Using Security Command Center in the Google Cloud console

This page provides an overview of Security Command Center in the Google Cloud console and what you can do with Security Command Center's top-level pages.

If Security Command Center isn't already set up for your organization or a project in your organization, you need to activate it before you can use Security Command Center in the Google Cloud console. For information about activation, see Overview of activating Security Command Center.

For a general overview of Security Command Center, see Security Command Center overview.

Required IAM permissions

To use Security Command Center, you must have an Identity and Access Management (IAM) role that includes appropriate permissions:

  • Security Center Admin Viewer lets you view Security Command Center.
  • Security Center Admin Editor lets you view Security Command Center and make changes.

If your organization policies are set to restrict identities by domain, you must be signed in to the Google Cloud console on an account that's in an allowed domain.

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Accessing Security Command Center in the Google Cloud console

To access Security Command Center in the Google Cloud console:

  1. Go to Security Command Center:

    Go to Security Command Center

  2. Select the project or organization that you want to view.

    If Security Command Center is active in the organization or project you select, the Overview page displays with an overview of the new threat findings and the active vulnerability finding over the last seven days.

    If Security Command Center is not active, you are invited to activate it. For more information about activating Security Command Center, see Overview of activating Security Command Center

Security Command Center in the Google Cloud console

Beyond the Overview page, you can monitor and manage security issues in your Google Cloud environment through the following Security Command Center pages in the Google Cloud console. Click a page name for an explanation of the page.

In the console, you open a page by selecting it from the slide-out menu on the left side of the console. To show the menu, hold your pointer over the icons on the left side of the console.

Overview page

The Overview page provides a quick view of both the new threats and the total number of active vulnerabilities in your Google Cloud environment from all built-in and integrated services. You can change the range of time displayed in all areas of this page from 1 hour to 6 months.

The Overview page includes the following sections:

  • New threats over time shows a chart of the new threats detected per day, with hourly totals. Following the chart on the page are views of the threat findings by category, resource, and project. You can sort each view by finding severity.
  • Active vulnerabilities over time by severity is a graphic display that shows changes in the total number of vulnerabilities over time.
  • Active vulnerabilities provides tabbed views of the vulnerability findings by category name, by affected resource, and by project. You can sort each view by finding severity.

Clicking the category name of any finding on the Overview page takes you to the Findings page where you can see the details of the finding.

Threats page

The Threats page helps you review potentially harmful events in your Google Cloud resources over a time period that you specify. The default time period is seven days.

On the threats page, you can view findings in the following sections:

  • Threats by severity shows the number of threats in each severity level.
  • Threats by category shows the number of findings in each category across all projects.
  • Threats by resource shows the number of findings for each resource in your project or organization.

You can specify the time period for which to display threats by using the drop-down list in the Time range field. The drop-down list has several options between 1 hour and "all time," which shows all findings since the service was activated. The time period you select is saved between sessions.

Vulnerabilities page

The Vulnerabilities page lists all of the categories of vulnerabilities that the various Security Command Center threat prevention services can detect in your environment.

The Security Command Center threat prevention services include the following:

For each vulnerability category, the Vulnerabilities page shows the following information:

  • Status: an icon indicates if the detector is active, and if the detector found a finding that needs to be addressed. When you hold the pointer over the status icon, a tooltip displays the date and time the detector found the result or information about how to validate the recommendation.
  • Last scanned: the date and time of the last scan for the detector.
  • Category: the category or type of vulnerability. To all of the categories that each Security Command Center service detects, see the following:
  • Recommendation: a summary of how to remediate the finding. For more information, see remediating Security Health Analytics findings.
  • Active: the total number of findings in the category.
  • Severity: the relative risk level of the finding category.
  • Standards: the compliance benchmark that the finding category applies to, if any. For more information about benchmarks, see Vulnerabilities findings.

Filter finding categories

A large project or organization might have many vulnerability findings across its deployment to review, triage, and track. By using Security Command Center with the available filters, you can focus on the highest severity vulnerabilities and review vulnerabilities by asset type, security mark, and more.

View findings on the Vulnerabilities page by project

To view findings by project on the Vulnerabilities page:

  1. Under Projects Filter, click Add a project to the Projects Filter ().
  2. In the search dialog that appears, select the project that you want to display findings for.

The Vulnerabilities page displays a list of findings for the project that you selected.

View the findings in a vulnerability category

View the findings in a vulnerability category on the Vulnerabilities page by clicking the category name in the Category column.

The Findings page loads and displays a list of findings that match the category you selected.

View findings by asset type

To view vulnerability findings for a specific asset type, use the Findings page:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. In the Quick filters panel, scroll down to the Finding class section.

  3. In the Finding class section, select both Vulnerability and Misconfiguration. The Findings query results panel updates to show only Vulnerability and Misconfiguration class findings.

  4. In the Quick filters panel, scroll down to the Resource type section and select the resource type of the assets you need to see.

The list of findings updates to display all findings for the asset type that you specified.

Viewing active finding count by finding type

To view active finding counts by finding type, use the Google Cloud console or Google Cloud CLI commands.

Console

You can view a count of active findings for each finding type on the Vulnerabilities page.

To view vulnerability findings by finding type:

  1. Open Security Command Center in the Google Cloud console:

    Go to Security Command Center

  2. Display the vulnerability categories by clicking the Vulnerabilities page.

  3. Sort modules by the number of active findings for each finding type by clicking the Active column header.

gcloud

To use the gcloud CLI to get a count of all active findings, you first query Security Command Center to get the source ID of a vulnerability service, and then use the source ID to query the active findings count.

Step 1: Get the source ID

To complete this step, get your organization ID, and then get the source ID of one of the vulnerability detection services, which are also referred to as finding sources. If you haven't already enabled the Security Command Center API, you are prompted to enable it.

  1. Get your organization ID by running gcloud organizations list, and then note the number next to the organization name.

  2. Get the Security Health Analytics source ID by running:

    gcloud scc sources describe organizations/ORGANIZATION_ID \
  --source-display-name='SOURCE_DISPLAY_NAME'

    Replace the following:

    • ORGANIZATION_ID: the ID of your organization. An organization ID is required, regardless of the activation level of Security Command Center.
    • SOURCE_DISPLAY_NAME: the display name of the vulnerability detection service that you need to display findings for. For example, Security Health Analytics.

  3. If prompted, enable the Security Command Center API and then run the previous command to get the source ID again.

The command to get the source ID should display output like the following:

description: Scans for deviations from a Google Cloud
security baseline.
displayName: Security Health Analytics
name: organizations/ORGANIZATION_ID/sources/SOURCE_ID

Note the SOURCE_ID to use in the next step.

Step 2: Get the active findings count

Use the SOURCE_ID you noted in the previous step to filter findings. The following gcloud CLI command returns a count of findings by category:

gcloud scc findings group organizations/ORGANIZATION_ID/sources/SOURCE_ID \
  --group-by=category --page-size=PAGE_SIZE

You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization or project:

  groupByResults:
  - count: '1'
    properties:
      category: MFA_NOT_ENFORCED
  - count: '3'
    properties:
      category: ADMIN_SERVICE_ACCOUNT
  - count: '2'
    properties:
      category: API_KEY_APIS_UNRESTRICTED
  - count: '1'
    properties:
      category: API_KEY_APPS_UNRESTRICTED
  - count: '2'
    properties:
      category: API_KEY_EXISTS
  - count: '10'
    properties:
      category: AUDIT_CONFIG_NOT_MONITORED
  - count: '10'
    properties:
      category: AUDIT_LOGGING_DISABLED
  - count: '1'
    properties:
      category: AUTO_UPGRADE_DISABLED
  - count: '10'
    properties:
      category: BUCKET_IAM_NOT_MONITORED
  - count: '10'
    properties:
      category: BUCKET_LOGGING_DISABLED
  nextPageToken: token
        readTime: '2019-08-05T21:56:13.862Z'
        totalSize: 50

Compliance page

The Compliance page helps you review your high-level violation status and export reports by providing summaries for the number of detectors that are associated with each compliance standard that Security Health Analytics and Web Security Scanner monitor.

This section describes how to use Security Health Analytics and Web Security Scanner detectors to monitor for violations against common compliance controls like those described in Managing and monitoring for compliance. Security Health Analytics and Web Security Scanner monitor for violations of common compliance controls based on a best effort mapping provided by Google. It is not a replacement for a compliance audit but can be used to help you maintain your continuous compliance and catch violations early.

The compliance page shows the number of checks for each standard that are in a Warning state and a Passing state:

  • Warning state: there are one or more active findings (violations) associated with that check.
  • Passing state: there are no detected violations for the check.

Scope of compliance reports

You can view and export compliance reports that are specific to a project, folder, or organization and a particular standard.

Security Command Center automatically scopes compliance reports to the project, folder, or organization that you select at the top of the page in the Google Cloud console. For example, if your Google Cloud console view is set to a project, the compliance report includes only the findings for that project.

If Security Command Center is active at the organization level and your view is set to an organization, the compliance report includes the findings for the entire organization, including all of the projects it contains. If Security Command Center is active at a project level and you select an organization or folder, the Compliance page does not display.

On the Compliance page, you can then choose to view or export a report for a specific standard that is scoped to the organization or project that you are viewing.

The reports are based on Security Health Analytics and Web Security Scanner findings. When you view a particular report, the Vulnerabilities page opens with the findings filtered by the standard that you selected on the Compliance page.

Exporting compliance reports

You can export a CSV report that aggregates violations findings for a specific compliance benchmark. To generate a report:

  1. Go to the Compliance page in the Google Cloud console:

    Go to Compliance

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to see a compliance report:

    Project selector

  3. Click Export report next to the report you want to download.

  4. On the Export compliance report window, configure the export:

    1. Select the benchmark report you want to download.
    2. Select the date and time of the report snapshot.

  5. When you're finished configuring the export, click Export, and then select the location where you want to save the CSV report.

Compliance report exports include:

  • Projects in scope
  • Date of the report
  • Findings in scope for the report
  • The number of resources scanned
  • The number of resources that are violating the specific control

To learn more about Security Health Analytics and Web Security Scanner findings and the mapping between supported detectors and compliance standards, see vulnerabilities findings.

Assets page

The Assets page provides a detailed display of all Google Cloud resources, called assets, in your project or organization.

If Security Command Center is activated at the organization level, you can view assets for your entire organization or you can filter assets by specific projects, asset type, and location.

If Security Command Center is activated at the project level, you can filter assets by asset type and location.

To view details about a specific asset—like its attributes, resource properties, and associated findings—click the asset name in the Display name column.

The list of assets is provided by Cloud Asset Inventory, which in most cases updates the list within minutes after assets are created, modified, or removed in your Google Cloud environment.

For more information about Cloud Asset Inventory, see Introduction to Cloud Asset Inventory.

Sorting assets

To sort assets, click the column heading for the value you want to sort by. Columns are sorted by numeric and then alphabetical order.

Filtering assets

This section describes how to run common queries to review your assets by using Security Command Center in the Google Cloud console.

By default, all assets in the selected project, folder, or organization are displayed in the results panel on the Assets page.

You can filter the results to specific assets in two ways. You can use the filter options in the Quick filters panel or you can use the Filter field to specify more customized filters.

In the Quick filters panel, you can filter the results by resource type, project, or location.

In the Filter field, you can type in custom filters or select filter options from the menu that appears when you place your cursor in the field.

The drop-down menu of the Filter field includes the following options:

  • Name
  • Display name
  • Description
  • Location
  • Labels
  • Labels by key
  • Network tags
  • KMS keys
  • Create time, which shows assets that were created on, before, or after a date that you specify
  • Update time, which shows assets that were last updated on, before, or after a date that you specify
  • State
  • Folder
  • Parent asset type
  • Parent full resource name
  • Security marks
Viewing assets by project

By default, all assets in your selected scope are displayed on the Assets page in descending order by the time at which they were created.

If your selected scope is a project, only the assets in that project are displayed.

To view assets when your console view is scoped to a folder or your organization, do the following:

  1. Go to the Assets page:

    Go to Assets

  2. In the Resource type section of the Quick filters panel, select one or more projects. The results panel updates to display assets from only the selected projects.

Viewing by asset type

By default, all assets in your selected scope are displayed on the Assets page in descending order by their create time.

To view assets by their type, do the following:

  1. Go to the Assets page:

    Go to Assets

  2. Optional: At the top of the results panel, sort the assets by resource type click Resource type column in the results header. Assets are displayed grouped by their resource type.

  3. In the Resource type section of the Quick filters panel, select the resource type you need to view. The results panel updates to display only the selected resource types.

View the changes to an asset

You can compare snapshots of the metadata of an asset to see what has changed.

To see the changes to an asset over time:

  1. Go to the Assets page:

    Go to Assets

  2. Locate the asset that you need to review by scrolling or by applying the appropriate filters to the listed assets.

  3. In the list of assets in the results panel, click the name of the asset. The details panel for the asset opens.

  4. In the details panel for the asset, select the Change history tab.

  5. On the Change history tab, select both a Start time and an End time.

  6. In the Select a record to compare field on the left, click the down arrow to select a snapshot from the displayed list.

  7. In the Select a record to compare field on the right, click the down arrow to select a snapshot to compare with the first snapshot you selected. The changes between the two snapshots are highlighted.

View assets by Created or Last updated timestamp

You can filter or sort the assets in the results panel of the Assets page, by their Created and Last updated timestamps.

To a filter based on the Created timestamp, Last updated timestamp, or both, complete the following steps:

  1. Go to the Assets page:

    Go to Assets

  2. At the top of the results panel on the Assets page, place your cursor in the Filter field. A popup menu of filters opens.

  3. Scroll down to Create time or Update time section and select one of the time-based filter options. For example, Update time after. A filter is added to the Filter field. You just need to add the date.

  4. In the filter field, complete the filter specification by typing a date in the format MM/DD/YYYY and pressing Enter on your keyboard.

    The assets in the results panel are updated to show only the assets that match your filter.

Configuring the Assets page

You can control some of the elements that appear on the Assets page.

Columns

By default, the results panel on the Assets page includes the following columns:

  • Display name: the display name of the asset
  • Project ID: the project that contains the asset
  • Resource type: the resource type of the asset
  • Location: the region the asset is located in or global
  • State: the state of the asset, such as READ, SUCCESSFUL, or SERVING
  • Created: the time at which the asset was created
  • Last updated: the time at which the asset was last updated
  • Security marks: the security marks that are applied to the asset from Security Command Center, if any
  • Labels: the labels applied to the asset, if any
  • KMS keys: the KMS keys associated with the asset, if any
  • Network tags: the network tags applied to the asset, if any

You can hide any column except for Display name. To hide column, follow these steps:

  1. Go to the Assets page:

    Go to Assets

  2. At the top of the results panel on the right side, click the Column display options icon, .

  3. In the menu that appears, you can display or hide a column by selecting or deselecting the checkbox next to the column name.

Panels

To control the screen space for the Assets page, you can change the following options:

  • Hide the Quick filters side panel by clicking the left arrow, .
  • Resize the asset display columns by dragging the dividing line left or right.

Findings page

On the Findings page, you can query, review, mute, and mark Security Command Center findings, the records that Security Command Center services create when they detect a security issue in your environment.

For more information about how to work with findings on the Findings page, see Work with findings in the Google Cloud console.

Sources page

The Sources page contains cards that provide a summary of assets and findings from the security sources you have enabled. The card for each security source shows some of the findings from that source. You can click the finding category name to view all findings in that category.

Findings summary

The Findings Summary card displays a count of each category of finding that your enabled security sources provide.

  • To view details about the findings from a specific source, click the source name.
  • To view details about all findings, click the Findings page, where you can group findings or view details about an individual finding.

Source summaries

Below the Findings Summary card, cards appear for any built-in, integrated, and third-party sources you enabled. Each card provides counts of active findings for that source.