Security sources for vulnerabilities and threats

A list of the Google Cloud security sources that are available in Security Command Center. When you enable a security source, it provides vulnerability and threat data in the Security Command Center dashboard.

Security Command Center enables you to filter and view vulnerability and threat findings in many different ways, like filtering on a specific finding type, resource type, or for a specific asset. Each security source might provide more filters to help you organize your organization's findings.

For more information see using the Security Command Center dashboard.

Vulnerabilities

Vulnerability detectors can help you find potential weaknesses.

Security Health Analytics vulnerability types

Security Health Analytics managed vulnerability assessment scanning for Google Cloud can automatically detect common vulnerabilities and misconfigurations across:

• Cloud Monitoring and Cloud Logging
• Compute Engine
• Google Kubernetes Engine containers and networks
• Cloud Storage
• Cloud SQL
• Identity and Access Management (IAM)
• Cloud Key Management Service (Cloud KMS)
• Cloud DNS

Security Health Analytics is automatically enabled when you select the Security Command Center Standard or Premium tier. When Security Health Analytics is enabled, scans automatically run twice a day, 12-hours apart.

Security Health Analytics scans for many vulnerability types. You can group findings by detector type. Use Security Health Analytics detector names to filter findings by the resource type the finding is for.

To view a complete list of Security Health Analytics detectors and findings, see the Security Health Analytics findings page, or expand the following section.

Security Health Analytics detectors

The following tables describe the detector types and specific vulnerability finding types that Security Health Analytics can generate. You can filter findings by detector name and finding type using the Security Command Center Vulnerabilities tab in the Google Cloud Console. Available finding categories include:

• 2-Step verification vulnerability findings
• API key vulnerability findings
• Compute image vulnerability findings
• Compute instance vulnerability findings
• Container vulnerability findings
• Dataset vulnerability findings
• DNS vulnerability findings
• Firewall vulnerability findings
• IAM vulnerability findings
• KMS vulnerability findings
• Logging vulnerability findings
• Monitoring vulnerability findings
• Network vulnerability findings
• ORG policy vulnerability findings
• SQL vulnerability findings
• Storage vulnerability findings
• Subnetwork vulnerability findings

These tables include a description of the mapping between supported detectors and the best effort mapping to relevant compliance regimes.

The CIS Google Cloud Foundation 1.0 mappings have been reviewed and certified by the Center for Internet Security for alignment for the CIS Google Cloud Computing Foundations Benchmark v1.0.0. Additional compliance mappings are included for reference and are not provided or reviewed by the Payment Card Industry Data Security Standard or the OWASP Foundation. You should refer to CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0), Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001) for how to check for these violations manually.

This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification or report of compliance of your products or services with any regulatory or industry benchmarks or standards.

2-Step verification findings

The 2SV_SCANNER detector identifies vulnerabilities related to 2-step verification for users.

Table 1. 2-Step verification scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
2SV_NOT_ENFORCED	There are users who aren't using 2-step verification.	Premium or Standard	1.2	8.3		IA-2	A.9.4.2

API key vulnerability findings

The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.

Table 2. API key scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
API_KEY_APIS_UNRESTRICTED	There are API keys being used too broadly. To resolve this, limit the API key usage to allow only the APIs needed by the application.	Premium	1.12
API_KEY_APPS_UNRESTRICTED	There are API keys being used in an unrestricted way, allowing use by any untrusted app.	Premium	1.11
API_KEY_EXISTS	A project is using API keys instead of standard authentication.	Premium	1.10
API_KEY_NOT_ROTATED	The API key hasn't been rotated for more than 90 days.	Premium	1.13

Compute image vulnerability findings

The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.

Table 3. Compute image scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
PUBLIC_COMPUTE_IMAGE	A Compute Engine image is publicly accessible.	Premium or Standard

Compute instance vulnerability findings

The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.

Note that the COMPUTE_INSTANCE_SCANNER detector does not report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-" and cannot be directly edited by users. To secure these instances, refer to the Container vulnerability findings section.

Table 4. Compute instance scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED	Project-wide SSH keys are used, allowing login to all instances in the project.	Premium	4.2
COMPUTE_SECURE_BOOT_DISABLED	This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.	Premium
COMPUTE_SERIAL_PORTS_ENABLED	Serial ports are enabled for an instance, allowing connections to the instance's serial console.	Premium	4.4
DISK_CSEK_DISABLED	Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. To enable this detector, apply the security mark enforce_customer_supplied_disk_encryption_keys with a value of true to the assets you want to monitor.	Premium	4.6
FULL_API_ACCESS	An instance is configured to use the default service account with full access to all Google Cloud APIs.	Premium	4.1	7.1.2		AC-6	A.9.2.3
HTTP_LOAD_BALANCER	An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.	Premium		2.3
IP_FORWARDING_ENABLED	IP forwarding is enabled on instances.	Premium	4.5
OS_LOGIN_DISABLED	OS Login is disabled on this instance.	Premium	4.3
PUBLIC_IP_ADDRESS	An instance has a public IP address.	Premium or Standard		1.2.1 1.3.5		CA-3 SC-7
SHIELDED_VM_DISABLED	Shielded VM is disabled on this instance.	Premium
WEAK_SSL_POLICY	An instance has a weak SSL policy.	Premium		4.1		SC-7	A.14.1.3
DEFAULT_SERVICE_ACCOUNT_USED	An instance is configured to use the default service account.	Premium

Container vulnerability findings

These finding types all relate to GKE container configurations, and belong to the CONTAINER_SCANNER detector type.

Table 5. Container scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
AUTO_REPAIR_DISABLED	The GKE clusters auto repair feature, which keeps nodes in a healthy, running state, is disabled.	Premium	7.7	2.2
AUTO_UPGRADE_DISABLED	GKE clusters auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.	Premium	7.8	2.2
CLUSTER_LOGGING_DISABLED	Logging isn't enabled for a GKE cluster.	Premium	7.1	10.2.2 10.2.7
CLUSTER_MONITORING_DISABLED	Cloud Monitoring is disabled on GKE clusters.	Premium	7.2	10.1 10.2
CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED	Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.	Premium	7.1	1.3
COS_NOT_USED	Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.	Premium	7.9	2.2
IP_ALIAS_DISABLED	A GKE cluster was created with alias IP ranges disabled.	Premium	7.1	1.3.4 1.3.7
LEGACY_AUTHORIZATION_ENABLED	Legacy Authorization is enabled on GKE clusters.	Premium	7.3	4.1
LEGACY_METADATA_ENABLED	Legacy metadata is enabled on GKE clusters.	Premium
MASTER_AUTHORIZED_NETWORKS_DISABLED	Master authorized networks is not enabled on GKE clusters.	Premium	7.4	1.2.1 1.3.2
NETWORK_POLICY_DISABLED	Network policy is disabled on GKE clusters.	Premium	7.1	1.3		SC-7	A.13.1.1
OVER_PRIVILEGED_ACCOUNT	A service account has overly broad project access in a cluster.	Premium	7.1	2.1 7.1.2		AC-6 SC-7	A.9.2.3
OVER_PRIVILEGED_SCOPES	A node service account has broad access scopes.	Premium	7.1
POD_SECURITY_POLICY_DISABLED	That PodSecurityPolicy is disabled on a GKE cluster.	Premium	7.1
PRIVATE_CLUSTER_DISABLED	A GKE cluster has a Private cluster disabled.	Premium	7.1	1.3.2
WEB_UI_ENABLED	The GKE web UI (dashboard) is enabled.	Premium or Standard	7.6	6.6
WORKLOAD_IDENTITY_DISABLED	Workload Identity is disabled on a GKE cluster.	Premium

Dataset vulnerability findings

Vulnerabilities of this detector type all relate to BigQuery Dataset configurations, and belong to the DATASET_SCANNER detector type.

Table 6. Dataset scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
PUBLIC_DATASET	A dataset is configured to be open to public access.	Premium		7.1		AC-2	A.8.2.3 A.14.1.3

DNS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud DNS configurations, and belong to the DNS_SCANNER detector type.

Table 7. DNS scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
DNSSEC_DISABLED	DNSSEC is disabled for Cloud DNS zones.	Premium	3.3				A.8.2.3
RSASHA1_FOR_SIGNING	RSASHA1 is used for key signing in Cloud DNS zones.	Premium	3.4 3.5

Firewall vulnerability findings

Vulnerabilities of this detector type all relate to firewall configurations, and belong to the FIREWALL_SCANNER detector type.

Table 8. Firewall scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
EGRESS_DENY_RULE_NOT_SET	An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic.	Premium		7.2
FIREWALL_RULE_LOGGING_DISABLED	Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access.	Premium		10.1 10.2		SI-4	A.13.1.1
OPEN_CASSANDRA_PORT	A firewall is configured to have an open CASSANDRA port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_CISCOSECURE_WEBSM_PORT	A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_DIRECTORY_SERVICES_PORT	A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_DNS_PORT	A firewall is configured to have an open DNS port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_ELASTICSEARCH_PORT	A firewall is configured to have an open ELASTICSEARCH port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_FIREWALL	A firewall is configured to be open to public access.	Premium or Standard		1.2.1
OPEN_FTP_PORT	A firewall is configured to have an open FTP port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_HTTP_PORT	A firewall is configured to have an open HTTP port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_LDAP_PORT	A firewall is configured to have an open LDAP port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_MEMCACHED_PORT	A firewall is configured to have an open MEMCACHED port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_MONGODB_PORT	A firewall is configured to have an open MONGODB port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_MYSQL_PORT	A firewall is configured to have an open MYSQL port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_NETBIOS_PORT	A firewall is configured to have an open NETBIOS port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_ORACLEDB_PORT	A firewall is configured to have an open ORACLEDB port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_POP3_PORT	A firewall is configured to have an open POP3 port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_POSTGRESQL_PORT	A firewall is configured to have an open POSTGRESQL port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_RDP_PORT	A firewall is configured to have an open RDP port that allows generic access.	Premium or Standard	3.7	1.2.1		SC-7	A.13.1.1
OPEN_REDIS_PORT	A firewall is configured to have an open REDIS port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_SMTP_PORT	A firewall is configured to have an open SMTP port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1
OPEN_SSH_PORT	A firewall is configured to have an open SSH port that allows generic access.	Premium or Standard	3.6	1.2.1		SC-7	A.13.1.1
OPEN_TELNET_PORT	A firewall is configured to have an open TELNET port that allows generic access.	Premium		1.2.1		SC-7	A.13.1.1

IAM vulnerability findings

Vulnerabilities of this detector type all relate to Identity and Access Management (IAM) configuration, and belong to the IAM_SCANNER detector type.

Table 9. IAM Scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
ADMIN_SERVICE_ACCOUNT	A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts.	Premium	1.4
KMS_ROLE_SEPARATION	Separation of duties is not enforced, and a user exists who has any of the: Cloud Key Management Service (Cloud KMS) CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter roles at the same time.	Premium	1.9			AC-5	A.9.2.3 A.10.1.2
NON_ORG_IAM_MEMBER	There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, this detector is only triggered by identities with @gmail.com email addresses.	Premium or Standard	1.1	7.1.2		AC-3	A.9.2.3
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER	A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account.	Premium	1.5	7.1.2		AC-6	A.9.2.3
PRIMITIVE_ROLES_USED	A user has the basic role Owner, Writer, or Reader. These roles are too permissive and shouldn't be used.	Premium		7.1.2		AC-6	A.9.2.3
REDIS_ROLE_USED_ON_ORG	A Redis IAM role is assigned at the organization or folder level.	Premium		7.1.2			A.9.2.3
SERVICE_ACCOUNT_ROLE_SEPARATION	A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle.	Premium	1.7			AC-5	A.9.2.3
SERVICE_ACCOUNT_KEY_NOT_ROTATED	A service account key hasn't been rotated for more than 90 days.	Premium	1.6
USER_MANAGED_SERVICE_ACCOUNT_KEY	A service account key is managed by a user.	Premium	1.3

KMS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud KMS configurations, and belong to the KMS_SCANNER detector type.

Table 10. KMS scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
KMS_KEY_NOT_ROTATED	Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days.	Premium	1.8	3.5		SC-12	A.10.1.2
KMS_PROJECT_HAS_OWNER	A user has "Owner" permissions on a project that has cryptographic keys.	Premium		3.5		AC-6 SC-12	A.9.2.3 A.10.1.2
TOO_MANY_KMS_USERS	There are more than 3 users of cryptographic keys.	Premium		3.5.2			A.9.2.3

Logging vulnerability findings

Vulnerabilities of this detector type all relate to logging configurations, and belong to the LOGGING_SCANNER detector type.

Table 11. Logging scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
AUDIT_LOGGING_DISABLED	Audit logging has been disabled for this resource.	Premium	2.1	10.1 10.2		AC-2 AU-2	A.12.4.1 A.16.1.7
BUCKET_LOGGING_DISABLED	There is a storage bucket without logging enabled.	Premium	5.3
LOG_NOT_EXPORTED	There is a resource that doesn't have an appropriate log sink configured.	Premium	2.2				A.18.1.3
LOCKED_RETENTION_POLICY_NOT_SET	A locked retention policy is not set for a logs.	Premium		10.5		AU-11	A.12.4.2 A.18.1.3
OBJECT_VERSIONING_DISABLED	Object versioning isn't enabled on a storage bucket where sinks are configured.	Premium	2.3	10.5		AU-11	A.12.4.2 A.18.1.3

Monitoring vulnerability findings

Vulnerabilities of this detector type all relate to monitoring configurations, and belong to the MONITORING_SCANNER type. All Monitoring detector finding properties will include:

• The RecommendedLogFilter to use in creating the log metrics.
• The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
• TheAlertPolicyFailureReasonsthat indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies do not have the recommended settings.

Table 12. Monitoring scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
AUDIT_CONFIG_NOT_MONITORED	Log metrics and alerts aren't configured to monitor Audit Configuration Changes.	Premium	2.5
BUCKET_IAM_NOT_MONITORED	Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes.	Premium	2.10
CUSTOM_ROLE_NOT_MONITORED	Log metrics and alerts aren't configured to monitor Custom Role changes.	Premium	2.6
FIREWALL_NOT_MONITORED	Log metrics and alerts aren't configured to monitor VPC Network Firewall rule changes.	Premium	2.7
NETWORK_NOT_MONITORED	Log metrics and alerts aren't configured to monitor VPC network changes.	Premium	2.9
OWNER_NOT_MONITORED	Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes.	Premium	2.4
ROUTE_NOT_MONITORED	Log metrics and alerts aren't configured to monitor VPC network route changes.	Premium	2.8
SQL_INSTANCE_NOT_MONITORED	Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes.	Premium	2.11

Network vulnerability findings

Vulnerabilities of this detector type all relate to an organization's network configurations, and belong to theNETWORK_SCANNERtype.

Table 13. Network scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
DEFAULT_NETWORK	The default network exists in a project.	Premium	3.1
LEGACY_NETWORK	A legacy network exists in a project.	Premium	3.2

ORG policy vulnerability findings

Vulnerabilities of this detector type all relate to configurations of organization policies, and belong to the ORG_POLICY type.

Table 14. Org policy scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
ORG_POLICY_CONFIDENTIAL_VM_POLICY	A Compute Engine resource is out of compliance with the constraints/compute.restrictNonConfidentialComputing organization policy. For more information about this org policy constraint, see Enforcing organization policy constraints in Confidential VM documentation.	Premium

SQL vulnerability findings

Vulnerabilities of this detector type all relate to Cloud SQL configurations, and belong to the SQL_SCANNER type.

Table 15. SQL scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
AUTO_BACKUP_DISABLED	A Cloud SQL database doesn't have automatic backups enabled.	Premium				CP-9	A.12.3.1
PUBLIC_SQL_INSTANCE	A Cloud SQL database instance accepts connections from all IP addresses.	Premium or Standard	6.2	1.2.1		CA-3 SC-7	A.8.2.3 A.13.1.3 A.14.1.3
SSL_NOT_ENFORCED	A Cloud SQL database instance doesn't require all incoming connections to use SSL.	Premium or Standard	6.1	4.1		SC-7	A.8.2.3 A.13.2.1 A.14.1.3
SQL_NO_ROOT_PASSWORD	A Cloud SQL database doesn't have a password configured for the root account.	Premium	6.3	2.1		AC-3	A.8.2.3 A.9.4.2
SQL_PUBLIC_IP	A Cloud SQL database has a public IP address.	Premium
SQL_WEAK_ROOT_PASSWORD	A Cloud SQL database has a weak password configured for the root account.	Premium

Storage vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Storage Buckets configurations, and belong to theSTORAGE_SCANNERtype.

Table 16. Storage scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
BUCKET_POLICY_ONLY_DISABLED	Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.	Premium
PUBLIC_BUCKET_ACL	A Cloud Storage bucket is publicly accessible.	Premium or Standard	5.1	7.1		AC-2	A.8.2.3 A.14.1.3
PUBLIC_LOG_BUCKET	Storage buckets used as log sinks should not be publicly accessible.	Premium or Standard		10.5		AU-9	A.8.2.3 A.12.4.2 A.18.1.3

Subnetwork vulnerability findings

Vulnerabilities of this detector type all relate to an organization's subnetwork configurations, and belong to theSUBNETWORK_SCANNERtype.

Table 17. Subnetwork scanner

Category	Finding description	Pricing tier	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
FLOW_LOGS_DISABLED	There is a VPC subnetwork that has flow logs disabled.	Premium	3.9	10.1 10.2		SI-4	A.13.1.1
PRIVATE_GOOGLE_ACCESS_DISABLED	There are private subnets without access to Google public APIs.	Premium	3.8

Web Security Scanner

Web Security Scanner provides managed and custom web vulnerability scanning for public App Engine, GKE, and Compute Engine serviced web applications.

Managed scans

Web Security Scanner managed scans are configured and managed by Security Command Center. Managed scans automatically run once each week to detect and scan public web endpoints. These scans don't use authentication and they send GET-only requests so they don't submit any forms on live websites.

Managed scans run separately from custom scans that you define at the project level. You can use managed scans to centrally manage basic web application vulnerability detection for projects in your organization, without having to involve individual project teams. When findings are discovered, you can work with those teams to set up more comprehensive custom scans.

When you enable Web Security Scanner as a service, managed scan findings are automatically available in the Security Command Center vulnerabilities tab and related reports. For information about how to enable Web Security Scanner managed scans, see configuring Security Command Center.

Custom scans

Web Security Scanner custom scans provide granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content. Custom scan findings are available in Security Command Center after you complete the guide to set up Web Security Scanner custom scans.

These tables include a description of the mapping between supported detectors and the best effort mapping to relevant compliance regimes.

The CIS Google Cloud Foundation 1.0 mappings have been reviewed and certified by the Center for Internet Security for alignment for the CIS Google Cloud Computing Foundations Benchmark v1.0.0. Additional compliance mappings are included for reference and are not provided or reviewed by the Payment Card Industry Data Security Standard or the OWASP Foundation. You should refer to CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0), Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001) for how to check for these violations manually.

This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification or report of compliance of your products or services with any regulatory or industry benchmarks or standards.

Following are finding types that are identified by Web Security Scanner custom and managed scans. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.

Table 18.Web Security Scanner findings

Category	Finding description	CIS GCP Foundation 1.0	PCI-DSS v3.2.1	OWASP Top 10	NIST 800-53	ISO-27001
ACCESSIBLE_GIT_REPOSITORY	A GIT repository is exposed publicly. To resolve this, remove unintentional public access to the GIT repository.			A3
ACCESSIBLE_SVN_REPOSITORY	An SVN repository is exposed publicly. To resolve this, remove public unintentional access to the SVN repository.			A3
CLEAR_TEXT_PASSWORD	Passwords are being transmitted in clear text and can be intercepted. To resolve this, encrypt the password transmitted over the network.			A3
INVALID_CONTENT_TYPE	A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this, set `X-Content-Type-Options` HTTP header with the correct value.			A6
INVALID_HEADER	A security header has a syntax error and will be ignored by browsers. To resolve this, set HTTP security headers correctly.			A6
MISMATCHING_SECURITY_HEADER_VALUES	A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this, set HTTP security headers correctly.			A6
MISSPELLED_SECURITY_HEADER_NAME	A security header is misspelled and will be ignored. To resolve this, set HTTP security headers correctly.			A6
MIXED_CONTENT	Resources are being served over HTTP on an HTTPS page. To resolve this, make sure that all resources are served over HTTPS.			A6
OUTDATED_LIBRARY	A library was detected that has known vulnerabilities. To resolve this, upgrade libraries to a newer version.			A9
XSS	A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this, validate and escape untrusted user-supplied data.			A7
XSS_ANGULAR_CALLBACK	A user-provided string isn't escaped and can be interpolated by AngularJS. To resolve this, validate and escape untrusted user-supplied data handled by Angular framework.			A7
XSS_ERROR	A field in this web application is vulnerable to a cross-site scripting attack. To resolve this, validate and escape untrusted user-supplied data.			A7

Threats

Threat detectors can help you find potentially harmful events.

Anomaly Detection

Anomaly Detection is a built-in service that uses behavior signals from outside your system. It displays granular information about security anomalies detected for your projects and Virtual Machine (VM) instances, like potential leaked credentials and coin mining. Anomaly Detection is automatically enabled when you subscribe to Security Command Center Standard or Premium tier, and findings are available in the Security Command Center dashboard.

Example Anomaly Detection findings include the following:

Table B. Anomaly Detection finding categories

Potential for Compromise	Description
account_has_leaked_credentials	Credentials for a Google Cloud service account are accidentally leaked online or are compromised.
resource_compromised_alert	Potential compromise of a resource in your organization.
Abuse Scenarios	Description
resource_involved_in_coin_mining	Behavioral signals around a VM in your organization indicate that a resource might have been compromised and could be getting used for cryptomining.
outgoing_intrusion_attempt	Intrusion attempts and Port scans: One of the resources or Google Cloud services in your organization is being used for intrusion activities, like an attempt to break in or compromise a target system. These include SSH brute force attacks, Port scans, and FTP brute force attacks.
resource_used_for_phishing	One of the resources or Google Cloud services in your organization is being used for phishing.

Container Threat Detection

Container Threat Detection can detect the most common container runtime attacks and alert you in Security Command Center and optionally in Cloud Logging. Container Threat Detection includes several detection capabilities, an analysis tool, and an API.

Container Threat Detection detection instrumentation collects low-level behavior in the guest kernel to detect the following events:

• Added Binary Executed
• Added Library Loaded
• Reverse Shell

Learn more about Container Threat Detection.

Cloud Data Loss Prevention

Cloud DLP Data Discovery enables you to surface the results of Cloud Data Loss Prevention (Cloud DLP) scans directly in the Security Command Center dashboard and Findings inventory. Cloud DLP can help you to better understand and manage sensitive data and Personally Identifiable Information (PII) like the following:

• Credit card numbers
• Names
• Social security numbers
• US and selected international identifying numbers
• Phone numbers
• Google Cloud credentials

Each Cloud DLP Data Discovery finding only includes the category type of the identified PII data and the resource it was found in. It doesn't include any of the specific underlying data.

After you complete the setup steps described in the guide to send DLP API results to Security Command Center, Cloud DLP scan results display in Security Command Center.

For more information:

• Learn more about the publishSummaryToCscc action in Cloud DLP.
• Learn more about scanning storage repositories for sensitive data using Cloud DLP.

Event Threat Detection

Event Threat Detection uses log data from inside your systems. It watches your organization's Cloud Logging stream for one or more projects, and consumes logs as they become available. When a threat is detected, Event Threat Detection writes a Finding to Security Command Center and to a Cloud Logging project. Event Threat Detection is automatically enabled when you subscribe to the Security Command Center Premium tier and findings are available in the Security Command Center dashboard.

Example Event Threat Detection findings include the following:

Table C. Event Threat Detection finding types

Data exfiltration	Event Threat Detection detects data exfiltration from BigQuery by examining audit logs for two scenarios: A resource is saved outside of your organization, or a copy operation is attempted that is blocked by VPC Service Controls. An attempt is made to access BigQuery resources that are protected by VPC Service Controls.
Brute force SSH	Event Threat Detection detects brute force of password authentication SSH by examining syslog logs for repeated failures followed by a success.
Cryptomining	Event Threat Detection detects coin mining malware by examining VPC flow logs and Cloud DNS logs for connections to known bad domains for mining pools.
IAM abuse	Anomalous IAM grants: Event Threat Detection detects the addition of IAM grants that might be considered anomalous, like: Adding a gmail.com user to a policy with the project editor role. Inviting a gmail.com user as a project owner from the Google Cloud Console. Service account granting sensitive permissions. Custom role granted sensitive permissions. Service account added from outside your organization.
Malware	Event Threat Detection detects malware by examining VPC flow logs and Cloud DNS logs for connections to known command and control domains and IPs.
Phishing	Event Threat Detection detects phishing by examining VPC flow logs and Cloud DNS logs for connections to known phishing domains and IPs.
Outgoing DoS	Event Threat Detection examines VPC flow logs to detect outgoing denial of service traffic.

Learn more about Event Threat Detection.

Forseti Security

Forseti Security gives you tools to understand all the resources you have in Google Cloud. The core Forseti modules work together to provide complete information so you can secure resources and minimize security risks.

To display Forseti violation notifications in Security Command Center, follow the Forseti Security Command Center notification guide.

For more information:

• Learn about Forseti.
• Get help with Forseti.

Phishing Protection

Phishing Protection helps prevent users from accessing phishing sites by classifying malicious content that uses your brand and reporting the unsafe URLs to Google Safe Browsing. After a site is propagated to Safe Browsing, users will see warnings across more than three billion devices.

To get started with Phishing Protection, follow the guide to Enable Phishing Protection. After you enable Phishing Protection, results are displayed in Security Command Center in the Phishing Protection card under Findings.

What's next

• Learn about Security Command Center and example use cases in the Security Command Center overview.
• Learn how to add new security sources by configuring Security Command Center.