Security Command Center release notes

This page documents production updates to Security Command Center and the products and features available in the Security Command Center Premium and Standard tiers. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/scc-release-notes.xml

August 22, 2022

The following attributes were added to the Finding object of the Security Command Center API:

  • Database provides information about access to a database that is related to a finding.
  • serviceAccountKeyName, serviceAccountDelegationInfo, and principalSubject attributes were added to the existing access attribute. These new attributes provide additional context about the principals that are associated with a finding.
  • uris, a new attribute within the indicator attribute, lists any malicious URIs that are associated with a finding.

For more information, see the Security Command Center API documentation for the Finding object.

August 08, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to Preview.

  • Discovery: Can get sensitive Kubernetes object check
  • Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
  • Privilege Escalation: Create Kubernetes CSR for master cert
  • Privilege Escalation: Creation of sensitive Kubernetes bindings
  • Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
  • Privilege Escalation: Launch of privileged Kubernetes container

These rules detect scenarios where a malicious actor attempted to query for or escalate privileges in Google Kubernetes Engine. For more information, see Event Threat Detection rules.

July 21, 2022

The container and kubernetes attributes were added to the Finding object.

The container attribute provides information about both Kubernetes and non-Kubernetes containers that are associated with a given finding. The kubernetes attribute provides information about Kubernetes resources that are associated with a given finding.

For more information, see the Security Command Center API documentation for the Finding object.

July 18, 2022

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, is generally available (GA). VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

June 30, 2022

The contacts and indicator.signatures attributes were added to the Finding object.

  • The contacts attribute is a map containing the contacts for the given finding. The key represents the type of contact, and the value contains a list of all contacts of that type.
  • The indicator.signatures[] attribute lists matched signatures that indicate that a given process is present in the environment.

For more information, see the API documentation for the Finding object.

May 27, 2022

The compliances, exfiltration, and processes attributes were added to the Finding object.

  • The compliances attribute provides details about security standards that are unmet.
  • The exfiltration attribute provides details about the sources and targets of an exfiltration attempt.
  • The processes attribute provides details about operating system processes relevant to a finding.

For more information, see the API documentation for the Finding object.

May 16, 2022

Updates were made to the applications that let you send Security Command Center data to the following SIEM and SOAR platforms:

In addition, Security Command Center can automatically send findings, assets, audit logs, and security sources to Splunk. For more information, see Sending Security Command Center data to Splunk.

April 28, 2022

Security Command Center error detectors are generally available (GA). Error detectors report configuration errors that prevent Security Command Center and its services from functioning properly. Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

The connections[] and description attributes were added to the Finding object.

  • The connections[] attribute contains information about the IP connection associated with the finding. It includes the destination IP address, the destination port, the source IP address, the source port, and the protocol.
  • The description attribute provides an explanation of the finding.

For more information, see the API documentation for the Finding object.

April 07, 2022

The iamBindings[] and nextSteps attributes were added to the Finding object.

  • The iamBindings[] attribute provides a list of IAM bindings associated with the finding.
  • The nextSteps attribute provides recommended actions you can take to address the finding.

For more information, see the API documentation for the Finding object.

March 29, 2022

A revamp of the Findings workflow is in Preview. This Preview includes improvements in the filtering and querying experience. For a complete summary of improvements, see Summary: Findings Workflow Improvements. To opt in to this Preview, see Upgrade to the Findings Workflow Improvements.

March 07, 2022

To support a rich query experience on complex array elements, the contains() filter function was introduced. You can use this function in your finding queries to do the following:

  • Exact element matching: Match array elements that contain the exact string, "example".
  • Specific number operations: Match array elements that are greater than or equal to 100.
  • Complex filtering against array structures: Match array elements that contain property x with a corresponding value y.

For more information, see Filtering on array-type fields.

March 02, 2022

You can now configure automatic exports of Security Command Center findings to a BigQuery dataset. For more information, see Export findings to BigQuery for analysis.

The vulnerability.cve.upstreamFixAvailable attribute was added to the Finding object. This is a boolean field that specifies whether a Common Vulnerabilities and Exposures (CVE) fix is available. For more information, see the API documentation for the Finding object.

February 24, 2022

Security Command Center can automatically send findings, assets, and security sources to the following SIEM and SOAR platforms:

February 22, 2022

MITRE ATT&CK framework details related to findings are now available as finding attributes for all Security Command Center services. The framework explains tactics and techniques for attacks against cloud resources, and provides remediation guidance. Although these attributes are available across all built-in and integrated services, only Container Threat Detection and Event Threat Detection are populating them at this time. For more information, see the API documentation for the Finding object.

February 10, 2022

Access-related details are now available as finding attributes for all Security Command Center services. These attributes relate to an access event associated with a finding. They contain details such as the caller's IP address, which service and method was called, and what region the access event occurred in. Although access-related attributes are available across all built-in and integrated services, they're only populated by Event Threat Detection at this time. For more information, see the API documentation for the Finding object.

February 07, 2022

Previously, the following Event Threat Detection rules were made temporarily unavailable because they were generating extraneous findings:

  • Persistence: New API Method
  • Persistence: New Geography

The underlying issue has been resolved. These rules are now operational. For more information, see Event Threat Detection rules.

Security Health Analytics, a built-in service of Security Command Center, released the OPEN_GROUP_IAM_MEMBER detector to General Availability.

February 02, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the Exfiltration: BigQuery Data to Google Drive rule to Preview. This rule detects events where the protected organization's BigQuery data is saved, through extraction operations, to a Google Drive folder. For more information, see Event Threat Detection rules.

January 31, 2022

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, is in Preview. During the Preview, VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

For more information, see Virtual Machine Threat Detection conceptual overview.

Web Security Scanner, a built-in service of Security Command Center, released the CACHEABLE_PASSWORD_INPUT and SESSION_ID_LEAK finding types.

For more information, see Web Security Scanner findings.

Web Security Scanner, a built-in service of Security Command Center, provides detectors for the OWASP Top 10 2017 and OWASP Top 10 2021. For more information, see Detectors and Compliance.

January 26, 2022

Security Command Center supports CIS Google Cloud Computing Foundations Benchmark v1.2.0 (CIS Google Cloud Foundation 1.2.0).

The following detectors have been added:

  • BIGQUERY_TABLE_CMEK_DISABLED
  • CONFIDENTIAL_COMPUTING_DISABLED
  • DNS_LOGGING_DISABLED
  • SQL_EXTERNAL_SCRIPTS_ENABLED
  • SQL_LOG_DURATION_DISABLED
  • SQL_LOG_ERROR_VERBOSITY
  • SQL_LOG_EXECUTOR_STATS_ENABLED
  • SQL_LOG_HOSTNAME_ENABLED
  • SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
  • SQL_LOG_MIN_MESSAGES
  • SQL_LOG_PARSER_STATS_ENABLED
  • SQL_LOG_PLANNER_STATS_ENABLED
  • SQL_LOG_STATEMENT
  • SQL_LOG_STATEMENT_STATS_ENABLED
  • SQL_REMOTE_ACCESS_ENABLED
  • SQL_SKIP_SHOW_DATABASE_DISABLED
  • SQL_TRACE_FLAG_3625
  • SQL_USER_CONNECTIONS_CONFIGURED
  • SQL_USER_OPTIONS_CONFIGURED

For more information, see Detectors and compliance.

January 24, 2022

Web Security Scanner, a built-in service of Security Command Center, released the SQL_INJECTION and STRUTS_INSECURE_DESERIALIZATION finding types.

For more information, see Web Security Scanner findings.

January 10, 2022

Web Security Scanner, a built-in service of Security Command Center, released the INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION, INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION, and XXE_REFLECTED_FILE_LEAKAGE finding types.

For more information, see Web Security Scanner findings.

December 30, 2021

Security Health Analytics, a built-in service of Security Command Center, launched the DATAPROC_IMAGE_OUTDATED detector to General Availability. This detector finds clusters created with Dataproc image versions that are affected by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). For more information, see Dataproc vulnerability findings.

December 21, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Active Scan: Log4j Vulnerable to RCE rule to General Availability. This rule detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners. For more information, see Event Threat Detection rules.

December 16, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Log4j Compromise Attempt rule to General Availability. This rule detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. For more information, see Event Threat Detection rules.

December 13, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Persistence: New API Method rule to Preview. This rule detects anomalous API behavior by examining Cloud Audit Logs for requests to Google Cloud services that a principal has not seen before. For more information, see Event Threat Detection rules.

December 10, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Evasion: Access from Anonymizing Proxy rule to General Availability. This rule detects Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses. For more information, see Event Threat Detection rules.

December 07, 2021

To facilitate the flow of information between Security Command Center and third-party systems, a resource called ExternalSystems was added under the Finding object. A finding can contain multiple ExternalSystems fields.

The ExternalSystems resource can contain any of the following:

  • Third-party SIEM/SOAR fields within Security Command Center
  • External system information
  • External system finding fields

A caller with the Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor) IAM role can update an ExternalSystems object using the organizations.sources.findings.externalSystems.patch API.

Event Threat Detection, a built-in service of Security Command Center, released the Exfiltration: BigQuery Data Extraction rule. This rule is available in Preview. It detects events where an organization's BigQuery data is exported to an externally visible Cloud Storage bucket. For more information, see Event Threat Detection rules.

November 19, 2021

Security Command Center has launched Mute Findings in general availability.

Mute Findings is a powerful volume management feature that lets you create filters to automatically hide or suppress current and future findings based on criteria you specify. The feature can save you time from reviewing or responding to security findings for assets that are isolated, fall within acceptable business parameters, or aren't relevant to your organization based on your company's policies.

To learn more, see Mute findings in Security Command Center.

November 17, 2021

Web Security Scanner, a built-in service of Security Command Center, released the SERVER_SIDE_REQUEST_FORGERY finding type in general availability.

For more information, see Remediating Web Security Scanner findings.

October 26, 2021

An issue that resulted in Security Command Center incorrectly reporting findings for some monitoring vulnerability detectors has been fixed.

Due to changes made on September 20, 2020 in the logging source upon which FIREWALL_NOT_MONITORED, NETWORK_NOT_MONITORED, ROUTE_NOT_MONITORED, and SQL_INSTANCE_NOT_MONITORED findings in Security Health Analytics are predicated, the remediation instructions for those findings were inaccurate.

The issue is resolved. Findings are being generated accurately and you are being properly alerted of misconfigurations in your organization.

If you want to enable monitoring in order to remediate these findings, you will need to update the logs-based metrics for these findings. Updated filters are available in the findings themselves and product documentation:

If you have questions or need assistance, contact Google Cloud Support or Google Cloud Billing Support.

October 25, 2021

The following detectors for unsafe Google Groups changes are generally available (GA):

  • Credential Access: Privileged Group Opened To Public
  • Credential Access: Sensitive Role Granted To Hybrid Group
  • Credential Access: External Member Added To Privileged Group

For more information, see Unsafe Google Groups changes.

October 13, 2021

Event Threat Detection, a built-in service of Security Command Center Premium, launched an integration with Chronicle that lets you perform advanced analysis of threat findings.

The integration lets you seamlessly send findings to Chronicle, a Google Cloud service that you can use to investigate threats and pivot through related actions and events in a unified timeline. Chronicle enriches Event Threat Detection findings, helping you identify indicators of interest and simplify investigations.

To learn more about Chronicle, see Chronicle overview. For instructions on sending Event Threat Detection findings to Chronicle, see Investigate findings in Chronicle.

October 05, 2021

Security Health Analytics, a built-in service of Security Command Center, released new detectors in general availability.

The following detectors, available only in Security Command Center's Premium tier, detect vulnerabilities in your Google Kubernetes Engine clusters and expand the number of detectors that support the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0:

For more information, see Container vulnerability findings. To learn how to remediate vulnerabilities, see Remediating Security Health Analytics findings.

September 14, 2021

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors in public preview.

The following detectors monitor your Google Workspace and Cloud Audit logs and alert you when external members are added to privileged Google Groups—groups that are granted sensitive IAM roles and permissions:

  • Credential Access: Privileged Group Joinability Risk: Detects when Google Groups are changed to be accessible to the general public
  • Persistence: IAM Anomalous Group Grant: Detects when sensitive roles are granted to privileged Google Groups with external members
  • Credential Access: External Member In Privileged Group: Detects when an external member is added to a privileged Google Group

The following detectors monitor your Admin Activity logs and alert you to suspicious changes in Compute Engine instances:

  • Persistence: Compute Engine Admin Added SSH Key: Detects modification of the Compute Engine instance metadata ssh key value on established instances
  • Persistence: Compute Engine Admin Added Startup Script: Detects modification of the Compute Engine instance metadata startup script value on established instances

The Persistence: IAM Anomalous Grant detector has been enhanced and now detects when sensitive roles are granted to users and service accounts.

For more information on Event Threat Detection findings, see Rules. To learn how Event Threat Detection monitors changes in Google Groups and defines sensitive roles, see Unsafe Google Group changes.

September 07, 2021

VM Manager vulnerability reports, which are in preview, are now available in Security Command Center Premium. The reports identify vulnerabilities in operating systems installed on Compute Engine virtual machines, including Common Vulnerabilities and Exposures (CVEs).

For more information on integrating VM Manager with Security Command Center, see VM Manager.

August 11, 2021

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors to protect your Google Workspace domains in general availability. The detectors identify suspicious activities in member accounts and your Admin Console, including leaked passwords, attempted account breaches, settings changes, and possible government-backed attacks. For more information, see Event Threat Detection overview.

Container Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Malicious Script Executed, in general availability. The detector uses natural language processing to evaluate bash scripts and determine if they are malicious. For more information, see Container Threat Detection overview.

Security Command Center findings now include two new attributes that provide additional information about the type of finding and the activity that triggered it. The attributes include the following:

  • Indicator: displayed as indicator. This is an indicator of compromise (IoC), or artifact, observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
  • Finding Class: displayed as findingClass. Indicates the type of finding. The following list includes finding classes and their descriptions:
    • Threat: unwanted or malicious activity
    • Vulnerability: a potential weakness in software that increases risk to the confidentiality, integrity, and availability of your resources
    • Misconfiguration: a potential weakness in a resource's configuration that increases risk
    • Observation: a security observation provided for informational purposes

To learn more about findings, see the Findings tab in Using the Security Command Center dashboard.

Documentation

  • Security Command Center documentation now includes a page that maps resource type formats between Cloud Asset Inventory and Security Command Center. The services use different naming conventions for resource types. For more information, see Resource type formats in Security Command Center.

July 19, 2021

Security Health Analytics, a built-in service of Security Command Center, has launched a new detector, DATASET_CMEK_DISABLED, in general availability. The detector, available to Security Command Center Premium customers, detects BigQuery datasets that are not encrypted using customer-managed encryption keys (CMEK). For more information, see the DATASET_SCANNER table in Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched a public preview of new detectors to protect your Google Workspace domains. The detectors identify suspicious activities in member accounts and your Admin Console, including leaked passwords, attempted account breaches, settings changes, and possible government-backed attacks. For more information, see Event Threat Detection overview.

June 07, 2021

Security Command Center Legacy, previously known as Cloud Security Command Center, and Event Threat Detection Legacy have been permanently disabled.

To continue benefiting from Security Command Center, you must migrate your organizations to Security Command Center's free Standard tier or Premium tier. Event Threat Detection, a built-in service of Security Command Center, is available only in the Premium tier.

For information on upgrading to Security Command Center Standard or Premium, see Migrate from legacy Security Command Center products. To inquire about flexible pricing options for the Premium tier, complete our Premium inquiry form. You should receive a response within two US business days.

May 24, 2021

Security Command Center Premium has launched project- and folder-level roles in general availability. The feature lets you grant users Identity and Access Management (IAM) roles for specific folders and projects. You have more granular control over who can access what resources throughout your organization. For more information, see Access control.

You must be a Security Command Center Premium customer to use this feature. Security Command Center Standard continues to support granting roles only at the organization level. To subscribe to Security Command Center Premium, contact your sales representative or fill out our inquiry form.

Security Command Center now supports two versions of CIS Benchmarks for Google Cloud Platform Foundation:

  • CIS Google Cloud Computing Foundations Benchmark v1.1.0 (CIS Google Cloud Foundation 1.1)
  • CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0)

For more information about supported compliance standards, see Detectors and compliance.

Security Health Analytics, a built-in service of Security Command Center, has expanded the number of detectors in the Standard tier. The Standard tier, which is free of charge, now includes the following detectors:

  • LEGACY_AUTHORIZATION_ENABLED: Legacy Authorization is enabled on Google Kubernetes Engine (GKE) clusters.
  • OPEN_CISCOSECURE_WEBSM_PORT: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.
  • OPEN_DIRECTORY_SERVICES_PORT: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.
  • OPEN_TELNET_PORT: A firewall is configured to have an open TELNET port that allows generic access.
  • PUBLIC_COMPUTE_IMAGE: A Compute Engine image is publicly accessible.

For a complete list of detectors in the Standard tier, see Pricing. For detailed information about all Security Health Analytics detectors, see Vulnerabilities findings.

May 05, 2021

Security Command Center Premium has launched Continuous Exports for Pub/Sub in general availability. The feature simplifies the process of creating a NotificationConfig and automates the export of new findings to Pub/Sub.

You must be a Security Command Center Premium customer to use the feature. Security Command Center Standard continues to support one-time exports. To subscribe to Security Command Center Premium, contact your sales representative or fill out our inquiry form.

Security Health Analytics, a built-in service of Security Command Center, has launched a new detector, PUBSUB_CMEK_DISABLED, in general availability. The detector, available to Security Command Center Premium customers, identifies Pub/Sub topics that are not encrypted with customer-managed encryption keys (CMEK). For more information, see the PUBSUB_SCANNER table in Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center, has launched a new detector in general availability. Discovery: Service Account Self-Investigation detects when a service account credential is used to investigate the roles associated with that same service account. For more information on detectors, see Event Threat Detection conceptual overview.

Documentation

April 07, 2021

Security Command Center Legacy, previously known as Cloud Security Command Center, and Event Threat Detection Legacy are being permanently disabled for all customers on June 7, 2021.

If you onboarded to Security Command Center before May 2020, or Event Threat Detection before June 2020, and never upgraded to Security Command Center's Standard tier or Premium tier, you are using a legacy product.

To continue benefiting from Security Command Center and Event Threat Detection without an interruption in service, customers using legacy products must migrate their organizations to Security Command Center Standard or Premium. Event Threat Detection, a built-in service of Security Command Center, is available only in the Premium tier.

For details on upgrading legacy products, see Migrate from legacy Security Command Center products.

March 08, 2021

Security Health Analytics, a built-in service of Security Command Center, launched new detectors in general availability:

Detects resources that are not using customer-managed encryption keys (CMEK)

  • BUCKET_CMEK_DISABLED
  • DISK_CMEK_DISABLED
  • NODEPOOL_BOOT_CMEK_DISABLED
  • SQL_CMEK_DISABLED

Detects vulnerabilities in Compute Engine instances

  • DEFAULT_SERVICE_ACCOUNT_USED
  • SHIELDED_VM_DISABLED

Detects publicly accessible Cloud KMS keys

  • KMS_PUBLIC_KEY

Detects out-of-region Compute Engine resources

  • ORG_POLICY_LOCATION_RESTRICTION

Detects misconfiguration of SQL instances

  • SQL_CROSS_DB_OWNERSHIP_CHAINING
  • SQL_CONTAINED_DATABASE_AUTHENTICATION
  • SQL_LOCAL_INFILE
  • SQL_LOG_CHECKPOINTS_DISABLED
  • SQL_LOG_CONNECTIONS_DISABLED
  • SQL_LOG_DISCONNECTIONS_DISABLED
  • SQL_LOG_LOCK_WAITS_DISABLED
  • SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
  • SQL_LOG_MIN_ERROR_STATEMENT
  • SQL_LOG_TEMP_FILES

For more information on these and other Security Health Analytics detectors, see Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center, launched a preview for a new detector.

Service account self-investigation detects when a service account is used to investigate roles associated with that same service account. For more information on Event Threat Detection detectors, see Event Threat Detection conceptual overview.

Documentation

  • Security Health Analytics documentation now includes more detailed information about detectors, including supported assets and scan configurations. For more information, see Vulnerabilities findings.

  • The Security Health Analytics remediation page now includes suggested instructions to resolve all Security Health Analytics findings. For more information, see Remediating Security Health Analytics findings.

  • Event Threat Detection documentation now includes additional details on cloud logs used by the service. For more information, see Event Threat Detection conceptual overview.

February 05, 2021

Security Command Center's v1 API now includes a Severity field for Findings.

The Severity field indicates the severity of a finding, as determined by the finding provider, and is included with all findings. The field is managed by finding providers and you are cautioned to not modify its values.

Uses for the field include listing findings of a certain severity level or grouping findings by severity level.

Read Using the Security Command Center dashboard to learn more about findings and finding severity.
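The severity field described here, together with the Finding object attributes introduced in the notes above (access, indicator.uris, connections[], mitreAttack, findingClass, nextSteps and mute), is what a downstream consumer of a Pub/Sub continuous export actually has to read. The following is an added example, not Google's code or part of these release notes: it parses one constructed notification body, flattens the attributes an analyst looks at first, filters out muted or inactive findings, and groups findings by severity. The field names are those of the Finding object; the finding values, IP addresses and project names are constructed for illustration.

```python
"""Triage helper for Security Command Center finding notifications.

Added example, not Google's code: it parses the JSON body that a Pub/Sub
continuous export delivers for one finding and pulls out the attributes
the release notes describe. The sample message is constructed; only the
field names (camelCase, as in the Finding object's JSON form) are real.
"""
import json
from collections import defaultdict

# Constructed sample notification body: one "finding" plus its "resource".
# IPs are documentation ranges and all names are placeholders.
SAMPLE_MESSAGE = json.dumps({
    "notificationConfigName": "organizations/123/notificationConfigs/example",
    "finding": {
        "name": "organizations/123/sources/456/findings/abc123",
        "category": "Exfiltration: BigQuery Data Extraction",
        "state": "ACTIVE",
        "mute": "UNMUTED",
        "severity": "HIGH",
        "findingClass": "THREAT",
        "description": "Constructed sample finding for the example.",
        "access": {
            "principalEmail": "sa-example@example-project.iam.gserviceaccount.com",
            "callerIp": "203.0.113.10",
            "serviceName": "bigquery.googleapis.com",
            "methodName": "jobservice.insert",
        },
        "indicator": {"uris": ["http://malicious.example/payload"]},
        "connections": [{
            "sourceIp": "10.0.0.5", "sourcePort": 51000,
            "destinationIp": "198.51.100.7", "destinationPort": 443,
            "protocol": "TCP",
        }],
        "mitreAttack": {"primaryTactic": "EXFILTRATION"},
        "nextSteps": "Review the export job; rotate the key if it was unexpected.",
    },
    "resource": {"name": "//bigquery.googleapis.com/projects/example-project/datasets/d1"},
})


def parse_notification(raw):
    """Decode a notification body and return its finding dict."""
    body = json.loads(raw)
    finding = body.get("finding")
    if not isinstance(finding, dict):
        raise ValueError("notification has no finding object")
    return finding


def format_connection(conn):
    """Render one connections[] entry as 'src:port -> dst:port/proto'."""
    return "{}:{} -> {}:{}/{}".format(
        conn.get("sourceIp", "?"), conn.get("sourcePort", "?"),
        conn.get("destinationIp", "?"), conn.get("destinationPort", "?"),
        conn.get("protocol", "?"))


def summarize(finding):
    """Flatten the attributes an analyst wants first into one dict."""
    access = finding.get("access", {})
    return {
        "category": finding.get("category"),
        "finding_class": finding.get("findingClass", "FINDING_CLASS_UNSPECIFIED"),
        "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
        "principal": access.get("principalEmail"),
        "caller_ip": access.get("callerIp"),
        "api_call": "{}/{}".format(access.get("serviceName", "?"),
                                   access.get("methodName", "?")),
        "uris": list(finding.get("indicator", {}).get("uris", [])),
        "connections": [format_connection(c) for c in finding.get("connections", [])],
        "tactic": finding.get("mitreAttack", {}).get("primaryTactic"),
        "next_steps": finding.get("nextSteps"),
    }


def is_actionable(finding):
    """True for findings that are still open and not hidden by a mute rule."""
    return finding.get("state") == "ACTIVE" and finding.get("mute") != "MUTED"


def group_by_severity(findings):
    """Bucket finding categories by severity, one of the field's stated uses.

    A finding with no severity lands in SEVERITY_UNSPECIFIED rather than
    being dropped, so nothing silently disappears from the report.
    """
    groups = defaultdict(list)
    for f in findings:
        groups[f.get("severity", "SEVERITY_UNSPECIFIED")].append(f.get("category"))
    return dict(groups)


if __name__ == "__main__":
    finding = parse_notification(SAMPLE_MESSAGE)
    if is_actionable(finding):
        for key, value in summarize(finding).items():
            print("{:14} {}".format(key, value))
```

The summary deliberately reads only attributes the finding provider populates; as the notes say, the severity value is managed by the provider and should be consumed, not rewritten, by the pipeline.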

Event Threat Detection, a built-in service of Security Command Center Premium, has launched previews for two new detectors.

IAM: Anomalous IP geolocation and IAM: Anomalous user agent detect anomalous connections to Google Cloud resources based on location and user agent, respectively.

Read more about available detectors in Event Threat Detection conceptual overview.

Documentation

December 01, 2020

Container Threat Detection, a built-in service of Security Command Center Premium, is now in general availability. Read these notes to learn about updates, usability improvements, and new features. See our blog post, Monitor and secure your containers with new Container Threat Detection, to learn more.

Container Threat Detection now supports Google Kubernetes Engine (GKE) versions on the Stable channel. There are currently no plans to add support for GKE version 1.14.

Activation latency for newly created clusters has been improved.

A bug that blocked some information from appearing in the process section of Added Library Loaded findings is fixed.

A bug that blocked the proper display of the resource name for regional clusters in Added Library Loaded findings is fixed.

Container Threat Detection documentation includes updated information about compatibility with GKE and Virtual Private Cloud.

Read Using Container Threat Detection for more information.

October 08, 2020

Event Threat Detection, a built-in service of Security Command Center Premium, now includes two new detectors to monitor your organization's BigQuery resources. The detectors identify data exfiltration - resources saved outside of your organization or attempts to access protected data.

Read more about available detectors in Event Threat Detection conceptual overview.

The Security Command Center API now includes a severity field for Findings. This feature is available using Security Command Center's v1p1beta1 API.

September 08, 2020

Security Command Center Premium is now in general availability (Container Threat Detection remains in beta). Read these notes to learn about updates, usability improvements, and new features.

Improved Summary Dashboard

  • A new set of interactive charts and tables provide a high-level overview of all threats and vulnerabilities.
  • An updated time selector lets you choose preset and customizable time ranges for reviewing findings and creating reports.
  • New page headers provide users with more page-specific context.

Learn more about Using the Security Command Center dashboard.

Onboarding and configuration upgrades

  • A streamlined interface lets you manage organization-wide service enablement settings.
  • A dedicated settings page for integrated services has been added to the configuration interface.

Learn more about Setting up Security Command Center.

Security Health Analytics now supports real-time detections, with some exceptions. Read more about Security Health Analytics detectors and findings.

Managed Web Security Scans are now available to all Security Command Center Premium users. Learn more about managed scans in our Overview of Web Security Scanner.

gcloud integration with new, simplified Beta APIs (Alpha)

  • The gcloud command line interface can now access configuration functionality through new Beta APIs. The Beta APIs provide stable, programmatic interaction equivalent in functionality to the Security Command Center interface. Learn to use gcloud to manage Security Command Center settings.

Documentation

August 24, 2020

Audit logs are now available in Security Command Center as part of Cloud Audit Logs. Learn more about Security Command Center audit logging.

July 27, 2020

Security Command Center v1beta1 API will be disabled on Jan. 31, 2021. All users will be required to migrate to Security Command Center v1 API, which is now in general availability.

  • Update to Google-provided v1 API client libraries.
  • Move your client libraries and HTTP/grpc calls to v1 by following instructions in the reference documentation for service endpoints and SDK configuration.
  • If you call this service using your own libraries, follow the guidance in our Security Command Center API Overview when making API requests.
  • To use ListFindings calls in the v1 API, update your response handling to respond to an extra layer of object nesting, as shown below:
    • v1beta1: response.getFindings().forEach( x -> ....)
    • v1: response.getListFindingsResults().forEach(x -> { x.getFinding(); .... })

Additional changes to the v1 API are listed below. Learn more about Using the Security Command Center API.

The SeverityLevel finding source property for all Security Health Analytics findings will be removed and replaced with a field named Severity, which retains the same values.

  • Impact: Finding notification filters, post-processing, and alerting based on the SeverityLevel finding source property will no longer be possible.
  • Recommendation: Replace the SeverityLevel finding source property with the Severity finding attribute property to retain existing functionality.

The nodePools finding source property will be removed from the OVER_PRIVILEGED_SCOPES findings and replaced with a source property named VulnerableNodePools.

  • Impact: Finding notification filters, post-processing and alerting based on this finding source property may fail.
  • Recommendation: Modify workflows as necessary to utilize the new VulnerableNodePools source property.

The finding category of 2SV_NOT_ENFORCED is being renamed MFA_NOT_ENFORCED.

  • Impact: Case-sensitive finding notification filters, post-processing, and alerting based on the previous finding category name may fail.
  • Recommendation: Update any post-processing to use the new category name.

The ExceptionInstructions source property will be removed from all Security Health Analytics findings.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property may fail.
  • In progress: A new property that will indicate the current state of findings is being developed.

The ProjectId source property from all Security Health Analytics findings will be removed.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property may fail.
  • Recommendation: Update workflows to utilize the project id in the resource.project_display_name field of a ListFindingsResult.

The AssetSettings finding source property from PUBLIC_SQL_INSTANCE, SQL_PUBLIC_IP, SSL_NOT_ENFORCED, AUTO_BACKUP_DISABLED, SQL_NO_ROOT_PASSWORD, SQL_WEAK_ROOT_PASSWORD finding types will be removed, as it contains data duplicated from the asset entity.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will fail.
  • Recommendation: Replacing the AssetSettings finding source property with the Settings resource property from the asset underlying the finding will retain existing functionality.

The Allowed finding source property from OPEN_FIREWALL findings will be replaced with a new field named ExternallyAccessibleProtocolsAndPorts, which will contain a subset of the values from the Allowed property.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will fail.
  • Recommendation: Modify your workflows as necessary to utilize the new ExternallyAccessibleProtocolsAndPorts source property.

The SourceRanges finding source property in OPEN_FIREWALL findings will be replaced with a new ExternalSourceRanges source property, which will contain a subset of the values from the SourceRanges property.

  • Impact: Finding notification filters, post-processing and alerting based on the finding source property will fail.
  • Recommendation: Modify your workflows as necessary to utilize the new ExternalSourceRanges source property.

As of Jan. 31, 2021, the UpdateFinding API will no longer support storing string properties that are longer than 7,000 characters.

  • Impact: Calls to UpdateFinding that seek to store string properties longer than 7,000 characters will be rejected with an invalid argument error.
  • Recommendation: Consider storing string properties longer than 7,000 characters as JSON structs or JSON lists. Learn more about writing findings.

As of Sept. 1, 2020, the ListFindings API will no longer support searching on finding properties that are longer than 7,000 characters.

  • Impact: Searches on strings that are longer than 7,000 characters will not return expected results. For example, if a partial string match filter has a match at the 7,005th character on a property in a finding, that finding will not be returned because that match is past the 7,000-character threshold. An exception will not be returned.
  • Recommendation: Customers can remove filter restrictions (e.g. x : "some-value") that are supposed to match very long properties. The results can then be filtered locally to remove findings whose strings do not match designated criteria. Learn more about filtering findings.
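The following helpers, added here as an example and not Google's own code, show the client-side handling these notes ask for: walking the extra ListFindingsResult nesting of the v1 ListFindings response, reading Severity with a fallback to the older SeverityLevel source property, taking the project from resource.project_display_name instead of the removed ProjectId property, and matching long source properties locally instead of in the API filter. The response dicts use the API's JSON field names; the sample response and its "Description" property are constructed for the example.

```python
# Added example, not Google's code: post-processing helpers for v1 ListFindings
# responses after the v1beta1 -> v1 migration; dicts use the API's JSON field
# names, and the sample data at the bottom is constructed.

LONG_PROPERTY_THRESHOLD = 7000  # server-side search covers only this many characters

def iter_findings(response):
    """Yield (finding, resource) pairs from a v1beta1 or a v1 response dict.
    v1beta1: {"findings": [...]}; v1: {"listFindingsResults": [{"finding", "resource"}]}"""
    if "listFindingsResults" in response:
        for result in response["listFindingsResults"]:
            yield result["finding"], result.get("resource", {})
    else:
        for finding in response.get("findings", []):
            yield finding, {}

def severity_of(finding):
    """Prefer the v1 Severity attribute, falling back to the SeverityLevel
    source property that older Security Health Analytics findings carry."""
    return finding.get("severity") or finding.get("sourceProperties", {}).get("SeverityLevel")

def project_id_of(resource):
    """The ProjectId source property is gone; v1 puts the project in
    resource.project_display_name of the ListFindingsResult."""
    return resource.get("projectDisplayName")

def local_property_match(finding, prop, needle):
    """Client-side substring match, so a hit beyond the 7,000th character
    (which an API filter such as `prop : "needle"` misses) still counts."""
    value = finding.get("sourceProperties", {}).get(prop)
    return isinstance(value, str) and needle in value

def filter_findings(response, prop, needle):
    """Names of findings whose source property `prop` contains `needle`."""
    return [f["name"] for f, _ in iter_findings(response)
            if local_property_match(f, prop, needle)]

# Constructed v1 response; "Description" is a hypothetical source property and
# finding b's match sits past character 7,000, out of reach of a server filter.
SAMPLE_V1_RESPONSE = {"listFindingsResults": [
    {"finding": {"name": "organizations/123/sources/456/findings/a",
                 "category": "OPEN_FIREWALL", "severity": "HIGH",
                 "sourceProperties": {"Description": "short text"}},
     "resource": {"projectDisplayName": "example-project"}},
    {"finding": {"name": "organizations/123/sources/456/findings/b",
                 "category": "OPEN_FIREWALL",
                 "sourceProperties": {"SeverityLevel": "MEDIUM",
                                      "Description": "x" * LONG_PROPERTY_THRESHOLD + "needle"}},
     "resource": {"projectDisplayName": "example-project"}},
]}
```

In practice you would list findings with a filter that omits the long-property clause and then pass each page's response through filter_findings.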

The OffendingIamRoles source property in extensions of IAM Scanner Configurations will use structured data instead of a JSON-formatted string.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will need to be updated to take advantage of the new data type on findings of the following categories: ADMIN_SERVICE_ACCOUNT, NON_ORG_IAM_MEMBER, PRIMITIVE_ROLES_USED, OVER_PRIVILEGED_SERVICE_ACCOUNT_USER, REDIS_ROLE_USED_ON_ORG, SERVICE_ACCOUNT_ROLE_SEPARATION, KMS_ROLE_SEPARATION.
  • Recommendation: Update workflows to utilize the new data type.

The QualifiedLogMetricNames source property in specific Monitoring findings from Security Health Analytics will use a list instead of a character-separated string value.

  • Impact: Finding notification filters, post-processing and alerting based on the finding source property will need to be updated to take advantage of the new data type for findings of the following categories: AUDIT_CONFIG_NOT_MONITORED, BUCKET_IAM_NOT_MONITORED, CUSTOM_ROLE_NOT_MONITORED, FIREWALL_NOT_MONITORED, NETWORK_NOT_MONITORED, OWNER_NOT_MONITORED, ROUTE_NOT_MONITORED, SQL_INSTANCE_NOT_MONITORED.
  • Recommendation: Update workflows to utilize the new data type.

The AlertPolicyFailureReasons source property in specific Monitoring findings from Security Health Analytics will use a list instead of a character-separated string value.

  • Impact: Finding notification filters, post-processing and alerting based on the finding source property will need to be updated to take advantage of the new data type for findings of the following categories: AUDIT_CONFIG_NOT_MONITORED, BUCKET_IAM_NOT_MONITORED, CUSTOM_ROLE_NOT_MONITORED, FIREWALL_NOT_MONITORED, NETWORK_NOT_MONITORED, OWNER_NOT_MONITORED, ROUTE_NOT_MONITORED, SQL_INSTANCE_NOT_MONITORED.
  • Recommendation: Update workflows to utilize the new data type.

The CompatibleFeatures source property in WEAK_SSL_POLICY findings will use a list instead of a character-separated string value.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will need to be updated to take advantage of the new data type for findings.
  • Recommendation: Update workflows to utilize the new data type.

May 12, 2020

Security Command Center Premium and Standard tiers are now available.

The Security Command Center Premium tier includes:

  • Security Health Analytics
  • Web Security Scanner managed scans
  • Event Threat Detection
  • Container Threat Detection

Learn more about the Security Command Center Premium tier.

The Event Threat Detection API will be deprecated in the coming months. Similar functionality is available in the Security Command Center API settings feature.

Container Threat Detection currently supports the following Kubernetes Engine versions on the Regular and Rapid channels:

  • >= 1.15.9-gke.12
  • >= 1.16.5-gke.2
  • >= 1.17

In a future update, Container Threat Detection will support version 1.14 and the Stable channel.

April 10, 2020

Security Health Analytics is now in general availability.

March 23, 2020

The Notifications API is now in general availability. Get started with the notifications API.

The eventType field was removed from organizations.notificationConfigs.create in the v1 API. Learn more about creating a NotificationConfig.

February 14, 2020

Security Command Center roles inherit Web Security Scanner roles as follows:

  • The securitycenter.adminViewer role inherits the permissions of the cloudsecurityscanner.viewer role.
  • The securitycenter.adminEditor role inherits the permissions of the cloudsecurityscanner.editor role.

For information about how to view all of the permissions that are associated with a role, see the IAM documentation about Getting the role metadata.

February 13, 2020

The notifications API is now in beta:

  • Send new findings and updated findings notifications to a Pub/Sub topic.
  • Filter notifications by provider source, finding type, category or any other finding fields, properties or security marks.

Get started with the notifications API.

Security Command Center tools will become obsolete in future Security Command Center releases, when their functionalities are added as built-in features. Support is offered on best-effort basis only for all Security Command Center tools.

November 11, 2019

Cloud SCC now supports full JSON with arrays and JSON objects as potential property types. This includes support for sorting on JSON object sub-fields, and filtering on:

  • Array elements
  • Full JSON objects with partial string match
  • JSON object sub-fields

Learn more about Filtering and sorting findings.

October 14, 2019

Security Health Analytics is now in beta and can now be enabled in the Sources Management page of Cloud SCC.

A new Vulnerabilities tab in Cloud SCC displays a dashboard that summarizes Security Health Analytics findings. This dashboard includes information about CIS benchmarks and recommended remediations.

Security Health Analytics no longer requires separate service account setup or permissions. Instead, it uses the Cloud SCC service account that's created for you during signup.

August 20, 2019

The following Security Health Analytics finding type names have changed:

Old Name             New Name
LOGGING_DISABLED     CLUSTER_LOGGING_DISABLED
MONITORING_DISABLED  CLUSTER_MONITORING_DISABLED
NO_ROOT_PASSWORD     SQL_NO_ROOT_PASSWORD
WEAK_ROOT_PASSWORD   SQL_WEAK_ROOT_PASSWORD

May 10, 2019

Using VPC Service Controls currently blocks Cloud SCC asset discovery inside VPC Service perimeters for the following asset types:

  • Compute Engine
    • Addresses
    • Routes
    • VPN Tunnels
  • Cloud Storage Buckets
  • GKE Clusters

This is expected to be fixed in a future release.

For information about troubleshooting access issues, see VPC Service Controls Troubleshooting. To work around the access to these assets, see Granting access from the internet with access levels.

April 10, 2019

Cloud SCC is now in general availability (GA). These release notes include updated items from beta and new items for GA.

ListAssetResult has changed.

GroupFindingsResponse now includes totalSize.

gcloud command-line tool support for Cloud SCC is now available.

There are now client libraries available for C#, Go, Java, Node.JS, PHP, Python, and Ruby.

Previously only active state findings were shown in the UI. You can now also choose to show inactive state findings.

ListFindings and GroupFindings now support comparison between two points in time. For more information, see the compareDuration parameter.

Assets now include IAM information for organizations, projects, Compute Engine, Cloud Storage, and others where applicable. IAM Policy information can be searched, filtered, and joined with all other Asset information and Security Marks.

Native integration with Security Health Analytics for native managed vulnerability scanning.

Native integration with Event Threat Detection for log-based threat detection.

Native integrations with Phishing Protection.

The Cloud SCC dashboard now enables you to select whether just active state findings are displayed or both active and inactive.

The Cloud SCC dashboard now enables you to set active or inactive state for each finding.

The Cloud SCC dashboard now enables you to perform a time-diff query for a fixed set of time periods.

You can now export Cloud SCC data as filtered Asset or Findings data to the Cloud Storage bucket and project you select.

Hello World example app is expanded to include Cloud Functions functions for: removing bucket ACLs, deleting firewall rules, and creating a VM snapshot.

New example apps are available for:

  • Integrations with Access Transparency Logs, Audit Logging, and Binary Authorization.
  • Connecting to Splunk.

For more information, see Installing Cloud SCC tools.

Additional security partner integrations through [Marketplace](https://console.cloud.google.com/marketplace/details/google-cloud-platform/cloud-security-command-center).

Sorting on Asset ID column on the asset page doesn't work as expected.

Sorting on the following findings page columns doesn't work as expected:

  • eventTime
  • source property
  • security mark
  • id
  • externalUri

Sorting isn't supported for source properties and security marks on the findings changed page.

After you've created a new asset, the new asset won't appear in Cloud SCC until it's re-scanned. To see current asset state before the daily re-scan, trigger an on-demand re-scan and then wait at least 5 minutes to see the new asset appear in Cloud SCC.

After you've made an IAM policy change on an asset, the updated policy won't appear in Cloud SCC until it's re-scanned. To see current IAM policy before the daily re-scan, trigger an on-demand re-scan and then wait at least 10 minutes to see the updated IAM policies in Cloud SCC.

Code examples are still in progress for C#, Node.js, PHP, and Ruby.