Finding severities

This page describes the severity property of Security Command Center findings and its possible values.

The severity property provides a general indicator of how important it is to remediate the findings of a particular finding category or, in some cases, subcategory.

Generally, you should remediate HIGH severity findings before LOW severity findings, but depending on the affected resource or other considerations, it's possible that remediating a particular LOW severity finding might be more important than a HIGH severity finding.

Severity compared to attack exposure score

You can use both finding severities and finding attack exposure scores to prioritize the remediation of findings, but it's important to understand the differences between the two.

A severity is a general indicator that is predetermined based on the category of the finding. The same default severity is assigned to all findings within a given category or subcategory.

An attack exposure score is a dynamic indicator that is calculated for a finding after the finding is issued. The score is specific to the finding instance and is based on a number of factors, including which resource instances the finding affects and the difficulty that a hypothetical attacker would face traversing the path from a potential point of access to the affected high-value resource.

All findings can have a severity. Only vulnerability and misconfiguration findings that are supported by attack path simulations can have an attack exposure score.

When prioritizing vulnerability and misconfiguration findings, prioritize by attack exposure scores before prioritizing by severity.

Severity classifications

Security Command Center uses the following severity classifications, which appear in the Severity column when you view findings in the Google Cloud console:

  • Critical
  • High
  • Medium
  • Low
  • Unspecified

Critical severity

A critical vulnerability is easily discoverable and can be exploited to directly execute arbitrary code, exfiltrate data, or otherwise gain additional access and privileges in cloud resources and workflows. Examples include publicly accessible user data and public SSH access with weak or no passwords.

A critical threat is able to access, modify, or delete data, or execute unauthorized code within your existing resources.

A critical SCC error class finding means any of the following:

  • A configuration error prevents Security Command Center from generating new findings of any severity.
  • A configuration error prevents you from seeing all of a service's findings.
  • A configuration error prevents attack path simulations from generating attack exposure scores and attack paths.

High severity

A high-risk vulnerability is easily discoverable and could be chained with other vulnerabilities to execute arbitrary code or exfiltrate data, and to gain additional access and privileges to resources and workloads. For example, a database that has weak or no passwords and is accessible only internally could be compromised by an actor who already has access to the internal network.

A high-risk threat is able to create computational resources in an environment, but is not able to access data or execute code in existing resources.

A high-risk SCC error class finding indicates that a configuration error is causing any of the following issues:

  • You cannot see or export some of a service's findings.
  • For attack path simulations, the attack exposure scores and attack paths might be incomplete or inaccurate.

Medium severity

A medium-risk vulnerability could allow an actor to gain access to resources or privileges that enable them to eventually gain access and the ability to exfiltrate data or execute arbitrary code. For example, if a service account has unnecessary access to projects and an actor gains access to the service account, the actor could use that service account to manipulate a project.

A medium-risk threat could lead to a more severe issue, but might not indicate current data access or unauthorized code execution.

Low severity

A low-risk vulnerability hampers a security team's ability to detect vulnerabilities or active threats in their deployment, or prevents the root cause investigation of security issues. For example, monitoring and logging are disabled for resource configurations and access.

A low-risk threat has obtained minimal access to an environment, but isn't able to access data, execute code, or create resources.

Unspecified severity

A severity classification of Unspecified indicates that the service that generated the finding did not set a severity value for the finding.

If you get a finding with a severity of Unspecified, you need to assess the severity yourself by investigating the finding and reviewing any documentation that the product or service that generated the finding provides.

Variable severity

The severity of the findings in a finding category can vary under certain circumstances.

Severities that vary based on attack exposure score

If you are using the Enterprise tier of Security Command Center, the severity levels of vulnerability and misconfiguration findings more accurately reflect the risk of each individual finding, because the severity of a finding can change to reflect the finding's attack exposure score.

With the Enterprise tier, vulnerability and misconfiguration findings are issued with a default or baseline severity level that is common to all of the findings within a given finding category. After a finding is issued, if the attack path simulations of Security Command Center determine that the finding exposes one or more resources that you have designated as a high-value resource, the simulations assign an attack exposure score to the finding and increase the severity level accordingly. If the finding remains active, but the simulations later reduce the attack exposure score, the severity level of the finding can also decrease, but no lower than the original default level.

If you are using the Premium tier or Standard tier of Security Command Center, the severity levels of all findings remain static.
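The two rules above, ranking vulnerability and misconfiguration findings by attack exposure score before severity and never letting an Enterprise-tier severity fall below its baseline, modeled as an added Python illustration. This is not Security Command Center code or its API: the finding dict fields, the class names, and the sample findings are constructed for the example.

```python
# Severity levels from this page, ranked for sorting.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNSPECIFIED": 0}

# Only vulnerability and misconfiguration findings can carry an attack
# exposure score (assumed class values, not an official enum).
SCORED_CLASSES = {"VULNERABILITY", "MISCONFIGURATION"}


def make_finding(name, finding_class, severity, score=None):
    """Constructed sample finding; the field names are assumptions."""
    return {"name": name, "class": finding_class, "severity": severity,
            "baseline": severity, "score": score}


def apply_simulation(finding, score, simulated_severity):
    """Enterprise-tier rule: a new attack exposure score may raise or lower
    the severity, but never below the category's baseline (default) level."""
    if finding["class"] not in SCORED_CLASSES:
        raise ValueError("only vulnerability/misconfiguration findings are scored")
    finding["score"] = score
    if SEVERITY_RANK[simulated_severity] > SEVERITY_RANK[finding["baseline"]]:
        finding["severity"] = simulated_severity
    else:
        finding["severity"] = finding["baseline"]  # floor at the default level
    return finding["severity"]


def triage(findings):
    """Split findings into work queues following the page's guidance."""
    manual = [f for f in findings if f["severity"] == "UNSPECIFIED"]
    scored = [f for f in findings
              if f["severity"] != "UNSPECIFIED" and f["class"] in SCORED_CLASSES]
    others = [f for f in findings
              if f["severity"] != "UNSPECIFIED" and f["class"] not in SCORED_CLASSES]
    # Vulnerabilities/misconfigurations: attack exposure score first, then
    # severity; findings that have no score sort after any scored finding.
    scored.sort(key=lambda f: (f["score"] if f["score"] is not None else -1.0,
                               SEVERITY_RANK[f["severity"]]), reverse=True)
    # Threats have no score, so severity alone orders them.
    others.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return {"vulnerabilities": [f["name"] for f in scored],
            "threats": [f["name"] for f in others],
            "assess_manually": [f["name"] for f in manual]}


def demo():
    """Constructed findings: a LOW bucket misconfiguration exposing a
    high-value resource outranks an unexposed HIGH database vulnerability."""
    weak_db = make_finding("weak-db-password", "VULNERABILITY", "HIGH")
    bucket = make_finding("public-bucket", "MISCONFIGURATION", "LOW", score=9.5)
    grant = make_finding("anomalous-iam-grant", "THREAT", "HIGH")
    vendor = make_finding("vendor-finding", "VULNERABILITY", "UNSPECIFIED")
    apply_simulation(weak_db, 2.0, "MEDIUM")  # below baseline: stays HIGH
    return triage([weak_db, bucket, grant, vendor]), weak_db["severity"]
```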

Severities that vary based on the detected issue

For a few finding categories, Security Command Center can assign a different default severity level to a finding depending on the particulars of the security issue that was detected.

For example, the severity classification of the IAM anomalous grant finding that is generated by Event Threat Detection is usually HIGH, but if the finding is generated for the granting of sensitive permissions to a custom IAM role, the severity is MEDIUM.

View finding severities in the Google Cloud console

You can view Security Command Center findings by severity in several ways in the Google Cloud console:

  • On the Overview page, you can see how many findings at each severity level are active in your resources in the Vulnerabilities per resource type section.
  • On the Threats page, you can see how many threat findings exist at each severity level.
  • On the Vulnerabilities page, you can filter the displayed vulnerability detection modules by severity level to show only the modules that have active findings at that severity level.
  • On the Findings page, you can add filters for specific severity levels to your findings queries from the Quick filters panel.