Configuring Security Command Center

Configure Security Command Center, including adding security services, managing which services apply to which resources, and setting up logging for Event Threat Detection and Container Threat Detection.

To configure Security Command Center, go to the Security Command Center Settings page in the Cloud Console, and then click the tab for the setting you want to change.

Services

In this context, an integrated service provides vulnerability and threat findings to Security Command Center. To add a new integrated service, you complete its integration guide, and then enable it as a security service in the Security Command Center dashboard. You can add Google Cloud integrated services to Security Command Center along with other, third-party security services. This capability enables you to have a complete view of your organization's security risks, vulnerabilities, and threats.

After you enable an integrated service, you can configure which resources each security service monitors.

Built-in services

The following built-in services are part of Security Command Center:

  • Security Health Analytics
  • Web Security Scanner
  • Event Threat Detection
  • Container Threat Detection

Some built-in services are only available if your organization is subscribed to the Security Command Center Premium tier. Learn more about Security Command Center tiers.

To enable or disable a built-in service for all of the resources in your organization that the service supports, click the drop-down list next to the service name and choose an enablement option:

  • Enable by default: the service is enabled for every supported resource in the organization.
  • Disable by default: the service is disabled for every supported resource in the organization.

To limit a service to certain folders, projects, or clusters in your organization, navigate to Advanced settings to display a hierarchical list of your organization's resources. The Advanced settings menu is described later on this page.

Adding a Google Cloud integrated service

On the Settings page, click the Integrated Services tab to view available services. Google Cloud offers the following Google Cloud security services that integrate with Security Command Center:

  • Anomaly Detection
  • Google Cloud Armor
  • Cloud Data Loss Prevention
  • Forseti Security
  • Phishing Protection

For more information about these services, read Security sources for vulnerabilities and threats.

Findings from Google Cloud security services are available after you complete their integration guides.

  • To add a new service, click Add More Services. The Security Command Center Services page on Google Cloud Marketplace is displayed. Click the service you're interested in and follow provider instructions to add it as an integrated service.
  • To view findings from security services, enable the service by clicking the toggle next to the service name. To limit a service to certain folders, projects, or clusters in your organization, use the Advanced settings menu that's described later on this page.

Integrated sources use service accounts that might be outside your organization. For example, Google Cloud security sources use a service account at security-center-fpr.iam.gserviceaccount.com. If your organization policies are set to restrict identities by domain, you need to add the service account to an identity in a group that's within an allowed domain.

On the Integrated Services tab, you add new sources or enable and disable existing ones:

  1. Go to the Services page in the Cloud Console.
  2. Select the organization for which you want to add a security source.
  3. Select the Integrated Services tab.
  4. Next to the integrated source that you want to enable, click the drop-down list and select Enable by default.

Findings for the integrated sources you select are displayed on the Findings page in the Security Command Center dashboard.

To disable an integrated service, next to its name, click the drop-down list and select Disable by default.

Adding a third-party security service

Security Command Center can display findings from third-party security services that have registered as a Google Cloud Marketplace partner. Third-party security partners that are already registered include the following:

  • Acalvio
  • Capsule8
  • Cavirin
  • Chef
  • Check Point CloudGuard Dome9
  • Cloudflare
  • CloudQuest
  • McAfee
  • Qualys
  • Reblaze
  • Prisma Cloud by Palo Alto Networks
  • StackRox
  • Tenable.io

To integrate security services that aren't registered as Google Cloud Marketplace partners, ask the providers to complete the guide to Onboard as a Security Command Center partner.

To add a new third-party security service to Security Command Center, you set up the security service, and then enable it in the Security Command Center dashboard.

Before you begin

To add a security service for a registered Cloud Marketplace partner, you need:

  • The following Identity and Access Management (IAM) roles:
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
  • A Google Cloud project that you want to use for the security service.

Step 1: Setting up a security service

To set up a third-party security service, you need a service account for that service. When you add the new security service, you can choose from the following service account options:

  • Create a service account.
  • Use your own existing service account.
  • Use a service account from the service provider.

To set up a new security service that's already registered as a Cloud Marketplace partner, follow the steps below:

  1. Go to the Security Command Center Services Marketplace page in the Cloud Console.
  2. The Marketplace page displays security services that are directly associated with Security Command Center.
    • If you don't see the security service that you want to add, search for Security, and then select the security service provider.
    • If the security service provider isn't registered in the Cloud Marketplace, ask your provider to complete the guide to Onboard as a Security Command Center partner.
  3. On the security service provider page in the Cloud Marketplace, follow any provider setup instructions in the Overview.
  4. After you complete the provider's setup process, click Visit [provider name] site to sign up on the provider's Marketplace page.
  5. On the Cloud Console Security Command Center page that appears, select the organization for which you want to use the security service.
  6. On the Create Service Account & Enable [provider name] Security Events page that appears, accept the provider's service account, if available, or create or select your own service account that you want to use:
    • To create a service account:
      1. Select Create a new service account.
      2. Next to Project, click Change to select the project you want to use for this security service.
      3. Add a Service account name and Service account ID.
    • To use an existing service account:
      1. Select Use an existing service account, then select the service account you want to use from the Service account name drop-down list.
    • If the security service provider manages the service account, enter the Service account ID they provided.
  7. When you're finished adding service account information, click Submit or Accept.
  8. On the Source connect page that appears, click the link under Installation Steps for information about how to complete installation.
  9. When you're finished, click Done.

When configured correctly, the security service you added is available in Security Command Center.

Step 2: Enabling the security service

After you set up a new security service, you need to enable it in the Security Command Center dashboard.

Integrated sources use service accounts that might be outside your organization. For example, Google Cloud security sources use a service account at security-center-fpr.iam.gserviceaccount.com. If your organization policies are set to restrict identities by domain, you need to add the service account to an identity in a group that's within an allowed domain.

On the Integrated Services tab, you add new sources or enable and disable existing ones:

  1. Go to the Services page in the Cloud Console.
  2. Select the organization for which you want to add a security source.
  3. Select the Integrated Services tab.
  4. Next to the integrated source that you want to enable, click the drop-down list and select Enable by default.

Findings for the integrated sources you select are displayed on the Findings page in the Security Command Center dashboard.

Changing provider service accounts

You can change the service account used for a third-party security service, for example to respond to a leaked service account credential or to rotate the account on a regular schedule. To change the service account for a security service, you update it in the Security Command Center dashboard. Afterward, follow the service provider's instructions to update the service account for their service.

  1. Go to the Security Command Center Integrated Services page in the Cloud Console.
  2. Select your organization, if prompted.
  3. In the drop-down list next to the integrated service:
    1. Select Disabled to temporarily disable the integrated service.
    2. Then, select Manage service account.
  4. On the Edit [provider name] panel that appears, enter the new service account, then click Submit.
  5. In the drop-down list next to the integrated service, select Enabled to enable the security service.

When configured correctly, the service account for the integrated service is updated in Security Command Center. Follow the service provider's instructions to update the service account information for their service.

Advanced settings

The Advanced settings menu lets you change supported service settings for each supported resource. By default, resources inherit the service settings for the organization. To optionally enable or disable services for individual resources, click the drop-down list in the service column to select service enablement on a resource.

  • Enable by default: the service is enabled for the resource.
  • Disable by default: the service is disabled for the resource.
  • Inherit: the resource uses the service setting that's selected for its parent in the resource hierarchy.

Clicking Search for a folder or project launches a window that lets you enter search terms to quickly find resources and change their settings.

Sinks

On the Sinks tab, you set up logging for Event Threat Detection and Container Threat Detection findings. Findings are exported to the Cloud Logging project you select.

To log findings:

  1. Click the toggle next to Log Findings to Stackdriver.
  2. In the Logging Project box, select the project that you want to write logs to.
  3. When finished, click Save.

Permissions

To view and configure IAM roles for Security Command Center, navigate to the Permissions panel on the Settings page. Permissions are grouped by role. If the panel is not visible, click the Show permissions link at the top of the page.

To edit the roles that are granted to a user:

  1. Expand the node by clicking the arrow icon next to the role name.
  2. Next to the name of the user whose roles you want to edit, click the corresponding icon, then select the action you want to take:
    1. To remove a role, click the delete icon to Remove member.
    2. To add a role, click the pencil icon to Edit member. In the Edit permissions panel that appears, add or remove roles and then click Save.

To add roles for a new user:

  1. Click Add Member.
  2. On the Add members and roles panel that appears:
    1. Enter the user's email address.
    2. Add one or more roles and then click Save.

Legacy UI settings

Expand the following section for information about how to manage Security Command Center using the Legacy UI. The Legacy UI is only visible if you haven't migrated to the Security Command Center Premium or Standard tier.
