Viewing vulnerabilities and threats in Security Command Center

This page provides information about the Google Cloud native security sources available in Security Command Center. When enabled, a security source provides vulnerability and threat data in the Security Command Center dashboard.

Security Command Center enables you to filter and view vulnerability and threat findings in many different ways, like filtering on a specific finding type, resource type, or for a specific asset. Each security source might provide more filters to help you organize your organization's findings.

For more information about how to use the Security Command Center dashboard, see using the assets display and using findings.


Vulnerability scanners can help you find potential weaknesses.

Security Health Analytics vulnerability types

Security Health Analytics managed vulnerability assessment scanning for Google Cloud can automatically detect common vulnerabilities and misconfigurations across:

  • Stackdriver Monitoring and Stackdriver Logging
  • Compute Engine
  • Google Kubernetes Engine containers and networks
  • Cloud Storage
  • Cloud SQL
  • Cloud Identity and Access Management (Cloud IAM)
  • Cloud Key Management Service (Cloud KMS)
  • Cloud DNS

To get started with Security Health Analytics, follow the guide to Enable Security Health Analytics. When Security Health Analytics is enabled, scans automatically run twice a day, 12-hours apart.

Security Health Analytics scans for many vulnerability types. You can group findings by scanner type. Use Security Health Analytics scanner names to filter findings by the resource type the finding is for.

To view a complete list of Security Health Analytics scanners and findings, see the Security Health Analytics findings page, or expand the following section.

Web Security Scanner

Web Security Scanner provides managed web vulnerability scanning for public App Engine, GKE, and Compute Engine serviced web applications. Web Security Scanner displays granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content. Web Security Scanner findings are available in Security Command Center if you've completed the Web Security Scanner quickstart.

Table A. Web Security Scanner finding types
Vulnerability Description
Mixed Content A page that was served over HTTPS also serves resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource or monitor users' actions.
Outdated Library

The version of an included library is known to contain a security issue. The scanner checks the version of library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.

Web Security Scanner identifies some vulnerable versions of the following popular libraries:

This list is updated periodically with new libraries and updated vulnerabilities as applicable.

Rosetta Flash This type of vulnerability occurs when the value of a request parameter is reflected at the beginning of the response. For example, the format of JSONP requests can allow this type of exploit. An attacker can supply an alphanumeric-only Flash file in the vulnerable parameter, and then the browser executes it as if the file originated on the vulnerable server.
XSS Callback A cross-site scripting (XSS) bug is found via JavaScript callback. For detailed explanations on XSS, see Cross-site scripting.
XSS Error A potential cross-site scripting (XSS) bug due to JavaScript breakage. In some circumstances, the application under test might modify the test string before the browser parses it. When the browser attempts to run this modified test string, it is likely to break and throw a JavaScript execution error, causing an injection issue. However, it might not be exploitable. To determine if the issue is an XSS vulnerability, you must manually verify that the test string modifications can be evaded. For detailed explanations on XSS, see Cross-site scripting.
XSS Angular Callback An application appears to be transmitting a password field in clear text. An attacker can eavesdrop network traffic and sniff the password field.
Clear Text Password An application returns sensitive content with an invalid content type, or without an X-Content-Type-Options: nosniff header.
Invalid Content Type A cross-site scripting (XSS) vulnerability in AngularJS module that occurs when Angular interpolates a user-provided string.
Invalid Header A malformed or invalid valued header.
Misspelled Security Header Name Misspelled security header name.
Mismatching Security Header Values Mismatching values in a duplicate security header.
Accessible GIT Repository The scan found an accessible git repository.
Accessible SVN Repository The scan found an accessible SVN repository.

To display Web Security Scanner results in Security Command Center, you need to run the security scan in the project that contains the public-facing candidate App Engine, Compute Engine, or GKE application. Any application vulnerabilities that are detected are automatically displayed in Security Command Center.

  • To explore details about a specific finding, click the finding under Finding.
  • To display details about all Web Security Scanner findings, click View all security findings.


Threat detectors can help you find potentially harmful events.

Anomaly Detection

Anomaly Detection is a built-in service that uses behavior signals from outside your system. It displays granular information about security anomalies detected for your projects and Virtual Machine (VM) instances, like potential leaked credentials, unusual activity, and coin mining. Anomaly Detection findings are automatically available in Security Command Center and are displayed when you enable it as a security source.

The following video shows you how to enable Anomaly Detection and then review and remediate a finding. Example finding types are also described in Table B later on this page.

Example Anomaly Detection findings include the following:

Table B. Anomaly Detection finding types
Potential for Compromise Description
Leaked Service Account Credentials Google Cloud service account credentials that are accidentally leaked online or compromised.
Potential Compromised Machine Potential compromise of a resource in your organization.
Abuse Scenarios Description
Resource used for cryptomining Behavioral signals around a VM in your organization indicate that it might have been compromised and could be getting used for cryptomining.
Resource used for outbound intrusion Intrusion attempts and Port scans: One of the resources or Google Cloud services in your organization is being used for intrusion activities, like an attempt to break in or compromise a target system. These include SSH brute force attacks, Port scans, and FTP brute force attacks.
Resource used for phishing One of the resources or Google Cloud services in your organization is being used for phishing.
Anomalies Description
Unusual Activity/Connection Unusual activity from a resource in your organization.

Cloud Data Loss Prevention

Cloud DLP Data Discovery enables you to surface the results of Cloud Data Loss Prevention (Cloud DLP) scans directly in the Security Command Center dashboard and Findings inventory. Cloud DLP can help you to better understand and manage sensitive data and Personally Identifiable Information (PII) like the following:

  • Credit card numbers
  • Names
  • Social security numbers
  • US and selected international identifying numbers
  • Phone numbers
  • Google Cloud credentials

Each Cloud DLP Data Discovery finding only includes the category type of the identified PII data and the resource it was found in. It doesn't include any of the specific underlying data.

The following video shows you how to set up Cloud DLP to send scan results to Security Command Center. The setup steps are also described in the guide to send DLP API results to Security Command Center.

After you complete the guide, Cloud DLP scan results will display in Security Command Center:

  • To display details about a specific category of findings, click the finding under Finding.
  • To display details about all Cloud DLP scanner findings, click More.

For more information:

Event Threat Detection

Event Threat Detection uses log data from inside your systems. It watches your organization's Stackdriver Logging stream for one or more projects, and consumes logs as they become available. When a threat is detected, Event Threat Detection writes a Finding to Security Command Center and to a Logging project. Event Threat Detection findings are available in Security Command Center after you set up Event Threat Detection.

The following video describes some of the threat types that Event Threat Detection detects, and how to review them in the Security Command Center dashboard. The threat types are also described in Table C later on this page.

Example Event Threat Detection findings include the following:

Table C. Event Threat Detection finding types
Monitoring & Logging Description
Brute force SSH Event Threat Detection detects brute force of SSH by examining SSH logs for repeated failures followed by success.
Cryptomining Event Threat Detection detects coin mining malware by examining VPC logs for connections to known bad domains for mining pools and other log data.
Cloud IAM abuse

Malicious grants - Event Threat Detection detects the addition of accounts from outside of your organization's domain that have the Owner or Editor permission at the organization or project level. The malicious grants finding helps you to identify:

  • Which accounts have which permissions
  • The resource the permission applies to
  • The user inside your organization that granted the permissions
Malware Event Threat Detection detects Malware by examining VPC logs for connections to known bad domains and other log data.
Phishing Event Threat Detection detects Phishing by examining VPC logs for connections and other log data.

Get started with Event Threat Detection.

Forseti Security

Forseti Security gives you tools to understand all the resources you have in Google Cloud. The core Forseti modules work together to provide complete information so you can secure resources and minimize security risks.

To display Forseti violation notifications in Security Command Center, follow the Forseti Security Command Center notification guide.

For more information:

Phishing Protection

Phishing Protection helps prevent users from accessing phishing sites by classifying malicious content that uses your brand and reporting the unsafe URLs to Google Safe Browsing. After a site is propagated to Safe Browsing, users will see warnings across more than three billion devices.

To get started with Phishing Protection, follow the guide to Enable Phishing Protection. After you enable Phishing Protection, results are displayed in Security Command Center in the Phishing Protection card under Findings.

What's next