Security Command Center release notes

The March 20, 2023 release of the Google Cloud SCC content pack for sending Security Command Center data to Cortex XSOAR is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new content pack, see Upgrade the Google Cloud SCC content pack.

The version 3.0 release of the Google SCC App for QRadar, which lets you send Security Command Center data to QRadar v7.4.1FP2+, is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new application, see Upgrade the Google SCC app.

The version 3.0 release of the Google SCC App for ELK, which lets you send Security Command Center data to Elastic Stack, is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new application, see Upgrade the Docker container.

The version 2.0 release of the Google SCC Add-on For Splunk and the Google SCC App For Splunk, which let you send Security Command Center data to Splunk, is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new applications, see Upgrade Google SCC App for Splunk and Google SCC Add-on for Splunk.

Virtual Machine Threat Detection, a built-in service of Security Command Center, launched the following detectors to Preview.

• Defense Evasion: Unexpected kernel code modification
• Defense Evasion: Unexpected kernel read-only data modification
• Defense Evasion: Unexpected ftrace handler
• Defense Evasion: Unexpected interrupt handler
• Defense Evasion: Unexpected kernel modules
• Defense Evasion: Unexpected kprobe handler
• Defense Evasion: Unexpected processes in runqueue
• Defense Evasion: Unexpected system call handler

These modules analyze runtime Linux kernel integrity to detect common evasion techniques used by malware.

The following attributes were added to the Finding object of the Security Command Center API.

• cloudDlpInspection
• cloudDlpDataProfile

The cloudDlpInspection attribute provides details about the results of a Cloud Data Loss Prevention (Cloud DLP) inspection job. The cloudDlpDataProfile attribute provides the name of a Cloud DLP data profile that is associated with a finding.

For more information, see the Security Command Center API documentation for the Finding object.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched the Initial Access: Excessive Permission Denied Actions rule to General Availability. This rule detects events where a principal repeatedly triggers permission denied errors across multiple methods and services.

For more information about Event Threat Detection findings, see Event Threat Detection rules.

The version 1.0 release of the Google SCC ITSM app and the Google SCC SIR app, which let you send data, such as findings, sources, assets, and audit logs, from Security Command Center to ServiceNow, is generally available. For information about downloading and installing the new applications, see Sending Security Command Center data to ServiceNow.

Project-level activation of Security Command Center

The Security Command Center project-level activation feature is generally available. The feature lets you enable Security Command Center for individual Google Cloud projects yourself in the Cloud console. Billing for project-level activations of Security Command Center is based on resource consumption in the project and uses a pay-as-you-go billing model.

For more information, see Overview of project-level activation.

The new and improved Findings page in the Cloud Console is now generally available and the default view for working with Security Command Center findings. With the redesigned Findings page, you can query, filter, and investigate Security Command Center findings faster and more efficiently. For more information, see Work with findings in the Security Command Center dashboard.

The userName attribute was added to the Finding object of the Security Command Center API.

The value of the userName attribute depends on the type of the finding and is likely not an IAM principal. For example, this can be a system username if the finding is related to a virtual machine, or it be an application login username.

For more information, see the Security Command Center API documentation for the Finding object.

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Dormant Service Account Action rule to Preview. This rule detects events where a dormant user-managed service account triggered an action. For more information, see Event Threat Detection rules.

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to Preview.

• Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
• Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
• Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
• Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
• Privilege Escalation: Anomalous Service Account Impersonator for Data Access

These rules detect the unusual impersonation or delegation of a service account, as recorded in either the Admin Activity or Data Access audit logs. For more information, see Event Threat Detection rules.

The Malicious URL Observed detector of Container Threat Detection, a built-in service of Security Command Center Premium, is now generally available.

The detector checks URLs observed in arguments passed by executables against known phishing and malware URLs to determine if they are malicious.

You can see the full details of the detector's findings only if you upgrade to the refreshed findings display in the Security Command Center dashboard.

For more information, see the following pages:

• Container Threat Detection overview
• Findings Workflow Improvements

Sensitive Actions Service, a built-in service of Security Command Center Premium, is now generally available.

Sensitive Actions Service detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they were to be taken by a malicious actor.

For more information, see Sensitive Actions Service overview.

The kernelRootkit attribute was added to the Finding object of the Security Command Center API.

The kernelRootkit attribute contains information about a kernel rootkit that triggered a finding, including the following:

• Name of the rootkit, if available.
• Whether unexpected modifications were made to the kernel's code, read-only data memory, or certain important kernel data structures.

For more information, see the Security Command Center API documentation for the Finding object.

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Database Superuser Writes to User Tables rule to General Availability. This rule detects events where a Cloud SQL superuser (postgres for PostgreSQL servers or root for MySQL users) writes to non-system tables. For more information, see Event Threat Detection rules.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched the Initial Access: Excessive Permission Denied Actions rule to Preview. This rule detects events where a principal repeatedly triggers permission denied errors across multiple methods and services.

For more information about Event Threat Detection findings, see Event Threat Detection rules.

The files attribute was added to the Finding object of the Security Command Center API.

The files attribute contains information about each file that triggered a finding, including the name of the file, the full path to the file, and the size of the file.

For more information, see the Security Command Center API documentation for the Finding object.

Security Command Center added the ability to export findings to a CSV file from the Google Cloud console. For more information, see Export findings to a CSV file.

Security Command Center released two new error detectors:

• KTD blocked by admission controller
• KTD image pull failure

These detectors report configuration errors that prevent the Container Threat Detection service from functioning properly.

Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to general availability (GA).

• Discovery: Can get sensitive Kubernetes object check
• Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
• Privilege Escalation: Create Kubernetes CSR for master cert
• Privilege Escalation: Creation of sensitive Kubernetes bindings
• Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
• Privilege Escalation: Launch of privileged Kubernetes container

These rules detect scenarios where a potentially malicious actor attempted to query or escalate privileges in Google Kubernetes Engine. For more information, see Event Threat Detection rules.

Rapid Vulnerability Detection, a built-in service of Security Command Center Premium, is now available in Preview.

Rapid Vulnerability Detection is a zero-configuration network and web application scanner that detects weak credentials, incomplete software installations, and other critical vulnerabilities that have a high likelihood of being exploited.

For more information, see Rapid Vulnerability Detection conceptual overview.

Error notifications in Security Command Center console

When Security Command Center detects configuration errors that prevent services from detecting threats or vulnerabilities, a pop-up notification appears in the Security Command Center console. The notification includes the number of configuration errors currently detected.

After you fix an error, the error notification is cleared after the next scan for that error type. For information about the scan interval for each error type, see Error detectors.

Sensitive Actions Service, a built-in service of Security Command Center Premium, is now available in Preview.

Sensitive Actions Service detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they were to be taken by a malicious actor.

For more information, see Sensitive Actions Service overview.

Container Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Malicious URL Observed, in Preview.

The detector checks URLs observed in arguments passed by executables against known phishing and malware URLs to determine if they are malicious.

Full details for this findings are available in the Security Command Center dashboard only if you upgrade to the refreshed findings display.

For more information, see:

• Container Threat Detection overview
• Findings Workflow Improvements

The parentDisplayName attribute was added to the Finding object of the Security Command Center API.

The parentDisplayName attribute provides the display name of the Security Command Center service or source that produced a finding.

For more information, see the Security Command Center API documentation for the Finding object.

Event Threat Detection, a built-in service of Security Command Center, launched the Exfiltration: Cloud SQL Over-Privileged Grant rule to General Availability. This rule detects events where a Cloud SQL for PostgreSQL user or role was granted all privileges to a database, or to all tables, procedures, or functions in a schema. For more information, see Event Threat Detection rules.

The following attributes were added to the Finding object of the Security Command Center API:

• Database provides information about access to a database that is related to a finding.
• serviceAccountKeyName, serviceAccountDelegationInfo, and principalSubject attributes were added to the existing access attribute. These new attributes provide additional context about the principals that are associated with a finding.
• uris, a new attribute within the indicator attribute, lists any malicious URIs that are associated with a finding.

For more information, see the Security Command Center API documentation for the Finding object.

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to Preview.

• Discovery: Can get sensitive Kubernetes object check
• Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
• Privilege Escalation: Create Kubernetes CSR for master cert
• Privilege Escalation: Creation of sensitive Kubernetes bindings
• Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
• Privilege Escalation: Launch of privileged Kubernetes container

These rules detect scenarios where a malicious actor attempted to query for or escalate privileges in Google Kubernetes Engine. For more information, see Event Threat Detection rules.

The container and kubernetes attributes were added to the Finding object.

The container attribute provides information about both Kubernetes and non-Kubernetes containers that are associated with a given finding. The kubernetes attribute provides information about Kubernetes resources that are associated with a given finding.

For more information, see the Security Command Center API documentation for the Finding object.

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, is generally available (GA). VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

The contacts and indicator.signatures attributes were added to the Finding object.

• The contacts attribute is a map containing the contacts for the given finding. The key represents the type of contact, and the value contains a list of all contacts of that type.
• The indicator.signatures[] attribute lists matched signatures that indicate that a given process is present in the environment.

For more information, see the API documentation for the Finding object.

The compliances, exfiltration, and processes attributes were added to the Finding object.

• The compliances attribute provides details about security standards that are unmet.
• The exfiltration attribute provides details about the sources and targets of an exfiltration attempt.
• The processes attribute provides details about operating system processes relevant to a finding.

For more information, see the API documentation for the Finding object.

Updates were made to the applications that let you send Security Command Center data to to the following SIEM and SOAR platforms:

• Cortex XSOAR—see Sending Security Command Center data to Cortex XSOAR.
• Elastic Stack—see Sending Security Command Center data to Elastic Stack and Sending Security Command Center data to Elastic Stack using Docker.
• IBM QRadar—see Sending Security Command Center data to IBM QRadar.

In addition, Security Command Center can automatically send findings, assets, audit logs, and security sources to Splunk. For more information, see Sending Security Command Center data to Splunk.

Security Command Center error detectors are generally available (GA). Error detectors report configuration errors that prevent Security Command Center and its services from functioning properly. Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

The connections[] and description attributes were added to the Finding object.

• The connections[] attribute contains information about the IP connection associated with the finding. It includes the destination IP address, the destination port, the source IP address, the source port, and the protocol.
• The description attribute provides an explanation of the finding.

For more information, see the API documentation for the Finding object.

The iamBindings[] and nextSteps attributes were added to the Finding object.

• The iamBindings[] attribute provides a list of IAM bindings associated with the finding.
• The nextSteps attribute provides recommended actions you can take to address the finding.

For more information, see the API documentation for the Finding object.

A revamp of the Findings workflow is in Preview. This Preview includes improvements in the filtering and querying experience. For a complete summary of improvements, see Summary: Findings Workflow Improvements. To opt in to this Preview, see Upgrade to the Findings Workflow Improvements.

To support a rich query experience on complex array elements, the contains() filter function was introduced. You can use this function in your finding queries to do the following:

• Exact element matching: Match array elements that contain the exact string, "example".
• Specific number operations: Match array elements that are greater than or equal to 100.
• Complex filtering against array structures: Match array elements that contain property x with a corresponding value y.

For more information, see Filtering on array-type fields.

You can now configure automatic exports of Security Command Center findings to a BigQuery dataset. For more information, see Export findings to BigQuery for analysis.

The vulnerability.cve.upstreamFixAvailable attribute was added to the Finding object. This is a boolean field that specifies whether a Common Vulnerabilities and Exposures (CVE) fix is available. For more information, see the API documentation for the Finding object.

Security Command Center can automatically send findings, assets, and security sources to the following SIEM and SOAR platforms:

• Cortex XSOAR—see Sending Security Command Center data to Cortex XSOAR.
• Elastic Stack—see Sending assets and findings to Elastic Stack and Exporting assets and findings with Docker and Elastic Stack.
• IBM QRadar—see Sending Security Command Center data to IBM QRadar.

MITRE ATT&CK framework details related to findings are now available as finding attributes for all Security Command Center services. The framework explains tactics and techniques for attacks against cloud resources, and provides remediation guidance. Although these attributes are available across all built-in and integrated services, only Container Threat Detection and Event Threat Detection are populating them at this time. For more information, see the API documentation for the Findings object.

Access-related details are now available as finding attributes for all Security Command Center services. These attributes relate to an access event associated with a finding. They contain details such as the caller's IP address, which service and method was called, and what region the access event occurred in. Although access-related attributes are available across all built-in and integrated services, they're only populated by Event Threat Detection at this time. For more information, see the API documentation for the Findings object.

Security Health Analytics, a built-in service of Security Command Center, released the OPEN_GROUP_IAM_MEMBER detector to General Availability.

Event Threat Detection, a built-in service of Security Command Center, launched the Exfiltration: BigQuery Data to Google Drive rule to Preview. This rule detects events where the protected organization's BigQuery data is saved, through extraction operations, to a Google Drive folder. For more information, see Event Threat Detection rules.

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, is in Preview. During the Preview, VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

For more information, see Virtual Machine Threat Detection conceptual overview.

Web Security Scanner, a built-in service of Security Command Center, released the CACHEABLE_PASSWORD_INPUT and SESSION_ID_LEAK finding types.

For more information, see Web Security Scanner findings.

Web Security Scanner, a built-in service of Security Command Center, provides detectors for the OWASP Top 10 2017 and OWASP Top 10 2021. For more information, see Detectors and Compliance.

Security Command Center supports CIS Google Cloud Computing Foundations Benchmark v1.2.0 (CIS Google Cloud Foundation 1.2.0).

The following detectors have been added:

• BIGQUERY_TABLE_CMEK_DISABLED
• CONFIDENTIAL_COMPUTING_DISABLED
• DNS_LOGGING_DISABLED
• SQL_EXTERNAL_SCRIPTS_ENABLED
• SQL_LOG_DURATION_DISABLED
• SQL_LOG_ERROR_VERBOSITY
• SQL_LOG_EXECUTOR_STATS_ENABLED
• SQL_LOG_HOSTNAME_ENABLED
• SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
• SQL_LOG_MIN_MESSAGES
• SQL_LOG_PARSER_STATS_ENABLED
• SQL_LOG_PLANNER_STATS_ENABLED
• SQL_LOG_STATEMENT
• SQL_LOG_STATEMENT_STATS_ENABLED
• SQL_REMOTE_ACCESS_ENABLED
• SQL_SKIP_SHOW_DATABASE_DISABLED
• SQL_TRACE_FLAG_3625
• SQL_USER_CONNECTIONS_CONFIGURED
• SQL_USER_OPTIONS_CONFIGURED

For more information, see Detectors and compliance.

Web Security Scanner, a built-in service of Security Command Center, released the SQL_INJECTION and STRUTS_INSECURE_DESERIALIZATION finding types.

For more information, see Web Security Scanner findings.

Web Security Scanner, a built-in service of Security Command Center, released the INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION, INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION, and XXE_REFLECTED_FILE_LEAKAGE finding types.

For more information, see Web Security Scanner findings.

Security Health Analytics, a built-in service of Security Command Center, launched the DATAPROC_IMAGE_OUTDATED detector to General Availability. This detector finds clusters created with Dataproc image versions that are affected by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). For more information, see Dataproc vulnerability findings.

Event Threat Detection, a built-in service of Security Command Center, launched the Active Scan: Log4j Vulnerable to RCE rule to General Availability. This rule detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners. For more information, see Event Threat Detection rules.

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Log4j Compromise Attempt rule to General Availability. This rule detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. For more information, see Event Threat Detection rules.

Event Threat Detection, a built-in service of Security Command Center, launched the Persistence: New API Method rule to Preview. This rule detects anomalous API behavior by examining Cloud Audit Logs for requests to Google Cloud services that a principal has not seen before. For more information, see Event Threat Detection rules.

Event Threat Detection, a built-in service of Security Command Center, launched the Evasion: Access from Anonymizing Proxy rule to General Availability. This rule detects Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses. For more information, see Event Threat Detection rules.

To facilitate the flow of information between Security Command Center and third-party systems, a resource called ExternalSystems was added under the Finding object. A finding can contain multiple ExternalSystems fields.

The ExternalSystems resource can contain any of the following:

• Third-party SIEM/SOAR fields within Security Command Center
• External system information
• External system finding fields

A caller with the Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor) IAM role can update an ExternalSystems object using the organizations.sources.findings.externalSystems.patch API.

Event Threat Detection, a built-in service of Security Command Center, released the Exfiltration: BigQuery Data Extraction rule. This rule is available in Preview. It detects events where an organization's BigQuery data is exported to an externally visible Cloud Storage bucket. For more information, see Event Threat Detection rules.

Security Command Center has launched Mute Findings in general availability.

Mute Findings is a powerful volume management feature that lets you create filters to automatically hide or suppress current and future findings based on criteria you specify. The feature can save you time from reviewing or responding to security findings for assets that are isolated, fall within acceptable business parameters, or aren't relevant to your organization based on your company's policies.

To learn more, see Mute findings in Security Command Center.

Web Security Scanner, a built-in service of Security Command Center, released the SERVER_SIDE_REQUEST_FORGERY finding type in general availability.

For more information, see Remediating Web Security Scanner findings.

The following detectors for unsafe Google Groups changes are generally available (GA):

• Credential Access: Privileged Group Opened To Public
• Credential Access: Sensitive Role Granted To Hybrid Group
• Credential Access: External Member Added To Privileged Group

For more information, see Unsafe Google Groups changes.

Event Threat Detection, a built-in service of Security Command Center Premium, launched an integration with Chronicle that lets you perform advanced analysis of threat findings.

The integration lets you seamlessly send findings to Chronicle, a Google Cloud service that you can use to investigate threats and pivot through related actions and events in a unified timeline. Chronicle enriches Event Threat Detection findings, helping you identify indicators of interest and simplify investigations.

To learn more about Chronicle, see Chronicle overview. For instructions on sending Event Threat Detection findings to Chronicle, see Investigate findings in Chronicle.

Security Health Analytics, a built-in service of Security Command Center, released new detectors in general availability.

The following detectors, available only in Security Command Center's Premium tier, detect vulnerabilities in your Google Kubernetes Engine clusters and expand the number of detectors that support the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0:

• ALPHA_CLUSTER_ENABLED: Alpha cluster features are enabled for a GKE cluster.
• BINARY_AUTHORIZATION_DISABLED: Binary Authorization is disabled on a GKE cluster.
• CLUSTER_SECRETS_ENCRYPTION_DISABLED: Application-layer secrets encryption is disabled on a GKE cluster.
• CLUSTER_SHIELDED_NODES_DISABLED: Shielded GKE nodes are not enabled for a cluster.
• INTEGRITY_MONITORING_DISABLED: Integrity monitoring is disabled for a GKE cluster.
• INTRANODE_VISIBILITY_DISABLED: Intranode visibility is disabled for a GKE cluster.
• NODEPOOL_SECURE_BOOT_DISABLED: Secure Boot is disabled for a GKE cluster.
• RELEASE_CHANNEL_DISABLED: A GKE cluster is not subscribed to a release channel.

For more information, see Container vulnerability findings. To learn how to remediate vulnerabilities, see Remediating Security Health Analytics findings

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors in public preview.

The following detectors monitor your Google Workspace and Cloud Audit logs and alert you when external members are added to privileged Google Groups—groups that are granted sensitive IAM roles and permissions:

• Credential Access: Privileged Group Joinability Risk: Detects when Google Groups are changed to be accessible to the general public
• Persistence: IAM Anomalous Group Grant: Detects when sensitive roles are granted to privileged Google Groups with external members
• Credential Access: External Member In Privileged Group: Detects when an external member is added to a privileged Google Group

The following detectors monitor your Admin Activity logs and alert you to suspicious changes in Compute Engine instances:

• Persistence: Compute Engine Admin Added SSH Key: Detects modification of the Compute Engine instance metadata ssh key value on established instances
• Persistence: Compute Engine Admin Added Startup Script: Detects modification of the Compute Engine instance metadata startup script value on established instances

The Persistence: IAM Anomalous Grant detector is enhanced and detects when sensitive roles are granted to users and service accounts.

For more information on Event Threat Detection findings, see Rules. To learn how Event Threat Detection monitors changes in Google Groups and defines sensitive roles, see Unsafe Google Group changes.

VM Manager vulnerability reports, which are in preview, are now available in Security Command Center Premium. The reports identify vulnerabilities in operating systems installed on Compute Engine virtual machines, including Common Vulnerabilities and Exposures (CVEs).

For more information on integrating VM Manager with Security Command Center, see VM Manager.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors to protect your Google Workspace domains in general availability. The detectors identify suspicious activities in member accounts and your Admin Console, including leaked passwords, attempted account breaches, settings changes, and possible government-backed attacks. For more information, see Event Threat Detection overview.

Container Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Malicious Script Executed, in general availability. The detector uses natural language processing to evaluate bash scripts and determine if they are malicious. For more information, see Container Threat Detection overview

Security Command Center findings now include two new attributes that provide additional information about the type of finding and the activity that triggered it. The attributes include the following:

• Indicator: displayed as indicator. This is an indicator of compromise (IoC), or artifact, observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
• Finding Class: displayed as findingClass. Indicates the type of finding. The following list includes finding classes and their descriptions:
  • Threat: unwanted or malicious activity
  • Vulnerability: a potential weakness in software that increases risk to the confidentiality, integrity, and availability of your resources
  • Misconfiguration: a potential weakness in a resource's configuration that increases risk
  • Observation: a security observation provided for informational purposes

To learn more about findings, see the Findings tab in Using the Security Command Center dashboard.

Security Health Analytics, a built-in service of Security Command Center, has launched a new detector, DATASET_CMEK_DISABLED, in general availability. The detector, available to Security Command Center Premium customers, detects BigQuery datasets that are not encrypted using customer-managed encryption keys (CMEK). For more information, see the DATASET_SCANNER table in Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched a public preview of new detectors to protect your Google Workspace domains. The detectors identify suspicious activities in member accounts and your Admin Console, including leaked passwords, attempted account breaches, settings changes, and possible government-backed attacks. For more information, see Event Threat Detection overview.

Security Command Center Premium has launched project- and folder-level roles in general availability. The feature lets you grant users Identity and Access Management (IAM) roles for specific folders and projects. You have more granular control over who can access what resources throughout your organization. For more information, see Access control.

You must be a Security Command Center Premium customer to use this feature. Security Command Center Standard continues to support granting roles only at the organization level. To subscribe to Security Command Center Premium, contact your sales representative or fill out our inquiry form.

Security Command Center Premium has launched Continuous Exports for Pub/Sub in general availability. The feature simplifies the process of creating a NotificationConfig and automates the export of new findings to Pub/Sub.

You must be a Security Command Center Premium customer to use the feature. Security Command Center Standard continues to support one-time exports. To subscribe to Security Command Center Premium, contact your sales representative or fill out our inquiry form.

Event Threat Detection, a built-in service of Security Command Center Premium, now includes two new detectors to monitor your organization's BigQuery resources. The detectors identify data exfiltration - resources saved outside of your organization or attempts to access protected data.

Read more about available detectors in Event Threat Detection conceptual overview.

The Security Command Center API now includes a severity field for Findings. This feature is available using Security Command Center's v1p1beta1 API.

Security Command Center Premium is now in general availability (Container Threat Detection remains in beta). Read these notes to learn about updates, usability improvements, and new features.

Improved Summary Dashboard

• A new set of interactive charts and tables provide a high-level overview of all threats and vulnerabilities.
• An updated time selector lets you choose preset and customizable time ranges for reviewing findings and creating reports.
• New page headers provide users with more page-specific context.

Learn more about Using the Security Command Center dashboard.

Onboarding and configuration upgrades

• A streamlined interface lets you manage organization-wide service enablement settings.
• A dedicated settings page for integrated services has been added to the configuration interface.

Learn more about Setting up Security Command Center.

Managed Web Security Scans are now available to all Security Command Center Premium users. Learn more about managed scans in our Overview of Web Security Scanner.

gcloud integration with new, simplified Beta APIs (Alpha)

• The gcloud command line interface can now access configuration functionality through new Beta APIs. The Beta APIs provide stable, programmatic interaction equivalent in functionality to the Security Command Center interface. Learn to use gcloud to manage Security Command Center settings.

Documentation

• New documentation includes details on onboarding and enablement in the Security Command Center latency overview and updates on billing tiers. For more information, read our Pricing guide and visit product pages.

Audit logs are now available in Security Command Center as part of Cloud Audit Logs. Learn more about Security Command Center audit logging.

Security Command Center Premium and Standard tiers are now available.

The Security Command Center Premium tier includes:

• Security Health Analytics
• Web Security Scanner managed scans
• Event Threat Detection
• Container Threat Detection

Learn more about the Security Command Center Premium tier.

Container Threat Detection currently supports the following Kubernetes Engine versions on the Regular and Rapid channels:

• >= 1.15.9-gke.12
• >= 1.16.5-gke.2
• >= 1.17

In a future update, Container Threat Detection will support version 1.14 and the Stable channel.

Security Health Analytics is now in general availability.

• Learn about the vulnerability findings provided by Security Health Analytics.
• Get started with Security Health Analytics.

The Notifications API is now in general availability. Get started with the notifications API.

The notifications API is now in beta:

• Send new findings and updated findings notifications to a Pub/Sub topic.
• Filter notifications by provider source, finding type, category or any other finding fields, properties or security marks.

Get started with the notifications API.

Security Health Analytics is now in beta and can now be enabled in the Sources Management page of Cloud SCC.

A new Vulnerabilities tab in Cloud SCC displays a dashboard that summarizes Security Health Analytics findings. This dashboard includes information about CIS benchmarks and recommended remediations.

API updated to v1.

Cloud SCC is now in general availability (GA). These release notes include updated items from beta and new items for GA.

ListFindings and GroupFindings now supports comparison between two points in time. For more information, see the compareDuration parameter.

Assets now include IAM information for organizations, projects, Compute Engine, Cloud Storage, and others where applicable. IAM Policy information can be searched, filtered, and joined with all other Asset information and Security Marks.

Native integration with Security Health Analytics for native managed vulnerability scanning.

Native integration with Event Threat Detection for log-based threat detection.

Native integrations with Phishing Protection.

The Cloud SCC dashboard now enables you to select whether just active state findings are displayed or both active and inactive.

The Cloud SCC dashboard now enables you to set active or inactive state for each finding.

The Cloud SCC dashboard now enables you to perform a time-diff query for a fixed set of time periods.

You can now export Cloud SCC data as filtered Asset or Findings data to the Cloud Storage bucket and project you select.

Hello World example app is expanded to include Cloud Functions functions for: removing bucket ACLs, deleting firewall rules, and creating a VM snapshot.

New example apps are available for:

• Integrations with Access Transparency Logs, Audit Logging, and Binary Authorization.
• Connecting to Splunk.

For more information, see Installing Cloud SCC tools.

Additional security partner integrations through [Marketplace](https://console.cloud.google.com/marketplace/details/google-cloud-platform/cloud-security-command-center.

API updated to v1beta.