Optimize Security Command Center


This topic provides recommendations for managing Security Command Center services and features to help you get the most out of the product.

Security Command Center is a powerful platform for monitoring data and security risks across your organization or individual projects. Security Command Center is designed to provide maximum protection with minimal configuration. But there are steps you can take to tailor the platform to your workflow and ensure your resources are protected.

Enable Security Command Center Premium tier

The Security Command Center Premium tier includes many more features than the Standard tier.

Security Command Center Standard includes Security Health Analytics, Anomaly Detection, and unmanaged scans in Web Security Scanner, which together detect common vulnerabilities and anomalies in your website or application projects. In the Standard tier, Security Health Analytics only includes a basic group of medium and high-severity detectors.

Security Command Center Premium includes Standard tier services and adds compliance reporting, managed Web Security Scanner scans, all Security Health Analytics detectors, and the following premium-only, built-in services:

You can activate the Premium tier for individual projects yourself in the Google Cloud console. Project-level activations of the Premium tier are billed based on resource consumption. For more information, see Pricing.

To activate the Premium tier for your entire organization, request a subscription by contacting your sales representative.

For more information about activating either tier of Security Command Center, see Overview of activating Security Command Center.

For more information about using Security Command Center to improve your security posture, see:

Enable all built-in services

We recommend enabling all built-in services, subject to the best practice recommendations of individual services.

If Security Command Center is already activated, you can confirm which services are enabled on the Settings page.

You can disable any service, but it's best to keep all services in your tier turned on all the time. Keeping all services enabled lets you take advantage of continuous updates and helps ensure that protections are provided for new and changed resources.

Before enabling Rapid Vulnerability Detection or Web Security Scanner in production, review their best practice information:

For example, during scans, Rapid Vulnerability Detection performs actions that can negatively impact your production resources, like accessing administrator interfaces and attempting to log into your VMs. As a best practice, use Rapid Vulnerability Detection to scan resources in non-production environments before you deploy them to production.

Also, consider enabling integrated services (Anomaly Detection, Cloud Data Loss Prevention, and Google Cloud Armor), exploring third-party security services, and turning on Cloud Logging for Event Threat Detection and Container Threat Detection. Depending on the quantity of information, Cloud DLP and Google Cloud Armor costs can be significant. Follow best practices for keeping Cloud DLP costs under control and read the Google Cloud Armor pricing guide.

To learn more about Security Command Center services, watch the following videos:

Enable logs for Event Threat Detection

If you use Event Threat Detection, you might need to turn on certain logs that Event Threat Detection scans. Although some logs are always on, such as Cloud Logging Admin Activity audit logs, other logs, such as most Data Access audit logs, are off by default and need to be enabled before Event Threat Detection can scan them.

Some of the logs that you should consider enabling include:

  • Cloud Logging Data Access audit logs
  • Google Workspace logs (organization-level activations only)

Which logs you need to enable depends on:

  • The Google Cloud services you are using
  • The security needs of your business

Logging might charge for the ingestion and storage of certain logs. Before enabling any logs, review Logging Pricing.

After a log is enabled, Event Threat Detection starts scanning it automatically.

For more detailed information about which detection modules require which logs and which of those logs you need to turn on, see Logs that you need to turn on.

Use the dashboard

The Security Command Center dashboard provides features and visual elements that are not yet available in the Security Command Center API. The features, including an intuitive interface, formatted charts, compliance reports, and visual hierarchies of resources, give you greater insight into your organization. To learn about dashboard features, see Using the Security Command Center dashboard.

Extend functionality with the API and gcloud

If you need programmatic access, try out the Security Command Center API, which lets you access and control your Security Command Center environment. You can use API Explorer, labeled "Try This API" in panels on API reference pages, to interactively explore the Security Command Center API without an API key. You can check out available methods and parameters, execute requests, and see responses in real time.

The Security Command Center API lets analysts and administrators manage your resources and findings. Engineers can use the API to build custom reporting and monitoring solutions. In one example, see how our solutions architects used the Security Command Center API to Report Policy Controller audit violations in Security Command Center.

Review and manage resources

Security Command Center ingests data about supported assets from Cloud Asset Inventory and lets you discover and view your Google Cloud resources in Google Cloud console. You can use the Assets page in the Security Command Center dashboard to review historical discovery scans and identify new, modified, or deleted assets. You can also look for underused resources, like virtual machines or idle IP addresses. Resources that are not maintained can increase your costs and widen your organization's attack surface.

To receive real-time notifications about resource and policy changes, create and subscribe to a feed.

For more advice on managing resources, see Manage your assets.

Rapidly respond to vulnerabilities and threats

Security Command Center provides extensive details on affected resources and step-by-step suggested instructions for investigating and remediating vulnerabilities and threats.

Vulnerability findings alert you to violations of security benchmarks. Supported compliance standards include CIS Google Cloud Computing Foundations Benchmark v1.0.0 through v1.2.0 (CIS Google Cloud Foundation 1.0 through 1.2), Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001).

Threat findings include data from the MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance, and VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.

The following guides are a starting point to help you fix issues and protect your resources.

Control finding volume

To control the volume of findings in Security Command Center, you can manually or programmatically mute individual findings, or create mute rules that automatically mute current and future findings based on filters you define.

Muted findings are hidden and silenced, but continue to be logged for audit and compliance purposes. You can view muted findings or unmute them at any time. To learn more, see Mute findings in Security Command Center.

Muting findings is the recommended, and most effective, approach for controlling finding volume. Alternatively, you can use security marks to add assets to allowlists.

Each Security Health Analytics detector has a dedicated mark type that enables you to exclude marked resources from the detection policy. This feature is helpful when you don't want findings created for specific resources or projects.

To learn more about security marks, see Using security marks.

Set up notifications

Notifications alert you to new and updated findings in near-real time and, with email and chat notifications, can do so even when you're not logged in to Security Command Center. Learn more in Setting up finding notifications.

Security Command Center Premium lets you create Continuous Exports, which simplify the process of exporting findings to Pub/Sub.

Explore Cloud Functions

Cloud Functions is a Google Cloud service that lets you connect cloud services and run code in response to events. You can use the Notifications API and Cloud Functions to send findings to third-party remediation and ticketing systems or take automated actions, like automatically closing findings.

To get started, visit Security Command Center's open source repository of Cloud Functions code. The repository contains solutions to help you take automated actions on security findings.
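The following is an added example that ties the two preceding sections together (finding notifications exported to Pub/Sub, and a Cloud Function acting on them). It is not code from the Security Command Center documentation or from the open source Cloud Functions repository mentioned above. It shows a Pub/Sub-triggered Cloud Function (1st gen entry-point signature) that decodes a finding notification, applies a local triage policy, and either forwards the finding to a ticketing hook or closes it through the `google-cloud-securitycenter` client library. The project numbers, categories, severity threshold, notification config name, finding name and the `open_ticket` hook are constructed placeholders; the `close_finding` call requires the client library and credentials and is deliberately kept out of the local sample run.

```python
# Added example: triage Security Command Center finding notifications in a Cloud Function.
# Not part of the SCC docs or the SCC Cloud Functions repository. All IDs are placeholders.
import base64
import json
from datetime import datetime, timezone

# Assumed triage policy: findings at or above TICKET_MIN_SEVERITY get a ticket;
# listed categories in listed sandbox projects are closed automatically.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
TICKET_MIN_SEVERITY = "HIGH"
AUTO_CLOSE = {
    # project number (placeholder) -> categories that are accepted in that sandbox
    "projects/000000000002": {"OPEN_SSH_PORT", "PUBLIC_IP_ADDRESS"},
}


def decode_notification(event):
    """Decode the base64 Pub/Sub payload of a 1st-gen Cloud Functions event into the
    notification dict ("notificationConfigName", "finding", "resource")."""
    raw = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(raw)


def triage(notification):
    """Return "ignore", "close" or "ticket" for a decoded notification."""
    finding = notification["finding"]
    resource = notification.get("resource", {})
    # Inactive or already muted findings need no action (they stay logged for audit).
    if finding.get("state") != "ACTIVE" or finding.get("mute") == "MUTED":
        return "ignore"
    project = resource.get("project", "")
    if finding.get("category") in AUTO_CLOSE.get(project, set()):
        return "close"
    rank = SEVERITY_RANK.get(finding.get("severity", ""), 0)
    if rank >= SEVERITY_RANK[TICKET_MIN_SEVERITY]:
        return "ticket"
    return "ignore"


def close_finding(finding_name):
    """Set a finding to INACTIVE with the Security Command Center client library.
    Imported inside the function so the module loads without the library installed."""
    from google.cloud import securitycenter
    from google.cloud.securitycenter_v1 import Finding

    client = securitycenter.SecurityCenterClient()
    return client.set_finding_state(
        request={
            "name": finding_name,
            "state": Finding.State.INACTIVE,
            "start_time": datetime.now(timezone.utc),
        }
    )


def open_ticket(finding):
    """Hypothetical hook: hand the finding to a ticketing or remediation system."""
    print(f"TICKET {finding['severity']} {finding['category']} {finding.get('resourceName', '')}")


def handler(event, context):
    """Cloud Functions (1st gen) Pub/Sub entry point; returns the action taken."""
    notification = decode_notification(event)
    action = triage(notification)
    if action == "close":
        close_finding(notification["finding"]["name"])
    elif action == "ticket":
        open_ticket(notification["finding"])
    return action


# Constructed sample notification for local testing; not a real finding.
SAMPLE_EVENT = {
    "data": base64.b64encode(json.dumps({
        "notificationConfigName": "organizations/000000000000/notificationConfigs/example",
        "finding": {
            "name": "organizations/000000000000/sources/1111/findings/abcdef",
            "category": "OPEN_FIREWALL",
            "severity": "HIGH",
            "state": "ACTIVE",
            "mute": "UNDEFINED",
            "resourceName": "//compute.googleapis.com/projects/prod-placeholder/global/firewalls/fw-1",
        },
        "resource": {"project": "projects/000000000001"},
    }).encode()).decode()
}

if __name__ == "__main__":
    # Local dry run against the constructed sample: decodes and triages only.
    print(triage(decode_notification(SAMPLE_EVENT)))
```

Deploy the function with a Pub/Sub trigger on the topic your notification config or Continuous Export publishes to. Keep the auto-close allowlist narrow and project-scoped: closing a finding removes it from the active view, so anything outside a sandbox you control should go to a ticket instead.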

Keep communications on

Security Command Center is regularly updated with new detectors and features. Release notes inform you about product changes and updates to documentation. You can also set your communication preferences in the Google Cloud console to receive product updates and special promotions by email or mobile. You can also let us know whether you're interested in participating in user surveys and pilot programs.

If you have comments or questions, you can give feedback by talking with your salesperson, contacting our Cloud Support staff, or filing a bug.

What's next