Using Security Command Center in the Google Cloud console

This page provides an overview of Security Command Center in the Google Cloud console and what you can do with Security Command Center's top-level pages.

If Security Command Center isn't already set up for your organization or a project in your organization, you need to activate it before you can use Security Command Center in the Google Cloud console. For information about activation, see Overview of activating Security Command Center.

For a general overview of Security Command Center, see Security Command Center overview.

Required IAM permissions

To use Security Command Center, you must have an Identity and Access Management (IAM) role that includes appropriate permissions:

  • Security Center Admin Viewer lets you view Security Command Center.
  • Security Center Admin Editor lets you view Security Command Center and make changes.

If your organization policies are set to restrict identities by domain, you must be signed in to the Google Cloud console on an account that's in an allowed domain.

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Access Security Command Center in the Google Cloud console

To access Security Command Center in the Google Cloud console:

  1. Go to Security Command Center:

    Go to Security Command Center

  2. Select the project or organization that you want to view.

    If Security Command Center is active in the organization or project you select, the Risk overview page displays with an overview of the new threat findings and the active vulnerability finding over the last seven days.

    If Security Command Center is not active, you are invited to activate it. For more information about activating Security Command Center, see Overview of activating Security Command Center.

Security Command Center in the Google Cloud console

Beyond the Risk overview page, you can monitor and manage security issues in your Google Cloud environment through the following Security Command Center pages in the Google Cloud console. Click a page name for an explanation of the page.

Risk overview page

The Risk overview page provides a quick view of both the new threats and the total number of active vulnerabilities in your Google Cloud environment from all built-in and integrated services. You can change the range of time displayed in all areas of this page from 1 hour to 6 months.

The Risk overview page includes various dashboards, including the following:

  • Top vulnerability findings shows the ten findings that have the highest attack exposure scores.
  • New threats over time shows a chart of the new threats detected per day, with hourly totals. Following the chart on the page are views of the threat findings by category, resource, and project. You can sort each view by finding severity.
  • Top CVE findings (Premium and Enterprise tiers only) shows vulnerability findings grouped by the CVE exploitability and impact. Click a block in the heat map to see the corresponding findings listed by CVE ID.
  • Vulnerabilities per resource type is a graphic display that shows the active vulnerabilities for the resources in your project or organization.
  • Active vulnerabilities provides tabbed views of the vulnerability findings by category name, by affected resource, and by project. You can sort each view by finding severity.
  • Identity and access findings shows misconfiguration findings that are related to principal accounts (identities) that are misconfigured or that are granted excessive or sensitive permissions to Google Cloud or AWS resources (access). The management of identity and access controls is sometimes referred to as cloud infrastructure entitlement management.
  • Data security findings shows findings from the Sensitive Data Protection discovery service. This summary includes any vulnerability findings that indicate the presence of secrets in environment variables and observation findings that indicate the sensitivity and data risk levels of your data.

Clicking the category name of any finding on the Risk overview page takes you to the Findings page where you can see the details of the finding.

Threats page

The Threats page helps you review potentially harmful events in your Google Cloud resources over a time period that you specify. The default time period is seven days.

On the threats page, you can view findings in the following sections:

  • Threats by severity shows the number of threats in each severity level.
  • Threats by category shows the number of findings in each category across all projects.
  • Threats by resource shows the number of findings for each resource in your project or organization.

You can specify the time period for which to display threats by using the drop-down list in the Time range field. The drop-down list has several options between 1 hour and "all time," which shows all findings since the service was activated. The time period you select is saved between sessions.

Vulnerabilities page

The Vulnerabilities page lists all of the misconfiguration and software vulnerability detectors that the built-in detection services of Security Command Center run in your cloud environments. For each listed detector, the number of active findings is displayed.

Vulnerability detection services

The Vulnerability page lists detectors for the following built-in detection services of Security Command Center:

Other Google Cloud services that are integrated with Security Command Center also detect software vulnerabilities and misconfigurations. The findings from a selection of these services are also displayed on the Vulnerabilities page. For more information about the services that produce vulnerability findings in Security Command Center, see Detection services.

Information about vulnerability detector categories

For each misconfiguration or software vulnerability detector, the Vulnerabilities page shows the following information:

  • Status: an icon indicates if the detector is active, and if the detector found a finding that needs to be addressed. When you hold the pointer over the status icon, a tooltip displays the date and time the detector found the result or information about how to validate the recommendation.
  • Last scanned: the date and time of the last scan for the detector.
  • Category: the category or type of vulnerability. For a list of the categories that each Security Command Center service detects, see the following:
  • Recommendation: a summary of how to remediate the finding. For more information, see remediating Security Health Analytics findings.
  • Active: the total number of findings in the category.
  • Standards: the compliance benchmark that the finding category applies to, if any. For more information about benchmarks, see Vulnerabilities findings.

Filtering vulnerability findings

A large organization might have many vulnerability findings across their deployment to review, triage, and track. By using filters that are available on the Security Command Center Vulnerabilities and Findings pages in the Google Cloud console, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, project, and more.

For more information about filtering vulnerability findings, see Filter vulnerability findings in Security Command Center.

Compliance page

The Compliance page helps you assess and take action your compliance with common security standards or benchmarks. The page shows all of the benchmarks that Security Command Center supports, as well the percentage of passing benchmark controls.

For each benchmark, you can open a Compliance details page that provides additional details about which controls Security Command Center checks for the benchmark, how many violations were detected for each control, and the option to export a compliance report for the benchmark.

Security Command Center vulnerability scanners monitor for violations of common compliance controls based on a best effort mapping provided by Google. Security Command Center compliance reports are not a replacement for a compliance audit, but can help you maintain your compliance status and catch violations early.

For more information about how Security Command Center supports compliance management, see the following pages:

Assets page

The Assets page provides a detailed display of all Google Cloud resources, also called assets, in your project or organization.

For more information about how to work with assets on the Assets page, see Work with resources in the console.

Findings page

On the Findings page, you can query, review, mute, and mark Security Command Center findings, the records that Security Command Center services create when they detect a security issue in your environment.

For more information about how to work with findings on the Findings page, see Review and manage findings.

Sources page

The Sources page contains cards that provide a summary of assets and findings from the security sources you have enabled. The card for each security source shows some of the findings from that source. You can click the finding category name to view all findings in that category.

Findings summary

The Findings Summary card displays a count of each category of finding that your enabled security sources provide.

  • To view details about the findings from a specific source, click the source name.
  • To view details about all findings, click the Findings page, where you can group findings or view details about an individual finding.

Source summaries

Below the Findings Summary card, cards appear for any built-in, integrated, and third-party sources you enabled. Each card provides counts of active findings for that source.

Posture page

On the Posture page, you can view details about the security postures that you created in your organization and apply the postures to an organization, folder, or project. You can also view the available predefined posture templates.

What's next