Security sources

This page contains a list of the Google Cloud security sources that are available in Security Command Center. When you enable a security source, it provides vulnerabilities and threat data in the Security Command Center dashboard.

Security Command Center lets you filter and view vulnerabilities and threat findings in many different ways, like filtering on a specific finding type, resource type, or for a specific asset. Each security source might provide more filters to help you organize your organization's findings.

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Vulnerabilities

Vulnerability detectors can help you find potential weaknesses in your Google Cloud resources.

Security Health Analytics vulnerability types

Security Health Analytics managed vulnerability assessment scanning for Google Cloud can automatically detect common vulnerabilities and misconfigurations across:

  • Cloud Monitoring and Cloud Logging
  • Compute Engine
  • Google Kubernetes Engine containers and networks
  • Cloud Storage
  • Cloud SQL
  • Identity and Access Management (IAM)
  • Cloud Key Management Service (Cloud KMS)
  • Cloud DNS

Security Health Analytics is automatically enabled when you select the Security Command Center Standard or Premium tier. Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), using the following three scan modes to detect vulnerabilities:

  • Batch scan: All detectors are scheduled to run for all enrolled organizations two or more times a day. Detectors run on different schedules to meet specific service level objectives (SLO). To meet 12- and 24-hour SLOs, detectors run batch scans every six hours or 12 hours, respectively. Resource and policy changes that occur in between batch scans are not immediately captured and are applied in the next batch scan. Note: Batch scan schedules are performance objectives, not service guarantees.

  • Real-time scan: Supported detectors start scans whenever CAI reports a change in an asset's configuration. Findings are immediately written to Security Command Center.

  • Mixed-mode: Some detectors that support real-time scans may not detect changes in real time in all supported assets. In those cases, configuration changes for some assets are captured immediately and others are captured in batch scans.

To view a complete list of Security Health Analytics detectors and findings, see the Security Health Analytics findings page.

Web Security Scanner

Web Security Scanner provides managed and custom web vulnerability scanning for public web applications served from App Engine, GKE, and Compute Engine.

Managed scans

Web Security Scanner managed scans are configured and managed by Security Command Center. Managed scans automatically run once each week to detect and scan public web endpoints. These scans don't use authentication and they send GET-only requests so they don't submit any forms on live websites.

Managed scans run separately from custom scans that you define at the project level. You can use managed scans to centrally manage basic web application vulnerability detection for projects in your organization, without having to involve individual project teams. When findings are discovered, you can work with those teams to set up more comprehensive custom scans.

When you enable Web Security Scanner as a service, managed scan findings are automatically available in the Security Command Center vulnerabilities tab and related reports. For information about how to enable Web Security Scanner managed scans, see configuring Security Command Center.

Custom scans

Web Security Scanner custom scans provide granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content. Custom scan findings are available in Security Command Center after you complete the guide to set up Web Security Scanner custom scans.

Detectors and compliance

Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security Project (OWASP). For guidance on mitigating OWASP risks, see OWASP Top 10 mitigation options on Google Cloud.

The compliance mapping is included for reference and is not provided or reviewed by the OWASP Foundation.

This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.

Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.

Table 21. Web Security Scanner findings

Each entry below gives the finding category, its category name in the API, a description, the pricing tier, and the matching OWASP 2017 and OWASP 2021 Top 10 categories.
Accessible Git repository

Category name in the API: ACCESSIBLE_GIT_REPOSITORY

A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the Git repository.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01
Accessible SVN repository

Category name in the API: ACCESSIBLE_SVN_REPOSITORY

An SVN repository is exposed publicly. To resolve this finding, remove unintentional public access to the SVN repository.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01
Cacheable password input

Category name in the API: CACHEABLE_PASSWORD_INPUT

Passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A3; OWASP 2021 Top 10: A04
Clear text password

Category name in the API: CLEAR_TEXT_PASSWORD

Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A3; OWASP 2021 Top 10: A02
Insecure allow origin ends with validation

Category name in the API: INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION

A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected root domain is part of the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain, for example .endsWith(".google.com").

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01
Insecure allow origin starts with validation

Category name in the API: INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION

A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected domain fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header, for example .equals(".google.com").

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01
Invalid content type

Category name in the API: INVALID_CONTENT_TYPE

A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set the X-Content-Type-Options HTTP header with the correct value.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05
Invalid header

Category name in the API: INVALID_HEADER

A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05
Mismatching security header values

Category name in the API: MISMATCHING_SECURITY_HEADER_VALUES

A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05
Misspelled security header name

Category name in the API: MISSPELLED_SECURITY_HEADER_NAME

A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05
Mixed content

Category name in the API: MIXED_CONTENT

Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05
Outdated library

Category name in the API: OUTDATED_LIBRARY

A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A9; OWASP 2021 Top 10: A06
Server side request forgery

Category name in the API: SERVER_SIDE_REQUEST_FORGERY

A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: not applicable; OWASP 2021 Top 10: A10
Session ID leak

Category name in the API: SESSION_ID_LEAK

When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A2; OWASP 2021 Top 10: A07
SQL injection

Category name in the API: SQL_INJECTION

A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A1; OWASP 2021 Top 10: A03
Struts insecure deserialization

Category name in the API: STRUTS_INSECURE_DESERIALIZATION

The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A8; OWASP 2021 Top 10: A08
XSS

Category name in the API: XSS

A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A7; OWASP 2021 Top 10: A03
XSS angular callback

Category name in the API: XSS_ANGULAR_CALLBACK

A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by the Angular framework.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A7; OWASP 2021 Top 10: A03
XSS error

Category name in the API: XSS_ERROR

A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data.

Pricing tier: Standard

Fix this finding

OWASP 2017 Top 10: A7; OWASP 2021 Top 10: A03
XXE reflected file leakage

Category name in the API: XXE_REFLECTED_FILE_LEAKAGE

An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A4; OWASP 2021 Top 10: A05
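The two INSECURE_ALLOW_ORIGIN_*_VALIDATION findings in the table above both stem from checking only one end of the Origin header before reflecting it. The following Python is an added example, not code from this page or from Web Security Scanner: it shows the two weak checks beside an exact-match allowlist. ALLOWED_ORIGINS, ROOT_DOMAIN and the function names are assumptions made for the example. The hardened version applies the table's dot-prefixed suffix rule to the parsed hostname rather than to the raw header string, so userinfo or path tricks in the Origin value are rejected before any comparison happens.

```python
"""Origin validation for a cross-site endpoint: the weak suffix and prefix checks
beside an exact-match allowlist. Added example; not from the page or Google Cloud."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for the example; in practice this comes from configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ROOT_DOMAIN = "example.com"  # used only when subdomains are deliberately allowed


def weak_ends_with(origin: str) -> bool:
    """Suffix-only check (INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION):
    also accepts 'https://evilexample.com'."""
    return origin.endswith("example.com")


def weak_starts_with(origin: str) -> bool:
    """Prefix-only check (INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION):
    also accepts 'https://app.example.com.evil.net'."""
    return origin.startswith("https://app.example.com")


def safe_allow_origin(origin: str, allow_subdomains: bool = False) -> Optional[str]:
    """Return the value to reflect in Access-Control-Allow-Origin, or None to omit it.

    An Origin header is scheme://host[:port] only, so anything carrying userinfo,
    a path, a query or a fragment is rejected outright instead of parsed leniently.
    """
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    try:
        host, port = parts.hostname, parts.port  # hostname is lower-cased; port raises on junk
    except ValueError:
        return None
    if not host:
        return None
    normalized = f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"
    if normalized in ALLOWED_ORIGINS:
        return normalized
    # Subdomain rule: compare the parsed host, and require the dot boundary.
    if allow_subdomains and (host == ROOT_DOMAIN or host.endswith("." + ROOT_DOMAIN)):
        return normalized
    return None


if __name__ == "__main__":
    for candidate in ("https://app.example.com", "https://evilexample.com",
                      "https://app.example.com.evil.net", "https://app.example.com@evil.net"):
        print(candidate, "->", safe_allow_origin(candidate))
```

When the function returns None the endpoint should omit Access-Control-Allow-Origin entirely rather than fall back to a wildcard; a `Vary: Origin` response header is also needed so caches do not serve one origin's allowed response to another.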
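Four of the findings above (INVALID_HEADER, MISMATCHING_SECURITY_HEADER_VALUES, MISSPELLED_SECURITY_HEADER_NAME and INVALID_CONTENT_TYPE) are all variations of a security header that the browser will silently ignore. The Python below is an added example, not code from this page or from Web Security Scanner: a small linter that runs those three checks over a constructed list of response headers. The set of known header names, the regex value rules and the 0.85 similarity cutoff for spotting a misspelling are assumptions chosen for the example.

```python
"""Lint response headers for the misspelled-name, mismatched-value and invalid-syntax
conditions behind the Web Security Scanner header findings. Added example only."""
import re
from collections import defaultdict
from difflib import get_close_matches
from typing import Dict, List, Tuple

# Header names the linter knows about (assumed subset; extend as needed).
KNOWN_SECURITY_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "cross-origin-opener-policy",
}

# Grammar checks for headers whose accepted values are simple enough for a regex.
VALUE_RULES: Dict[str, re.Pattern] = {
    "x-content-type-options": re.compile(r"^nosniff$", re.IGNORECASE),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.IGNORECASE),
    "strict-transport-security": re.compile(
        r"^max-age=\d+(;\s*includesubdomains)?(;\s*preload)?$", re.IGNORECASE
    ),
}

Finding = Tuple[str, str, str]  # (finding category, header name, detail)


def lint_security_headers(headers: List[Tuple[str, str]]) -> List[Finding]:
    """Return findings for a list of (name, value) response headers."""
    findings: List[Finding] = []
    values_by_name: Dict[str, List[str]] = defaultdict(list)

    for name, value in headers:
        lname = name.strip().lower()
        if lname not in KNOWN_SECURITY_HEADERS:
            # A near miss of a known name is a typo the browser will silently ignore.
            near = get_close_matches(lname, KNOWN_SECURITY_HEADERS, n=1, cutoff=0.85)
            if near:
                findings.append(("MISSPELLED_SECURITY_HEADER_NAME", name, f"did you mean {near[0]}?"))
            continue
        values_by_name[lname].append(value.strip())

    for lname, values in values_by_name.items():
        # The same header sent twice with different values: browsers disagree on which wins.
        if len({v.lower() for v in values}) > 1:
            findings.append(("MISMATCHING_SECURITY_HEADER_VALUES", lname, "; ".join(values)))
        rule = VALUE_RULES.get(lname)
        if rule is not None:
            for v in values:
                if not rule.match(v):
                    findings.append(("INVALID_HEADER", lname, v))
    return findings


# Constructed response headers for the demonstration (not captured from a real site).
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Option", "DENY"),                                   # missing trailing "s"
    ("X-Content-Type-Options", "no-sniff"),                       # not the token "nosniff"
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Strict-Transport-Security", "max-age=0"),                   # duplicate, different value
    ("Referrer-Policy", "no-referrer"),
]

if __name__ == "__main__":
    for category, header, detail in lint_security_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{category}: {header} ({detail})")
```

The linter only flags what the regexes and the known-name set cover; a Content-Security-Policy value, for example, is accepted as long as its name is spelled correctly, so treat a clean result as "no obvious syntax errors" rather than "headers are correct".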

VM Manager

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.

If you enable VM Manager and are subscribed to Security Command Center Premium, VM Manager automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in operating systems (OS) installed on VMs, including Common Vulnerabilities and Exposures (CVEs).

Vulnerability reports are not available for Security Command Center Standard.

Findings simplify the process of using VM Manager's Patch Compliance feature, which is in preview. The feature lets you conduct patch management at the organization level across all of your projects. Currently, VM Manager supports patch management at the single project level.

To remediate VM Manager findings, see Remediating VM Manager findings.

To stop vulnerability reports from being written to Security Command Center, see Disabling VM Manager vulnerability reports.

Vulnerabilities of this type all relate to installed operating system packages in supported Compute Engine VMs.

Table 20. VM Manager vulnerability reports

OS vulnerability

Category name in the API: OS_VULNERABILITY

Finding description: VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM.

Pricing tier: Premium

Supported assets: compute.googleapis.com/Instance

Fix this finding

Summary: VM Manager's vulnerability reports detail vulnerabilities in installed operating system packages for Compute Engine VMs, including Common Vulnerabilities and Exposures (CVEs).

Asset scan settings:

  • Assets excluded from scans: SUSE Linux Enterprise Server (SLES), Windows operating systems

Findings appear in Security Command Center shortly after vulnerabilities are detected. Vulnerability reports in VM Manager are generated as follows:

  • For most vulnerabilities in the installed OS package, the OS Config API generates a vulnerability report within a few minutes of the change.
  • For CVEs, the OS Config API generates the vulnerability report within three to four hours after the CVE is published to the OS.

Threats

Threat detectors can help you find potentially harmful events.

Anomaly Detection

Anomaly Detection is a built-in service that uses behavior signals from outside your system. It displays granular information about security anomalies detected for your projects and Virtual Machine (VM) instances, like potential leaked credentials and coin mining. Anomaly Detection is automatically enabled when you subscribe to Security Command Center Standard or Premium tier, and findings are available in the Security Command Center dashboard.

Example Anomaly Detection findings include the following:

Table B. Anomaly Detection finding categories

Potential for Compromise:

  • account_has_leaked_credentials: Credentials for a Google Cloud service account are accidentally leaked online or are compromised.

Abuse Scenarios:

  • resource_involved_in_coin_mining: Behavioral signals around a VM in your organization indicate that a resource might have been compromised and could be getting used for cryptomining.

Container Threat Detection

Container Threat Detection can detect the most common container runtime attacks and alert you in Security Command Center and optionally in Cloud Logging. Container Threat Detection includes several detection capabilities, an analysis tool, and an API.

Container Threat Detection detection instrumentation collects low-level behavior in the guest kernel and performs natural language processing on scripts to detect the following events:

  • Added Binary Executed
  • Added Library Loaded
  • Malicious Script Executed
  • Reverse Shell

Learn more about Container Threat Detection.

Cloud Data Loss Prevention

Cloud DLP Data Discovery enables you to surface the results of Cloud Data Loss Prevention (Cloud DLP) scans directly in the Security Command Center dashboard and findings inventory. Cloud DLP can help you to better understand and manage sensitive data and Personally Identifiable Information (PII) like the following:

  • Credit card numbers
  • Names
  • Social security numbers
  • US and selected international identifying numbers
  • Phone numbers
  • Google Cloud credentials

Each Cloud DLP Data Discovery finding only includes the category type of the identified PII data and the resource it was found in. It doesn't include any of the specific underlying data.

After you complete the setup steps described in the guide to send DLP API results to Security Command Center, Cloud DLP scan results display in Security Command Center.

Event Threat Detection

Event Threat Detection uses log data from inside your systems. It watches your organization's Cloud Logging stream for one or more projects, and consumes logs as they become available. When a threat is detected, Event Threat Detection writes a finding to Security Command Center and to a Cloud Logging project. Event Threat Detection is automatically enabled when you subscribe to the Security Command Center Premium tier and findings are available in the Security Command Center dashboard.

Example Event Threat Detection findings include the following:

Table C. Event Threat Detection finding types

Data exfiltration: Event Threat Detection detects data exfiltration from BigQuery and Cloud SQL by examining audit logs for the following scenarios:

  • A BigQuery resource is saved outside of your organization, or a copy operation is attempted that is blocked by VPC Service Controls.
  • An attempt is made to access BigQuery resources that are protected by VPC Service Controls.
  • A Cloud SQL resource is fully or partially exported to a Cloud Storage bucket outside of your organization or to a bucket that is owned by your organization and is publicly accessible.
  • A Cloud SQL backup is restored to a Cloud SQL instance outside your organization.
  • A Cloud SQL user is granted all privileges to a Cloud SQL Postgres database, or to all tables, procedures, or functions in a schema. (Preview)
  • A BigQuery resource that your organization owns is exported to a Cloud Storage bucket outside your organization, or to a bucket in your organization that is publicly accessible.
  • A BigQuery resource that your organization owns is exported to a Google Drive folder.

Brute force SSH: Event Threat Detection detects brute-force attacks on SSH password authentication by examining syslog logs for repeated failures followed by a success.

Cryptomining: Event Threat Detection detects coin mining malware by examining VPC flow logs and Cloud DNS logs for connections to known bad domains or IP addresses of mining pools.

IAM abuse (anomalous IAM grants): Event Threat Detection detects the addition of IAM grants that might be considered anomalous, like:

  • Adding a gmail.com user to a policy with the project editor role.
  • Inviting a gmail.com user as a project owner from the Google Cloud console.
  • Service account granting sensitive permissions.
  • Custom role granted sensitive permissions.
  • Service account added from outside your organization.

Log4j: Event Threat Detection detects possible attempts at Log4j exploitation and active Log4j vulnerabilities.

Malware: Event Threat Detection detects malware by examining VPC flow logs and Cloud DNS logs for connections to known command and control domains and IPs.

Outgoing DoS: Event Threat Detection examines VPC flow logs to detect outgoing denial of service traffic.

Anomalous access: Event Threat Detection detects anomalous access by examining Cloud Audit Logs for Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses.

Anomalous IAM behavior: Event Threat Detection detects anomalous IAM behavior by examining Cloud Audit Logs for accesses from anomalous IP addresses and anomalous user agents.

Service account self-investigation: Event Threat Detection detects when a service account credential is used to investigate the roles and permissions associated with that same service account.

Compute Engine Admin Added SSH Key: Event Threat Detection detects a modification to the Compute Engine instance metadata SSH key value on an established instance (older than 1 week).

Compute Engine Admin Added Startup Script: Event Threat Detection detects a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week).

Suspicious account activity: Event Threat Detection detects potential compromise of Google Workspace accounts by examining audit logs for anomalous account activities, including leaked passwords and attempted suspicious logins.

Government-backed attack: Event Threat Detection examines Google Workspace audit logs to detect when government-backed attackers might have tried to compromise a user's account or computer.

Single sign-on (SSO) changes: Event Threat Detection examines Google Workspace audit logs to detect when SSO is disabled or settings are changed for Google Workspace admin accounts.

2-step verification: Event Threat Detection examines Google Workspace audit logs to detect when 2-step verification is disabled on user and admin accounts.

Anomalous API behavior (Preview): Event Threat Detection detects anomalous API behavior by examining Cloud Audit Logs for requests to Google Cloud services that a principal has not seen before.

Defense Evasion: Event Threat Detection detects changes to existing VPC Service Controls perimeters that would lead to a reduction in the protection offered.

Discovery: Event Threat Detection detects discovery operations by examining audit logs for the following scenarios:

  • A malicious actor attempted to determine what sensitive objects in GKE they can query for, by using the kubectl command. (Preview)
  • A service account credential is being used to investigate the roles and permissions associated with that same service account.

Privilege escalation (Preview): Event Threat Detection detects privilege escalation in GKE by examining audit logs for the following scenarios:

  • A malicious actor attempted to modify sensitive RBAC objects to escalate privilege.
  • A malicious actor created a Kubernetes master certificate, which gives them cluster-admin access.
  • A malicious actor attempted to create new sensitive RoleBindings or ClusterRoleBindings to escalate their privilege.
  • A malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials.
  • A malicious actor created pods containing privileged containers or containers with privilege escalation capabilities.
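The Brute force SSH row in the table above describes the detection in one sentence: repeated password failures in syslog followed by a success from the same source. The Python below is an added example, not Event Threat Detection's own logic or code from this page: it runs that rule over a few constructed sshd syslog lines from a single host. The regexes, the 5-failure threshold, the 10-minute window and the assumed year for the year-less syslog timestamps are all choices made for the example; addresses are from the documentation ranges.

```python
"""Brute force SSH detection over sshd syslog lines: flag a source address that logs
N or more password failures within a window and then an accepted password login.
Added example; not from the page or Event Threat Detection."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# sshd syslog formats; the trailing " ssh2" token is not part of the match.
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted password for "
    r"(\S+) from (\S+) port \d+"
)


def parse_syslog_time(stamp: str, year: int = 2024) -> datetime:
    """Classic syslog timestamps carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_ssh_brute_force(lines: Iterable[str], threshold: int = 5,
                           window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one finding per source that succeeded after >= threshold failures in window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)  # source IP -> failure times
    findings: List[Dict] = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            stamp, _user, src = m.groups()
            failures[src].append(parse_syslog_time(stamp))
            continue
        m = ACCEPTED.match(line)
        if m:
            stamp, user, src = m.groups()
            when = parse_syslog_time(stamp)
            recent = [t for t in failures[src] if when - window <= t <= when]
            if len(recent) >= threshold:
                findings.append({
                    "source_ip": src,
                    "user": user,
                    "failures_before_success": len(recent),
                    "succeeded_at": when.isoformat(),
                })
            failures[src].clear()  # a success closes this source's failure run
    return findings


# Constructed sshd lines for the demonstration (not captured from a real host).
SAMPLE_SYSLOG = [
    "Mar 14 10:00:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar 14 10:00:09 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "Mar 14 10:00:18 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51141 ssh2",
    "Mar 14 10:00:27 web1 sshd[2217]: Failed password for deploy from 203.0.113.7 port 51150 ssh2",
    "Mar 14 10:00:36 web1 sshd[2219]: Failed password for deploy from 203.0.113.7 port 51158 ssh2",
    "Mar 14 10:00:45 web1 sshd[2221]: Accepted password for deploy from 203.0.113.7 port 51166 ssh2",
    "Mar 14 10:05:10 web1 sshd[2230]: Failed password for alice from 198.51.100.9 port 40211 ssh2",
    "Mar 14 10:05:20 web1 sshd[2232]: Accepted password for alice from 198.51.100.9 port 40215 ssh2",
]

if __name__ == "__main__":
    for finding in detect_ssh_brute_force(SAMPLE_SYSLOG):
        print(finding)
```

A single mistyped password followed by a login (the 198.51.100.9 lines) stays below the threshold and produces nothing, which is the point of requiring a run of failures rather than any failure. Public-key logins are not counted at all, so an environment that has disabled password authentication should see no findings from this rule.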

Learn more about Event Threat Detection.

Forseti Security

Forseti Security gives you tools to understand all the resources you have in Google Cloud. The core Forseti modules work together to provide complete information so you can secure resources and minimize security risks.

To display Forseti violation notifications in Security Command Center, follow the Forseti Security Command Center notification guide.

Virtual Machine Threat Detection

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides threat detection through hypervisor-level instrumentation. VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

VM Threat Detection is part of Security Command Center Premium's threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.

VM Threat Detection has the following cryptocurrency mining detections:

VM Threat Detection threat findings

  • Execution: Cryptocurrency Mining Hash Match (detection technique: hash matching): Matches memory hashes of running programs against known memory hashes of cryptocurrency mining software.
  • Execution: Cryptocurrency Mining YARA Rule (detection technique: YARA rules): Matches memory patterns, such as proof-of-work constants, known to be used by cryptocurrency mining software.
  • Execution: Cryptocurrency Mining Combined Detection (detection technique: hash matching/YARA rules): Combines multiple categories of findings detected within a 24-hour period. The threats are rolled into a single finding. For more information, see Combined detections.

VM Threat Detection also generates the following observation finding:

VM Threat Detection observation finding

VMTD disabled

Category name in the API: VMTD_DISABLED

Summary: VM Threat Detection is disabled for your organization. Until you enable it, this service can't scan your Compute Engine projects and VM instances for unwanted applications.

This finding is set to INACTIVE after 30 days. After that, this finding isn't generated again.

Severity: High

For more information about VM Threat Detection, see VM Threat Detection overview.

Errors

Error detectors can help you detect errors in your configuration that prevent security sources from generating findings. Error findings are generated by the Security Command Center security source and have the finding class SCC errors.

Inadvertent actions

The following finding categories represent errors possibly caused by unintentional actions.

API disabled

Category name in the API: API_DISABLED

Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center.

Pricing tier: Premium or Standard

Supported assets: cloudresourcemanager.googleapis.com/Project

Batch scans: Every 60 hours

Fix this finding

Severity: Critical
Container Threat Detection service account missing permissions

Category name in the API: KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.

Pricing tier: Premium

Supported assets: cloudresourcemanager.googleapis.com/Project

Batch scans: Every 30 minutes

Fix this finding

Severity: Critical
GKE service account missing permissions

Category name in the API: GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.

Pricing tier: Premium

Supported assets: container.googleapis.com/Cluster

Batch scans: Every week

Fix this finding

Severity: High
Misconfigured Cloud Logging Export

Category name in the API: MISCONFIGURED_CLOUD_LOGGING_EXPORT

Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.

Pricing tier: Premium

Supported assets: cloudresourcemanager.googleapis.com/Organization

Batch scans: Every 30 minutes

Fix this finding

Severity: High
VPC Service Controls Restriction

Category name in the API: VPC_SC_RESTRICTION

Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter.

Pricing tier: Premium or Standard

Supported assets: cloudresourcemanager.googleapis.com/Project

Batch scans: Every 6 hours

Fix this finding

Severity: High
Security Command Center service account missing permissions

Category name in the API: SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced.

Pricing tier: Premium or Standard

Supported assets: cloudresourcemanager.googleapis.com/Organization

Batch scans: Every 30 minutes

Fix this finding

Severity: Critical

For more information, see Security Command Center errors.
