Configuring Security Command Center

Configure Security Command Center, including adding security sources, managing which sources apply to which resources, and setting up logging for Event Threat Detection and Container Threat Detection.

To configure Security Command Center, go to the Security Command Center Settings page in the Cloud Console, and then click the tab for the setting you want to change.

Sources & services

In this context, a security source is a service that provides vulnerability and threat findings to Security Command Center. To add a new security source, you complete its integration guide, and then enable it as a security source in the Security Command Center dashboard. You can add Google Cloud security sources to Security Command Center along with other, third-party security sources, which gives you a complete view of your organization's security risks, vulnerabilities, and threats.

After you enable a security source, you can configure which resources each security source monitors.

Built-in services

The following built-in services are part of Security Command Center:

  • Security Health Analytics
  • Web Security Scanner
  • Event Threat Detection
  • Container Threat Detection

Some built-in services are available only if your organization is subscribed to the Security Command Center Premium tier. To learn more, see Security Command Center tiers.

To enable or disable a built-in service for all of your resources that the service supports, click the toggle next to the service name. To limit a service to certain folders, projects, or clusters in your organization, click Edit Resources to display the Resources tab that's described later on this page.

Adding a Google Cloud integrated security source

Google Cloud offers the following Google Cloud security sources that integrate with Security Command Center:

  • Anomaly Detection
  • Cloud Data Loss Prevention
  • Forseti Security
  • Phishing Protection

For more information about what these sources offer, see security sources for vulnerabilities and threats.

Findings from Google Cloud security sources are available after you complete their integration guides.

  • To add a new source, click Add More Sources. The Security Command Center Services Google Cloud Marketplace page is displayed. Click any service that you want to add and follow the service provider's instructions to add it as an integrated source.
  • To view findings from security sources, enable the service by clicking the toggle next to the service name. To limit a service to certain folders, projects, or clusters in your organization, use the Resources tab that's described later on this page.

Adding a third-party security source

Security Command Center can display findings from third-party security sources that have registered as a Google Cloud Marketplace partner. Third-party security partners that are already registered include the following:

  • Acalvio
  • Capsule8
  • Cavirin
  • Chef
  • Check Point CloudGuard Dome9
  • Cloudflare
  • CloudQuest
  • McAfee
  • Qualys
  • Reblaze
  • Redlock by Palo Alto Networks
  • StackRox
  • Tenable.io
  • Twistlock

If you want to integrate a security source that isn't already registered as a Google Cloud Marketplace partner, ask your provider to complete the guide to Onboard as a Security Command Center partner.

To add a new third-party security source to Security Command Center, you set up the security source, and then enable it in the Security Command Center dashboard.

Before you begin

To add a security source for a registered Cloud Marketplace partner, you need:

  • The following Identity and Access Management (IAM) roles:
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
  • A Google Cloud project that you want to use for the security source.

Step 1: Setting up a security source

To set up a third-party security source, you need a service account for that source. When you add the new security source, you can choose from the following service account options:

  • Create a service account.
  • Use your own existing service account.
  • Use a service account from the source provider.

To set up a new security source that's already registered as a Cloud Marketplace partner, follow the steps below:

  1. Go to the Security Command Center Services Marketplace page in the Cloud Console.
  2. The Marketplace page displays security sources that are directly associated with Security Command Center.
    • If you don't see the security source that you want to add, search for Security, and then select the security source provider.
    • If the security source provider isn't registered in the Cloud Marketplace, ask your provider to complete the guide to Onboard as a Security Command Center partner.
  3. On the security source provider page in the Cloud Marketplace, follow any provider setup instructions in the Overview.
  4. After you complete the provider's setup process, click Visit [provider name] site to sign up on the provider's Marketplace page.
  5. On the Cloud Console Security Command Center page that appears, select the organization for which you want to use the security source.
  6. On the Create Service Account & Enable [provider name] Security Events page that appears, accept the provider's service account, if available, or create or select your own service account that you want to use:
    • To create a service account:
      1. Select Create a new service account.
      2. Next to Project, click Change to select the project you want to use for this security source.
      3. Add a Service account name and Service account ID.
    • To use an existing service account:
      1. Select Use an existing service account, then select the service account you want to use from the Service account name drop-down list.
    • If the security source provider manages the service account, enter the Service account ID they provided.
  7. When you're finished adding service account information, click Submit or Accept.
  8. On the Source connect page that appears, click the link under Installation Steps for information about how to complete installation.
  9. When you're finished, click Done.

When configured correctly, the security source you added is available in Security Command Center.

Step 2: Enabling the security source

After you set up a new security source, you need to enable it on the Sources & Services tab in the Security Command Center dashboard.

An integrated security source uses a service account that might be outside your organization. For example, Google Cloud security sources use a service account at security-center-fpr.iam.gserviceaccount.com. If your organization policies restrict identities by domain, you need to add the service account to a group that's within an allowed domain.

On the Security Sources tab, you add new sources or enable and disable existing ones:

  1. Go to the Sources & Services page in the Cloud Console.
  2. Select the organization for which you want to add a security source.
  3. Next to the security source that you want to enable, click the toggle.

Findings for the security sources you select are displayed on the Findings page in the Security Command Center dashboard.

Changing provider service accounts

You can change the service account used for a third-party security source, for example to rotate it or to respond to a service account leak. To change the service account for a security source, you update it in the Security Command Center dashboard, and then follow the service provider's instructions to update the service account for their service.

  1. Go to the Security Command Center Security Sources page in the Cloud Console.
  2. Under Enabled, click the toggle to temporarily disable the security source for which you want to change the service account.
  3. Next to the service account name, click Edit.
  4. On the Edit [provider name] panel that appears, enter the new service account, then click Submit.
  5. Under Enabled, click the toggle to re-enable the security source.

When configured correctly, the service account for the security source is updated in Security Command Center. You must also follow the source provider's instructions to update the service account information for their service.

Resources

The Resources tab lets you change supported service settings for each supported resource. By default, resources inherit the service settings of the organization. To enable or disable a service for an individual resource instead, click the drop-down list in that service's column for the resource and select one of the following values:

  • On: the service is enabled for the resource.
  • Off: the service is disabled for the resource.
  • Inherit from parent resource: the resource uses the service setting that's selected for its parent in the resource hierarchy.
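As an added illustration (not part of the original documentation or of the Security Command Center API), the following Python models how these three settings resolve to an effective value across an organization, its folders, and its projects, and lists the resources where an explicit Off overrides a parent that has the service On. The resource names and hierarchy are constructed for the example.

```python
"""Constructed example (not Security Command Center code): resolves the
On / Off / Inherit-from-parent service settings of the Resources tab."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ON, OFF, INHERIT = "On", "Off", "Inherit from parent resource"
SERVICES = ("Event Threat Detection", "Container Threat Detection")

@dataclass
class Resource:
    name: str                     # e.g. "organizations/123", "projects/p1"
    parent: Optional["Resource"]  # None for the organization (root)
    # Setting chosen on the Resources tab per service; absent == Inherit.
    settings: Dict[str, str] = field(default_factory=dict)

def effective_setting(resource: Resource, service: str) -> str:
    """Walk up the hierarchy until an ancestor sets the service On or Off.
    Assumption of this example: the organization toggle is only On or Off,
    so reaching the root without an explicit value is treated as Off."""
    node: Optional[Resource] = resource
    while node is not None:
        value = node.settings.get(service, INHERIT)
        if value in (ON, OFF):
            return value
        node = node.parent
    return OFF

def coverage_gaps(resources: List[Resource], service: str) -> List[str]:
    """Resources explicitly Off while the service is On for their parent:
    detection blind spots a reviewer should justify or remove."""
    return [r.name for r in resources
            if r.parent is not None and r.settings.get(service) == OFF
            and effective_setting(r.parent, service) == ON]

# Constructed hierarchy: organization -> two folders -> three projects.
ORG = Resource("organizations/123456789012", None, {s: ON for s in SERVICES})
FOLDER_PROD = Resource("folders/111", ORG)  # inherits everything from ORG
FOLDER_SANDBOX = Resource("folders/222", ORG, {"Container Threat Detection": OFF})
PROJ_API = Resource("projects/prod-api", FOLDER_PROD)
PROJ_LEGACY = Resource("projects/prod-legacy", FOLDER_PROD, {"Event Threat Detection": OFF})
PROJ_SCRATCH = Resource("projects/sandbox-scratch", FOLDER_SANDBOX)
ALL = [ORG, FOLDER_PROD, FOLDER_SANDBOX, PROJ_API, PROJ_LEGACY, PROJ_SCRATCH]

if __name__ == "__main__":
    for r in ALL:
        print(r.name, {s: effective_setting(r, s) for s in SERVICES})
    print("gaps:", {s: coverage_gaps(ALL, s) for s in SERVICES})
```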

Sinks

On the Sinks tab, you set up logging for Event Threat Detection and Container Threat Detection findings. Findings are exported to the Cloud Logging project you select.

To log findings:

  1. Click the toggle next to Log Findings to Stackdriver.
  2. In the Logging Project box, select the project that you want to write logs to.

Permissions

To view and configure IAM roles for Security Command Center, click Show Permissions on the Configuration page. Permissions are grouped by role.

To edit the roles that are granted to a user:

  1. Click next to the role name to expand the node.
  2. Next to the name of the user that you want to edit roles for, click to select the action you want to take:
    1. To remove a role, click Remove member.
    2. To add a role, click Edit member. In the Edit permissions panel that appears, add or remove roles and then click Save.

To add roles for a new user:

  1. Click Add Member.
  2. On the Add members and roles panel that appears:
    1. Enter the user's email address.
    2. Add one or more roles and then click Save.

Legacy UI settings

Expand the following section for information about how to manage Security Command Center using the Legacy UI. The Legacy UI is only visible if you haven't migrated to the Security Command Center Premium or Standard tier.