7. Click Activate. You are returned to the Risk Overview page, and the provisioning status displays. It can take some time before your security operations features are ready and findings become available.

You can use the setup guide in the Google Cloud console to configure additional features.

Configure additional Security Command Center features

The setup guide in the Google Cloud console consists of six steps and additional configuration recommendations. You complete the first two steps when you activate Security Command Center. You can complete the remaining steps and recommendations over time, as required by your organization.

  1. In the Google Cloud console, go to the Security Command Center Risk Overview page.

  2. Navigate to Settings > Tier Detail.

  3. Verify that you are viewing the organization that you activated the Security Command Center Enterprise tier on.

  4. Click View setup guide.

  5. If you're also using Amazon Web Services (AWS) and want to connect Security Command Center to AWS for vulnerability and risk assessment, click Step 3: Set up Amazon Web Services (AWS) integration. For instructions, see Connect to AWS for vulnerability detection and risk assessment.

  6. To add users and groups to perform security operations, click Step 4: Set up users and groups. For instructions, see Control access to SecOps features using IAM.

  7. To configure security orchestration, automation, and response (SOAR), click Step 5: Configure integrations. Depending on the setup of your Google Security Operations instance, your use case might already be installed. If it's not installed, contact your account representative or Google Cloud sales. To integrate with ticketing systems, see Integrate Security Command Center Enterprise with ticketing systems.

  8. To configure log ingestion into the security information and event management (SIEM) system, click Step 6: Configure log ingestion. For instructions, see Connect SecOps to AWS for threat detection.

  9. To monitor for sensitive data in your Google Cloud organization, click Set up sensitive data protection. Sensitive data discovery is charged separately from Security Command Center regardless of your service tier. If you don't purchase a subscription for discovery, you are charged based on your consumption (bytes scanned). For more information, see Discovery pricing in the Sensitive Data Protection documentation. For instructions, see Enable sensitive data discovery.

  10. To enhance your code security, click Set up code security. For instructions, see Integrate with Assured OSS for code security.

What's next