Viewing vulnerabilities and threats in Cloud Security Command Center

This page provides a list of reference guides for viewing and filtering vulnerability and threat data (more simply, security source data) using Cloud Security Command Center (Cloud SCC).

Vulnerabilities

You can filter and view vulnerability findings in many different ways, like filtering on a specific finding type, resource type, or for a specific asset. Each finding provider might also provide additional filters to help you organize your organization's findings.

Viewing findings by asset

Findings for an asset are created in Cloud SCC after the asset is scanned. It can take up to 24 hours after an asset has changed before updated security findings are displayed in the dashboard.

You can also view findings for a specific asset by viewing the Findings tab in asset details:

  1. Go to the Cloud SCC Assets page in the GCP Console.

  2. Under resource_properties.name, click the asset you want to view.
  3. On the asset page that appears, click the Findings tab.

Information about the specific finding categories for that asset is displayed.

Security Health Analytics vulnerability types

Security Health Analytics, the managed vulnerability assessment scanner for Google Cloud Platform (GCP), can automatically detect common vulnerabilities and misconfigurations across:

  • Stackdriver Monitoring and Stackdriver Logging
  • Compute Engine
  • Google Kubernetes Engine containers and networks
  • Cloud Storage
  • Cloud SQL
  • Cloud Identity and Access Management (Cloud IAM)
  • Cloud Key Management Service (Cloud KMS)
  • Cloud DNS

To get started with Security Health Analytics, follow the guide to Enable Security Health Analytics. When Security Health Analytics is enabled, scans automatically run twice a day, 12 hours apart.

Security Health Analytics scans for a large number of vulnerability types. To see the complete list, review the list of supported Security Health Analytics findings.

Cloud Security Scanner

Cloud Security Scanner provides managed web vulnerability scanning for public web applications served from App Engine, GKE, and Compute Engine. Cloud Security Scanner displays granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content. Cloud Security Scanner findings are available in Cloud SCC if you've completed the Cloud Security Scanner quickstart.

Vulnerability: Description
Mixed Content: A page that was served over HTTPS also loads resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource, or monitor users' actions.
Outdated Library: The version of an included library is known to contain a security issue. The scanner checks the version of the library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.
Rosetta Flash: This type of vulnerability occurs when the value of a request parameter is reflected at the beginning of the response. For example, the format of JSONP requests can allow this type of exploit. An attacker can supply an alphanumeric-only Flash file in the vulnerable parameter, and the browser then executes it as if the file originated on the vulnerable server.
XSS Callback: A cross-site scripting (XSS) bug is found via a JavaScript callback. For detailed explanations of XSS, see Cross-site scripting.
XSS Error: A potential cross-site scripting (XSS) bug due to JavaScript breakage. In some circumstances, the application under test might modify the test string before the browser parses it. When the browser attempts to run this modified test string, it will likely break and throw a JavaScript execution error, indicating an injection issue. However, it may not be exploitable. To determine whether the issue is an XSS vulnerability, you must manually verify that the test string modifications can be evaded. For detailed explanations of XSS, see Cross-site scripting.
XSS Angular Callback: A cross-site scripting (XSS) vulnerability in an AngularJS module that occurs when Angular interpolates a user-provided string.
Clear Text Password: An application appears to be transmitting a password field in clear text. An attacker who can eavesdrop on network traffic can sniff the password field.
Invalid Content Type: An application returns sensitive content with an invalid content type, or without an X-Content-Type-Options: nosniff header.
Invalid Header: A header with a malformed or invalid value.
Misspelled Security Header Name: A security header name is misspelled.
Mismatching Security Header Values: Mismatching values in a duplicate security header.
Accessible GIT Repository: An accessible git repository was found by the scan.
Accessible SVN Repository: An accessible SVN repository was found by the scan.
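As an added illustration of the header-related findings in the table above (Invalid Content Type, Misspelled Security Header Name, Mismatching Security Header Values), the following Python checker, written for this page and not Cloud Security Scanner's own code, applies equivalent checks to a constructed set of response headers; the list of known security header names, the similarity cutoff, and the sample headers are assumptions.

```python
"""Response-header checks in the spirit of the Cloud Security Scanner findings.
Constructed example; it is not Google's scanner implementation."""
import difflib
from collections import defaultdict

# Security header names the checker knows (lower-cased). Assumed list.
SECURITY_HEADERS = {
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
}


def check_headers(headers):
    """headers: list of (name, value) pairs as received; duplicates allowed.
    Returns a sorted list of (finding_name, detail) tuples."""
    findings = []
    seen = defaultdict(set)           # lower-cased name -> set of values
    for name, value in headers:
        key = name.strip().lower()
        seen[key].add(value.strip())
        if key not in SECURITY_HEADERS:
            # A near miss against a known security header is a likely typo.
            close = difflib.get_close_matches(key, SECURITY_HEADERS, n=1, cutoff=0.8)
            if close:
                findings.append(("Misspelled Security Header Name",
                                 f"{name} (did you mean {close[0]}?)"))
    for key, values in seen.items():
        if len(values) > 1:           # same header sent twice with different values
            findings.append(("Mismatching Security Header Values",
                             f"{key}: {sorted(values)}"))
    nosniff = {v.lower() for v in seen.get("x-content-type-options", set())}
    if "nosniff" not in nosniff:
        findings.append(("Invalid Content Type",
                         "missing X-Content-Type-Options: nosniff"))
    ctype = seen.get("content-type", set())
    if not ctype or "" in ctype:
        findings.append(("Invalid Content Type", "missing or empty Content-Type"))
    return sorted(findings)


# Constructed sample responses (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Option", "DENY"),                 # misspelled name
    ("X-XSS-Protection", "1; mode=block"),
    ("X-XSS-Protection", "0"),                  # duplicate, different value
]
CLEAN_HEADERS = [
    ("Content-Type", "application/json"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
]
```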

To display Cloud Security Scanner results in Cloud SCC, you need to run the security scan in the project that contains the public-facing candidate App Engine, Compute Engine, or GKE application. Any application vulnerabilities that are detected will be automatically displayed in Cloud SCC.

  • To explore details about a specific finding, click the finding under Finding.
  • To display details about all Cloud Security Scanner findings, click View all security findings.

Threats

Cloud Anomaly Detection

Cloud Anomaly Detection uses behavior signals from outside your system. It displays granular information about security anomalies detected for your projects and Virtual Machine (VM) instances, like potential leaked credentials, unusual activity, and coin mining. Cloud Anomaly Detection findings are automatically available in Cloud SCC and will be displayed when you enable it as a security source. Example detections include the following:

Potential for Compromise: Description
Leaked Service Account Credentials: GCP service account credentials that are accidentally leaked online or compromised.
Potential Compromised Machine: Potential compromise of a resource in your organization.

Abuse Scenarios: Description
Resource used for cryptomining: Behavioral signals around a VM in your organization indicate that it might have been compromised and could be getting used for cryptomining.
Resource used for outbound intrusion: Intrusion attempts and port scans. One of the resources or GCP services in your organization is being used for intrusion activities, like an attempt to break in or compromise a target system. These include SSH brute force attacks, port scans, and FTP brute force attacks.
Resource used for phishing: One of the resources or GCP services in your organization is being used for phishing.

Anomalies: Description
Possible Data Exfiltration: A sudden change in behavior, such as large data egress from a VM to a previously unseen IP address range.
Unusual Activity/Connection: Unusual activity from a resource in your organization.

Cloud Data Loss Prevention

Cloud DLP Data Discovery enables you to surface the results of Cloud Data Loss Prevention (Cloud DLP) scans directly in the Cloud SCC dashboard and Findings inventory. Each Cloud DLP Data Discovery finding only includes the category type of the identified PII data and the resource it was found in. It doesn't include any of the specific underlying data.

To display these findings, follow the guide to send DLP API results to Cloud SCC. After you complete the guide, Cloud DLP scan results will display in Cloud SCC:

  • To display details about a specific category of findings, click the finding under Finding.
  • To display details about all Cloud DLP scanner findings, click More.

Event Threat Detection

Event Threat Detection (ETD) uses log data from inside your systems. It watches your organization's Stackdriver Logging stream for one or more projects and consumes logs as they become available. When a threat is detected, ETD writes a finding to Cloud SCC and to a Logging project. ETD findings are available in Cloud SCC after you set up ETD.

Monitoring & Logging: Description
Brute force SSH: ETD detects brute forcing of SSH by examining SSH logs for repeated failures followed by a success.
Cryptomining: ETD detects coin mining malware by examining VPC logs for connections to known bad domains for mining pools, and other log data.
Cloud IAM abuse: Malicious grants. ETD detects the addition of accounts from outside your organization's domain that are given the Owner or Editor role at the organization or project level.
Malware: ETD detects malware by examining VPC logs for connections to known bad domains, and other log data.
Phishing: ETD detects phishing by examining VPC logs for connections, and other log data.
Outgoing DDoS, port-scanning: ETD detects DDoS attacks and port scans originating inside your organization by looking at the sizes, types, and numbers of VPC flow logs. Outgoing DDoS is a common use of compromised instances and projects by attackers; port scanning is a common indication of an attacker getting ready for lateral movement in a project.
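As an added illustration of the Brute force SSH heuristic described above (example code written for this page, not ETD's implementation), the following Python snippet applies the same "repeated failures followed by a success" rule to constructed sshd log lines; the log format, the failure threshold, and the sample addresses are assumptions.

```python
"""Flag SSH brute-force logins: a run of failures from one source followed by
a success. Constructed example; not Event Threat Detection's own logic."""
import re
from collections import defaultdict

# Matches the classic OpenSSH auth-log lines (assumed format).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def detect_ssh_brute_force(lines, threshold=5):
    """Return (source_ip, user, failures) for each source whose run of failed
    logins reached `threshold` and was then followed by an accepted login."""
    failures = defaultdict(int)   # source ip -> failures since last success
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue               # unrelated log line
        ip, result, user = m["ip"], m["result"], m["user"]
        if result == "Failed":
            failures[ip] += 1
        else:                      # Accepted
            if failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
            failures[ip] = 0       # a success ends the run for this source
    return hits


# Constructed sample log (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    f"Jan 10 12:00:0{i} vm1 sshd[12{i}]: Failed password for root "
    f"from 203.0.113.5 port 424{i} ssh2"
    for i in range(6)
] + [
    "Jan 10 12:00:07 vm1 sshd[1300]: Failed password for invalid user deploy from 198.51.100.9 port 5001 ssh2",
    "Jan 10 12:00:08 vm1 sshd[1301]: Failed password for deploy from 198.51.100.9 port 5002 ssh2",
    "Jan 10 12:00:09 vm1 sshd[1302]: Accepted password for root from 203.0.113.5 port 4250 ssh2",
    "Jan 10 12:00:10 vm1 sshd[1303]: Accepted password for deploy from 198.51.100.9 port 5003 ssh2",
    "Jan 10 12:00:11 vm1 sshd[1304]: Accepted publickey for alice from 192.0.2.1 port 6000 ssh2",
]

if __name__ == "__main__":
    for ip, user, n in detect_ssh_brute_force(SAMPLE_LOG):
        print(f"brute force SSH: {ip} succeeded as {user} after {n} failures")
```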

Get started with Event Threat Detection.

Forseti Security

Forseti Security gives you tools to understand all the resources you have in Google Cloud Platform (GCP). The core Forseti modules work together to provide complete information so you can secure resources and minimize security risks.

To display Forseti violation notifications in Cloud SCC, follow the Forseti Cloud SCC notification guide.

Phishing Protection

Phishing Protection helps prevent users from accessing phishing sites by classifying malicious content that uses your brand and reporting the unsafe URLs to Google Safe Browsing. After a site is propagated to Safe Browsing, users will see warnings across more than three billion devices.

To get started with Phishing Protection, follow the guide to Enable Phishing Protection. After you enable Phishing Protection, results are displayed in Cloud SCC in the Phishing Protection card under Findings.
