Using the Security Command Center dashboard

Access Security Command Center, configure the display, and review your Google Cloud resources. If Security Command Center isn't already set up for your organization, complete the guide to set up Security Command Center first.

Before you begin

To use Security Command Center, you must have an Identity and Access Management (IAM) role that includes appropriate permissions:

  • Security Center Admin Viewer lets you view Security Command Center.
  • Security Center Admin Editor lets you view Security Command Center and make changes.

If your organization policies are set to restrict identities by domain, you must be signed in to the Cloud Console on an account that's in an allowed domain.

Learn more about Security Command Center roles.

Accessing the dashboard

The Security Command Center page in the Cloud Console is referred to as a dashboard. To access the Security Command Center dashboard:

  1. Go to the Security Command Center page in the Cloud Console.
  2. Select the organization you want to review.

The Security Command Center dashboard displays a comprehensive overview of potential security risk findings.

Using the dashboard

When you go to Security Command Center, the Overview tab is displayed. The tab provides you with a summary of the most severely rated findings in your organization so you can prioritize fixes. You can set customizable time ranges for reviewing findings and creating reports and also access other dashboard tabs.

To learn about what a dashboard tab offers, click the name of the tab.

Overview

The Overview dashboard shows you the total number of findings in your organization by severity level. Totals include findings from all built-in services and integrated sources. You can change the range of time displayed in all areas of this tab from 1 hour to 6 months.

  • Findings by Severity shows active vulnerabilities and new threats, segmented by severity. Details on severity levels are available in the Findings tab.
  • Active Vulnerabilities Over Time By Severity is a graphic display that shows changes to vulnerabilities.
  • New Threats Over Time shows the count of new threats detected per day. It provides hourly totals for findings.

Additional tables display findings grouped by category, asset type, and project. The tables let you view the number of times each vulnerability was detected and your most impacted resources.

Threats

The Threats dashboard helps you review potentially harmful events in your organization's Google Cloud resources.

  • Threats by Severity shows the number of threats in each severity level.
  • Threats by Category shows the number of findings in each category across all projects.
  • Threats by Resource shows the number of findings for each resource in your organization.

The threats dashboard displays results for the time period you specify in the drop-down list. The drop-down list has several options between 1 hour and "all time," which shows all findings since the service was activated. The time period you select is saved between sessions.

Vulnerabilities

The Vulnerabilities tab displays Security Health Analytics findings and recommendations, including the following columns:

  • Status: an icon indicates whether the detector is active and whether it found a finding that needs to be addressed. When you hold the pointer over the status icon, a tooltip displays the date and time the detector found the result or information about how to validate the recommendation.
  • Last scanned: the date and time of the last scan for the detector.
  • Category: the type of the finding. For a list of potential Security Health Analytics findings, see Security Health Analytics findings.
  • Recommendation: a summary of how to remediate the finding. For more information, see remediating Security Health Analytics findings.
  • Active: the total number of findings in the category.
  • Severity: the relative risk level of the finding category.
  • Benchmarks: the compliance benchmark that the finding category applies to, if any. For more information about benchmarks, see Vulnerabilities findings.

Filtering findings

A large organization might have many vulnerability findings across its deployment to review, triage, and track. By using Security Command Center with the available filters, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, security mark, and more.

Viewing Security Health Analytics findings by project

To view Security Health Analytics findings by project on the Vulnerabilities tab:

  1. Under Projects Filter, click Add a project to the Projects Filter.
  2. In the search dialog that appears, select the project that you want to display findings for.

The Vulnerabilities tab displays a list of findings for the project that you selected.

Viewing Security Health Analytics findings by category

View Security Health Analytics findings by category on the Vulnerabilities tab by clicking the category name in the Category column.

The Findings tab loads and displays a list of findings that match the category you selected.

Viewing findings by asset type

To view Security Health Analytics findings for a specific asset type, use the Findings tab:

  1. Go to the Security Command Center Findings page in the Cloud Console.
  2. Next to View by, click Source Type, and then select Security Health Analytics.
  3. In the Filter box, enter resourceName: asset-type. For example, to display Security Health Analytics findings for all projects, enter resourceName: projects.

The list of findings updates to display all findings for the asset type that you specified.

Marking assets and findings with security marks

You can add custom properties to findings and assets in Security Command Center by using security marks. Security marks enable you to identify high-priority areas of interest like production projects, tag findings with bug and incident tracking numbers, and more.

Allowlisting Security Health Analytics findings using security marks

You can add assets to allowlists in Security Health Analytics so that a detector doesn't create a security finding for the asset. When you add an asset to an allowlist, the finding is marked as resolved when the next scan runs. This setting is helpful when you don't want to review security findings for projects that are isolated or fall within acceptable business parameters.

To add an asset to an allowlist, add a security mark allow_finding-type for a specific finding type. For example, for the finding type SSL_NOT_ENFORCED, use the security mark allow_ssl_not_enforced:true.

For a complete list of finding types, see the Security Health Analytics findings page. To learn more about security marks and techniques for using them, see Using Security Command Center security marks.

Viewing active finding count by finding type

To view active finding counts by finding type, use the Cloud Console or gcloud command-line tool commands.

Console

The Security Health Analytics dashboard enables you to view a count of active findings for each finding type.

To view Security Health Analytics findings by finding type:

  1. Go to Security Command Center in the Cloud Console.
  2. To display Security Health Analytics findings, click the Vulnerabilities tab.
  3. To sort findings by the number of active findings for each finding type, click the Active column header.

gcloud

To use the gcloud tool to get a count of all active findings, you query Security Command Center to get the Security Health Analytics source ID. Then you use the source ID to query the active findings count.

Step 1: Get the source ID

To complete this step, get your organization ID, and then get the source ID. If you haven't already enabled the Security Command Center API, you are prompted to enable it.

  1. Get your organization ID by running gcloud organizations list, and then note the number next to the organization name.
  2. Get the Security Health Analytics source ID by running:

    gcloud scc sources describe organizations/your-organization-id \
      --source-display-name='Security Health Analytics'

  3. If prompted, enable the Security Command Center API and then run the previous command to get the Security Health Analytics source ID again.

The command to get the source ID should display output like the following:

  description: Scans for deviations from a Google Cloud security baseline.
  displayName: Security Health Analytics
  name: organizations/your-organization-id/sources/source-id

Note the source-id to use in the next step.

Step 2: Get the active findings count

Use the source-id you noted in the previous step to filter findings from Security Health Analytics. The following gcloud tool command returns a count of findings by category:

  gcloud scc findings group organizations/your-organization-id/sources/source-id \
   --group-by=category --page-size=page-size

You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization:

  groupByResults:
  - count: '1'
    properties:
      category: 2SV_NOT_ENFORCED
  - count: '3'
    properties:
      category: ADMIN_SERVICE_ACCOUNT
  - count: '2'
    properties:
      category: API_KEY_APIS_UNRESTRICTED
  - count: '1'
    properties:
      category: API_KEY_APPS_UNRESTRICTED
  - count: '2'
    properties:
      category: API_KEY_EXISTS
  - count: '10'
    properties:
      category: AUDIT_CONFIG_NOT_MONITORED
  - count: '10'
    properties:
      category: AUDIT_LOGGING_DISABLED
  - count: '1'
    properties:
      category: AUTO_UPGRADE_DISABLED
  - count: '10'
    properties:
      category: BUCKET_IAM_NOT_MONITORED
  - count: '10'
    properties:
      category: BUCKET_LOGGING_DISABLED
  nextPageToken: token
  readTime: '2019-08-05T21:56:13.862Z'
  totalSize: 50
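To script the two gcloud steps above (describe the source, then group findings by category), here is an added example that is not code from the Security Command Center documentation: it parses the documented output formats with sed and awk so the per-category counts can be totalled or ranked. The function names, the sample organization and source IDs, and the sample output are constructed; the live wrappers assume an installed and authenticated gcloud.

```shell
#!/bin/sh
# Added example (not from the Security Command Center docs). Parses the YAML
# that `gcloud scc sources describe` and `gcloud scc findings group` print,
# as shown in the documentation, with POSIX sed/awk/sort only.

# Extract the numeric source ID from `gcloud scc sources describe` output,
# i.e. from a line such as "name: organizations/123/sources/456".
sha_source_id_from_describe() {
  sed -n 's#^ *name: organizations/[0-9]*/sources/\([0-9]*\)$#\1#p'
}

# Flatten `gcloud scc findings group --group-by=category` YAML into
# "CATEGORY COUNT" lines. Each count line precedes its category line, so
# remember the count and emit it when the category arrives.
category_counts_from_group() {
  awk '
    /^ *- count:/     { gsub(/[^0-9]/, "", $3); count = $3 }
    /^ *category:/    { print $2, count }
  '
}

# Sum the counts of "CATEGORY COUNT" lines: total active SHA findings.
total_active() {
  awk '{ total += $2 } END { print total + 0 }'
}

# Rank categories by active finding count, highest first; $1 = how many.
top_categories() {
  sort -k2,2nr -k1,1 | head -n "$1"
}

# Live wrapper (needs gcloud; not exercised offline). $1 = organization ID.
sha_source_id() {
  gcloud scc sources describe "organizations/$1" \
    --source-display-name='Security Health Analytics' \
    | sha_source_id_from_describe
}

# Live wrapper. $1 = organization ID, $2 = source ID. --page-size is capped
# at 1000; a nextPageToken in the raw output means more categories remain.
sha_category_counts() {
  gcloud scc findings group "organizations/$1/sources/$2" \
    --group-by=category --page-size=1000 \
    | category_counts_from_group
}

# Constructed samples in the documented output format (IDs are made up).
DESCRIBE_SAMPLE="description: Scans for deviations from a Google Cloud security baseline.
displayName: Security Health Analytics
name: organizations/123456789012/sources/5678"

GROUP_SAMPLE="groupByResults:
- count: '1'
  properties:
    category: 2SV_NOT_ENFORCED
- count: '3'
  properties:
    category: ADMIN_SERVICE_ACCOUNT
- count: '2'
  properties:
    category: API_KEY_EXISTS
- count: '10'
  properties:
    category: AUDIT_LOGGING_DISABLED
nextPageToken: token
readTime: '2019-08-05T21:56:13.862Z'
totalSize: 16"

# Demonstration on the constructed samples (no gcloud call is made).
printf '%s\n' "$DESCRIBE_SAMPLE" | sha_source_id_from_describe
printf '%s\n' "$GROUP_SAMPLE" | category_counts_from_group | top_categories 3
printf '%s\n' "$GROUP_SAMPLE" | category_counts_from_group | total_active
```

Replace the constructed samples with `sha_source_id "$ORG_ID"` and `sha_category_counts "$ORG_ID" "$SOURCE_ID"` to run it against a real organization.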

Compliance

The Compliance dashboard helps you review your high-level violation status and export reports. This dashboard provides summaries for the number of detectors associated with each compliance regime that Security Health Analytics monitors.

This section describes how to use Security Health Analytics and Web Security Scanner detectors to monitor for violations against common compliance controls like those described in the CIS Google Cloud Computing Foundations Benchmark v1.0.0, Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1, and more. Security Health Analytics can monitor for violations of common compliance controls based on a best effort mapping provided by Google. It is not a replacement for a compliance audit but can be used to help you maintain your continuous compliance and catch violations early.

The compliance dashboard shows the number of checks for each regime that are in a Warning state and a Passing state:

  • Warning state: there are one or more active findings (violations) associated with that check.
  • Passing state: there are no detected violations for the check.

You can filter the compliance dashboard by project, and view or export reports of specific CIS and PCI findings. These reports are based on Security Health Analytics findings and are loaded in the vulnerabilities tab.

Exporting compliance reports

You can export a CSV report that aggregates violations findings for a specific compliance benchmark. To generate a report:

  1. Go to the Security Command Center Compliance tab in the Cloud Console.
  2. Click Export next to the report you want to download.
  3. On the Export window that appears, configure the export:
    1. Select the benchmark report you want to download.
    2. Select the date and time of the report snapshot.
    3. Optionally filter the export by project.
  4. When you're finished configuring the export, click Export, and then select the location where you want to save the CSV report.

Compliance report exports include:

  • Projects in scope
  • Date of the report
  • Findings in scope for the report
  • The number of resources scanned
  • The number of resources that are violating the specific control

To learn more about Security Health Analytics findings and the mapping between supported detectors and compliance regimes, see vulnerabilities findings.

Assets

The Assets tab provides a detailed display of all Google Cloud resources, called assets, in your organization. The assets tab lets you view assets for your entire organization or you can filter assets within a specific project, by asset type, or by change type. To view details about a specific asset, like its attributes, resource properties, and associated findings, click the asset name in the resourceProperties.name column.

Assets are automatically scanned twice a day. You can also start an asset scan manually by clicking Re-scan on the assets tab. The updateTime value might vary for results within a given automatic or manual scan. This variance is typically less than 10 minutes.

Asset inventory freshness depends on discovery and indexing of the asset source:

  • Freshness is usually <1 minute for pre-existing assets.
  • Assets that haven't been discovered and indexed in a daily or manual scan will appear in asset inventory after the asset they're attached to is discovered and indexed.

Using the assets tab

The assets tab provides built-in and customizable filters so you can view a filtered list of assets.

Viewing assets by project

By default, assets are displayed in the organization and project hierarchy. To view assets associated with a specific resource, next to View by select Project. Then select the organization or project you want to review.

Viewing by asset type

To view your assets grouped by resource type in the assets tab, click Asset type. Assets are displayed in categories like application, bucket, project, and service. The following asset types are currently supported:

  • Resource Manager
    • Organization
    • Project
  • App Engine
    • Application
    • Service
    • Version
  • Compute Engine
    • Address
    • Autoscaler
    • BackendBucket
    • BackendService
    • BillingAccount
    • Disk
    • Firewalls
    • GlobalAddress
    • HealthCheck
    • HttpHealthCheck
    • HttpsHealthCheck
    • Image
    • Instance
    • InstanceGroup
    • InstanceTemplate
    • License
    • Network
    • Route
    • SecurityPolicy
    • Snapshot
    • SslCertificate
    • Subnetwork
    • TargetHttpProxy
    • TargetHttpsProxy
    • TargetSslProxy
    • TargetTcpProxy
    • TargetPool
    • TargetVpnGateway
    • UrlMap
    • VpnTunnel
  • Cloud DNS
    • ManagedZone
    • Policy
  • IAM
    • ServiceAccount
  • Cloud Spanner
    • Database
    • Instance
  • Cloud Storage
    • Bucket
  • Google Kubernetes Engine
    • Cluster
  • Container Registry
    • Image
  • Cloud Logging
    • LogMetric

To view individual resources for a specific asset type, in the Asset type list, select the asset type you want to review. To view details of a specific asset, click the asset name. To view all Google Cloud projects in your organization, filter the asset list using securityCenterProperties.resourceType:resourcemanager.Project.

Viewing by asset changed

In the assets tab, Assets changed displays all assets that were active during the time range you select. Any assets that were added during that time are also grouped in the Added category. To change the time range to display results for, click the drop-down list next to Assets changed.

Viewing by IAM policy

The assets tab displays IAM policies for assets in the iamPolicy.policy_blob column. To display the iamPolicy column, click Column display options and then enter iamPolicy.

To view IAM policy details for a specific asset, click Show next to the asset. IAM policies are also displayed on the asset details panel when you click the asset name under the resourceProperties.name column.

Configuring the assets tab

You can control some of the elements that appear on the assets tab.

Columns

By default, the assets tab includes the following columns:

  • Asset name: resourceProperties.name
  • Resource name: name
  • Asset type: securityCenterProperties.resourceType
  • Asset owner: securityCenterProperties.resourceOwners
  • Any marks added to the asset: securityMarks.marks

You can hide any column except for resourceProperties.name, and you can select more asset detail columns to display:

  1. To select the asset columns you want to display, click Column display options.
  2. In the menu that appears, select the columns you want to display.
  3. To hide a column, click the column name to clear the box next to the column name.

To save your column selections, click Remember Columns. Your column selections apply to all views in the Assets tab. When you select columns, the Cloud Console URL updates, so you can share the link for a custom view.

Column selections are preserved the next time you view the dashboard, and if you change organizations. To clear all custom column selections, click Reset Columns.

Panels

To control the screen space for the assets tab, you can change the following options:

  • Hide the Cloud Console Security side panel by clicking the left arrow.
  • Resize the asset display columns by dragging the dividing line left or right.
  • Hide the Select an asset side panel by clicking Hide Info Panel.

To change the date and time of the results that the assets display includes, click the date and time drop-down, then select the date and time you want.

Sorting assets

To sort assets, click the column heading for the value you want to sort by. Columns are sorted by numeric and then alphabetical order.

Findings

The Findings tab displays a detailed findings inventory for all assets in your organization. The findings display lets you view potential security risks for your organization.

Findings inventory freshness depends on finding sources:

  • Finding freshness in the Security Command Center dashboard is usually <1 minute after ingestion from the finding source.
  • Assets that haven't been discovered and indexed in an automatic or manual scan will usually appear in the findings inventory within 1 minute after discovery.

By default, the findings tab only displays active findings. You can enable or disable the display of inactive findings by clicking the toggle next to Show Only Active Findings.

To view details about a specific finding, click the finding. The finding details panel displays attributes like the affected asset and time of the event. Some types of findings include more attributes, for example, a cryptomining event might include:

  • abuse_target_ips: the IP of the mining pool.
  • urls: the URL for the mining pool.
  • vm_host_and_names: the specific VMs that were discovered to be cryptomining.
  • vm_ips: the IP addresses for the affected VMs.

Viewing by finding category

By default, findings are displayed in specific categories like cross-site scripting (XSS) and exposure of credit card number or phone number. If you leave the category field blank when you create a finding, it doesn't have a category in the findings display.

  • To view details about a specific risk type, next to View by, select Category. Then select the type of risk you want to review.
  • To view detailed information about a specific finding, click the finding under category in the table.

To view findings by category on a specific date, use the time drop-down list above the table.

Viewing by source type

A finding source is any provider of findings, like Web Security Scanner or Cloud DLP. These sources include the following:

  • Scanners that provide a sampled snapshot of findings at a specific time.
  • Monitors that provide an event stream of findings.
  • Loggers that provide output of historical events.

You can view findings by source in the following ways:

  • To view counts of findings by source type, under the Findings tab, click Source type. A list populates with grouped findings.
  • To view individual findings for a specific source type, select the source you want to review from the grouped findings list. The table displays findings for the source type selected.
  • To view detailed information about a specific finding, click the finding under category.

To view findings by category on a specific date, use the time drop-down list above the table.

Viewing by findings changed

To view new and active findings, under the Findings tab, click Findings changed. To include inactive findings, you must toggle off Show Only Active Findings.

All findings are displayed in the following subgroups:

  • Active (changed): findings that were active and had changed properties during the selected time period.
  • Active (no change): findings that are active and had no changed properties during the selected time period.
  • Inactive (changed): findings that changed to inactive during the selected time period. This value is always 0 if Show Only Active Findings is turned on, even if there are inactive changed findings.
  • Inactive (no change): findings that are inactive and had no changed properties during the selected time period. This value is always 0 if Show Only Active Findings is turned on, even if there are inactive unchanged findings.
  • New: findings that are new during the selected time period.

The findings tab displays findings for a range of time, with several options between 1 hour and "All time". To specify a time range, or to enter a custom range, use the time drop-down list above the table.

Viewing by finding severity

When you view findings by Severity, findings are grouped in the following categories:

  • Critical:
    • A critical vulnerability is easily discoverable and it can be exploited to result in the direct ability to execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges in cloud resources and workflows. Examples include publicly accessible user data and public SSH access with weak or no passwords.
    • A critical threat is able to access, modify, or delete data, or execute unauthorized code within your existing resources.
  • High:
    • A high risk vulnerability is easily discoverable and could be exploited with other vulnerabilities to gain direct access to execute arbitrary code or exfiltrate data, and gain additional access and privileges to resources and workloads. For example, a database that has weak or no passwords and is only accessible internally could be compromised by an actor who has access to the internal network.
    • A high risk threat is able to create computational resources in an environment, but is not able to access data or execute code in existing resources.
  • Medium:
    • A medium risk vulnerability could allow an actor to gain access to resources or privileges that enable them to eventually gain access and the ability to exfiltrate data or execute arbitrary code. For example, if a service account has unnecessary access to projects and an actor gains access to the service account, the actor could use that service account to manipulate a project.
    • A medium risk threat could cause organizational impact but may not access data or execute unauthorized code.
  • Low:
    • A low risk vulnerability hampers a security organization's ability to detect vulnerabilities or active threats in their deployment, or prevents the root cause investigation of security issues. For example, a scenario in which monitoring and logs are disabled for resource configurations and access.
    • A low risk threat has obtained minimal access to an environment, but isn't able to access data, execute code, or create resources.
  • Unspecified: finding risk level is unspecified when a finding provider doesn't set severity values for their findings.

You can view findings by severity in the following ways:

  • To view findings grouped by severity, under the Findings tab, click Severity.
  • To view individual findings for a specific severity, under Find Severity, select the severity you want to review.
  • To view detailed information about a specific finding, click the finding under category.

To view findings by category on a specific date, use the time drop-down list above the table.

Managing findings

Manage security marks for findings or change finding state by using the table menu on the Security Command Center dashboard.

Managing security marks

To add security marks to findings:

  1. In the table, select checkboxes next to category names for one or more findings.
  2. Select Set security marks.
  3. In the Security Marks dialog that appears, click Add mark.
  4. Identify the finding categories by adding Key and Value items.

    For example, if you want to mark findings that are part of the same incident, add a key of "incident-number" and a value of "1234". The new security mark is attached to each finding in the form of mark.incident-number: 1234.

  5. To edit an existing mark, update text in the Value field.

  6. To delete marks, click the trash icon next to the mark.

  7. When you're finished adding marks, click Save.

Managing finding state

Change finding state to active or inactive by using the table menu on the Security Command Center dashboard:

  1. In the table, select checkboxes next to the category names for one or more findings.
  2. Select Change active state then select Active or Inactive in the drop-down list. If the findings that you selected are a combination of active and inactive, the State displays as Mixed until you select a new state.

Configuring the findings display

You can control some of the elements that appear on the findings tab.

Columns

By default, the findings tab displays the following columns:

  • Finding type: category
  • Asset ID: resourceName
  • Time the finding was last detected: eventTime
  • Time the finding was first detected: createTime
  • The source of the finding: parent
  • Any marks added to the finding: securityMarks.marks

You can hide any column except for category, and you can select more finding detail columns to display.

  1. To select the finding columns you want to display, above the table, click the Column display options icon.
  2. In the menu that appears, select the columns you want to display.
  3. To hide a column, click the column name.

To save your column selections, click Remember Columns. Your column selections apply to all views in the Findings tab. When you select columns, the Cloud Console URL updates, so you can share the link for a custom view.

Column selections are preserved the next time you view the dashboard, and if you change organizations. To clear all custom column selections, click Reset Columns.

Panels

To control the screen space for findings, you can change the following options:

  • Hide the Cloud Console Security side panel by clicking the left arrow.
  • Resize the findings display columns by dragging the dividing line left or right.

Sources

The Sources tab contains cards that provide a summary of assets and findings from the security sources you have enabled. The card for each security source shows some of the findings from that source. You can click the finding category name to view all findings in that category.

Assets summary

The Assets Summary card displays a count of each type of asset in your organization as of the most recent scan. The display includes new, deleted, and total assets for the time period you specify. You can view the summary as a table or a graphical chart.

  • To view the summary for a recent time range, select a time from the drop-down list on the Assets Summary card.
  • To view your organization's tree hierarchy, click an asset type or View all assets at the bottom of the card to switch to the Assets tab.
  • To view details about an individual asset, select the Assets tab, and then click the asset name.

Findings summary

The Findings Summary card displays a count of each category of finding that your enabled security sources provide.

  • To view details about the findings from a specific source, click the source name.
  • To view details about all findings, click the Findings tab, where you can group findings or view details about an individual finding.

Source summaries

Below the Findings Summary card, cards appear for any built-in, integrated, and third-party sources you enabled. Each card provides counts of active findings for that source.

Explore

The Explore tab gives you a look at additional Security Command Center features and services that are available to integrate in Security Command Center.

Security Command Center queries

This section describes how to run common queries to review your resources using Security Command Center.

You can only select these filters in the Security Command Center dashboard if your organization has the related resource type. If you receive the "Choose one of the suggested keys" error message, your organization might not have that resource type.

To run queries, use the Filter by text box on the Assets tab. Following are some common queries that you might find useful:

  • Find resources that are publicly accessible: iamPolicy.policyBlob:allUsers OR iamPolicy.policyBlob:allAuthenticatedUsers
  • Find firewall rules with SSH port 22 open from any network: resourceProperties.allowed:22 OR resourceProperties.sourceRange:0.0.0.0/0
  • Find VMs with public IP addresses: resourceProperties.networkInterface:externalIP
  • Find resource owners outside your organization: -securityCenterProperties.resourceOwners:@your-domain
  • Find and monitor OS state in VMs: resourceProperties.disk:licenses
