Using Security Command Center in the Google Cloud console

This page provides an overview of Security Command Center in the Google Cloud console and what you can do with Security Command Center's top-level pages.

If Security Command Center isn't already set up for your organization or a project in your organization, you need to activate it before you can use Security Command Center in the Google Cloud console. For information about activation, see Overview of activating Security Command Center.

For a general overview of Security Command Center, see Security Command Center overview.

Required IAM permissions

To use Security Command Center, you must have an Identity and Access Management (IAM) role that includes appropriate permissions:

  • Security Center Admin Viewer (roles/securitycenter.adminViewer) lets you view Security Command Center.
  • Security Center Admin Editor (roles/securitycenter.adminEditor) lets you view Security Command Center and make changes.

If your organization policies are set to restrict identities by domain, you must be signed in to the Google Cloud console on an account that's in an allowed domain.

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Accessing Security Command Center in the Google Cloud console

To access Security Command Center in the Google Cloud console:

  1. Go to Security Command Center:

    Go to Security Command Center

  2. Select the project or organization that you want to view.

    If Security Command Center is active in the organization or project you select, the Overview page displays an overview of the new threat findings and the active vulnerability findings over the last seven days.

    If Security Command Center is not active, you are invited to activate it. For more information about activating Security Command Center, see Overview of activating Security Command Center.

Security Command Center in the Google Cloud console

Beyond the Overview page, you can monitor and manage security issues in your Google Cloud environment through the following Security Command Center pages in the Google Cloud console. Click a page name for an explanation of the page.

In the console, you open a page by selecting it from the slide-out menu on the left side of the console. To show the menu, hold your pointer over the icons on the left side of the console.

Overview page

The Overview page provides a quick view of both the new threats and the total number of active vulnerabilities in your Google Cloud environment from all built-in and integrated services. You can change the range of time displayed in all areas of this page from 1 hour to 6 months.

The Overview page includes the following sections:

  • Top vulnerability findings shows the ten findings that have the highest attack exposure scores.
  • New threats over time shows a chart of the new threats detected per day, with hourly totals. Following the chart on the page are views of the threat findings by category, resource, and project. You can sort each view by finding severity.
  • Top CVE findings (Premium tier only) shows vulnerability findings grouped by the CVE exploitability and impact. Click a block in the heat map to see the corresponding findings listed by CVE ID.
  • Vulnerabilities per resource type is a graphic display that shows the active vulnerabilities for the resources in your project or organization.
  • Active vulnerabilities provides tabbed views of the vulnerability findings by category name, by affected resource, and by project. You can sort each view by finding severity.
  • Identity and access findings shows misconfiguration findings that are related to principal accounts (identities) that are misconfigured or that are granted excessive or sensitive permissions to Google Cloud resources (access). The management of identity and access controls is sometimes referred to as cloud infrastructure entitlement management.

Clicking the category name of any finding on the Overview page takes you to the Findings page where you can see the details of the finding.

Threats page

The Threats page helps you review potentially harmful events in your Google Cloud resources over a time period that you specify. The default time period is seven days.

On the Threats page, you can view findings in the following sections:

  • Threats by severity shows the number of threats in each severity level.
  • Threats by category shows the number of findings in each category across all projects.
  • Threats by resource shows the number of findings for each resource in your project or organization.

You can specify the time period for which to display threats by using the drop-down list in the Time range field. The drop-down list has several options between 1 hour and "all time," which shows all findings since the service was activated. The time period you select is saved between sessions.
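The counts on the Threats page (by severity, by category, by resource) and the per-project view on the Overview page are aggregations of active findings over the selected time range. The following Python example, added here for illustration and not part of the original page or of any Google Cloud client library, reproduces that aggregation offline over a handful of constructed sample findings. The field names follow the Security Command Center finding resource (category, severity, state, resourceName, eventTime); the records, project IDs and the reference time NOW are made up.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample findings for illustration only. Field names follow the
# Security Command Center finding resource; the records themselves are made up.
SAMPLE_FINDINGS = [
    {"category": "Malware: Bad IP", "severity": "HIGH", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo-prod/zones/us-central1-a/instances/web-1",
     "eventTime": "2024-03-10T08:15:00Z"},
    {"category": "Persistence: IAM Anomalous Grant", "severity": "HIGH", "state": "ACTIVE",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/demo-prod",
     "eventTime": "2024-03-11T02:00:00Z"},
    {"category": "Malware: Bad IP", "severity": "HIGH", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo-prod/zones/us-central1-b/instances/web-2",
     "eventTime": "2024-03-01T12:00:00Z"},
    {"category": "Discovery: Service Account Self-Investigation", "severity": "LOW", "state": "ACTIVE",
     "resourceName": "//iam.googleapis.com/projects/demo-dev/serviceAccounts/ci@demo-dev.iam.gserviceaccount.com",
     "eventTime": "2024-03-09T17:30:00Z"},
    {"category": "Execution: Cryptocurrency Mining Hash Match", "severity": "HIGH", "state": "INACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo-prod/zones/us-central1-a/instances/web-1",
     "eventTime": "2024-03-11T06:45:00Z"},
]

# Assumed "current time" for the examples below (constructed).
NOW = datetime(2024, 3, 12, tzinfo=timezone.utc)

# Severity order used when sorting views, highest first.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp such as 2024-03-10T08:15:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def project_of(resource_name):
    """Extract the project ID from a full resource name, or '' if it has none."""
    parts = resource_name.split("/")
    if "projects" in parts and parts.index("projects") + 1 < len(parts):
        return parts[parts.index("projects") + 1]
    return ""


def _in_scope(finding, cutoff):
    """True for ACTIVE findings whose eventTime is at or after cutoff (None = all time)."""
    if finding.get("state") != "ACTIVE":
        return False  # only active findings are counted; resolved ones are not threats to review
    return cutoff is None or parse_rfc3339(finding["eventTime"]) >= cutoff


def threats_summary(findings, now=NOW, time_range=timedelta(days=7)):
    """Count active findings within [now - time_range, now] by severity,
    category, resource and project. time_range=None mirrors "all time"."""
    cutoff = None if time_range is None else now - time_range
    by_severity, by_category, by_resource, by_project = Counter(), Counter(), Counter(), Counter()
    for f in findings:
        if not _in_scope(f, cutoff):
            continue
        by_severity[f["severity"]] += 1
        by_category[f["category"]] += 1
        by_resource[f["resourceName"]] += 1
        by_project[project_of(f["resourceName"])] += 1
    return {
        "by_severity": dict(by_severity),
        "by_category": dict(by_category),
        "by_resource": dict(by_resource),
        "by_project": dict(by_project),
    }


def categories_by_severity(findings, now=NOW, time_range=timedelta(days=7)):
    """Return (category, severity, count) rows, highest severity first, then by count."""
    cutoff = None if time_range is None else now - time_range
    rows = Counter()
    for f in findings:
        if _in_scope(f, cutoff):
            rows[(f["category"], f["severity"])] += 1
    return sorted(((c, s, n) for (c, s), n in rows.items()),
                  key=lambda r: (SEVERITY_RANK.get(r[1], 99), -r[2], r[0]))


if __name__ == "__main__":
    print(threats_summary(SAMPLE_FINDINGS))                       # default: last 7 days
    print(categories_by_severity(SAMPLE_FINDINGS, time_range=None))  # "all time"
```

With the seven-day default the finding from 1 March and the INACTIVE finding drop out; passing time_range=None brings the older finding back, which is the difference you see when you switch the Time range field to "all time".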

Vulnerabilities page

The Vulnerabilities page lists all of the categories of vulnerabilities that the various Security Command Center threat prevention services can detect in your environment.

Vulnerability detection services

The built-in Security Command Center threat prevention services include the following:

Other Google Cloud services that are integrated with Security Command Center also detect vulnerabilities and misconfigurations. The findings from a selection of these services are also displayed on the Vulnerabilities page. For more information about the services that produce vulnerability findings in Security Command Center, see Security sources.

Information about vulnerability categories

For each vulnerability category, the Vulnerabilities page shows the following information:

  • Status: an icon indicates if the detector is active, and if the detector found a finding that needs to be addressed. When you hold the pointer over the status icon, a tooltip displays the date and time the detector found the result or information about how to validate the recommendation.
  • Last scanned: the date and time of the last scan for the detector.
  • Category: the category or type of vulnerability. To see all of the categories that each Security Command Center service detects, see the following:
  • Recommendation: a summary of how to remediate the finding. For more information, see remediating Security Health Analytics findings.
  • Active: the total number of findings in the category.
  • Severity: the relative risk level of the finding category.
  • Standards: the compliance benchmark that the finding category applies to, if any. For more information about benchmarks, see Vulnerabilities findings.

Filtering vulnerability findings

A large organization might have many vulnerability findings across their deployment to review, triage, and track. By using filters that are available on the Security Command Center Vulnerabilities and Findings pages in the Google Cloud console, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, project, and more.

For more information about filtering vulnerability findings, see Filter vulnerability findings in Security Command Center.

Compliance page

The Compliance page helps you assess and take action on your compliance with common security standards or benchmarks. The page shows all of the benchmarks that Security Command Center supports, as well as the percentage of passing benchmark controls.

For each benchmark, you can open a Compliance details page that provides additional details about which controls Security Command Center checks for the benchmark, how many violations were detected for each control, and the option to export a compliance report for the benchmark.

Security Command Center vulnerability scanners monitor for violations of common compliance controls based on a best effort mapping provided by Google. Security Command Center compliance reports are not a replacement for a compliance audit, but can help you maintain your compliance status and catch violations early.

For more information about how Security Command Center supports compliance management, see the following pages:

Assets page

The Assets page provides a detailed display of all Google Cloud resources, called assets, in your project or organization.

If Security Command Center is activated at the organization level, you can view assets for your entire organization or you can filter assets by specific projects, asset type, and location.

If Security Command Center is activated at the project level, you can filter assets by asset type and location.

To view details about a specific asset—like its attributes, resource properties, and associated findings—click the asset name in the Display name column.

The list of assets is provided by Cloud Asset Inventory, which in most cases updates the list within minutes after assets are created, modified, or removed in your Google Cloud environment.

For more information about Cloud Asset Inventory, see Introduction to Cloud Asset Inventory.

Sorting assets

To sort assets, click the column heading for the value you want to sort by. Columns are sorted by numeric and then alphabetical order.

Filtering assets

This section describes how to run common queries to review your assets by using Security Command Center in the Google Cloud console.

By default, all assets in the selected project, folder, or organization are displayed in the results panel on the Assets page.

You can filter the results to specific assets in two ways. You can use the filter options in the Quick filters panel or you can use the Filter field to specify more customized filters.

In the Quick filters panel, you can filter the results by resource type, project, or location.

In the Filter field, you can type in custom filters or select filter options from the menu that appears when you place your cursor in the field.

The drop-down menu of the Filter field includes the following options:

  • Name
  • Display name
  • Description
  • Location
  • Labels
  • Labels by key
  • Network tags
  • KMS keys
  • Create time, which shows assets that were created on, before, or after a date that you specify
  • Update time, which shows assets that were last updated on, before, or after a date that you specify
  • State
  • Folder
  • Parent asset type
  • Parent full resource name
  • Security marks

Viewing assets by project

By default, all assets in your selected scope are displayed on the Assets page in descending order by the time at which they were created.

If your selected scope is a project, only the assets in that project are displayed.

To view assets when your console view is scoped to a folder or your organization, do the following:

  1. Go to the Assets page:

    Go to Assets

  2. In the Project section of the Quick filters panel, select one or more projects. The results panel updates to display assets from only the selected projects.

Viewing by asset type

By default, all assets in your selected scope are displayed on the Assets page in descending order by their create time.

To view assets by their type, do the following:

  1. Go to the Assets page:

    Go to Assets

  2. Optional: At the top of the results panel, sort the assets by resource type by clicking the Resource type column heading in the results header. Assets are displayed grouped by their resource type.

  3. In the Resource type section of the Quick filters panel, select the resource type you need to view. The results panel updates to display only the selected resource types.

View the changes to an asset

You can compare snapshots of the metadata of an asset to see what has changed.

To see the changes to an asset over time:

  1. Go to the Assets page:

    Go to Assets

  2. Locate the asset that you need to review by scrolling or by applying the appropriate filters to the listed assets.

  3. In the list of assets in the results panel, click the name of the asset. The details panel for the asset opens.

  4. In the details panel for the asset, select the Change history tab.

  5. On the Change history tab, select both a Start time and an End time.

  6. In the Select a record to compare field on the left, click the down arrow to select a snapshot from the displayed list.

  7. In the Select a record to compare field on the right, click the down arrow to select a snapshot to compare with the first snapshot you selected. The changes between the two snapshots are highlighted.
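What the Change history tab highlights is the set of fields whose values differ between the two snapshots you picked inside the Start time / End time window. The following Python example, added here for illustration and not part of the original page or of Cloud Asset Inventory, does the same thing offline: it selects the snapshots that fall inside a window given as the console's MM/DD/YYYY dates, then walks two nested snapshots and reports every leaf that was added, removed or changed. The instance history, its field values and the helper names are constructed for the example; the window end is assumed to be inclusive of the whole day.

```python
from datetime import datetime, timedelta, timezone

# Constructed change history for one Compute Engine instance: three metadata
# snapshots in the shape Cloud Asset Inventory might record. Field names mirror
# the instance resource; the values are made up for illustration.
HISTORY = [
    {"time": "2024-02-01T09:00:00Z", "data": {
        "labels": {"env": "prod"},
        "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
        "serviceAccounts": [{"email": "web@demo-prod.iam.gserviceaccount.com",
                             "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
        "tags": {"items": ["http-server"]}}},
    {"time": "2024-03-01T12:00:00Z", "data": {
        "labels": {"env": "prod", "team": "web"},
        "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
        "serviceAccounts": [{"email": "web@demo-prod.iam.gserviceaccount.com",
                             "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
        "tags": {"items": ["http-server"]}}},
    {"time": "2024-03-09T16:30:00Z", "data": {
        "labels": {"env": "prod", "team": "web"},
        "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
        "serviceAccounts": [{"email": "web@demo-prod.iam.gserviceaccount.com",
                             "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}],
        "tags": {"items": ["http-server", "ssh-open"]}}},
]


def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp such as 2024-03-09T16:30:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_console_date(s):
    """Parse the MM/DD/YYYY date the console accepts; midnight UTC is assumed."""
    return datetime.strptime(s, "%m/%d/%Y").replace(tzinfo=timezone.utc)


def snapshots_in_window(history, start, end):
    """Return the snapshots recorded from start up to and including the whole
    day of end (both MM/DD/YYYY), oldest first."""
    lo = parse_console_date(start)
    hi = parse_console_date(end) + timedelta(days=1)  # assumption: end day is inclusive
    return sorted((s for s in history if lo <= parse_rfc3339(s["time"]) < hi),
                  key=lambda s: parse_rfc3339(s["time"]))


def diff_snapshots(before, after, path=""):
    """Return (path, old, new) for every leaf that differs between two nested
    dict/list snapshots; old or new is None where the key or index is absent."""
    changes = []
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            sub = f"{path}.{key}" if path else key
            if key not in before:
                changes.append((sub, None, after[key]))
            elif key not in after:
                changes.append((sub, before[key], None))
            else:
                changes.extend(diff_snapshots(before[key], after[key], sub))
    elif isinstance(before, list) and isinstance(after, list):
        for i in range(max(len(before), len(after))):
            sub = f"{path}[{i}]"
            if i >= len(before):
                changes.append((sub, None, after[i]))
            elif i >= len(after):
                changes.append((sub, before[i], None))
            else:
                changes.extend(diff_snapshots(before[i], after[i], sub))
    elif before != after:  # leaf values (or a type change) that differ
        changes.append((path, before, after))
    return changes


def compare_window(history, start, end):
    """Diff the earliest and latest snapshot inside the window, which is what
    picking the first and last record on the Change history tab shows."""
    window = snapshots_in_window(history, start, end)
    if len(window) < 2:
        return []  # nothing to compare
    return diff_snapshots(window[0]["data"], window[-1]["data"])


if __name__ == "__main__":
    for path, old, new in compare_window(HISTORY, "02/15/2024", "03/31/2024"):
        print(f"{path}: {old!r} -> {new!r}")
```

In the constructed history the diff between the two March snapshots surfaces exactly the three changes a reviewer would care about: OS Login turned off, the service account scope widened to cloud-platform, and a new network tag added.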

View assets by Created or Last updated timestamp

You can filter or sort the assets in the results panel of the Assets page, by their Created and Last updated timestamps.

To apply a filter based on the Created timestamp, Last updated timestamp, or both, complete the following steps:

  1. Go to the Assets page:

    Go to Assets

  2. At the top of the results panel on the Assets page, place your cursor in the Filter field. A popup menu of filters opens.

  3. Scroll down to Create time or Update time section and select one of the time-based filter options. For example, Update time after. A filter is added to the Filter field. You just need to add the date.

  4. In the filter field, complete the filter specification by typing a date in the format MM/DD/YYYY and pressing Enter on your keyboard.

    The assets in the results panel are updated to show only the assets that match your filter.
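The Quick filters panel (resource type, project, location), the Filter field options (labels, network tags, create and update time) and the procedure above all narrow the same asset list. The following Python example, added here for illustration and not part of the original page or of Cloud Asset Inventory, applies those filters offline to a small constructed inventory and returns the result in the Assets page's default order (create time, newest first). The asset records, project IDs and the simplified flat field layout are assumptions; "after" is taken to mean later than midnight UTC of the given MM/DD/YYYY date and "before" earlier than it.

```python
from datetime import datetime, timezone

# Constructed sample assets for illustration only. The shape is a flattened
# version of what Cloud Asset Inventory returns; the records are made up.
SAMPLE_ASSETS = [
    {"name": "//compute.googleapis.com/projects/demo-prod/zones/us-central1-a/instances/web-1",
     "displayName": "web-1", "project": "demo-prod",
     "assetType": "compute.googleapis.com/Instance", "location": "us-central1-a",
     "labels": {"env": "prod", "team": "web"}, "networkTags": ["http-server"],
     "createTime": "2023-11-02T10:00:00Z", "updateTime": "2024-03-08T09:30:00Z"},
    {"name": "//compute.googleapis.com/projects/demo-prod/zones/us-central1-b/instances/web-2",
     "displayName": "web-2", "project": "demo-prod",
     "assetType": "compute.googleapis.com/Instance", "location": "us-central1-b",
     "labels": {"env": "prod"}, "networkTags": ["http-server", "https-server"],
     "createTime": "2024-01-15T14:20:00Z", "updateTime": "2024-01-15T14:20:00Z"},
    {"name": "//storage.googleapis.com/projects/_/buckets/demo-prod-logs",
     "displayName": "demo-prod-logs", "project": "demo-prod",
     "assetType": "storage.googleapis.com/Bucket", "location": "US",
     "labels": {"env": "prod"}, "networkTags": [],
     "createTime": "2022-06-01T00:00:00Z", "updateTime": "2024-02-20T11:05:00Z"},
    {"name": "//iam.googleapis.com/projects/demo-dev/serviceAccounts/ci@demo-dev.iam.gserviceaccount.com",
     "displayName": "ci@demo-dev.iam.gserviceaccount.com", "project": "demo-dev",
     "assetType": "iam.googleapis.com/ServiceAccount", "location": "global",
     "labels": {}, "networkTags": [],
     "createTime": "2024-03-05T08:00:00Z", "updateTime": "2024-03-05T08:00:00Z"},
]


def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp such as 2024-03-08T09:30:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_console_date(s):
    """Parse the MM/DD/YYYY date the Filter field accepts; midnight UTC is assumed."""
    return datetime.strptime(s, "%m/%d/%Y").replace(tzinfo=timezone.utc)


def filter_assets(assets, asset_types=None, projects=None, locations=None,
                  labels=None, network_tag=None,
                  created_after=None, created_before=None,
                  updated_after=None, updated_before=None):
    """Apply Quick filters (type, project, location) and Filter field options
    (labels, network tag, create/update time) to a list of assets.

    Date arguments are MM/DD/YYYY strings. "after" keeps assets whose
    timestamp is later than midnight UTC of that day, "before" earlier.
    Results are sorted by createTime descending, the Assets page default.
    """
    def keep(a):
        if asset_types and a["assetType"] not in asset_types:
            return False
        if projects and a["project"] not in projects:
            return False
        if locations and a["location"] not in locations:
            return False
        if labels and any(a["labels"].get(k) != v for k, v in labels.items()):
            return False
        if network_tag and network_tag not in a["networkTags"]:
            return False
        created, updated = parse_rfc3339(a["createTime"]), parse_rfc3339(a["updateTime"])
        if created_after and created <= parse_console_date(created_after):
            return False
        if created_before and created >= parse_console_date(created_before):
            return False
        if updated_after and updated <= parse_console_date(updated_after):
            return False
        if updated_before and updated >= parse_console_date(updated_before):
            return False
        return True

    return sorted((a for a in assets if keep(a)),
                  key=lambda a: parse_rfc3339(a["createTime"]), reverse=True)


def display_names(assets):
    """The Display name column for a filtered result set."""
    return [a["displayName"] for a in assets]


if __name__ == "__main__":
    # Equivalent of choosing "Update time after" and typing 03/01/2024.
    print(display_names(filter_assets(SAMPLE_ASSETS, updated_after="03/01/2024")))
```

Combining filters is an AND, as in the console: an instance filter plus a label filter returns only instances carrying that label, and a project filter plus a network tag returns only tagged resources in that project.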

Configuring the Assets page

You can control some of the elements that appear on the Assets page.

Columns

By default, the results panel on the Assets page includes the following columns:

  • Display name: the display name of the asset
  • Project ID: the project that contains the asset
  • Resource type: the resource type of the asset
  • Location: the region the asset is located in or global
  • State: the state of the asset, such as READY, SUCCESSFUL, or SERVING
  • Created: the time at which the asset was created
  • Last updated: the time at which the asset was last updated
  • Security marks: the security marks that are applied to the asset from Security Command Center, if any
  • Labels: the labels applied to the asset, if any
  • KMS keys: the KMS keys associated with the asset, if any
  • Network tags: the network tags applied to the asset, if any

You can hide any column except for Display name. To hide a column, follow these steps:

  1. Go to the Assets page:

    Go to Assets

  2. At the top of the results panel on the right side, click the Column display options icon.

  3. In the menu that appears, you can display or hide a column by selecting or deselecting the checkbox next to the column name.

Panels

To control the screen space for the Assets page, you can change the following options:

  • Hide the Quick filters side panel by clicking the left arrow.
  • Resize the asset display columns by dragging the dividing line left or right.

Findings page

On the Findings page, you can query, review, mute, and mark Security Command Center findings, the records that Security Command Center services create when they detect a security issue in your environment.

For more information about how to work with findings on the Findings page, see Work with findings in the Google Cloud console.

Sources page

The Sources page contains cards that provide a summary of assets and findings from the security sources you have enabled. The card for each security source shows some of the findings from that source. You can click the finding category name to view all findings in that category.

Findings summary

The Findings Summary card displays a count of each category of finding that your enabled security sources provide.

  • To view details about the findings from a specific source, click the source name.
  • To view details about all findings, go to the Findings page, where you can group findings or view details about an individual finding.

Source summaries

Below the Findings Summary card, cards appear for any built-in, integrated, and third-party sources you enabled. Each card provides counts of active findings for that source.

Posture page

On the Posture page, you can view details about the security postures that you created in your organization and apply the postures to an organization, folder, or project. You can also view the available predefined posture templates.

What's next