Security Command Center Enterprise consoles

The Security Command Center Enterprise tier includes two consoles: the Google Cloud console and the Security Operations console.

You can log in to both consoles using the same username and credentials.

Google Cloud console

The Google Cloud console lets you perform tasks such as the following:

  • Activate Security Command Center.
  • Set up Identity and Access Management (IAM) permissions for all Security Command Center users.
  • Configure AWS connectivity for vulnerability management.
  • Work with and export findings.
  • Manage security postures.
  • Assess risks with attack exposure scores.
  • Identify high-sensitivity data with Sensitive Data Protection.
  • Detect and remediate individual findings directly.
  • Configure Security Health Analytics, Web Security Scanner, and other Google Cloud integrated services.
  • Assess and report on your compliance with common security standards or benchmarks.
  • View and search your Google Cloud assets.

You can access the Security Command Center content in the Google Cloud console from the Risk Overview page.

The following image shows the Security Command Center content in the Google Cloud console.

The Google Cloud console.

Security Operations console

The Security Operations console lets you perform tasks such as the following:

  • Configure AWS connectivity for threat detection.
  • Configure users and groups for incident management.
  • Configure security orchestration, automation, and response (SOAR) settings.
  • Configure data ingestion into the security information and event management (SIEM).
  • Investigate and remediate individual findings for your Google Cloud organization and AWS environment.
  • Work with cases, which includes grouping findings, assigning tickets, and working with alerts.
  • Use an automated sequence of steps known as playbooks to remediate issues.
  • Use Workdesk to manage actions and tasks waiting for you from open cases and playbooks.

You can access the Security Operations console from https://customer_subdomain.backstory.chronicle.security, where customer_subdomain is your customer-specific identifier. You can determine your URL using one of the following methods:

  • In the setup guide in the Google Cloud console, steps 4 through 6 link to the Security Operations console. To open the setup guide, complete the following:

    1. Go to the Security Command Center Setup guide.

    2. Select the organization where Security Command Center is activated.

    3. Click the link in any of the following steps:

      • Step 4: Set up users and groups
      • Step 5: Configure integrations
      • Step 6: Configure log ingestion
  • In the Google Cloud console, click one of the case links. To access a case link, complete the following:

    1. Go to the Vulnerabilities by case page.

    2. Select the organization where Security Command Center is activated.

    3. Click any link under the Case Id column in the Vulnerability findings table.

  • In the Google Cloud console, access the link on the Google Security Operations administration settings page. This method requires you to know the management project that was used to activate Security Command Center Enterprise for your organization.

    1. Go to the Google SecOps page.

    2. Select your organization's management project.

    3. Click Go to Google Security Operations.

The following image shows the Security Operations console.

The Security Operations console.

Vulnerability management dashboard

Dashboards in the Security Operations console give you a quick view into posture cases and vulnerabilities across your cloud environments.

Using the Vulnerability management dashboard in the Security Operations console, you can investigate CVE vulnerabilities identified in your Google Cloud and AWS environments.

To view the dashboard, go to the Findings page.

  https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/overview/cve-vulnerabilities

Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

If the page does not appear, select Posture > Overview from the navigation, then select Vulnerability Management Dashboard from the menu.

Within each report, you can use filters to show data for all cloud providers or a subset of cloud providers. The dashboard includes the following reports:

  • Top common vulnerabilities and exploits shows vulnerability findings grouped by exploitability and impact.

    Possible Exploitability values are the following:

    • WIDE: an exploit for the vulnerability has been reported or confirmed to widely occur.
    • CONFIRMED: there have been limited reported or confirmed exploitation activities for the vulnerability.
    • AVAILABLE: an exploit is publicly available for this vulnerability.
    • ANTICIPATED: the vulnerability has no known exploitation activity, but has a high potential for exploitation.
    • NO_KNOWN: the vulnerability has no known exploitation activity.

    These are the ExploitationActivity values returned for a CVE by the organizations.sources.findings API.

    Possible Impact values are a measure of the security impact a successful exploit would have:

    • LOW: an exploit would have little to no security impact.
    • MEDIUM: an exploit would enable attackers to perform activities, or could allow attackers to have a direct impact, but would require additional steps.
    • HIGH: an exploit would enable attackers to have a notable direct impact without needing to overcome any major mitigating factors.
    • CRITICAL: an exploit would fundamentally undermine the security of affected systems, enable actors to perform significant attacks with minimal effort and with little to no mitigating factors that must be overcome.

    These are the RiskRating values returned for a CVE by the organizations.sources.findings API.

    Click a cell in the heat map to see the related vulnerabilities filtered by the criteria you selected.

    The Resources column displays the number of unique resource IDs that are identified. The Findings column displays the total number of findings identified across all resources. Each resource could have multiple findings. Click the value in the Findings column to view detailed information about these findings.

  • Most common critical exploitable vulnerabilities shows CVE vulnerabilities and the number of unique resource IDs where the vulnerability was identified.

    Expand the row for a single CVE ID to see the list of related findings and the number of resources where each finding was identified. Multiple findings can be identified on a single resource, so the sum of the resource counts for the related findings can be greater than the count of unique resource IDs for the CVE ID.

  • Latest compute vulnerabilities with known exploits shows CVE vulnerabilities related to software on compute instances with known exploits. Findings in this report have the category OS_VULNERABILITY or SOFTWARE_VULNERABILITY. The table includes the following information:

    • Exploit release date and First available date: when the exploit was released, and when it was first available, or confirmed.

    • Exposed Resources: the number of resources identified that are also configured in the Risk Engine resource value configuration. The count includes those with any resource value configuration: high, medium, or low.

    • Attack exposure score: this is populated if Risk Engine calculated a value. Click the value to view details about the score.

    • Virtual Machine: the virtual machine instance identifier. Click the value to view details about the resource in the specific cloud environment.

    • Observed in the wild and Exploitability: whether an exploit has been observed in the wild and a measure of the exploitation activity.
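The heat map in Top common vulnerabilities and exploits and the per-CVE rows in Most common critical exploitable vulnerabilities are both aggregations over the same two CVE fields the page names, ExploitationActivity and RiskRating, and both distinguish unique resource IDs from total findings. The following Python example, added here and not part of the page or of Google's own code, reproduces those aggregations over a constructed list of Finding resources so you can see why the per-finding resource sums for one CVE can exceed its unique-resource count. The JSON field paths vulnerability.cve.exploitationActivity, vulnerability.cve.impact and cloudProvider are assumptions about the shape of the organizations.sources.findings response, and the CVE IDs are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample data (not real findings): six Finding resources in the
# JSON shape assumed for organizations.sources.findings.list. The paths
# vulnerability.cve.exploitationActivity / .impact and the cloudProvider
# field are assumptions about that shape; the CVE IDs are placeholders.
SAMPLE_FINDINGS_JSON = """[
 {"name": "organizations/123/sources/456/findings/f1", "category": "OS_VULNERABILITY",
  "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
  "resourceName": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/vm-a",
  "vulnerability": {"cve": {"id": "CVE-2024-0001", "exploitationActivity": "WIDE", "impact": "CRITICAL"}}},
 {"name": "organizations/123/sources/456/findings/f2", "category": "SOFTWARE_VULNERABILITY",
  "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
  "resourceName": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/vm-a",
  "vulnerability": {"cve": {"id": "CVE-2024-0001", "exploitationActivity": "WIDE", "impact": "CRITICAL"}}},
 {"name": "organizations/123/sources/456/findings/f3", "category": "OS_VULNERABILITY",
  "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
  "resourceName": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/vm-b",
  "vulnerability": {"cve": {"id": "CVE-2024-0001", "exploitationActivity": "WIDE", "impact": "CRITICAL"}}},
 {"name": "organizations/123/sources/456/findings/f4", "category": "SOFTWARE_VULNERABILITY",
  "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
  "resourceName": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/vm-b",
  "vulnerability": {"cve": {"id": "CVE-2024-0002", "exploitationActivity": "AVAILABLE", "impact": "HIGH"}}},
 {"name": "organizations/123/sources/456/findings/f5", "category": "OS_VULNERABILITY",
  "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
  "resourceName": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/vm-c",
  "vulnerability": {"cve": {"id": "CVE-2024-0003", "exploitationActivity": "NO_KNOWN", "impact": "LOW"}}},
 {"name": "organizations/123/sources/456/findings/f6", "category": "SOFTWARE_VULNERABILITY",
  "cloudProvider": "AMAZON_WEB_SERVICES",
  "resourceName": "//ec2.amazonaws.com/123456789012/us-east-1/instances/i-0abc",
  "vulnerability": {"cve": {"id": "CVE-2024-0002", "exploitationActivity": "AVAILABLE", "impact": "HIGH"}}}
]"""


def load_findings(text):
    """Parse a JSON array of Finding resources."""
    return json.loads(text)


def cve_field(finding, field, default="UNSPECIFIED"):
    """Read one field from vulnerability.cve, tolerating findings without CVE data."""
    return finding.get("vulnerability", {}).get("cve", {}).get(field, default)


def filter_by_provider(findings, providers=None):
    """Mimic the dashboard's cloud-provider filter; None keeps every provider."""
    if providers is None:
        return list(findings)
    return [f for f in findings if f.get("cloudProvider") in providers]


def heat_map(findings):
    """(exploitability, impact) -> {'resources': unique resource IDs, 'findings': total findings}."""
    cells = defaultdict(lambda: {"resources": set(), "findings": 0})
    for f in findings:
        key = (cve_field(f, "exploitationActivity"), cve_field(f, "impact"))
        cells[key]["resources"].add(f["resourceName"])
        cells[key]["findings"] += 1
    return {k: {"resources": len(v["resources"]), "findings": v["findings"]}
            for k, v in cells.items()}


def per_cve(findings):
    """CVE ID -> unique resource count, plus per finding category the resources it was seen on."""
    out = defaultdict(lambda: {"resources": set(), "by_category": defaultdict(set)})
    for f in findings:
        entry = out[cve_field(f, "id")]
        entry["resources"].add(f["resourceName"])
        entry["by_category"][f["category"]].add(f["resourceName"])
    return {cve: {"resources": len(e["resources"]),
                  "by_category": {c: len(r) for c, r in e["by_category"].items()}}
            for cve, e in out.items()}


def most_common(findings, top=10):
    """Rank CVEs by unique resource count (ties broken by CVE ID), as the per-CVE report does."""
    summary = per_cve(findings)
    rows = ((cve, v["resources"]) for cve, v in summary.items())
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:top]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS_JSON)
    for cell, counts in sorted(heat_map(findings).items()):
        print(cell, counts)
    for cve, counts in per_cve(findings).items():
        print(cve, counts)
    print(most_common(findings))
```

Running the block shows CVE-2024-0001 counted on 2 unique resources while its related findings sum to 3 resources, because vm-a carries both an OS_VULNERABILITY and a SOFTWARE_VULNERABILITY finding for the same CVE; restricting the provider filter to GOOGLE_CLOUD_PLATFORM drops the AWS instance from the AVAILABLE/HIGH cell.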