Configuring Security Command Center

Configure Security Command Center, including adding security services, managing which services apply to which resources, and setting up logging for Event Threat Detection and Container Threat Detection.

To configure Security Command Center, go to the Security Command Center Settings page in the Google Cloud console, and then click the tab for the setting you want to change.

Activation levels

You can activate Security Command Center at one of two levels: at the organization level, which covers the whole organization, or at the project level, which covers a single project.

The activation level affects the types of services that you can configure. If Security Command Center is activated at the project level, integrated services are not supported. You can configure only the built-in Security Command Center services.

Built-in and integrated services are explained in the following section.

For more information about the activation levels, see Overview of activating Security Command Center.

Services

Two types of services run on Security Command Center: built-in services and integrated services. Built-in services are part of Security Command Center. Integrated services are Google Cloud or third-party services that provide findings to Security Command Center.

To add a new integrated service to an organization-level activation of Security Command Center, complete its integration guide, and then enable it as a security service in the Security Command Center dashboard. Enabling integrated services gives you a single view of the security risks, vulnerabilities, and threats across your organization.

After you enable an integrated service, you can configure which resources each security service monitors.

Built-in services

The following built-in services are part of Security Command Center:

  • Container Threat Detection
  • Event Threat Detection
  • Rapid Vulnerability Detection (Preview)
  • Secured Landing Zone service (Preview)
  • Security Health Analytics
  • Security posture
  • Virtual Machine Threat Detection
  • Web Security Scanner

Some built-in services are only available with the Security Command Center Premium tier. Learn more about Security Command Center tiers.

Enable or disable a built-in service

You can enable built-in services for the following resources:

  • An organization
  • A folder
  • A project
  • With Container Threat Detection only, a cluster

By default, resources inherit the service settings of their parent resource.

To enable or disable a Security Command Center service for a resource, do the following:

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select the organization, folder, or project for which you need to manage services.

  3. Click Settings.

  4. For the service that you want to modify, click Manage settings.

  5. On the Service enablement tab, find the resource for which you need to enable the service. You can enable the built-in services for an organization, a folder, a project, or (with Container Threat Detection only) a cluster.

  6. For that resource, set the service to Enable, Disable, or Inherit.
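Because every resource defaults to Inherit, the setting you see on one resource is not necessarily the one that takes effect there: a Disable on a folder silently turns the service off for every project under it, and a cluster-level Enable on Container Threat Detection can re-enable it under a project that disabled it. The following added example (not Security Command Center code or its API) models only the inheritance rule stated above so you can compute the effective state for every resource in a hierarchy before relying on a detector. The hierarchy, resource names, and service labels are constructed for the example.

```python
"""Added example: a model of how Security Command Center resolves the
Enable / Disable / Inherit setting of a built-in service down the resource
hierarchy. This is not Security Command Center code or its API; it encodes
only the rule stated on the page (a resource inherits its parent's setting
unless it has an explicit one). Hierarchy, names and service labels are
constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENABLE, DISABLE, INHERIT = "Enable", "Disable", "Inherit"

# Levels at which each service can be set, per the page: organization, folder
# and project for every built-in service; cluster only for Container Threat
# Detection. The service labels are ours, not API enum values.
SETTABLE_LEVELS: Dict[str, set] = {
    "Container Threat Detection": {"organization", "folder", "project", "cluster"},
    "Event Threat Detection": {"organization", "folder", "project"},
    "Security Health Analytics": {"organization", "folder", "project"},
}


@dataclass
class Resource:
    name: str
    level: str                                   # organization | folder | project | cluster
    parent: Optional["Resource"] = None
    settings: Dict[str, str] = field(default_factory=dict)   # service -> explicit state

    def set_service(self, service: str, state: str) -> None:
        """Record an explicit setting, rejecting levels the service cannot be set at."""
        if state not in (ENABLE, DISABLE, INHERIT):
            raise ValueError(f"unknown state {state!r}")
        if self.level not in SETTABLE_LEVELS[service]:
            raise ValueError(f"{service} cannot be set at {self.level} level ({self.name})")
        self.settings[service] = state


def effective_state(resource: Resource, service: str) -> str:
    """Walk up the hierarchy until an explicit Enable or Disable is found."""
    node: Optional[Resource] = resource
    while node is not None:
        state = node.settings.get(service, INHERIT)
        if state != INHERIT:
            return state
        node = node.parent
    # The organization is the root; in this model it must carry an explicit setting.
    raise ValueError(f"no explicit setting for {service} above {resource.name}")


def effectively_disabled(resources: Dict[str, Resource], service: str) -> List[str]:
    """Names of resources (at levels where the service applies) that end up Disabled."""
    return sorted(
        name for name, res in resources.items()
        if res.level in SETTABLE_LEVELS[service]
        and effective_state(res, service) == DISABLE
    )


def build_hierarchy() -> Dict[str, Resource]:
    """Constructed organization: two folders, two projects, one GKE cluster."""
    org = Resource("organizations/123456789012", "organization")
    for service in SETTABLE_LEVELS:
        org.set_service(service, ENABLE)
    sandbox = Resource("folders/sandbox", "folder", org)
    sandbox.set_service("Event Threat Detection", DISABLE)        # folder overrides org
    prod = Resource("folders/prod", "folder", org)                 # inherits everything
    sandbox_app = Resource("projects/sandbox-app", "project", sandbox)
    prod_app = Resource("projects/prod-app", "project", prod)
    prod_app.set_service("Container Threat Detection", DISABLE)    # project overrides org
    payments = Resource("projects/prod-app/clusters/payments", "cluster", prod_app)
    payments.set_service("Container Threat Detection", ENABLE)     # cluster re-enables
    return {r.name: r for r in (org, sandbox, prod, sandbox_app, prod_app, payments)}


if __name__ == "__main__":
    hierarchy = build_hierarchy()
    for service in SETTABLE_LEVELS:
        print(f"{service}: disabled on {effectively_disabled(hierarchy, service) or 'nothing'}")
```

Run as a script, the model reports that Event Threat Detection is off for the sandbox folder and its project, that Container Threat Detection is off for projects/prod-app but still on for the payments cluster beneath it, and that Security Health Analytics is on everywhere. Attempting to set Event Threat Detection on a cluster raises, mirroring the page's rule that only Container Threat Detection is configurable at cluster level.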

View the modules of a service

For some services, you can enable or disable certain detectors, also known as modules. To view the modules of a service and their current statuses, do the following:

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select the organization, folder, or project for which you need to manage services.

  3. Click Settings.

  4. For the service that you want to view, click Manage settings.

  5. Click the Modules tab.

    The service's modules are displayed, along with their respective statuses.

Enable or disable a module

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select the organization, folder, or project for which you need to manage services.

  3. Click Settings.

  4. For the service that you want to modify, click Manage settings.

  5. Click the Modules tab.

    The service's modules are displayed, along with their respective statuses.

  6. Find the detector that you want to modify, and set its status to Enable or Disable.

Add services to Security Command Center

When Security Command Center is activated at the organization level, you can add integrated Google Cloud services or third-party security services to Security Command Center.

Add a Google Cloud integrated service

You can add certain integrated Google Cloud services to Security Command Center.

Project-level activations do not support integrated Google Cloud services.

On the Settings page, click the Integrated Services tab to view available services. The following are Google Cloud security services that integrate with organization-level activations of Security Command Center:

  • Anomaly Detection
  • Google Cloud Armor
  • Sensitive Data Protection
  • Forseti Security

For more information about these services, see Security sources for vulnerabilities and threats.

Findings from Google Cloud security services are available after you complete their integration guides.

  • To add a new service, click Add More Services. The Security Command Center Services page on Google Cloud Marketplace is displayed. Click the service you're interested in and follow provider instructions to add it as an integrated service.
  • To view findings from security services, enable the service by clicking the toggle next to the service name. To limit a service to certain folders, projects, or clusters in your organization, use the service's Advanced settings menu.

Integrated sources use service accounts that might be outside your organization. For example, Google Cloud security sources use service accounts in the security-center-fpr.iam.gserviceaccount.com domain.

If your organization policies restrict identities by domain, you need to add the Security Command Center service account to a group that belongs to an allowed domain. Organization-level Security Command Center service account names have the following format:

service-org-ORGANIZATION_NUMBER@security-center-api.iam.gserviceaccount.com

ORGANIZATION_NUMBER is the numerical ID of your organization.

On the Integrated Services tab, you add new sources or enable and disable existing ones:

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select your organization or project.

  3. Click Settings.

  4. Click the Integrated services tab.

  5. Next to the integrated source that you want to enable, click the Status list and select Enable.

Findings for the integrated sources you select are displayed on the Findings page in the Security Command Center dashboard.

To disable an integrated service, next to its name, click the drop-down list and select Disable by default.

VM Manager vulnerability reports

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.

Project-level activations do not support VM Manager.

If you enable VM Manager with the Security Command Center Premium tier, VM Manager writes high and critical findings from its vulnerability reports to Security Command Center by default. The reports identify vulnerabilities in operating systems that are installed on Compute Engine VMs.

For more information, see VM Manager.

Adding a third-party security service

Organization-level activations of Security Command Center can display findings from third-party security services that have registered as Cloud Marketplace partners.

Project-level activations of Security Command Center do not support third-party services.

Third-party security services that are registered as Cloud Marketplace partners include the following:

  • Acalvio
  • Capsule8
  • Cavirin
  • Chef
  • Check Point CloudGuard Dome9
  • CloudQuest
  • McAfee
  • Qualys
  • Reblaze
  • Prisma Cloud by Palo Alto Networks
  • StackRox
  • Tenable.io

To integrate security services that aren't registered as Cloud Marketplace partners, ask the providers to complete the guide to Onboard as a Security Command Center partner.

To add a new third-party security service to Security Command Center, you set up the security service, and then enable it in the Security Command Center dashboard.

Before you begin

To add a security service for a registered Cloud Marketplace partner, you need:

  • The following Identity and Access Management (IAM) roles:
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
  • A Google Cloud project that you want to use for the security service.

Step 1: Setting up a security service

To set up a third-party security service, you need a service account for that service. When you add the new security service, you can choose from the following service account options:

  • Create a service account.
  • Use your own existing service account.
  • Use a service account from the service provider.

To set up a new security service that's already registered as a Cloud Marketplace partner, follow the steps below:

  1. Go to the Security Command Center Services Marketplace page in the Google Cloud console.

    Go to Marketplace

  2. The Marketplace page displays security services that are directly associated with Security Command Center.

    • If you don't see the security service that you want to add, search for Security, and then select the security service provider.
    • If the security service provider isn't registered in the Cloud Marketplace, ask your provider to complete the guide to Onboard as a Security Command Center partner.
  3. On the security service provider page in the Cloud Marketplace, follow any provider setup instructions in the Overview.

  4. After you complete the provider's setup process, click Visit [provider name] site to sign up on the provider's Marketplace page.

  5. On the Google Cloud console Security Command Center page that appears, select the organization for which you want to use the security service.

  6. On the Create Service Account & Enable [provider name] Security Events page that appears, accept the provider's service account, if available, or create or select your own service account that you want to use:

    • To create a service account:
      1. Select Create a new service account.
      2. Next to Project, click Change to select the project you want to use for this security service.
      3. Add a Service account name and Service account ID.
    • To use an existing service account:
      1. Select Use an existing service account, then select the service account you want to use from the Service account name drop-down list.
    • If the security service provider manages the service account, enter the Service account ID they provided.
  7. When you're finished adding service account information, click Submit or Accept.

  8. On the Source connect page that appears, click the link under Installation Steps for information about how to complete installation.

  9. When you're finished, click Done.

When configured correctly, the security service you added is available in Security Command Center.

Step 2: Enabling the security service

After you set up a new security service, you need to enable it in the Security Command Center dashboard.

The service account and domain-restriction considerations described under Add a Google Cloud integrated service apply to third-party services as well: the source's service account might be outside your organization, and if your organization policies restrict identities by domain, the Security Command Center service account must belong to a group in an allowed domain.

On the Integrated Services tab, you add new sources or enable and disable existing ones:

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select your organization or project.

  3. Click Settings.

  4. Click the Integrated services tab.

  5. Next to the integrated source that you want to enable, click the Status list and select Enable.

Findings for the integrated sources you select are displayed on the Findings page in the Security Command Center dashboard.

Changing provider service accounts

You can change the service account that a third-party security service uses, for example after a service account key has been leaked or as part of routine rotation. To change the service account, update it in the Security Command Center dashboard first, and then follow the service provider's instructions to update the service account for their service.

The following procedure does not apply to project-level activations of Security Command Center, which do not support integrated third-party services.

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select your organization or project.

  3. Click Settings.

  4. Click the Integrated services tab.

  5. In the drop-down list next to the integrated service:

    1. Select Disabled to temporarily disable the integrated service.
    2. Then, select Manage service account.
  6. On the Edit [provider name] panel that appears, enter the new service account, then click Submit.

  7. In the drop-down list next to the integrated service, select Enabled to enable the security service.

When configured correctly, the service account for the integrated service is updated in Security Command Center. Follow the service provider's instructions to update the service account information for their service.

Cloud Logging export

On the Continuous exports tab, you set up logging for Event Threat Detection and Container Threat Detection findings. Findings are exported to the Cloud Logging project you select.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost, see Cost optimization for Google Cloud Observability.

To log findings, do the following:

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select your organization or project.

  3. Click Settings.

  4. Click the Continuous Exports tab.

  5. Under Export name, click Logging Export.

  6. Under Sinks, turn on Log Findings to Logging.

  7. Under Logging project, enter or search for the project where you want to log findings.

  8. Click Save.

When Event Threat Detection and Container Threat Detection write logs, each log entry has the resource type threat_detector and contains the same information as the corresponding finding. For instructions on reviewing logs, see Using Event Threat Detection and Using Container Threat Detection.
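Once findings land in the Logging project, the threat_detector resource type is the key you filter on, both in Logs Explorer and in anything downstream that reads the sink. The following added example (not Security Command Center code) shows a small triage pass over exported entries: it parses JSON-per-line export, keeps only threat_detector entries, counts findings per detection rule, and lists the finding IDs at HIGH or CRITICAL severity. The resource type comes from the page; the jsonPayload field names (findingId, detectionCategory.ruleName, severity, sourceId.projectNumber) are assumptions for this example, and the log lines are constructed.

```python
"""Added example: triage of Event Threat Detection and Container Threat
Detection findings after export to Cloud Logging. Not Security Command Center
code. resource.type="threat_detector" is stated on the page; the jsonPayload
field names below are assumptions, and the sample log lines are constructed."""
import json
from collections import Counter
from typing import Dict, Iterable, List

THREAT_RESOURCE_TYPE = "threat_detector"
# The equivalent Logs Explorer filter for the same entries.
LOGS_EXPLORER_FILTER = 'resource.type="threat_detector"'

# Constructed sample: two threat findings, one unrelated entry, one malformed line.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-05-01T10:15:00Z",
        "resource": {"type": "threat_detector", "labels": {"project_id": "sec-logs"}},
        "jsonPayload": {
            "findingId": "f-001",
            "detectionCategory": {"ruleName": "bad_ip"},
            "severity": "HIGH",
            "sourceId": {"projectNumber": "123456789012"},
        },
    }),
    json.dumps({
        "timestamp": "2024-05-01T10:16:30Z",
        "resource": {"type": "threat_detector", "labels": {"project_id": "sec-logs"}},
        "jsonPayload": {
            "findingId": "f-002",
            "detectionCategory": {"ruleName": "added_binary_executed"},
            "severity": "LOW",
            "sourceId": {"projectNumber": "123456789012"},
        },
    }),
    json.dumps({  # unrelated entry that shares the Logging project
        "timestamp": "2024-05-01T10:17:00Z",
        "resource": {"type": "gce_instance", "labels": {"instance_id": "42"}},
        "textPayload": "sshd: Accepted publickey for deploy",
    }),
    "not json at all",  # e.g. a truncated line at the end of an export chunk
]


def parse_entries(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-per-line export, skipping lines that are not JSON objects."""
    entries: List[dict] = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            entries.append(obj)
    return entries


def threat_entries(entries: Iterable[dict]) -> List[dict]:
    """Keep only entries written by Event/Container Threat Detection."""
    return [e for e in entries if e.get("resource", {}).get("type") == THREAT_RESOURCE_TYPE]


def rule_counts(entries: Iterable[dict]) -> Dict[str, int]:
    """Number of findings per detection rule name."""
    counts: Counter = Counter()
    for e in threat_entries(entries):
        payload = e.get("jsonPayload", {})
        counts[payload.get("detectionCategory", {}).get("ruleName", "unknown")] += 1
    return dict(counts)


def high_severity_finding_ids(entries: Iterable[dict]) -> List[str]:
    """Finding IDs that warrant immediate attention (HIGH or CRITICAL)."""
    return [
        e.get("jsonPayload", {}).get("findingId", "<no id>")
        for e in threat_entries(entries)
        if e.get("jsonPayload", {}).get("severity") in ("HIGH", "CRITICAL")
    ]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG_LINES)
    print("filter:", LOGS_EXPLORER_FILTER)
    print("findings per rule:", rule_counts(parsed))
    print("high/critical finding IDs:", high_severity_finding_ids(parsed))
```

The malformed line and the gce_instance entry are dropped rather than raising, which is what you want in a sink consumer: one bad line must not stall triage of the rest of the batch. Because the exported entry carries the same information as the finding, the finding ID is enough to pivot back to the Findings page in the dashboard.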

Specify your high-value resources

Security Command Center calculates attack exposure scores and illustrates potential attack paths for vulnerability and misconfiguration findings that expose resources that you define as high-value.

To get attack exposure scores and attack paths that accurately reflect which of your resources are truly high value, you need to create resource value configurations.

The collection of resource value configurations that you create defines your high-value resource set.

Until you create your own high-value resource set, Security Command Center uses a default high-value resource set that applies generally to all of the resource types that attack exposure scores support.


Mute rules

The Mute rules tab lists any mute rules that are set in your organization, folders, and projects. On this tab, you can create a mute rule or manage existing ones.

Mute rules automatically suppress future findings based on filters that you define. For more information about muting findings and working with mute rules, see Mute findings in Security Command Center.

Roles

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

For information about how to grant, change, and revoke IAM roles, see Manage access to projects, folders, and organizations.
