You can sign in to both consoles using the same username and credentials.
Google Cloud console
The Google Cloud console lets you perform tasks such as the following:
- Activate Security Command Center.
- Set up Identity and Access Management (IAM) permissions for all Security Command Center users.
- Configure AWS connectivity for vulnerability management.
- Work with and export findings.
- Manage security postures.
- Assess risks with attack exposure scores.
- Identify high-sensitivity data with Sensitive Data Protection.
- Detect and remediate individual findings directly.
- Configure Security Health Analytics, Web Security Scanner, and other Google Cloud integrated services.
- Assess and report on your compliance with common security standards or benchmarks.
- View and search your Google Cloud assets.
You can access the Security Command Center content in the Google Cloud console from the Risk Overview page.
The following image shows the Security Command Center content in the Google Cloud console.
Security Operations console
The Security Operations console lets you perform tasks such as the following:
- Configure AWS connectivity for threat detection.
- Configure users and groups for incident management.
- Configure security orchestration, automation, and response (SOAR) settings.
- Configure data ingestion into the security information and event management (SIEM).
- Investigate and remediate individual findings for your Google Cloud organization and AWS environment.
- Work with cases, which includes grouping findings, assigning tickets, and working with alerts.
- Use an automated sequence of steps known as playbooks to remediate issues.
- Use Workdesk to manage actions and tasks waiting for you from open cases and playbooks.
You can access the Security Operations console from
https://customer_subdomain.backstory.chronicle.security
,
where customer_subdomain
is your customer-specific
identifier. You can determine your URL using one of the following methods:
In the setup guide in the Google Cloud console, step 4 to step 6 redirect to the Security Operations console. To access the setup guide, complete the following:
Go to the Security Command Center Setup guide.
Select the organization where Security Command Center is activated.
Click the link in any of the following steps:
- Step 4: Set up users and groups
- Step 5: Configure integrations
- Step 6: Configure log ingestion
In the Google Cloud console, click one of the case links. To access a case link, complete the following:
Go to the Vulnerabilities by case page.
Select the organization where Security Command Center is activated.
Click any link under the Case Id column in the Vulnerability findings table.
In the Google Cloud console, access the link on the Google Security Operations administration settings page. This method requires you to know the management project that was used to activate Security Command Center Enterprise for your organization.
Go to the Google SecOps page.
Select your organization's management project.
Click Go to Google Security Operations.
The following image shows the Security Operations console.
Vulnerability management dashboard
Dashboards in the Security Operations console give you a quick view into posture cases and vulnerabilities across your cloud environments.
Using the Vulnerability management dashboard in the Security Operations console, you can investigate CVE vulnerabilities identified in your Google Cloud and AWS environments.
To view the dashboard, go to the Findings page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/security-command-center/overview/cve-vulnerabilities
Replace CUSTOMER_SUBDOMAIN
with your customer-specific
identifier.
If the page does not appear, select Risk > Overview from the navigation, and then select Vulnerabilities from the menu.
Within each report, you can use filters to show data for all cloud providers or a subset of cloud providers. The dashboard includes the following reports:
Top common vulnerabilities and exploits shows vulnerability findings grouped by exploitability and impact.
Possible Exploitability values are the following:
WIDE
: an exploit for the vulnerability has been reported or confirmed to widely occur.CONFIRMED
: there have been limited reported or confirmed exploitation activities for the vulnerability.AVAILABLE
: an exploit is publicly available for this vulnerability.ANTICIPATED
: the vulnerability has no known exploitation activity, but has a high potential for exploitation.NO_KNOWN
: the vulnerability has no known exploitation activity.
These are the ExploitationActivity values returned for a CVE by the
organizations.sources.findings
API.Possible Impact values are a measure of availability of a potential exploit:
LOW
: an exploit would have little to no security impact.MEDIUM
: an exploit would enable attackers to perform activities, or could allow attackers to have a direct impact, but would require additional steps.HIGH
: an exploit would enable attackers to have a notable direct impact without needing to overcome any major mitigating factors.CRITICAL
: an exploit would fundamentally undermine the security of affected systems, enable actors to perform significant attacks with minimal effort and with little to no mitigating factors that must be overcome.
These are the RiskRating values returned for a CVE by the
organizations.sources.findings
API.Click a cell in the heat map to see the related vulnerabilities filtered by the criteria you selected.
The Resources column displays the number of unique resource IDs that are identified. The Findings column displays the total number of findings identified across all resources. Each resource could have multiple findings. Click the value in the Findings column to view detailed information about these findings.
Most common critical exploitable vulnerabilities shows CVE vulnerabilities and the number of unique resource IDs where the vulnerability was identified.
Expand the row for a single CVE ID to see the list of related findings and the number of resources where the finding was identified. Multiple findings could be identified on a single resource. The sum of all resource counts for the related findings may be greater than the count of unique resource IDs for the CVE ID.
Latest compute vulnerabilities with known exploits shows CVE vulnerabilities related to software on compute instances with known exploits. Findings in this report have the category
OS_VULNERABILITY
andSOFTWARE_VULNERABILITY
. The table includes the following information:Exploit release date and First available date: when the exploit was released, and when it was first available, or confirmed.
Exposed Resources: the number of resources identified that are also configured in the Risk Engine resource value configuration. The count includes those with any resource value configuration: high, medium, or low.
Attack exposure score: this is populated if Risk Engine calculated a value. Click the value to view details about the score.
Virtual Machine: the virtual machine instance identifier. Click the value to view details about the resource in the specific cloud environment.
Observed in the wild and Exploitability: whether an exploit has been observed in the wild and a measure of the exploitation activity.
Containers with exploitable vulnerabilities shows containers that have exploitable CVE vulnerabilities where the vulnerability exploitation activity is
available
,confirmed
, orwide
and the risk rating iscritical
, based on the assessment of Google Threat Intelligence.The report includes details about each container and is sorted based on the attack exposure score. Containers with the largest number of impacted resources appear at the top.
Container: displays the container name and the cloud environment where the container is running.
Container image: displays the name of the image used to deploy the container.
Finding: displays the CVE ID and provides a link to the finding detail.
Resource link: for a container running in Google Cloud, provides a link to display more details about the resource. For a container running in another cloud environment, provides a link to the other cloud environment for more details when it is possible to create a direct link.
AES score: displays the attack exposure score. Click the score to view the attack path.