Configuring Security Command Center

Configure Security Command Center, including adding security services, managing which services apply to which resources, and setting up logging for Event Threat Detection and Container Threat Detection.

To configure Security Command Center, go to the Security Command Center Settings page in the console, and then click the tab for the setting you want to change.

Services

Two types of services run on Security Command Center: built-in services and integrated services. Built-in services are part of Security Command Center. Integrated services are Google Cloud or third-party services that provide findings to Security Command Center.

To add a new integrated service, you complete its integration guide, and then enable it as a security service in the Security Command Center dashboard. This capability enables you to have a complete view of your organization's security risks, vulnerabilities, and threats.

After you enable an integrated service, you can configure which resources each security service monitors.

Built-in services

The following built-in services are part of Security Command Center:

  • Security Health Analytics
  • Web Security Scanner
  • Event Threat Detection
  • Container Threat Detection
  • Virtual Machine Threat Detection
  • Secured Landing Zone service (Preview)

Some built-in services are only available if your organization is subscribed to the Security Command Center Premium tier. Learn more about Security Command Center tiers.

Enable or disable a built-in service

By default, resources inherit the service settings of their parent resource. To enable or disable a Security Command Center service at the organization, folder, or project level, do the following:

  1. In the Google Cloud console, go to the Services page.

  2. Select your organization.

  3. For the service that you want to modify, click Manage settings.

  4. On the Service enablement tab, find the resource—the organization, folder, or project—that you want to modify.

  5. For that resource, set the service to Enable, Disable, or Inherit.
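As an added illustration, not part of the original page, of how the Enable, Disable, and Inherit settings resolve down the hierarchy, the following Python model walks from a project up through its folders to the organization until it finds an explicit setting. The resource names, the service label, and the sample tree are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# The three per-resource choices on the Service enablement tab.
ENABLE, DISABLE, INHERIT = "ENABLE", "DISABLE", "INHERIT"
ETD = "Event Threat Detection"  # service label used in the sample tree


@dataclass
class Resource:
    """A node in the organization -> folder -> project hierarchy (constructed model)."""
    name: str
    parent: Optional["Resource"] = None
    # service label -> ENABLE / DISABLE / INHERIT; an unset service counts as INHERIT
    settings: Dict[str, str] = field(default_factory=dict)


def effective_state(resource: Resource, service: str) -> str:
    """Return ENABLE or DISABLE for `service` on `resource`.

    Walks up the hierarchy until an explicit setting is found, which is how an
    inherited setting resolves. The organization (root) has no parent to inherit
    from, so it must carry an explicit setting; anything else is a config error.
    """
    node = resource
    while True:
        state = node.settings.get(service, INHERIT)
        if state in (ENABLE, DISABLE):
            return state
        if node.parent is None:
            raise ValueError(f"{node.name}: organization must set {service} explicitly")
        node = node.parent


def build_sample_hierarchy() -> Dict[str, Resource]:
    """Constructed tree: ETD enabled at the org, disabled on one folder, re-enabled on one project."""
    org = Resource("organizations/ORG_ID", settings={ETD: ENABLE})
    prod = Resource("folders/prod", org)                                # inherits ENABLE
    sandbox = Resource("folders/sandbox", org, settings={ETD: DISABLE})  # explicit DISABLE
    web = Resource("projects/web", prod)                                # ENABLE via prod -> org
    lab = Resource("projects/lab", sandbox)                             # DISABLE via sandbox
    ci = Resource("projects/ci", sandbox, settings={ETD: ENABLE})       # overrides its folder
    return {r.name: r for r in (org, prod, sandbox, web, lab, ci)}


if __name__ == "__main__":
    for name, res in build_sample_hierarchy().items():
        print(f"{name:24} {ETD}: {effective_state(res, ETD)}")
```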

View the modules of a service

For some services, you can enable or disable certain detectors, also known as modules. To view the modules of a service and their current statuses, do the following:

  1. In the Google Cloud console, go to the Services tab on the Settings page.

  2. Select your organization.

  3. For the service that you want to modify, click Manage settings.

  4. Click the Modules tab.

    The service's modules are displayed, along with their respective statuses.

Enable or disable a module

  1. In the Google Cloud console, go to the Services tab on the Settings page.

  2. Select your organization.

  3. For the service that you want to modify, click Manage settings.

  4. On the Modules tab, find the detector that you want to modify, and set its status to Enable or Disable.

Adding a Google Cloud integrated service

You can add Google Cloud integrated services to Security Command Center along with third-party security services.

On the Settings page, click the Integrated Services tab to view available services. The following are Google Cloud security services that integrate with Security Command Center:

  • Anomaly Detection
  • Google Cloud Armor
  • Cloud Data Loss Prevention
  • Forseti Security
  • Phishing Protection

For more information about these services, see Security sources for vulnerabilities and threats.

Findings from Google Cloud security services are available after you complete their integration guides.

  • To add a new service, click Add More Services. The Security Command Center Services page on Google Cloud Marketplace is displayed. Click the service you're interested in and follow the provider's instructions to add it as an integrated service.
  • To view findings from security services, enable the service by clicking the toggle next to the service name. To limit a service to certain folders, projects, or clusters in your organization, use the Advanced settings menu that's described later on this page.

Integrated sources use service accounts that might be outside your organization. For example, Google Cloud security sources use a service account at security-center-fpr.iam.gserviceaccount.com. If your organization policies are set to restrict identities by domain, you need to add the service account to an identity in a group that's within an allowed domain. Such service accounts have the format service-org-ORGANIZATION_NUMBER@security-center-api.iam.gserviceaccount.com, where ORGANIZATION_NUMBER is the numerical ID of your organization.

On the Integrated Services tab, you add new sources or enable and disable existing ones:

  1. Go to the Services page in the console.

  2. Select the organization for which you want to add a security source.

  3. Select the Integrated Services tab.

  4. Next to the integrated source that you want to enable, click the drop-down list and select Enable by default.

Findings for the integrated sources you select are displayed on the Findings page in the Security Command Center dashboard.

To disable an integrated service, next to its name, click the drop-down list and select Disable by default.

VM Manager vulnerability reports

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.

If you enable VM Manager and are subscribed to Security Command Center Premium, VM Manager writes its vulnerability reports to Security Command Center by default. The reports identify vulnerabilities in operating systems installed on Compute Engine VMs.

For more information, see VM Manager.

Adding a third-party security service

Security Command Center can display findings from third-party security services that have registered as Cloud Marketplace partners. Third-party security services that are already registered include the following:

  • Acalvio
  • Capsule8
  • Cavirin
  • Chef
  • Check Point CloudGuard Dome9
  • CloudQuest
  • McAfee
  • Qualys
  • Reblaze
  • Prisma Cloud by Palo Alto Networks
  • StackRox
  • Tenable.io

To integrate security services that aren't registered as Cloud Marketplace partners, ask the providers to complete the guide to Onboard as a Security Command Center partner.

To add a new third-party security service to Security Command Center, you set up the security service, and then enable it in the Security Command Center dashboard.

Before you begin

To add a security service for a registered Cloud Marketplace partner, you need:

  • The following Identity and Access Management (IAM) roles:
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
  • A Google Cloud project that you want to use for the security service.

Step 1: Setting up a security service

To set up a third-party security service, you need a service account for that service. When you add the new security service, you can choose from the following service account options:

  • Create a service account.
  • Use your own existing service account.
  • Use a service account from the service provider.

To set up a new security service that's already registered as a Cloud Marketplace partner, follow the steps below:

  1. Go to the Security Command Center Services Marketplace page in the console.

  2. The Marketplace page displays security services that are directly associated with Security Command Center.

    • If you don't see the security service that you want to add, search for Security, and then select the security service provider.
    • If the security service provider isn't registered in the Cloud Marketplace, ask your provider to complete the guide to Onboard as a Security Command Center partner.
  3. On the security service provider page in the Cloud Marketplace, follow any provider setup instructions in the Overview.

  4. After you complete the provider's setup process, click Visit [provider name] site to sign up on the provider's Marketplace page.

  5. On the console Security Command Center page that appears, select the organization for which you want to use the security service.

  6. On the Create Service Account & Enable [provider name] Security Events page that appears, accept the provider's service account, if available, or create or select your own service account that you want to use:

    • To create a service account:
      1. Select Create a new service account.
      2. Next to Project, click Change to select the project you want to use for this security service.
      3. Add a Service account name and Service account ID.
    • To use an existing service account:
      1. Select Use an existing service account, then select the service account you want to use from the Service account name drop-down list.
    • If the security service provider manages the service account, enter the Service account ID they provided.
  7. When you're finished adding service account information, click Submit or Accept.

  8. On the Source connect page that appears, click the link under Installation Steps for information about how to complete installation.

  9. When you're finished, click Done.

When configured correctly, the security service you added is available in Security Command Center.

Step 2: Enabling the security service

After you set up a new security service, you need to enable it on the Integrated Services tab of the Security Command Center dashboard, following the same steps described under Adding a Google Cloud integrated service. Findings for the enabled service are then displayed on the Findings page.

Changing provider service accounts

You can change the service account used for a third-party security service, for example, to replace a service account whose credentials have been exposed or to rotate it. To change the service account for a security service, you need to update it in the Security Command Center dashboard. Afterward, follow the service provider's instructions to update the service account for their service.

  1. Go to the Security Command Center Integrated Services page in the console.

  2. If prompted, select your organization.

  3. In the drop-down list next to the integrated service:

    1. Select Disabled to temporarily disable the integrated service.
    2. Then, select Manage service account.
  4. On the Edit [provider name] panel that appears, enter the new service account, then click Submit.

  5. In the drop-down list next to the integrated service, select Enabled to enable the security service.

When configured correctly, the service account for the integrated service is updated in Security Command Center. Follow the service provider's instructions to update the service account information for their service.

Cloud Logging export

On the Continuous Exports tab, you set up logging for Event Threat Detection and Container Threat Detection findings. Findings are exported to the Cloud Logging project you select.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost, see Cost optimization for Google Cloud's operations suite.

To log findings, do the following:

  1. Go to Security Command Center's Settings page.

  2. If necessary, select your organization or project.

  3. Click the Continuous Exports tab.

  4. Under Export name, click Cloud Logging Export.

  5. Under Sinks, turn on Log Findings to Cloud Logging.

  6. Under Logging Project, enter or search for the project where you want to log findings.

  7. Click Save.

When Event Threat Detection and Container Threat Detection write logs, each log entry includes the threat_detector resource type and contains the same information as findings. For instructions on reviewing logs, see Using Event Threat Detection and Using Container Threat Detection.

Mute rules

The Mute rules tab lists any mute rules that are set in your organization, folders, and projects. On this tab, you can create a mute rule or manage existing ones.

Mute rules automatically suppress future findings based on filters that you define. For more information about muting findings and working with mute rules, see Mute findings in Security Command Center.

Roles

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

For information about how to grant, change, and revoke IAM roles, see Manage access to projects, folders, and organizations.

What's next