Using the Security Command Center dashboard

Access Security Command Center, configure the display, and review your Google Cloud resources. If Security Command Center isn't already set up for your organization, complete the guide to set up Security Command Center first.

Before you begin

To use Security Command Center, you must have a Cloud Identity and Access Management (Cloud IAM) role that includes appropriate permissions:

  • To view Security Command Center, you must have the Security Center Admin Viewer Cloud IAM role.
  • To make changes to Security Command Center, you must have an appropriate editor role, like Security Center Admin Editor.

If your organization policies are set to restrict identities by domain, you must be signed in to the Cloud Console on an account that's in an allowed domain.

Learn more about Security Command Center roles.

Accessing the dashboard

The Security Command Center page in the Cloud Console is generally referred to as a dashboard. To access the Security Command Center dashboard:

  1. Go to the Security Command Center page in the Cloud Console.
  2. Select the organization you want to review.

The Security Command Center dashboard displays a basic overview of potential security risk findings.

Using the dashboard

When you go to Security Command Center, the Explore tab is displayed. It provides you with an overview of dashboard tabs, additional Security Command Center features, and services that are available to integrate in Security Command Center.

To learn about what a dashboard tab offers, click the name of the tab.

Threats

The Threats dashboard helps you review potentially harmful events in your organization's Google Cloud resources.

  • Threats by Severity shows the number of threats in each severity level.
  • Threats by Category shows the number of findings in each category across all projects.
  • Threats by Project shows the number of findings for each project in your organization.

The threats dashboard displays results for the time period you specify in the drop-down list, with several options between 1 hour and 12 months. The time period you select is saved between sessions.

Vulnerabilities

The Vulnerabilities tab displays Security Health Analytics findings and recommendations, including the following columns:

  • Status: an icon indicates if the detector is active, and if the detector found a finding that needs to be addressed. When you hold the pointer over the status icon, a tooltip displays the date and time the detector found the result or information about how to validate the recommendation.
  • Category: the type of the finding. For a list of potential Security Health Analytics findings, see Security Health Analytics findings.
  • Recommendation: a summary of how to remediate the finding. For more information, see remediating Security Health Analytics findings.
  • Active: the total number of findings in the category.
  • Severity: the relative risk level of the finding category.
  • Benchmarks: the compliance benchmark that the finding category applies to, if any. For more information about benchmarks, see Vulnerabilities findings.

Filtering findings

A large organization might have many vulnerability findings across its deployment to review, triage, and track. By using Security Command Center with the available filters, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, security mark, and more.

Viewing Security Health Analytics findings by project

To view Security Health Analytics findings by project on the Vulnerabilities tab:

  1. In the Projects Filter box, click Add a Project to the projects filter.
  2. Select the project that you want to display findings for.

The Vulnerabilities tab displays a list of findings for the project that you selected.

Viewing Security Health Analytics findings by category

View Security Health Analytics findings by category on the Vulnerabilities tab by clicking the category name in the Category column.

The Findings tab loads and displays a list of findings that match the category you selected.

Viewing findings by asset type

To view Security Health Analytics findings for a specific asset type, use the Assets tab:

  1. Go to the Security Command Center Findings page in the Cloud Console.
  2. Next to View by, click Source Type, and then select Security Health Analytics.
  3. In the Filter box, enter resourceName: asset-type. For example, to display Security Health Analytics findings for all projects, enter resourceName: projects.

The list of findings updates to display all findings for the asset type that you specified.

Marking assets and findings with security marks

You can add custom properties to findings and assets in Security Command Center by using security marks. Security marks enable you to identify high-priority areas of interest like production projects, tag findings with bug and incident tracking numbers, and more.

Whitelisting Security Health Analytics findings using security marks

You can whitelist assets in Security Health Analytics so that a detector doesn't create a security finding for the asset. When you whitelist an asset, the finding is marked as resolved when the next scan runs. This can be helpful when you don't want to review security findings for projects that are isolated or fall within acceptable business parameters.

To whitelist an asset, add a security mark allow_finding-type for a specific finding type. For example, for the finding type SSL_NOT_ENFORCED, use the security mark allow_ssl_not_enforced:true.

For a complete list of finding types, see the Security Health Analytics findings page. To learn more about security marks and techniques for using them, see Using Security Command Center security marks.

Viewing active finding count by finding type

You can use the Cloud Console or gcloud command-line tool commands to view active finding counts by finding type.

Console

The Security Health Analytics dashboard enables you to view a count of active findings for each finding type.

To view Security Health Analytics findings by finding type:

  1. Go to the Security Command Center in the Cloud Console.
  2. To display Security Health Analytics findings, click the Vulnerabilities tab.
  3. Click the Active column header to sort findings by the number of active findings for each finding type.

gcloud

To use the gcloud tool to get a count of all active findings, you query Security Command Center to get the Security Health Analytics source ID. Then you use the source ID to query the active findings count.

Step 1: Get the source ID

To complete this step, get your organization ID, and then get the source ID. If you haven't already enabled the Security Command Center API, you'll be prompted to enable it.

  1. Get your organization ID by running gcloud organizations list, and then note the number next to the organization name.
  2. Get the Security Health Analytics source ID by running:

    gcloud alpha scc sources describe organizations/your-organization-id \
      --source-display-name='Security Health Analytics'

  3. If prompted, enable the Security Command Center API and then run the previous command to get the Security Health Analytics source ID again.

The command to get the source ID should display output like the following:

  description: Scans for deviations from a GCP security baseline.
  displayName: Security Health Analytics
  name: organizations/your-organization-id/sources/source-id

Note the source-id to use in the next step.

Step 2: Get the active findings count

Use the source-id you noted in the previous step to filter findings from Security Health Analytics. The following gcloud tool command returns a count of findings by category:

  gcloud alpha scc findings group organizations/your-organization-id/sources/source-id \
   --group-by=category --page-size=page-size

You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization:

  groupByResults:
  - count: '1'
    properties:
      category: 2SV_NOT_ENFORCED
  - count: '3'
    properties:
      category: ADMIN_SERVICE_ACCOUNT
  - count: '2'
    properties:
      category: API_KEY_APIS_UNRESTRICTED
  - count: '1'
    properties:
      category: API_KEY_APPS_UNRESTRICTED
  - count: '2'
    properties:
      category: API_KEY_EXISTS
  - count: '10'
    properties:
      category: AUDIT_CONFIG_NOT_MONITORED
  - count: '10'
    properties:
      category: AUDIT_LOGGING_DISABLED
  - count: '1'
    properties:
      category: AUTO_UPGRADE_DISABLED
  - count: '10'
    properties:
      category: BUCKET_IAM_NOT_MONITORED
  - count: '10'
    properties:
      category: BUCKET_LOGGING_DISABLED
  nextPageToken: token
  readTime: '2019-08-05T21:56:13.862Z'
  totalSize: 50
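The two gcloud steps above, scripted end to end, as an added example that is not part of the original page. It assumes the same gcloud alpha scc command syntax the page shows, takes the organization ID from step 1 as an argument, and parses the groupByResults YAML in the shape of the page's sample output. The sorting, the total and the nextPageToken check are additions: a single page of at most 1000 groups is not the whole result set when nextPageToken is present, so a count taken from one page can undercount.

```shell
#!/bin/sh
# Added example (not from the original page): the page's two-step gcloud
# procedure as shell functions, plus parsing of the groupByResults output.
# Assumes the same "gcloud alpha scc" command syntax the page shows and that
# you pass the organization ID obtained from "gcloud organizations list".
set -eu

# Step 1: resolve the Security Health Analytics source ID for an organization.
# Keeps only SOURCE from the "name: organizations/ORG/sources/SOURCE" line.
sha_source_id() {
  gcloud alpha scc sources describe "organizations/$1" \
    --source-display-name='Security Health Analytics' \
    | sed -n 's/^name: organizations\/[^/]*\/sources\///p'
}

# Step 2: fetch one page of findings grouped by category (raw YAML).
# Page size is capped at 1000, as the page notes.
group_findings_raw() {
  gcloud alpha scc findings group "organizations/$1/sources/$2" \
    --group-by=category --page-size="${3:-1000}"
}

# Turn the groupByResults YAML (stdin) into "count<TAB>category" lines,
# highest count first, so the noisiest finding types sort to the top.
parse_group_output() {
  tr -d "'" | awk '
    /^- count:/    { count = $3 }
    /^ *category:/ { print count "\t" $2 }
  ' | sort -rn
}

# Sum the counts on the rows you actually received (stdin).
total_findings() {
  awk -F'\t' '{ sum += $1 } END { print sum + 0 }'
}

# One page is not the whole result set when nextPageToken is present (stdin).
has_next_page() {
  grep -q '^nextPageToken:'
}

# Constructed sample in the shape of the page's example output, so the
# parsing functions can be exercised without gcloud (sh this-file --demo).
SAMPLE_GROUP_OUTPUT="groupByResults:
- count: '1'
  properties:
    category: 2SV_NOT_ENFORCED
- count: '10'
  properties:
    category: AUDIT_LOGGING_DISABLED
- count: '3'
  properties:
    category: ADMIN_SERVICE_ACCOUNT
nextPageToken: token
readTime: '2019-08-05T21:56:13.862Z'
totalSize: 50"

# Print the sorted category counts, the page total, and a pagination warning.
report() {
  raw="$1"
  printf '%s\n' "$raw" | parse_group_output
  printf 'total findings on this page: %s\n' \
    "$(printf '%s\n' "$raw" | parse_group_output | total_findings)"
  if printf '%s\n' "$raw" | has_next_page; then
    echo 'note: nextPageToken is set; fetch further pages for a full count' >&2
  fi
}

# Usage: sh scc_counts.sh --demo      (offline, uses the sample above)
#        sh scc_counts.sh ORG_ID      (live, needs gcloud and SCC API access)
if [ "${1:-}" = "--demo" ]; then
  report "$SAMPLE_GROUP_OUTPUT"
elif [ $# -gt 0 ]; then
  src="$(sha_source_id "$1")"
  echo "Security Health Analytics source ID: $src"
  report "$(group_findings_raw "$1" "$src")"
fi
```

Run it with --demo to see the parsing on the constructed sample, or with your organization ID to run the live commands. The nextPageToken check is the part worth keeping in any scripted count: the page shows a response that carries a token, so summing a single page silently drops categories that fall on later pages.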

Compliance

The Compliance dashboard helps you review your high level violation status and export reports. This dashboard provides summaries for the number of detectors associated with each compliance regime that are monitored by Security Health Analytics.

This section describes how to use Security Health Analytics and Web Security Scanner detectors to monitor for violations against common compliance controls like those described in the CIS Google Cloud Computing Foundations Benchmark v1.0.0, Payment Card Industry Data Security Standard (PCI-DSS) v3.2, and more. Security Health Analytics can monitor for violations of common compliance controls based on a best effort mapping provided by Google. It is not a replacement for a compliance audit but can be used to help you maintain your continuous compliance and catch violations early.

The compliance dashboard shows the number of checks for each regime that are in a Warning state and a Passing state:

  • Warning state: there are one or more active findings (violations) associated with that check.
  • Passing state: there are no detected violations for the check.

You can filter the compliance dashboard by project, and view or export reports of specific CIS and PCI findings. These reports are based on Security Health Analytics findings and are loaded in the vulnerabilities tab.

Exporting compliance reports

You can export a CSV report that aggregates violations findings for a specific compliance benchmark. To generate a report:

  1. Go to the Security Command Center Compliance tab in the Cloud Console.
  2. Click Export next to the report you want to download.
  3. On the Export window that appears, configure the export:
    1. Select the benchmark report you want to download.
    2. Select the date and time of the report snapshot.
    3. Optionally filter the export by project.
  4. When you're finished configuring the export, click Export, and then select the location where you want to save the CSV report.

Compliance report exports include:

  • Projects in scope
  • Date of the report
  • Findings in scope for the report
  • The number of resources scanned
  • The number of resources that are violating the specific control

To learn more about Security Health Analytics findings and the mapping between supported detectors and compliance regimes, see vulnerabilities findings.

Assets

The Assets tab provides a detailed display of all Google Cloud resources, called assets, in your organization. The assets tab lets you view assets for your entire organization or you can filter assets within a specific project, by asset type, or by change type. To view details about a specific asset, like its attributes, resource properties, and associated findings, click the asset name in the resourceProperties.name column.

Assets are automatically scanned two times each day. You can also start an asset scan manually by clicking Re-scan on the assets tab. The updateTime value might vary for results within a given automatic or manual scan. This variance is typically less than 10 minutes.

Asset inventory freshness depends on discovery and indexing of the asset source:

  • Freshness is usually <1 minute for pre-existing assets.
  • Assets that haven't been discovered and indexed in a daily or manual scan will appear in asset inventory after the asset they're attached to is discovered and indexed.

Using the assets tab

The assets tab provides built-in and customizable filters so you can view a filtered list of assets.

Viewing assets by project

By default, assets are displayed in the organization and project hierarchy. To view assets associated with a specific resource, under View by Project, select the organization or project you want to review.

Viewing by asset type

To view your assets grouped by resource type in the assets tab, click Asset type. Assets are displayed in categories like application, bucket, project, and service. The following asset types are currently supported:

  • Resource Manager
    • Organization
    • Project
  • App Engine
    • Application
    • Service
    • Version
  • Compute Engine
    • Address
    • Autoscaler
    • BackendBucket
    • BackendService
    • BillingAccount
    • Disk
    • Firewalls
    • GlobalAddress
    • HealthCheck
    • HttpHealthCheck
    • HttpsHealthCheck
    • Image
    • Instance
    • InstanceGroup
    • InstanceTemplate
    • License
    • Network
    • Route
    • SecurityPolicy
    • Snapshot
    • SslCertificate
    • Subnetwork
    • TargetHttpProxy
    • TargetHttpsProxy
    • TargetSslProxy
    • TargetTcpProxy
    • TargetPool
    • TargetVpnGateway
    • UrlMap
    • VpnTunnel
  • Cloud DNS
    • ManagedZone
    • Policy
  • Cloud IAM
    • ServiceAccount
  • Cloud Spanner
    • Database
    • Instance
  • Cloud Storage
    • Bucket
  • Google Kubernetes Engine
    • Cluster
  • Container Registry
    • Image
  • Cloud Logging
    • LogMetric

To view individual resources for a specific asset type, in the Asset type list, select the asset type you want to review. To view details of a specific asset, click the asset name. To view all of the Google Cloud projects in your organization, filter the asset list using securityCenterProperties.resourceType:resourcemanager.Project.

Viewing by asset changed

In the assets tab, Assets changed displays all assets that were active during the time range you select. Any assets that were added during that time are also grouped in the Added category. To change the time range to display results for, click the drop-down list next to Assets changed.

Viewing by Cloud IAM policy

The assets tab displays Cloud IAM policies for assets in the iamPolicy.policy_blob column. To display the iamPolicy column, click Column display options and then enter iamPolicy.

To view Cloud IAM policy details for a specific asset, click Show next to the asset. Cloud IAM policies are also displayed on the asset details panel when you click the asset name under the resourceProperties.name column.

Configuring the assets tab

You can control some of the elements that appear on the assets tab.

Columns

By default, the assets tab includes the following columns:

  • Asset name: resourceProperties.name
  • Asset type: securityCenterProperties.resourceType
  • Asset owner: securityCenterProperties.resourceOwners
  • Resource name: name
  • Any marks added to the asset: securityMarks.marks

You can hide any column except for resourceProperties.name, and you can select more asset detail columns to display:

  1. To select the asset columns you want to display, click Column display options.
  2. In the menu that appears, select the columns you want to display.
  3. To hide a column, click the column name to clear the box next to the column name.

To save your column selections, click Remember Columns. Your column selections apply to all of the views in the Assets tab. When you select columns, the Cloud Console URL updates, so you can share the link for a custom view.

Column selections are preserved the next time you view the dashboard, and if you change organizations. To clear all custom column selections, click Reset Columns.

Panels

To control the screen space for the assets tab, you can change the following options:

  • Hide the Cloud Console Security side panel by clicking the left arrow.
  • Resize the asset display columns by dragging the dividing line left or right.
  • Hide the Select an asset side panel by clicking Hide Info Panel.

To change the date and time of the results that the assets display includes, click the date and time drop-down, then select the date and time you want.

Sorting assets

To sort assets, click the column heading for the value you want to sort by. Columns are sorted by numeric and then alphabetical order.

Findings

The Findings tab displays a detailed findings inventory for all assets in your organization. The findings display lets you view potential security risks for your organization.

Findings inventory freshness depends on finding sources:

  • Finding freshness in the Security Command Center dashboard is usually <1 minute after ingestion from the finding source.
  • Assets that haven't been discovered and indexed in an automatic or manual scan will usually appear in the findings inventory within 1 minute after discovery.

By default, the findings tab only displays active findings. You can enable or disable the display of inactive findings by clicking the toggle next to Show Only Active Findings.

To view details about a specific finding, click the finding. The finding details panel displays attributes like the affected asset and time of the event. Some types of findings include more attributes, for example, a cryptomining event might include:

  • abuse_target_ips: the IP of the mining pool.
  • urls: the URL for the mining pool.
  • vm_host_and_names: the specific VMs that were discovered to be cryptomining.
  • vm_ips: the IP addresses for the affected VMs.

Viewing by finding category

By default, findings are displayed in specific categories like cross-site scripting (XSS) and exposure of credit card number or phone number. If you leave the category field blank when you create a finding, it doesn't have a category in the findings display.

  • To view details about a specific risk type, under View by Finding type, select the type of risk you want to review.
  • To view detailed information about a specific finding, click the finding under category.

To view findings by category on a specific date, use the Time drop-down next to Show Only Active Findings.

Viewing by source type

A finding source is any provider of findings, like Web Security Scanner or Cloud DLP. These sources include the following:

  • Scanners that provide a sampled snapshot of findings at a specific time.
  • Monitors that provide an event stream of findings.
  • Loggers that provide output of historical events.

You can view findings by source in the following ways:

  • To view findings grouped by source type, under the Findings tab, click Source type.
  • To view individual findings for a specific source type, under View by Source type, select the source type you want to review.
  • To view detailed information about a specific finding, click the finding under category.

To view findings by category on a specific date, use the Time drop-down next to Show Only Active Findings.

Viewing by findings changed

To view new and active findings, under the Findings tab, click Findings changed. To include inactive findings, you must toggle off Show Only Active Findings.

All findings are displayed in the following subgroups:

  • Active (changed): findings were active and had changed properties during the selected time period.
  • Active (no change): findings that are active and had no changed properties during the selected time period.
  • Inactive (changed): findings that changed to inactive during the selected time period. This value is always 0 if Show Only Active Findings is turned off, even if there are inactive changed findings.
  • Inactive (no change): findings that are inactive and had no changed properties during the selected time period. This value is always 0 if Show Only Active Findings is turned off, even if there are inactive unchanged findings.
  • New: findings that are new during the selected time period.

The findings tab displays for a range of time, with several options between 1 hour and 12 months. To specify a time range to display findings for, use the drop-down list next to Show Only Active Findings.

Viewing by finding severity

When you view findings by Severity, findings are grouped by severity in the following categories:

  • Critical:
    • A critical vulnerability is easily discoverable and it can be exploited to result in the direct ability to execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges in cloud resources and workflows. Examples include publicly accessible user data and public SSH access with weak or no passwords.
    • A critical threat is able to access, modify, or delete data, or execute unauthorized code within your existing resources.
  • High:
    • A high risk vulnerability is easily discoverable and could be exploited in combination with other vulnerabilities to gain direct access to execute arbitrary code or exfiltrate data, and gain additional access and privileges to resources and workloads. For example, a database that has weak or no passwords and is only accessible internally could be compromised by an actor who has access to the internal network.
    • A high risk threat is able to create computational resources in an environment, but is not able to access data or execute code in existing resources.
  • Medium:
    • A medium risk vulnerability could be used by an actor to gain access to resources or privileges that enables them to eventually gain access and the ability to exfiltrate data or execute arbitrary code. For example, if a service account has unnecessary access to projects and an actor gains access to the service account, the actor could use that service account to manipulate a project.
    • A medium risk threat could cause organizational impact but may not access data or execute unauthorized code.
  • Low:
    • A low risk vulnerability hampers a security organization's ability to detect vulnerabilities or active threats in their deployment, or prevents the root cause investigation of security issues. For example, a scenario in which monitoring and logs are disabled for resource configurations and access.
    • A low risk threat has obtained minimal access to an environment, but isn't able to access data, execute code, or create resources.
  • Unspecified: finding risk level is unspecified when a finding provider doesn't set severity values for their findings.

You can view findings by severity in the following ways:

  • To view findings grouped by severity, under the Findings tab, click Severity.
  • To view individual findings for a specific severity, under Find Severity, select the severity you want to review.
  • To view detailed information about a specific finding, click the finding under category.

To view findings by category on a specific date, use the Time drop-down next to Show Only Active Findings.

Managing findings

Manage security marks for findings or change finding state by using the Info Panel on the Security Command Center dashboard.

Managing security marks

To add security marks to findings:

  1. Under category, select one or more findings.
  2. On the Info Panel, under Security Marks, click Add mark.
  3. Add Key and Value items to identify the finding categories.

    For example, if you want to mark findings that are part of the same incident, add a key of "incident-number" and a value of "1234". The new security mark is attached to each finding in the form of mark.incident-number: 1234.

  4. When you're finished adding marks, click Save.

To remove security marks from findings:

  1. Under category, select one or more findings.
  2. On the Info Panel, under SecurityMarks, click remove.

Managing finding state

Change finding state to active or inactive by using the Info Panel on the Security Command Center dashboard:

  1. Under category, select one or more findings.
  2. On the Info Panel, under Actions, select Active or Inactive on the State drop-down list. If the findings that you selected are a combination of active and inactive, the State displays as Mixed until you select a new state.
  3. When you're finished changing finding state, click Save.

Configuring the findings display

You can control some of the elements that appear on the findings tab.

Columns

By default, the findings tab displays the following columns:

  • Finding type: category
  • Asset ID: resourceName
  • Time the finding was last detected: eventTime
  • Time the finding was first detected: createTime
  • The source of the finding: parent
  • Any marks added to the finding: securityMarks.marks

You can hide any column except for category, and you can select more finding detail columns to display.

  1. To select the finding columns you want to display, click Column display options.
  2. In the menu that appears, select the columns you want to display.
  3. To hide a column, click the column name.

To save your column selections, click Remember Columns. Your column selections apply to all of the views in the Findings tab. When you select columns, the Cloud Console URL updates, so you can share the link for a custom view.

Column selections are preserved the next time you view the dashboard, and if you change organizations. To clear all custom column selections, click Reset Columns.

Panels

To control the screen space for findings, you can change the following options:

  • Hide the Cloud Console Security side panel by clicking the left arrow.
  • Resize the findings display columns by dragging the dividing line left or right.
  • Hide the Select a finding side panel by clicking Hide Info Panel.

Sources

The Sources tab contains cards that provide a summary of assets and findings from the security sources you have enabled. The cards for each security source show some of the findings from that source. You can click the finding category name to view all of the findings in that category.

Assets summary

The Assets Summary card displays a count of each type of asset in your organization as of the most recent scan. The display includes new, deleted, and total assets for the time period you specify. You can view the summary as a table or a graphical chart.

  • To view the summary for a recent time range, select a time from the drop-down list on the Assets card.
  • To view the summary for a specific date and time, click View all assets, and then select the date and time on the time drop-down list.
  • To view your organization's tree hierarchy, click an asset type or View all assets.
  • To view details about an individual asset, select the Assets tab, and then click the asset name.

Findings summary

The Findings Summary card displays a count of each category of finding that your enabled security sources provide.

  • To view details about the findings from a specific source, click the source name.
  • To view details about all findings, click the Findings tab, where you can group findings or view details about an individual finding.

Security Command Center queries

This section describes how to run common queries to review your resources using Security Command Center.

You can only select these filters in the Security Command Center dashboard if your organization has the related resource type. If you receive the "Choose one of the suggested keys" error message, your organization might not have that resource type.

To run queries, use the Filter by text box on the Assets tab. Following are some common queries that you might find useful:

  • Find buckets with public legacy ACLs: resourceProperties.acl:allUsers OR resourceProperties.acl:allAuthenticatedUsers
  • Find firewall rules with SSH port 22 open from any network: resourceProperties.allowed:22 OR resourceProperties.sourceRange:0.0.0.0/0
  • Find VMs with public IP addresses: resourceProperties.networkInterface:externalIP
  • Find resource owners outside your organization: -securityCenterProperties.resourceOwners:@your-domain
  • Find and monitor OS state in VMs: resourceProperties.disk:licenses

What's next