You complete the activation process for the Enterprise tier using the setup guide in the Google Cloud console. After the initial mandatory tasks, you can complete additional tasks to set up the optional features that your organization requires.
For information about pricing and getting a subscription, see Security Command Center pricing.
For instructions on activating Security Command Center at another tier, see Activate the Security Command Center Standard tier or Premium tier for an organization.
Before you begin
Complete the following before you activate Security Command Center for the first time:
- Create an organization
- Create the management project
- Configure permissions and APIs
- Configure notification contacts
Create an organization
Security Command Center requires an organization resource that is associated with a domain. If you haven't created an organization, see Creating and managing organizations.
Create the management project
Security Command Center Enterprise requires a project, which is called the management project, to enable its security operations and Mandiant integration. We recommend that you use this project exclusively for Security Command Center.
If you enabled Google SecOps previously, we recommend that you use the existing management project that is bound to Google SecOps. Otherwise, create a new one.
Learn more about creating and managing projects.
Configure permissions and APIs
This section lists the Identity and Access Management roles that you need to set up Security Command Center and describes how to grant them on the organization and the management project. It also describes how to enable all APIs required by Security Command Center Enterprise tier. Learn more about Security Command Center roles and Google Cloud APIs.
Configure permissions on the organization
Make sure that you have the following role or roles on the organization:
- Organization Administrator (
roles/resourcemanager.organizationAdmin) - Cloud Asset Owner (
roles/cloudasset.owner) - Security Center Admin (
roles/securitycenter.admin) - Security Admin (
roles/iam.securityAdmin)
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Configure permissions and enable APIs on the management project
- In Google Cloud console, verify that you are viewing the organization that you want to activate the Security Command Center Enterprise tier on.
- Select the management that project you created previously.
-
Make sure that you have the following role or roles on the project:
- Service Usage Admin (
roles/serviceusage.serviceUsageAdmin) - Service Account Token Creator (
roles/iam.serviceAccountTokenCreator) - Chronicle API Admin (
roles/chronicle.admin) - Chronicle Service Admin (
roles/chroniclesm.admin) - Chronicle SOAR Admin (
roles/chronicle.soarAdmin) - Service Account Key Admin (
roles/iam.serviceAccountKeyAdmin) - Service Account Admin (
roles/iam.serviceAccountAdmin)
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
- Service Usage Admin (
-
Enable the Cloud Asset, Cloud Pub/Sub, Cloud Resource Manager, Compute Engine, Policy Analyzer, and Recommender APIs.
Configure notification contacts
Configure your Essential Contacts so that your security administrators can receive important notifications. For instructions, see Managing contacts for notifications.
Activate the Security Command Center Enterprise tier
During activation, you can connect to an existing Google Security Operations Standard, Enterprise, or Enterprise Plus environment. After the connection, additional configuration is required. Contact your account team for guidance about configuring your Google Security Operations tenant to work with Security Command Center.
On the Google Cloud console, go to the Security Command Center Risk Overview page.
Verify that you are viewing the organization that you want to activate the Security Command Center Enterprise tier on.
On the Security Command Center page, click Get Security Command Center.
On the Get started with Security Command Center Enterprise page, click Activate Enterprise.
This automatically configures the service accounts, permissions, and services included with Security Command Center Enterprise tier, such as Google Security Operations and Mandiant.
- To view the service accounts that will be created, click View service accounts and permissions.
- To view APIs that will be enabled, click View Security Command Center Enterprise APIs.
- To view the terms and conditions, click Security Command Center Enterprise terms and conditions.
If you don't see the Get started with Security Command Center Enterprise page, contact Google Cloud sales to verify that your subscription entitlement is active.
The next page displays a different view depending on your environment.
On the next page, do one of the following.
If your organization is attached to a Google Security Operations instance, you see a message similar to The organization already has a Google Security Operations instance. Continue with step 6.
If your organization is not attached to a Google Security Operations instance, provide additional setup details. A new Google Security Operations instance will be provisioned.
Specify your company contact information.
- Technical support contact: enter an individual email address or group email address.
- Company name: enter your company name.
Select the Location type where Google Security Operations will be provisioned.
- Region: select a single region.
- Multi-region: select a multi-regional location.
This location is used only for Google SecOps, and not for other Security Command Center features. For a list of supported regions and multi-regions, see SecOps Services Locations Page.
Click Next, and then select a Management project. You created the management project in a previous step.
Click Activate. The Setup guide page and the provisioning status displays. It can take some time before your security operations features are ready and findings become available.
You can use the setup guide in the Google Cloud console to configure additional features.
Configure additional Security Command Center features
The setup guide in the Google Cloud console consists of six steps and additional configuration recommendations. You complete the first two steps when you activate Security Command Center. You can complete the remaining steps and recommendations over time, as required by your organization.
On the Google Cloud console, go to the Security Command Center Risk Overview page.
Navigate to Settings > Tier Detail.
Verify that you are viewing the organization that you activated the Security Command Center Enterprise tier on.
Click View setup guide.
If you're also using Amazon Web Services (AWS) and want to connect Security Command Center to AWS for vulnerability and risk assessment, click Step 3: Set up Amazon Web Services (AWS) integration. For instructions, see Connect to AWS for vulnerability detection and risk assessment.
To add users and groups to perform security operations, click Step 4: Set up users and groups. For instructions, see Control access to SecOps features using IAM.
To configure security orchestration, automation, and response (SOAR), click Step 5: Configure integrations. Depending on the setup of your Google Security Operations instance, your use case might already be installed. If it's not installed, contact your account representative or Google Cloud sales. To integrate with ticketing systems, see Integrate Security Command Center Enterprise with ticketing systems.
To configure data ingestion into the security information and event management (SIEM), click Step 6: Configure log ingestion. Configuring data ingestion is required to enable capabilities like curated detections and cloud infrastructure entitlement management. For instructions, see Connect to AWS for log ingestion.
To monitor for sensitive data in your Google Cloud organization, click Set up sensitive data protection. Sensitive data discovery is charged separately from Security Command Center regardless of your service tier. If you don't purchase a subscription for discovery, you are charged based on your consumption (bytes scanned). For more information, see Discovery pricing in the Sensitive Data Protection documentation. For instructions, see Enable sensitive data discovery.
To enhance your code security, click Set up code security. For instructions, see Integrate with Assured OSS for code security.
What's next
- Learn how to work with Security Command Center findings.
- Learn about Google Cloud security sources.
- Investigate threats with Google Security Operations curated detections.