Using the Security Command Center dashboard
This page explains how to access Security Command Center in the Google Cloud console, configure the display, and review your findings and Google Cloud resources. If Security Command Center isn't already set up for your organization, complete the guide to set up Security Command Center first.
Before you begin
To use Security Command Center, you must have an Identity and Access Management (IAM) role that includes appropriate permissions:
- Security Center Admin Viewer lets you view Security Command Center.
- Security Center Admin Editor lets you view Security Command Center and make changes.
If your organization policies are set to restrict identities by domain, you must be signed in to the Google Cloud console on an account that's in an allowed domain.
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
Accessing the dashboard
The Security Command Center page in the Google Cloud console is referred to as a dashboard. To access the Security Command Center dashboard:
- Go to the Security Command Center page in the Google Cloud console.
Go to the Security Command Center page
- Select the project or organization that you want to review.
The Security Command Center dashboard displays a comprehensive overview of potential security risk findings.
Using the dashboard
When you go to Security Command Center, the Overview tab is displayed, as shown below. The Overview tab provides you with a summary of the most severely rated findings in your project or organization so you can prioritize fixes.
You can set customizable time ranges for reviewing findings and creating reports and also access other dashboard tabs.
The following subsections provide more information about what each dashboard tab offers.
- Overview tab
- Threats tab
- Vulnerabilities tab
- Compliance tab
- Assets tab
- Findings tab
- Sources tab
- Explore tab
The Overview dashboard shows you the total number of findings in your project or organization by severity level. Totals include findings from all built-in services and integrated sources. You can change the range of time displayed in all areas of this tab from 1 hour to 6 months.
- Findings by Severity shows active vulnerabilities and new threats, segmented by severity. Details on severity levels are available in the Findings tab.
- Active Vulnerabilities Over Time By Severity is a graphic display that shows changes to vulnerabilities.
- New Threats Over Time shows count of new threats detected per day. It provides hourly totals for findings.
Additional tables display findings grouped by category, asset type, and project. The tables let you view the number of times each vulnerability was detected and your most impacted resources.
The Threats dashboard helps you review potentially harmful events in your Google Cloud resources.
- Threats by severity shows the number of threats in each severity level.
- Threats by category shows the number of findings in each category across all projects.
- Threats by resource shows the number of findings for each resource in your project or organization.
The threats dashboard displays results for the time period you specify in the drop-down list. The drop-down list has several options between 1 hour and "all time," which shows all findings since the service was activated. The time period you select is saved between sessions.
The Vulnerabilities tab lists all of the categories of vulnerabilities that the various Security Command Center threat prevention services can detect in your environment.
The Security Command Center threat prevention services include the following:
For each vulnerability category, the Vulnerabilities tab shows the following information:
- Status: an icon indicates if the detector is active, and if the detector found a finding that needs to be addressed. When you hold the pointer over the status icon, a tooltip displays the date and time the detector found the result or information about how to validate the recommendation.
- Last scanned: the date and time of the last scan for the detector.
- Category: the category or type of vulnerability. To all of the categories that each Security Command Center service detects, see the following:
- Recommendation: a summary of how to remediate the finding. For more information, see remediating Security Health Analytics findings.
- Active: the total number of findings in the category.
- Severity: the relative risk level of the finding category.
- Standards: the compliance benchmark that the finding category applies to, if any. For more information about benchmarks, see Vulnerabilities findings.
Filter finding categories
A large project or organization might have many vulnerability findings across its deployment to review, triage, and track. By using Security Command Center with the available filters, you can focus on the highest severity vulnerabilities and review vulnerabilities by asset type, security mark, and more.
View findings on the Vulnerabilities tab by project
To view findings by project on the Vulnerabilities tab:
- Under Projects Filter, click Add a project to the Projects Filter ( ).
- In the search dialog that appears, select the project that you want to display findings for.
The Vulnerabilities tab displays a list of findings for the project that you selected.
View the findings in a vulnerability category
View the findings in a vulnerability category on the Vulnerabilities tab by clicking the category name in the Category column.
The Findings tab loads and displays a list of findings that match the category you selected.
View findings by asset type
To view vulnerability findings for a specific asset type, use the Findings tab:
- Go to the Security Command Center Findings page in the
Google Cloud console.
Go to the Findings page
- Next to View by, click Source Type, and then select Security Health Analytics.
- In the Filter box, enter
resourceName: asset-type. For example, to display Security Health Analytics findings for all projects, enter
The list of findings updates to display all findings for the asset type that you specified.
Marking assets and findings with security marks
You can add custom properties to findings and assets in Security Command Center by using security marks. Security marks enable you to identify high-priority areas of interest like production projects, tag findings with bug and incident tracking numbers, and more.
Allowlisting vulnerability findings using security marks
To hide or silence findings, you can manually or programmatically mute individual findings or create mute rules that automatically mute current and future findings based on filters you define. For more information, see Mute findings in Security Command Center.
Muting findings is the recommended when you don't want to review findings for projects that are isolated or fall within acceptable business parameters. Alternatively, you can add assets to allowlists so that a detection module doesn't create a security finding for the asset.
When you add an asset to an allowlist, the finding is marked as resolved when the next scan runs.
To add an asset to an allowlist, add a security mark
allow_finding-type for a specific finding type. For
example, for the finding type
SSL_NOT_ENFORCED, use the security mark
For a complete list of finding types, see the Vulnerabilities findings page. To learn more about security marks and techniques for using them, see Using Security Command Center security marks.
Viewing active finding count by finding type
To view active finding counts by finding type, use the Google Cloud console or Google Cloud CLI commands.
You can view a count of active findings for each finding type on the Vulnerabilities tab.
To view vulnerability findings by finding type:
Open Security Command Center in the Google Cloud console:
Display the vulnerability categories by clicking the Vulnerabilities tab.
Sort modules by the number of active findings for each finding type by clicking the Active column header.
To use the gcloud CLI to get a count of all active findings, you first query Security Command Center to get the source ID of a vulnerability service, and then use the source ID to query the active findings count.
Step 1: Get the source ID
To complete this step, get your organization ID, and then get the source ID of one of the vulnerability detection services, which are also referred to as finding sources. If you haven't already enabled the Security Command Center API, you are prompted to enable it.
- Get your organization ID by running
gcloud organizations list, and then note the number next to the organization name.
Get the Security Health Analytics source ID by running:
gcloud scc sources describe organizations/ORGANIZATION_ID \ --source-display-name='SOURCE_DISPLAY_NAME'
Replace the following:
ORGANIZATION_ID: the ID of your organization. An organization ID is required, regardless of the activation level of Security Command Center.
SOURCE_DISPLAY_NAME: the display name of the vulnerability detection service that you need to display findings for. For example,
Security Health Analytics.
If prompted, enable the Security Command Center API and then run the previous command to get the source ID again.
The command to get the source ID should display output like the following:
description: Scans for deviations from a Google Cloud security baseline. displayName: Security Health Analytics name: organizations/ORGANIZATION_ID/sources/SOURCE_ID
SOURCE_ID to use in the next step.
Step 2: Get the active findings count
SOURCE_ID you noted in the previous
step to filter findings. The following gcloud CLI
command returns a count of findings by category:
gcloud scc findings group organizations/ORGANIZATION_ID/sources/SOURCE_ID \ --group-by=category --page-size=PAGE_SIZE
You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization or project:
groupByResults: - count: '1' properties: category: MFA_NOT_ENFORCED - count: '3' properties: category: ADMIN_SERVICE_ACCOUNT - count: '2' properties: category: API_KEY_APIS_UNRESTRICTED - count: '1' properties: category: API_KEY_APPS_UNRESTRICTED - count: '2' properties: category: API_KEY_EXISTS - count: '10' properties: category: AUDIT_CONFIG_NOT_MONITORED - count: '10' properties: category: AUDIT_LOGGING_DISABLED - count: '1' properties: category: AUTO_UPGRADE_DISABLED - count: '10' properties: category: BUCKET_IAM_NOT_MONITORED - count: '10' properties: category: BUCKET_LOGGING_DISABLED nextPageToken: token readTime: '2019-08-05T21:56:13.862Z' totalSize: 50
The Compliance dashboard helps you review your high-level violation status and export reports. This dashboard provides summaries for the number of detectors associated with each compliance standard that Security Health Analytics and Web Security Scanner monitor.
This section describes how to use Security Health Analytics and Web Security Scanner detectors to monitor for violations against common compliance controls like those described in the CIS Google Cloud Computing Foundations Benchmark v1.0.0 through v1.2.0, Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1, and more. Security Health Analytics and Web Security Scanner monitor for violations of common compliance controls based on a best effort mapping provided by Google. It is not a replacement for a compliance audit but can be used to help you maintain your continuous compliance and catch violations early.
The compliance dashboard shows the number of checks for each standard that are in a Warning state and a Passing state:
- Warning state: there are one or more active findings (violations) associated with that check.
- Passing state: there are no detected violations for the check.
Scope of compliance reports
You can view and export compliance reports that are specific to a project, folder, or organization and a particular standard.
Security Command Center automatically scopes compliance reports to the project, folder, or organization that you select at the top of the page in the Google Cloud console. For example, if your Google Cloud console view is set to a project, the compliance report includes only the findings for that project.
If Security Command Center is active at the organization level and your view is set to an organization, the compliance report includes the findings for the entire organization, including all of the projects it contains. If Security Command Center is active at a project level and you select an organization or folder, the Compliance page does not display.
On the Compliance tab, you can then choose to view or export a report for a specific standard that is scoped to the organization or project that you are viewing.
The reports are based on Security Health Analytics and Web Security Scanner findings. When you view a particular report, the Vulnerabilities tab opens with the findings filtered by the standard that you selected on the Compliance tab.
Exporting compliance reports
You can export a CSV report that aggregates violations findings for a specific compliance benchmark. To generate a report:
Go to the Security Command Center page in the Google Cloud console:
Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to see a compliance report:
Click the Compliance tab in the Google Cloud console.
Click Export next to the report you want to download.
On the Export window that appears, configure the export:
- Select the benchmark report you want to download.
- Select the date and time of the report snapshot.
When you're finished configuring the export, click Export, and then select the location where you want to save the CSV report.
Compliance report exports include:
- Projects in scope
- Date of the report
- Findings in scope for the report
- The number of resources scanned
- The number of resources that are violating the specific control
To learn more about Security Health Analytics and Web Security Scanner findings and the mapping between supported detectors and compliance standards, see vulnerabilities findings.
The Assets tab provides a detailed display of all Google Cloud resources, called assets, in your project or organization.
If Security Command Center is activated at the organization level, you can view assets for your entire organization or you can filter assets within a specific project, by asset type, or by change type.
To view details about a specific asset, like its attributes, resource properties, and associated findings, click the asset name in the resourceProperties.name column.
Assets are automatically scanned two times each day. You can also start an
asset scan manually by clicking Re-scan on the assets tab. The
updateTime value might vary for results within a given automatic or manual
scan. This variance is typically less than 10 minutes.
Asset inventory freshness depends on discovery and indexing of the asset source:
- Freshness is usually <1 minute for pre-existing assets.
- Assets that haven't been discovered and indexed in a daily or manual scan will appear in asset inventory after the asset they're attached to is discovered and indexed.
Using the assets tab
The assets tab provides built-in and customizable filters so you can view a filtered list of assets.
Viewing assets by project
By default, assets are displayed in the organization and project hierarchy. To view assets associated with a specific resource, next to View by select Project. Then select the organization or project you want to review.
Viewing by asset type
To view your assets grouped by resource type in the assets tab, click Asset type. Assets are displayed in categories like application, bucket, project, and service. The following asset types are currently supported:
- App Engine
- Artifact Registry
- Cloud Composer
- Cloud DNS
- Cloud Functions
- Cloud Key Management Service
- Cloud Logging
- Cloud Spanner
- Cloud Storage
- Cloud SQL
- Compute Engine
- Container Registry
- Google Kubernetes Engine
- Resource Manager
- Serverless VPC Access
- Service Usage
- Vertex AI
To view individual resources for a specific asset type, in the Asset type list, select the asset type you want to review. To view details of a specific asset, click the asset name.
If Security Command Center is active at the organization level,
you can view all Google Cloud projects in your organization,
filter the asset list using
Viewing by asset changed
In the assets tab, Assets changed displays all assets that were active during the time range you select. Any assets that were added during that time are also grouped in the Added category. To change the time range to display results for, click the drop-down list next to Assets changed.
Viewing by IAM policy
The assets tab displays IAM policies for assets in the
iamPolicy.policy_blob column. To display the
click Column display options
and then enter iamPolicy.
To view IAM policy details for a specific asset, click Show next to the asset. IAM policies are also displayed on the asset details panel when you click the asset name under the resourceProperties.name column.
Configuring the assets tab
You can control some of the elements that appear on the assets tab.
By default, the assets tab includes the following columns:
- Asset name:
- Resource name:
- Asset type:
- Asset owner:
- Any marks added to the asset:
You can hide any column except for
resourceProperties.name, and you can
select more asset detail columns to display:
- To select the asset columns you want to display, click Column display options. view_column
- In the menu that appears, select the columns you want to display.
- To hide a column, click the column name to clear the box next to the column name.
To save your column selections, click Remember Columns. Your column selections apply to all views in the Assets tab. When you select columns, the Google Cloud console URL updates, so you can share the link for a custom view.
Column selections are preserved the next time you view the dashboard, even if you change projects or organizations. To clear all custom column selections, click Reset Columns.
To control the screen space for the assets tab, you can change the following options:
- Hide the Google Cloud console Security side panel by clicking the left arrow.
- Resize the asset display columns by dragging the dividing line left or right.
- Hide the Select an asset side panel by clicking Hide Info Panel.
To change the date and time of the results that the assets display includes, click the date and time drop-down, then select the date and time you want.
To sort assets, click the column heading for the value you want to sort by. Columns are sorted by numeric and then alphabetical order.
This section describes how to run common queries to review your resources using Security Command Center.
You can only select these filters in the Security Command Center dashboard if your project or organization has the related resource type. If you receive the "Choose one of the suggested keys" error message, your project or organization might not have that resource type.
To run queries, use the Filter by text box on the Assets tab. Following are some common queries that you might find useful:
|Query type||Filter by|
|Find resources that are publicly accessible||
|Find firewall rules with SSH port 22 open from any network||
|Find VMs with public IP addresses||
|Find resource owners outside your organization||
|Find and monitor OS state in VMs||
|Find buckets with
Learn more about filtering assets.
On the Findings tab, you can query, review, mute, and mark Security Command Center findings, the records that Security Command Center services create when they detect a security issue in your environment.
Two versions of the Findings tab are available: the current version and a legacy version.
The current version of the Findings tab is the default and recommended view.
The legacy version is no longer being enhanced, so there are things you can do and information that you can see in the current version that are not available in the legacy version.
For information about how to work with findings in the current version of the Findings tab, see Work with findings in the Security Command Center dashboard.
For information about how to work with findings in the legacy version of the Findings tab, see How to use the legacy Security Command Center findings view.
The Sources tab contains cards that provide a summary of assets and findings from the security sources you have enabled. The card for each security source shows some of the findings from that source. You can click the finding category name to view all findings in that category.
The Assets Summary card displays a count of each type of asset in your project or organization as of the most recent scan. The display includes new, deleted, and total assets for the time period you specify. You can view the summary as a table or a graphical chart.
- To view the summary for a recent time range, select a time from the drop-down list on the Assets Summary card.
- To see more information about each asset type, including the number of assets in your project or organization of that type, click an asset type or View all assets at the bottom of the card to switch to the Assets tab.
- To view details about an individual asset, select the Assets tab, and then click the asset name.
The Findings Summary card displays a count of each category of finding that your enabled security sources provide.
- To view details about the findings from a specific source, click the source name.
- To view details about all findings, click the Findings tab, where you can group findings or view details about an individual finding.
Below the Findings Summary card, cards appear for any built-in, integrated, and third-party sources you enabled. Each card provides counts of active findings for that source.
The Explore tab gives you a look at additional Security Command Center features and services that are available to integrate in Security Command Center.
- Learn about security sources.
- Learn how to use security marks.
- Learn how to configure Security Command Center.