Security Command Center overview

This page provides an overview of Security Command Center, a risk management solution that, with the Enterprise tier, combines cloud security and enterprise security operations, and provides insights from Mandiant expertise and Gemini artificial intelligence.

Security Command Center enables security operations center (SOC) analysts, vulnerability and posture analysts, compliance managers, and other security professionals to quickly assess, investigate, and respond to security issues across multiple cloud environments.

Every cloud deployment has unique risks. Security Command Center can help you understand and evaluate the attack surface of your projects or organization on Google Cloud, as well as the attack surface of your other cloud environments. Properly configured to protect your resources, Security Command Center can help you make sense of the vulnerabilities and threats detected in your cloud environments and prioritize their fixes.

Security Command Center integrates with many Google Cloud services to detect security issues in multiple cloud environments. These services detect issues in a variety of ways, such as scanning resource metadata, scanning cloud logs, scanning containers, and scanning virtual machines.

Some of these integrated services, such as Google Security Operations and Mandiant, also provide capabilities and information that are critical to prioritizing and managing your investigations and response to detected issues.

Manage threats

In the Premium and Enterprise tiers, Security Command Center uses both built-in and integrated Google Cloud services to detect threats. These services scan your Google Cloud logs, containers, and virtual machines looking for threat indicators.

When these services, such as Event Threat Detection or Container Threat Detection, detect a threat indicator, they issue a finding. A finding is a report or record of an individual threat or other issue that a service has found in your cloud environment. The services that issue findings are also referred to as finding sources.

In Security Command Center Enterprise, findings trigger alerts, which, depending on the severity of the finding, can generate a case. You can use a case with a ticketing system to assign owners to the investigation of and response to one or more alerts in the case.

Security Command Center Enterprise can also detect threats in your deployments on other cloud platforms. To detect threats in deployments on other cloud platforms, Security Command Center ingests the logs from the other cloud platform, after you establish a connection.

For more information, see the following pages:

Threat detection and response features

With Security Command Center, SOC analysts can achieve the following security goals:

  • Detect events in your cloud environments that indicate a potential threat and triage the associated findings or alerts.
  • Assign owners and track progress of investigations and responses with an integrated case workflow. Optionally, you can integrate your preferred ticketing systems, like Jira or ServiceNow.
  • Investigate the threat alerts with powerful search and cross-referencing capabilities.
  • Define response workflows and automate actions to address potential attacks on your cloud environments. For more information about defining response workflows and automated actions with playbooks, see Work with playbooks.
  • Mute or exclude findings or alerts that are false positives.
  • Focus on threats related to compromised identities and access permissions.
  • Use Security Command Center to detect, investigate, and respond to potential threats in your other cloud environments, like AWS.

Manage vulnerabilities

Security Command Center provides comprehensive vulnerability detection, automatically scanning the resources in your environment for software vulnerabilities, misconfigurations, and other types of security issues that might expose you to attack. These types of issues are referred to collectively as vulnerabilities.

Security Command Center uses both built-in and integrated Google Cloud services to detect security issues. The services that issue findings are also referred to as finding sources. When a service detects an issue, it issues a finding to record the issue.

By default, cases are opened automatically for high-severity and critical-severity vulnerability findings to help you prioritize their remediation. You can assign owners and track the progress of remediation efforts with a case.

For more information, see the following:

Toxic combinations

Security Command Center Risk Engine, a feature of the Enterprise tier, detects groups of security issues that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources.

This type of patterned group of security issues is referred to as a toxic combination. When Risk Engine detects a toxic combination, it issues a finding. For each toxic combination finding, Security Command Center creates a case in the Security Operations console, so that you can manage and track the resolution of the toxic combination.

For more information, see Overview of toxic combinations.

Software vulnerabilities

To help you identify, understand, and prioritize software vulnerabilities, Security Command Center can assess the virtual machines (VMs) and containers in your cloud environments for vulnerabilities. For each detected vulnerability, Security Command Center provides in-depth information in a finding record or finding. The information provided with a finding can include:

  • Details of the affected resource
  • Information about any associated CVE record, including an assessment from Mandiant of the impact and exploitability of the CVE item
  • An attack exposure score to help you prioritize remediation
  • A visual representation of the path an attacker might take to the high-value resources that are exposed by the vulnerability

Software vulnerabilities are detected by the following services:

Misconfigurations

Security Command Center maps the detectors of the services that scan for misconfigurations to the controls of the common industry compliance standards. In addition to showing you the compliance standards that a misconfiguration violates, the mapping enables you to see a measure of your compliance with the various standards, which you can then export as a report.

For more information, see Assess and report compliance.

Posture violations

The Premium and Enterprise tiers of Security Command Center include the security posture service, which issues findings when your cloud resources violate the policies that are defined in the security postures that you deployed in your cloud environment.

For more information, see Security posture service.

Validate infrastructure as code

You can verify that your infrastructure-as-code (IaC) files align with the organization policies and the Security Health Analytics detectors that you define in your Google Cloud organization. This feature helps ensure that you don't deploy resources that will violate your organization's standards. After you define your organizational policies and, if necessary, enable the Security Health Analytics service, you can use Google Cloud CLI to validate your Terraform plan file, or you can integrate the validation process into your Cloud Build, Jenkins, or GitHub Actions developer workflow. For more information, see Validate your IaC against your organization's policies.

Detect vulnerabilities and misconfigurations on other cloud platforms

Security Command Center Enterprise can detect vulnerabilities in multiple cloud environments. To detect vulnerabilities in other cloud service providers, you first need to establish a connection to the provider to ingest resource metadata.

For more information, see Connect to AWS for vulnerability detection and risk assessment.

Vulnerability and posture management features

With Security Command Center, vulnerability analysts, posture administrators, and similar security professionals can achieve the following security goals:

  • Detect different types of vulnerabilities, including software vulnerabilities, misconfigurations, and posture violations, that can expose your cloud environments to potential attacks.
  • Focus your response and remediation efforts on the highest risk issues by using the attack exposure scores on the findings and alerts for vulnerabilities.
  • Assign owners and track progress of vulnerability remediations by using cases and integrating your preferred ticketing systems, like Jira or ServiceNow.
  • Proactively secure the high-value resources in your cloud environments by lowering their attack exposure scores.
  • Define custom security postures for your cloud environments that Security Command Center uses to assess your posture and alert you to violations.
  • Mute or exclude findings or alerts that are false positives.
  • Focus on vulnerabilities that are related to identities and excessive permissions.
  • Detect and manage vulnerabilities and risk assessments for your other cloud environments, like AWS, in Security Command Center.

Assess risk with attack exposure scores and attack paths

With organization-level activations of the Premium and Enterprise tiers, Security Command Center provides attack exposure scores for high-value resources and the vulnerability and misconfiguration findings that affect the high-value resources.

You can use these scores to prioritize the remediation of vulnerabilities and misconfigurations, to prioritize the security of your most exposed high-value resources, and generally assess how exposed your cloud environments are to attack.

In the Active vulnerabilities pane of the Risk overview page in the Google Cloud console, the Findings by attack exposure score tab shows you the findings that have the highest attack exposure scores in your environment, as well as the distribution of finding scores.

For more information, see Attack exposure scores and attack paths.

Manage findings and alerts with cases

Security Command Center Enterprise creates cases to help you manage findings and alerts, assign owners, and manage the investigations and responses to detected security issues. Cases are opened automatically for high-severity and critical-severity issues.

You can integrate cases with your preferred ticketing system, like Jira or ServiceNow. When cases are updated, any open tickets for the case can be updated automatically. Similarly, if a ticket is updated, the corresponding case can be updated as well.

For more information, see Cases overview in the Google SecOps documentation.

Define response workflows and automated actions

Define response workflows and automate actions to investigate and respond to the security issues that are detected in your cloud environments.

For more information about defining response workflows and automated actions with playbooks, see Work with playbooks.

Multicloud support: Secure your deployments on other cloud platforms

You can extend Security Command Center services and capabilities to cover your deployments on other cloud platforms, so that you can manage in a single location all of the threats and vulnerabilities that are detected in all of your cloud environments.

For more information about connecting Security Command Center to another cloud service provider, see the following pages:

Supported cloud service providers

Security Command Center can connect to Amazon Web Services (AWS).

Define and manage security postures

With organization-level activations of the Premium and Enterprise tiers of Security Command Center, you can create and manage security postures that define the required state of your cloud assets, including your cloud network and cloud services, for optimal security in your cloud environment. You can customize security postures to match your business's security and regulatory needs. By defining a security posture, you can minimize cybersecurity risks to your organization and help prevent attacks from occurring.

You use the Security Command Center security posture service to define and deploy a security posture and detect any drift or unauthorized change from your defined posture.

The security posture service is automatically enabled when you activate Security Command Center at the organization level.

For more information, see Security posture overview.

Identify your assets

Security Command Center includes asset information from Cloud Asset Inventory, which continuously monitors assets in your cloud environment. For most assets, configuration changes, including IAM and organization policies, are detected in near-real time.

On the Assets page in the Google Cloud console, you can quickly apply, edit, and run sample asset queries, add a preset time constraint, or you can write your own asset queries.

If you have the Premium or Enterprise tier of Security Command Center, you can see which of your assets are designated as high-value resources for risk assessments by attack path simulations.

You can quickly identify changes in your organization or project and answer questions like:

  • How many projects do you have and when were they created?
  • What Google Cloud resources are deployed or in use, like Compute Engine virtual machines (VMs), Cloud Storage buckets, or App Engine instances?
  • What's your deployment history?
  • How to organize, annotate, search, select, filter, and sort across the following categories:
    • Assets and asset properties
    • Security marks, which enable you to annotate assets or findings in Security Command Center
    • Time period

Cloud Asset Inventory always knows the current state of supported assets and, in the Google Cloud console, lets you review historical discovery scans to compare assets between points in time. You can also look for underused assets, like virtual machines or idle IP addresses.

Gemini features in Security Command Center

Security Command Center incorporates Gemini to provide summaries of findings and attack paths, and to assist your searches and investigations of detected threats and vulnerabilities.

For information about Gemini, see Gemini overview.

Gemini summaries of findings and attack paths

If you are using Security Command Center Enterprise or Premium, Gemini provides dynamically generated explanations of each finding and of each simulated attack path that Security Command Center generates for Vulnerability and Misconfiguration class findings.

The summaries are written in natural language to help you quickly understand and act on findings and any attack paths that might accompany them.

The summaries appear in the following places in the Google Cloud console:

  • At the top of the details page of a finding, which you open by clicking the name of the finding.
  • With the Premium and Enterprise tiers of Security Command Center, if a finding has an attack exposure score, you can display the summary to the right of the attack path by clicking the attack exposure score and then AI summary.

Required IAM permissions for AI-generated summaries

To view the AI summaries, you need the required IAM permissions.

For findings, you need the securitycenter.findingexplanations.get IAM permission. The least-permissive predefined IAM role that contains this permission is the Security Center Findings Viewer (roles/securitycenter.findingsViewer) role.

For attack paths, you need the securitycenter.exposurepathexplan.get IAM permission. The least-permissive predefined IAM role that contains this permission is the Security Center Exposure Paths Reader (roles/securitycenter.exposurePathsViewer) role.

During the preview, these permissions are not available in the Google Cloud console to add to custom IAM roles.

To add the permission to a custom role, you can use the Google Cloud CLI.

For information about using the Google Cloud CLI to add permissions to a custom role, see Create and manage custom roles.

Natural language search for threat investigations

You can generate searches for threat findings, alerts, and other information by using natural language queries and Gemini. For more information, see Use natural language to generate UDM Search queries in the Google SecOps documentation.

AI Investigation widget for cases

To help you understand and investigate cases for findings and alerts, Gemini provides a summary of each case and suggests the next steps you can take to investigate the case. The summary and next steps appear in the AI investigation widget when you are viewing a case.

Actionable security insights

Security Command Center's built-in and integrated Google Cloud services continuously monitor your assets and logs for indicators of compromise and configuration changes that match known threats, vulnerabilities, and misconfigurations. To provide context for incidents, findings are enriched with information from the following sources:

  • With the Enterprise and Premium tiers:
    • AI-generated summaries that help you understand and act on Security Command Center findings and any attack paths included with them. For more information, see AI-generated summaries.
    • Vulnerability findings include information from their corresponding CVE entries, including the CVE score, and assessments from Mandiant of the vulnerability's potential impact, and potential for being exploited.
    • Powerful SIEM and SOAR search capabilities, which let you investigate threats and vulnerabilities and pivot through related entities in a unified timeline.
  • VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.
  • MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance.
  • Cloud Audit Logs (Admin Activity logs and Data Access logs).

You get notifications for new findings in near real-time, helping your security teams gather data, identify threats, and act on recommendations before they result in business damage or loss.
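The following Python handler is an added example, not Google's code, of how a security team can consume the near-real-time finding notifications described above. It assumes the notification arrives as a Pub/Sub push envelope whose base64 `data` field carries the JSON that a continuous export publishes, with the finding fields named as in the Security Command Center API (`name`, `category`, `severity`, `state`, `mute`, `resourceName`, `securityMarks.marks`, and `attackExposure.score` where a score exists). The routing rule (a case for HIGH and CRITICAL findings, everything else queued) mirrors the default case behaviour this page describes; the `allow_finding` security mark used as an allowlist, the sample findings, and the `ORG_ID`/`SOURCE_ID` placeholders are constructed for illustration.

```python
"""Triage of Security Command Center finding notifications delivered over Pub/Sub.

Added example, not Google's code. Field names follow the Security Command Center
API; the mark name, thresholds and sample findings are constructed.
"""
import base64
import json

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed mark name: operators attach it to findings that are accepted risk.
ALLOWLIST_MARK = "allow_finding"


def make_envelope(notification: dict) -> dict:
    """Wrap a notification the way a Pub/Sub push subscription delivers it (base64 `data`)."""
    raw = json.dumps(notification).encode("utf-8")
    return {"message": {"data": base64.b64encode(raw).decode("ascii")}}


def decode_envelope(envelope: dict) -> dict:
    """Recover the notification JSON from a Pub/Sub push envelope."""
    data = envelope["message"]["data"]
    return json.loads(base64.b64decode(data).decode("utf-8"))


def is_actionable(finding: dict) -> bool:
    """Skip findings that are inactive, muted, or allowlisted with a security mark."""
    if finding.get("state") != "ACTIVE":
        return False
    if finding.get("mute") == "MUTED":
        return False
    marks = finding.get("securityMarks", {}).get("marks", {})
    return marks.get(ALLOWLIST_MARK) != "true"


def triage(notification: dict) -> dict:
    """Decide what to do with one finding and return a compact triage record."""
    finding = notification["finding"]
    severity = finding.get("severity", "SEVERITY_UNSPECIFIED")
    score = float(finding.get("attackExposure", {}).get("score", 0.0))
    if not is_actionable(finding):
        action = "ignore"
    elif severity in ("CRITICAL", "HIGH"):
        action = "open_case"  # default behaviour: a case for high/critical findings
    else:
        action = "queue"
    return {
        "name": finding["name"],
        "category": finding.get("category"),
        "resource": finding.get("resourceName"),
        "severity": severity,
        "attack_exposure_score": score,
        "action": action,
    }


def prioritize(records: list[dict]) -> list[dict]:
    """Order actionable records: highest attack exposure score first, then severity."""
    actionable = [r for r in records if r["action"] != "ignore"]
    return sorted(
        actionable,
        key=lambda r: (r["attack_exposure_score"], SEVERITY_RANK.get(r["severity"], 0)),
        reverse=True,
    )


def _finding(fid: str, category: str, severity: str, **extra) -> dict:
    """Build a constructed finding; ORG_ID and SOURCE_ID are placeholders."""
    finding = {
        "name": f"organizations/ORG_ID/sources/SOURCE_ID/findings/{fid}",
        "category": category,
        "severity": severity,
        "state": "ACTIVE",
        "mute": "UNMUTED",
        "resourceName": f"//example.googleapis.com/resources/{fid}",  # constructed
    }
    finding.update(extra)
    return finding


# Constructed sample notifications: one allowlisted, one muted, three actionable.
SAMPLE_ENVELOPES = [
    make_envelope({"finding": _finding("f1", "PUBLIC_BUCKET_ACL", "HIGH",
                                       attackExposure={"score": 8.2})}),
    make_envelope({"finding": _finding("f2", "OPEN_SSH_PORT", "HIGH",
                                       securityMarks={"marks": {ALLOWLIST_MARK: "true"}})}),
    make_envelope({"finding": _finding("f3", "SSL_NOT_ENFORCED", "MEDIUM")}),
    make_envelope({"finding": _finding("f4", "PUBLIC_SQL_INSTANCE", "CRITICAL",
                                       attackExposure={"score": 3.4})}),
    make_envelope({"finding": _finding("f5", "OPEN_FIREWALL", "HIGH", mute="MUTED")}),
]


def run_sample() -> list[dict]:
    """Triage the constructed envelopes and return them in remediation order."""
    records = [triage(decode_envelope(env)) for env in SAMPLE_ENVELOPES]
    return prioritize(records)


if __name__ == "__main__":
    for rec in run_sample():
        print(f"{rec['attack_exposure_score']:>4}  {rec['severity']:<8} "
              f"{rec['category']:<20} {rec['action']}")
```

The attack exposure score is used as the primary sort key and severity only as a tie-breaker, which matches the guidance on this page to remediate the findings that expose high-value resources first; a muted or allowlisted finding never reaches the queue, so false positives that analysts have already reviewed do not generate repeat work.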

With a centralized view of your security posture and a robust API, you can quickly do the following:

  • Answer questions like:
    • What static IP addresses are open to the public?
    • What images are running on your VMs?
    • Is there evidence that your VMs are being used for cryptocurrency mining or other abusive operations?
    • Which service accounts have been added or removed?
    • How are firewalls configured?
    • Which storage buckets contain personally-identifiable information (PII) or sensitive data? This feature requires integration with Sensitive Data Protection.
    • Which cloud applications are vulnerable to cross-site-scripting (XSS) vulnerabilities?
    • Are any of my Cloud Storage buckets open to the internet?
  • Take actions to protect your assets:
    • Implement verified remediation steps for asset misconfigurations and compliance violations.
    • Combine threat intelligence from Google Cloud and third party providers, such as Palo Alto Networks, to better protect your enterprise from costly compute layer threats.
    • Ensure the appropriate IAM policies are in place and get alerts when policies are misconfigured or unexpectedly changed.
    • Integrate findings from your own or third-party sources for Google Cloud resources, or other hybrid or multicloud resources. For more information, see Adding a third-party security service.
    • Respond to threats in your Google Workspace environment and unsafe changes in Google Groups.

Identity and access misconfigurations

Security Command Center makes it easier for you to identify and resolve findings of identity and access misconfigurations on Google Cloud. Misconfiguration findings identify principals (identities) that are misconfigured or that have excessive or sensitive IAM permissions (access) to Google Cloud resources.

Cloud Infrastructure Entitlement Management

The management of identity and access-related security issues is sometimes referred to as cloud infrastructure entitlement management (CIEM). Security Command Center offers CIEM capabilities that help provide a comprehensive view of the security of your organization's identity and access configuration. Security Command Center offers these capabilities for multiple cloud platforms including Google Cloud and Amazon Web Services (AWS). With CIEM, you can see which principals have excessive permissions in your cloud environments. In addition to Google Cloud IAM, CIEM supports the ability to investigate the permissions that principals from other identity providers (such as Entra ID (Azure AD) and Okta) have on your Google Cloud resources. You can see the most severe identity and access findings from multiple cloud providers in the Identity and access findings pane on the Security Command Center Overview page in the Google Cloud console.

For more information regarding Security Command Center's CIEM capabilities, see Overview of Cloud Infrastructure Entitlement Management.

Identity and access query presets

On the Vulnerability page in the Google Cloud console, you can select query presets (predefined queries) that show the vulnerability detectors or categories that are related to identity and access. For each category, the number of active findings is displayed.

For more information about the query presets, see Apply query presets.

Manage compliance with industry standards

Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

For more information about managing compliance, see Assess and report compliance with security standards.

Supported security standards

Google Cloud

Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:

AWS

Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:

Flexible platform to meet your security needs

Security Command Center includes customization and integration options that let you enhance the service's utility to meet your evolving security needs.

Customization options

Customization options include the following:

Integration options

Integration options include the following:

When to use Security Command Center

The following table includes high-level product features, use cases, and links to relevant documentation to help you quickly find the content you need.

Feature: Asset identification and review
Use cases:
  • View in one place all of the assets, services, and data from across your organization or project, and from across your cloud platforms.
  • Assess vulnerabilities for supported assets, and take action to prioritize fixes for the most severe issues.
Related docs:
  • Security Command Center best practices
  • Access control
  • Using Security Command Center in the Google Cloud console

Feature: Sensitive data identification
Use cases:
  • Find out where sensitive and regulated data is stored using Sensitive Data Protection.
  • Help prevent unintended exposure and ensure access is on a need-to-know basis.
  • Designate resources that contain medium-sensitivity data or high-sensitivity data as high-value resources automatically.
Related docs:
  • Sending Sensitive Data Protection results to Security Command Center

Feature: Third-party SIEM and SOAR product integration
Use cases:
  • Easily export Security Command Center data to external SIEM and SOAR systems.
Related docs:
  • Exporting Security Command Center data
  • Continuous exports

Feature: Misconfiguration detection
Related docs:
  • Security Health Analytics overview
  • Web Security Scanner overview
  • Vulnerabilities findings

Feature: Software vulnerability detection
Use cases:
  • Detect software vulnerabilities in workloads on virtual machines and containers across cloud service providers.
  • Be proactively alerted to new vulnerabilities and changes in your attack surface.
  • Uncover common vulnerabilities like cross-site-scripting (XSS) and Flash injection that put your applications at risk.
  • With Security Command Center Premium, prioritize vulnerability findings by using CVE information, including assessments of exploitability and impact provided by Mandiant.
Related docs:
  • GKE security posture dashboard
  • VM Manager
  • Web Security Scanner overview
  • Vulnerabilities findings

Feature: Identity and access control monitoring
Use cases:
  • Help ensure the appropriate access control policies are in place across your Google Cloud resources and get alerted when policies are misconfigured or unexpectedly change.
  • Use query presets to quickly view findings for identity and access misconfigurations and roles that are granted excessive permissions.
Related docs:
  • IAM Recommender
  • Access control
  • Identity and access misconfigurations

Feature: Threat detection
Use cases:
  • Detect malicious activities and actors in your infrastructure, and get alerts for active threats.
  • Detect threats on other cloud platforms.
Related docs:
  • Manage threats
  • Event Threat Detection overview
  • Container Threat Detection overview

Feature: Error detection
Use cases:
  • Be alerted to errors and misconfigurations that prevent Security Command Center and its services from working as intended.
Related docs:
  • Security Command Center errors overview

Feature: Prioritize remediations
Use cases:
  • Use attack exposure scores to prioritize the remediation of vulnerability and misconfiguration findings.
  • Use attack exposure scores on resources to proactively secure the resources that are the most valuable to your business.
Related docs:
  • Overview of attack exposure scores and attack paths

Feature: Remediate risks
Use cases:
  • Implement verified and recommended remediation instructions to quickly safeguard assets.
  • Focus on the most important fields in findings to help security analysts quickly make informed triage decisions.
  • Enrich and connect related vulnerabilities and threats to identify and capture TTPs.
  • Resolve errors and misconfigurations that prevent Security Command Center and its services from working as intended.
Related docs:
  • Investigating and responding to threats
  • Remediating Security Health Analytics findings
  • Remediating Web Security Scanner findings
  • Security response automation
  • Remediating Security Command Center errors

Feature: Posture management
Use cases:
  • Ensure that your workloads conform to security standards, compliance regulations, and your organization's custom security requirements.
  • Apply your security controls to Google Cloud projects, folders, or organizations before you deploy any workloads.
  • Continuously monitor for and resolve any drift from your defined security controls.
Related docs:
  • Security posture overview
  • Manage a security posture

Feature: Third-party security tool inputs
Use cases:
  • Integrate output from your existing security tools like Cloudflare, CrowdStrike, Prisma Cloud by Palo Alto Networks, and Qualys, into Security Command Center. Integrating output can help you to detect the following:
    • DDoS attacks
    • Compromised endpoints
    • Compliance policy violations
    • Network attacks
    • Instance vulnerabilities and threats
Related docs:
  • Configuring Security Command Center
  • Creating and managing security sources

Feature: Real-time notifications
Use cases:
  • Get Security Command Center alerts through email, SMS, Slack, WebEx, and other services with Pub/Sub notifications.
  • Adjust finding filters to exclude findings on allowlists.
Related docs:
  • Setting up finding notifications
  • Enabling real-time email and chat notifications
  • Using security marks
  • Exporting Security Command Center data
  • Filtering notifications
  • Add assets to allowlists

Feature: REST API and Client SDKs
Use cases:
  • Use the Security Command Center REST API or client SDKs for easy integration with your existing security systems and workflows.
Related docs:
  • Configuring Security Command Center
  • Security Command Center client libraries
  • Security Command Center API

Data residency controls

To meet data residency requirements, when you activate Security Command Center Standard or Premium for the first time, you can enable data residency controls.

Enabling data residency controls restricts the storage and processing of Security Command Center findings, mute rules, continuous exports, and BigQuery exports to one of the data residency multi-regions that Security Command Center supports.

For more information, see Planning for data residency.

Security Command Center service tiers

Security Command Center offers three service tiers: Standard, Premium, and Enterprise.

The tier you select determines the features and services that are available with Security Command Center.

If you have questions about the Security Command Center service tiers, contact your account representative or Google Cloud sales.

For information about costs associated with using a Security Command Center tier, see Pricing.

Standard tier

The Standard tier includes the following services and features:

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:

    • Dataproc image outdated
    • Legacy authorization enabled
    • MFA not enforced
    • Non org IAM member
    • Open ciscosecure websm port
    • Open directory services port
    • Open firewall
    • Open group IAM member
    • Open RDP port
    • Open SSH port
    • Open Telnet port
    • Public bucket ACL
    • Public Compute image
    • Public dataset
    • Public IP address
    • Public log bucket
    • Public SQL instance
    • SSL not enforced
    • Web UI enabled
  • Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren't behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
  • Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly.
  • Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub.
  • Access to integrated Google Cloud services, including the following:

    • Sensitive Data Protection discovers, classifies, and protects sensitive data.
    • Google Cloud Armor protects Google Cloud deployments against threats.
    • Anomaly Detection identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining.
    • Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters.
  • GKE security posture dashboard findings: view findings about Kubernetes workload security misconfigurations, actionable security bulletins, and vulnerabilities in the container operating system or in language packages. The integration of GKE security posture dashboard findings with Security Command Center is available in Preview.
  • Integration with BigQuery, which exports findings to BigQuery for analysis.
  • Sensitive Actions Service, which detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they are taken by a malicious actor.
  • When Security Command Center is activated at the organization level, you can grant users IAM roles at the organization, folder, and project levels.
  • Data residency controls that restrict the storage and processing of Security Command Center findings, mute rules, continuous exports, and BigQuery exports to one of the data residency multi-regions that Security Command Center supports.

    For more information, see Planning for data residency.
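The Standard-tier finding types listed above arrive as individual findings, and the Continuous Exports feature delivers each new one as a Pub/Sub message. The following Python is an added example of consuming those messages in a triage script; it is not code from the Security Command Center documentation or product. It assumes the export message is a JSON object with `notificationConfigName`, `finding` and `resource` keys, with `category`, `severity`, `state` and `resourceName` inside `finding`, and it assumes the upper-case machine names of the finding types (for example `OPEN_SSH_PORT` for "Open SSH port"). The sample messages are constructed, not real findings.

```python
"""Triage Security Command Center findings received from a continuous export.

Added example, not part of the Security Command Center documentation. The
message shape and the category identifiers are assumptions (see lead-in).
"""
import json
from collections import Counter

# Assumed machine-name categories for the Standard-tier Security Health
# Analytics finding types, grouped by the kind of exposure each represents.
EXPOSURE_GROUPS = {
    "open_port": {"OPEN_SSH_PORT", "OPEN_RDP_PORT", "OPEN_TELNET_PORT", "OPEN_FIREWALL",
                  "OPEN_CISCOSECURE_WEBSM_PORT", "OPEN_DIRECTORY_SERVICES_PORT"},
    "public_data": {"PUBLIC_BUCKET_ACL", "PUBLIC_DATASET", "PUBLIC_LOG_BUCKET",
                    "PUBLIC_SQL_INSTANCE", "PUBLIC_COMPUTE_IMAGE", "PUBLIC_IP_ADDRESS"},
    "identity": {"MFA_NOT_ENFORCED", "NON_ORG_IAM_MEMBER", "OPEN_GROUP_IAM_MEMBER",
                 "LEGACY_AUTHORIZATION_ENABLED"},
    "hardening": {"SSL_NOT_ENFORCED", "WEB_UI_ENABLED", "DATAPROC_IMAGE_OUTDATED"},
}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def parse_notification(data: bytes) -> dict:
    """Decode one Pub/Sub message body and return the finding it carries.

    Raises ValueError for messages that are not finding notifications, so a
    stray test message on the topic cannot crash the consumer.
    """
    msg = json.loads(data)
    if "finding" not in msg or "category" not in msg["finding"]:
        raise ValueError("not a Security Command Center finding notification")
    return msg["finding"]


def exposure_group(category: str) -> str:
    """Map a finding category to its exposure group, or "other" if unknown."""
    for group, categories in EXPOSURE_GROUPS.items():
        if category in categories:
            return group
    return "other"


def triage(messages) -> list:
    """Return ACTIVE findings, highest severity first, tagged with their group."""
    rows = []
    for raw in messages:
        try:
            finding = parse_notification(raw)
        except ValueError:
            continue
        if finding.get("state") != "ACTIVE":
            continue  # resolved or muted findings need no new ticket
        rows.append({
            "category": finding["category"],
            "group": exposure_group(finding["category"]),
            "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
            "resource": finding.get("resourceName", ""),
        })
    # sort is stable, so equal severities keep their arrival order
    rows.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)
    return rows


def summarize(rows) -> Counter:
    """Count triaged findings per exposure group for a quick dashboard line."""
    return Counter(r["group"] for r in rows)


def _make(category, severity, state, resource):
    # Constructed notification body with placeholder organization/source ids.
    return json.dumps({
        "notificationConfigName": "organizations/EXAMPLE_ORG/notificationConfigs/example-export",
        "finding": {
            "name": "organizations/EXAMPLE_ORG/sources/EXAMPLE_SOURCE/findings/example",
            "category": category, "severity": severity, "state": state,
            "resourceName": resource,
        },
        "resource": {"name": resource},
    }).encode()


# Constructed sample messages (severities chosen for illustration only).
SAMPLE_MESSAGES = [
    _make("MFA_NOT_ENFORCED", "MEDIUM", "ACTIVE", "//cloudresourcemanager.googleapis.com/organizations/EXAMPLE_ORG"),
    _make("PUBLIC_BUCKET_ACL", "HIGH", "ACTIVE", "//storage.googleapis.com/example-bucket"),
    _make("OPEN_SSH_PORT", "HIGH", "INACTIVE", "//compute.googleapis.com/projects/example/global/firewalls/allow-ssh"),
    b'{"message": "topic smoke test"}',
    _make("OPEN_FIREWALL", "CRITICAL", "ACTIVE", "//compute.googleapis.com/projects/example/global/firewalls/allow-all"),
]

if __name__ == "__main__":
    triaged = triage(SAMPLE_MESSAGES)
    for row in triaged:
        print(f'{row["severity"]:<9}{row["group"]:<13}{row["category"]:<26}{row["resource"]}')
    print(dict(summarize(triaged)))
```

In a real consumer the bytes passed to `triage` would come from a Pub/Sub pull subscription on the export topic; everything after decoding is independent of transport, which is what makes the grouping and severity ordering easy to unit test.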

Premium tier

The Premium tier includes all of the Standard tier services and features and the following additional services and features:

  • Attack path simulations help you identify and prioritize vulnerability and misconfiguration findings by identifying the paths that a potential attacker could take to reach your high-value resources. The simulations calculate and assign attack exposure scores to any findings that expose those resources. Interactive attack paths help you visualize the possible attack paths and provide information about the paths, related findings, and the affected resources.
  • Vulnerability findings include CVE assessments provided by Mandiant to help you prioritize their remediation.

    On the Overview page in the console, the Top CVE findings section shows you vulnerability findings grouped by their exploitability and potential impact, as assessed by Mandiant. On the Findings page, you can query findings by CVE ID.

    For more information, see Prioritize by CVE impact and exploitability.

  • Event Threat Detection monitors Cloud Logging and Google Workspace, using threat intelligence, machine learning, and other advanced methods to detect threats, such as malware, cryptocurrency mining, and data exfiltration. For a full list of built-in Event Threat Detection detectors, see Event Threat Detection rules. You can also create custom Event Threat Detection detectors. For information about module templates that you can use to create custom detection rules, see Overview of custom modules for Event Threat Detection.
  • Container Threat Detection detects the following container runtime attacks:
    • Added Binary Executed
    • Added Library Loaded
    • Execution: Added Malicious Binary Executed
    • Execution: Added Malicious Library Loaded
    • Execution: Built in Malicious Binary Executed
    • Execution: Modified Malicious Binary Executed
    • Execution: Modified Malicious Library Loaded
    • Malicious Script Executed
    • Reverse Shell
    • Unexpected Child Shell
  • The following Policy Intelligence features are available:

    • Advanced IAM recommender features, including the following:
      • Recommendations for non-basic roles
      • Recommendations for roles granted on resources other than organizations, folders, and projects—for example, recommendations for roles granted on Cloud Storage buckets
      • Recommendations that suggest custom roles
      • Policy insights
      • Lateral movement insights
    • Policy Analyzer at scale (above 20 queries per organization per day). This limit is shared among all Policy Analyzer tools.
    • Visualizations for Organization Policy analysis.
  • You can query assets in Cloud Asset Inventory.
  • Virtual Machine Threat Detection detects potentially malicious applications running in VM instances.
  • Security Health Analytics at the Premium tier includes the following features:

    • Managed vulnerability scans for all Security Health Analytics detectors
    • Monitoring for many industry best practices
    • Compliance monitoring. Security Health Analytics detectors map to the controls of the common security benchmarks.
    • Custom module support, which you can use to create your own custom Security Health Analytics detectors.

    In the Premium tier, Security Health Analytics supports the standards described in Manage compliance with industry standards.

  • Web Security Scanner in the Premium tier includes all Standard tier features and additional detectors that support categories in the OWASP Top Ten. Web Security Scanner also adds managed scans that are automatically configured.
  • Compliance monitoring across your Google Cloud assets.

    To measure your compliance with common security benchmarks and standards, detectors of the Security Command Center vulnerability scanners are mapped to common security standard controls.

    You can view your compliance with the standards, identify non-compliant controls, export reports, and more. For more information, see Assess and report compliance with security standards.

  • You can request additional Cloud Asset Inventory quota if you need extended asset monitoring.
  • The security posture service lets you define, assess, and monitor the overall status of your security in Google Cloud. To use the security posture service, you must activate the Security Command Center Premium tier at the organization level.
  • IaC validation lets you validate your infrastructure as code (IaC) against the organization policies and Security Health Analytics detectors that you have defined in your Google Cloud organization. To use IaC validation, you must activate the Security Command Center Premium tier at the organization level.
  • VM Manager vulnerability reports
    • If you enable VM Manager, the service automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in the operating systems installed on Compute Engine virtual machines. For more information, see VM Manager.

Enterprise tier

The Enterprise tier is a full cloud-native application protection platform (CNAPP) that enables SOC analysts, vulnerability analysts, and other cloud security professionals to manage security across multiple cloud service providers in one centralized place.

The Enterprise tier offers detection and investigation capabilities, case management support, and posture management, including the ability to define and deploy custom posture rules and quantify and visualize the risk that vulnerabilities and misconfigurations pose to your cloud environment.

The Enterprise tier includes all of the Standard and Premium tier services and features, as well as the additional services and features summarized in the following section.

Enterprise tier functions and services summary

The Enterprise tier includes all of the Standard tier and Premium tier services and features that are released to General Availability.

The Enterprise tier adds the following services and features to Security Command Center:

  • Toxic combination detection, powered by the Security Command Center Risk Engine. For more information, see Overview of toxic combinations.
  • Multicloud support. You can connect Security Command Center to other cloud providers, such as AWS, to detect threats, vulnerabilities, and misconfigurations. After specifying your high-value resources on the other provider, you can also assess their exposure to attack with attack exposure scores and attack paths.
  • SIEM (security information and event management) capabilities for cloud environments. Scan logs and other data for threats for multiple cloud environments, define threat detection rules, and search the accumulated data. For more information, see Google SecOps SIEM documentation.
  • SOAR (security orchestration, automation, and response) capabilities for cloud environments. Manage cases, define response workflows, and search the response data. For more information, see Google SecOps SOAR documentation.
  • CIEM (Cloud Infrastructure Entitlement Management) capabilities for cloud environments. Identify principal accounts (identities) that are misconfigured or that are granted excessive or sensitive IAM permissions (access) to your cloud resources. For more information, see Overview of Cloud Infrastructure Entitlement Management.
  • Expanded detection of software vulnerabilities in VMs and containers across your cloud environments with the following built-in and integrated Google Cloud services:
    • Google Kubernetes Engine (GKE) Enterprise edition
    • Vulnerability Assessment for AWS
    • VM Manager

Enterprise tier functions powered by Google Security Operations

The case management function, playbook features, and other SIEM and SOAR functionalities of the Enterprise tier of Security Command Center are powered by Google Security Operations. When you use some of these features and functions, you might see the Google SecOps name in the web interface and might be directed to the Google SecOps documentation for guidance.

Certain Google SecOps features are unsupported or limited with Security Command Center, but their use might not be disabled or limited in early subscriptions to the Enterprise tier. Use the following features and functions only in accordance with their stated limitations:

  • Ingestion of cloud logs is limited to logs that are relevant for cloud threat detection, such as the following:

    • Google Cloud

      • Cloud Audit Logs Admin Activity Logs
      • Cloud Audit Logs Data Access Logs
      • Compute Engine syslog
      • GKE Audit Log
    • Google Workspace

      • Google Workspace events
      • Google Workspace alerts
    • AWS

      • CloudTrail audit logs
      • Syslog
      • Auth logs
      • GuardDuty events
  • Curated detections are limited to those that detect threats in cloud environments.

  • Google Cloud Marketplace integrations are limited to the following:

    • Siemplify
    • Tools
    • VirusTotal V3
    • Google Cloud Asset Inventory
    • Google Security Command Center
    • Jira
    • Functions
    • Google Cloud IAM
    • Email V2
    • Google Cloud Compute
    • Google Chronicle
    • Mitre Att&ck
    • Mandiant Threat Intelligence
    • Google Cloud Policy Intelligence
    • Google Cloud Recommender
    • Siemplify Utilities
    • Service Now
    • CSV
    • SCC Enterprise
    • AWS IAM
    • AWS EC2
  • The number of custom single-event rules is limited to 20 rules.

  • Risk Analytics for UEBA (user and entity behavior analytics) is unavailable.

  • Applied Threat Intelligence is unavailable.

  • Gemini support for Google SecOps is limited to natural-language search and case investigation summaries.

  • Data retention is limited to three months.

Security Command Center activation levels

You can activate Security Command Center on an individual project, which is known as project-level activation, or an entire organization, which is known as organization-level activation.

The Enterprise tier requires an organization-level activation.

For more information about activating Security Command Center, see Overview of activating Security Command Center.

What's next