Security Command Center overview  |  Google Cloud (2024)

This page provides an overview of Security Command Center, a risk management solution that, with the Enterprise tier, combines cloud security and enterprise security operations, and provides insights from Mandiant expertise and Gemini artificial intelligence.

Security Command Center enables security operations center (SOC) analysts, vulnerability and posture analysts, compliance managers, and other security professionals to quickly assess, investigate, and respond to security issues across multiple cloud environments.

Every cloud deployment has unique risks. Security Command Center can help you understand and evaluate the attack surface of your projects or organization on Google Cloud, as well as the attack surface of your other cloud environments. Properly configured to protect your resources, Security Command Center can help you make sense of the vulnerabilities and threats detected in your cloud environments and prioritize their fixes.

Security Command Center integrates with many Google Cloud services to detect security issues in multiple cloud environments. These services detect issues in a variety of ways, such as scanning resource metadata, scanning cloud logs, scanning containers, and scanning virtual machines.

Some of these integrated services, such as Google Security Operations and Mandiant, also provide capabilities and information that are critical to prioritizing and managing your investigations and response to detected issues.

Manage threats

In the Premium and Enterprise tiers, Security Command Center uses both built-in and integrated Google Cloud services to detect threats. These services scan your Google Cloud logs, containers, and virtual machines looking for threat indicators.

When these services, such as Event Threat Detection or Container Threat Detection, detect a threat indicator, they issue a finding. A finding is a report or record of an individual threat or other issue that a service has found in your cloud environment. The services that issue findings are also referred to as finding sources.

In Security Command Center Enterprise, findings trigger alerts, which, depending on the severity of the finding, can generate a case. You can use a case with a ticketing system to assign owners to the investigation of and response to one or more alerts in the case.

Security Command Center Enterprise can also detect threats in your deployments on other cloud platforms. To detect threats in deployments on other cloud platforms, Security Command Center ingests the logs from the other cloud platform after you establish a connection.

For more information, see the following pages:

  • Threat security sources
  • Google SecOps documentation
  • Manage findings and alerts with cases

Threat detection and response features

With Security Command Center, SOC analysts can achieve the following security goals:

  • Detect events in your cloud environments that indicate a potential threat and triage the associated findings or alerts.
  • Assign owners and track progress of investigations and responses with an integrated case workflow. Optionally, you can integrate your preferred ticketing systems, like Jira or ServiceNow.
  • Investigate the threat alerts with powerful search and cross-referencing capabilities.
  • Define response workflows and automate actions to address potential attacks on your cloud environments. For more information about defining response workflows and automated actions with playbooks, see Work with playbooks.
  • Mute or exclude findings or alerts that are false positives.
  • Focus on threats related to compromised identities and access permissions.
  • Use Security Command Center to detect, investigate, and respond to potential threats in your other cloud environments, like AWS.

Manage vulnerabilities

Security Command Center provides comprehensive vulnerability detection, automatically scanning the resources in your environment for software vulnerabilities, misconfigurations, and other types of security issues that might expose you to attack. Together, these types of issues are referred to collectively as vulnerabilities.

Security Command Center uses both built-in and integrated Google Cloud services to detect security issues. When a service detects an issue, it issues a finding to record the issue. The services that issue findings are also referred to as finding sources.

By default, cases are opened automatically for high-severity and critical-severity vulnerability findings to help you prioritize their remediation. You can assign owners and track the progress of remediation efforts with a case.

For more information, see the following:

  • Manage findings and alerts with cases
  • Vulnerability and misconfiguration detection services

Toxic combinations

Security Command Center Risk Engine, a feature of the Enterprise tier, detects groups of security issues that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources.

This type of patterned group of security issues is referred to as a toxic combination. When Risk Engine detects a toxic combination, it issues a finding. For each toxic combination finding, Security Command Center creates a case in the Security Operations console, so that you can manage and track the resolution of the toxic combination.

For more information, see Overview of toxic combinations.

Software vulnerabilities

To help you identify, understand, and prioritize software vulnerabilities, Security Command Center can assess the virtual machines (VMs) and containers in your cloud environments for vulnerabilities. For each detected vulnerability, Security Command Center provides in-depth information in a finding record or finding. The information provided with a finding can include:

  • Details of the affected resource
  • Information about any associated CVE record, including an assessment from Mandiant of the impact and exploitability of the CVE item
  • An attack exposure score to help you prioritize remediation
  • A visual representation of the path an attacker might take to the high-value resources that are exposed by the vulnerability

Software vulnerabilities are detected by the following services:

  • VM Manager for operating systems on Compute Engine virtual machines
  • Google Kubernetes Engine security posture dashboard for operating systems in containers
  • Vulnerability Assessment for Amazon Web Services (AWS) for EC2 instances on AWS
  • Web Security Scanner for web applications that are running on App Engine, Google Kubernetes Engine (GKE), and Compute Engine

Misconfigurations

Security Command Center maps the detectors of the services that scan for misconfigurations to the controls of the common industry compliance standards. In addition to showing you the compliance standards that a misconfiguration violates, the mapping enables you to see a measure of your compliance with the various standards, which you can then export as a report.

For more information, see Assess and report compliance.

Posture violations

The Premium and Enterprise tiers of Security Command Center include the security posture service, which issues findings when your cloud resources violate the policies that are defined in the security postures that you deployed in your cloud environment.

For more information, see Security posture service.

Validate infrastructure as code

You can verify that your infrastructure-as-code (IaC) files align with the organization policies and the Security Health Analytics detectors that you define in your Google Cloud organization. This feature helps ensure that you don't deploy resources that will violate your organization's standards. After you define your organizational policies and, if necessary, enable the Security Health Analytics service, you can use the Google Cloud CLI to validate your Terraform plan file, or you can integrate the validation process into your Cloud Build, Jenkins, or GitHub Actions developer workflow. For more information, see Validate your IaC against your organization's policies.

Detect vulnerabilities and misconfigurations on other cloud platforms

Security Command Center Enterprise can detect vulnerabilities in multiple cloud environments. To detect vulnerabilities in other cloud service providers, you first need to establish a connection to the provider to ingest resource metadata.

For more information, see Connect to AWS for vulnerability detection and risk assessment.

Vulnerability and posture management features

With Security Command Center, vulnerability analysts, posture administrators, and similar security professionals can achieve the following security goals:

  • Detect different types of vulnerabilities, including software vulnerabilities, misconfigurations, and posture violations, that can expose your cloud environments to potential attacks.
  • Focus your response and remediation efforts on the highest risk issues by using the attack exposure scores on the findings and alerts for vulnerabilities.
  • Assign owners and track progress of vulnerability remediations by using cases and integrating your preferred ticketing systems, like Jira or ServiceNow.
  • Proactively secure the high-value resources in your cloud environments by lowering their attack exposure scores.
  • Define custom security postures for your cloud environments that Security Command Center uses to assess your posture and alert you to violations.
  • Mute or exclude findings or alerts that are false positives.
  • Focus on vulnerabilities that are related to identities and excessive permissions.
  • Detect and manage in Security Command Center vulnerabilities and risk assessments for your other cloud environments, like AWS.

Assess risk with attack exposure scores and attack paths

With organization-level activations of the Premium and Enterprise tiers, Security Command Center provides attack exposure scores for high-value resources and for the vulnerability and misconfiguration findings that affect the high-value resources.

You can use these scores to prioritize the remediation of vulnerabilities and misconfigurations, to prioritize the security of your most exposed high-value resources, and generally to assess how exposed your cloud environments are to attack.

In the Active vulnerabilities pane of the Risk overview page in the Google Cloud console, the Findings by attack exposure score tab shows you the findings that have the highest attack exposure scores in your environment, as well as the distribution of finding scores.

For more information, see Attack exposure scores and attack paths.

Manage findings and alerts with cases

Security Command Center Enterprise creates cases to help you manage findings and alerts, assign owners, and manage the investigations and responses to detected security issues. Cases are opened automatically for high-severity and critical-severity issues.

You can integrate cases with your preferred ticketing system, like Jira or ServiceNow. When cases are updated, any open tickets for the case can be updated automatically. Similarly, if a ticket is updated, the corresponding case can be updated as well.

For more information, see Cases overview in the Google SecOps documentation.

Define response workflows and automated actions

Define response workflows and automate actions to investigate and respond to the security issues that are detected in your cloud environments.

For more information about defining response workflows and automated actions with playbooks, see Work with playbooks.

Multicloud support: Secure your deployments on other cloud platforms

You can extend Security Command Center services and capabilities to cover your deployments on other cloud platforms, so that you can manage in a single location all of the threats and vulnerabilities that are detected in all of your cloud environments.

For more information about connecting Security Command Center to another cloud service provider, see the following pages:

  • For threat detection, see Connect to AWS for threat detection.
  • For vulnerability detection and attack exposure scores, see Connect to AWS for vulnerability detection and risk assessment.

Supported cloud service providers

Security Command Center can connect to Amazon Web Services (AWS).

Define and manage security postures

With organization-level activations of the Premium and Enterprise tiers of Security Command Center, you can create and manage security postures that define the required state of your cloud assets, including your cloud network and cloud services, for optimal security in your cloud environment. You can customize security postures to match your business's security and regulatory needs. By defining a security posture, you can minimize cybersecurity risks to your organization and help prevent attacks from occurring.

You use the Security Command Center security posture service to define and deploy a security posture and detect any drift or unauthorized change from your defined posture.

The security posture service is automatically enabled when you activate Security Command Center at the organization level.

For more information, see Security posture overview.

Identify your assets

Security Command Center includes asset information from Cloud Asset Inventory, which continuously monitors assets in your cloud environment. For most assets, configuration changes, including IAM and organization policies, are detected in near-real time.

On the Assets page in the Google Cloud console, you can quickly apply, edit, and run sample asset queries, add a preset time constraint, or you can write your own asset queries.

If you have the Premium or Enterprise tier of Security Command Center, you can see which of your assets are designated as high-value resources for risk assessments by attack path simulations.

You can quickly identify changes in your organization or project and answer questions like:

  • How many projects do you have and when were they created?
  • What Google Cloud resources are deployed or in use, like Compute Engine virtual machines (VMs), Cloud Storage buckets, or App Engine instances?
  • What's your deployment history?
  • How to organize, annotate, search, select, filter, and sort across the following categories:
    • Assets and asset properties
    • Security marks, which enable you to annotate assets or findings in Security Command Center
    • Time period

Cloud Asset Inventory always knows the current state of supported assets and, in the Google Cloud console, lets you review historical discovery scans to compare assets between points in time. You can also look for underused assets, like virtual machines or idle IP addresses.

Gemini features in Security Command Center

Security Command Center incorporates Gemini to provide summaries of findings and attack paths, and to assist your searches and investigations of detected threats and vulnerabilities.

For information about Gemini, see Gemini overview.

Gemini summaries of findings and attack paths

If you are using Security Command Center Enterprise or Premium, Gemini provides dynamically generated explanations of each finding and of each simulated attack path that Security Command Center generates for Vulnerability and Misconfiguration class findings.

The summaries are written in natural language to help you quickly understand and act on findings and any attack paths that might accompany them.

The summaries appear in the following places in the Google Cloud console:

  • When you click the name of an individual finding, the summary appears at the top of the details page of the finding.
  • With the Premium and Enterprise tiers of Security Command Center, if a finding has an attack exposure score, you can display the summary to the right of the attack path by clicking the attack exposure score and then AI summary.

Required IAM permissions for AI-generated summaries

To view the AI summaries, you need the required IAM permissions.

For findings, you need the securitycenter.findingexplanations.get IAM permission. The least-permissive predefined IAM role that contains this permission is the Security Center Findings Viewer (roles/securitycenter.findingsViewer) role.

For attack paths, you need the securitycenter.exposurepathexplan.get IAM permission. The least-permissive predefined IAM role that contains this permission is the Security Center Exposure Paths Reader (roles/securitycenter.exposurePathsViewer) role.

During the preview, these permissions are not available in the Google Cloud console to add to custom IAM roles.

To add the permission to a custom role, you can use the Google Cloud CLI.

For information about using the Google Cloud CLI to add permissions to a custom role, see Create and manage custom roles.

Natural language search for threat investigations

You can generate searches for threat findings, alerts, and other information by using natural language queries and Gemini. For more information, see Use natural language to generate UDM Search queries in the Google SecOps documentation.

AI Investigation widget for cases

To help you understand and investigate cases for findings and alerts, Gemini provides a summary of each case and suggests the next steps you can take to investigate the case. The summary and next steps appear in the AI investigation widget when you are viewing a case.

Actionable security insights

Security Command Center's built-in and integrated Google Cloud services continuously monitor your assets and logs for indicators of compromise and configuration changes that match known threats, vulnerabilities, and misconfigurations. To provide context for incidents, findings are enriched with information from the following sources:

  • With the Enterprise and Premium tiers:
    • AI-generated summaries that help you understand and act on Security Command Center findings and any attack paths included with them. For more information, see AI-generated summaries.
    • Vulnerability findings include information from their corresponding CVE entries, including the CVE score, and assessments from Mandiant of the vulnerability's potential impact and potential for being exploited.
    • Powerful SIEM and SOAR search capabilities, which let you investigate threats and vulnerabilities and pivot through related entities in a unified timeline.
  • VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.
  • MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance.
  • Cloud Audit Logs (Admin Activity logs and Data Access logs).

You get notifications for new findings in near real-time, helping your security teams gather data, identify threats, and act on recommendations before they result in business damage or loss.

With a centralized view of your security posture and a robust API, you can quickly do the following:

  • Answer questions like:
    • What static IP addresses are open to the public?
    • What images are running on your VMs?
    • Is there evidence that your VMs are being used for cryptocurrency mining or other abusive operations?
    • Which service accounts have been added or removed?
    • How are firewalls configured?
    • Which storage buckets contain personally identifiable information (PII) or sensitive data? This feature requires integration with Sensitive Data Protection.
    • Which cloud applications are vulnerable to cross-site scripting (XSS) vulnerabilities?
    • Are any of my Cloud Storage buckets open to the internet?
  • Take actions to protect your assets:
    • Implement verified remediation steps for asset misconfigurations and compliance violations.
    • Combine threat intelligence from Google Cloud and third-party providers, such as Palo Alto Networks, to better protect your enterprise from costly compute layer threats.
    • Ensure the appropriate IAM policies are in place and get alerts when policies are misconfigured or unexpectedly changed.
    • Integrate findings from your own or third-party sources for Google Cloud resources, or other hybrid or multicloud resources. For more information, see Adding a third-party security service.
    • Respond to threats in your Google Workspace environment and unsafe changes in Google Groups.

Identity and access misconfigurations

Security Command Center makes it easier for you to identify and resolve findings of identity and access misconfigurations on Google Cloud. Misconfiguration findings identify principals (identities) that are misconfigured or that have excessive or sensitive IAM permissions (access) to Google Cloud resources.

Cloud Infrastructure Entitlement Management

The management of identity and access-related security issues is sometimes referred to as cloud infrastructure entitlement management (CIEM). Security Command Center offers CIEM capabilities that help provide a comprehensive view of the security of your organization's identity and access configuration. Security Command Center offers these capabilities for multiple cloud platforms, including Google Cloud and Amazon Web Services (AWS). With CIEM, you can see which principals have excessive permissions in your cloud environments. In addition to Google Cloud IAM, CIEM supports the ability to investigate the permissions that principals from other identity providers (such as Entra ID (Azure AD) and Okta) have on your Google Cloud resources. You can see the most severe identity and access findings from multiple cloud providers in the Identity and access findings pane on the Security Command Center Overview page in the Google Cloud console.

For more information regarding Security Command Center's CIEM capabilities, see Overview of Cloud Infrastructure Entitlement Management.

Identity and access query presets

On the Vulnerability page in the Google Cloud console, you can select query presets (predefined queries) that show the vulnerability detectors or categories that are related to identity and access. For each category, the number of active findings is displayed.

For more information about the query presets, see Apply query presets.

Manage compliance with industry standards

Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

For more information about managing compliance, see Assess and report compliance with security standards.

Security standards supported on Google Cloud

Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:

Security standards supported on AWS

Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:

Flexible platform to meet your security needs

Security Command Center includes customization and integration options that let you enhance the service's utility to meet your evolving security needs.

Customization options

Customization options include the following:

  • Create custom modules for Security Health Analytics to define your own detection rules for vulnerabilities, misconfigurations, or compliance violations.
  • Create custom modules for Event Threat Detection to monitor your Logging stream for threats based on parameters that you specify.
  • Create security postures that help you monitor for any environment changes that might impact your compliance with various regulatory standards.

Integration options

Integration options include the following:

  • Use Pub/Sub to export findings to Splunk or other SIEMs for analysis.
  • Use Pub/Sub and Cloud Run functions to quickly and automatically remediate findings.
  • Access open-source tools to expand functionality and automate responses.
  • Integrate with Google Cloud security services, including the following:
    • Google SecOps
    • Anomaly Detection
    • Binary Authorization
    • Sensitive Data Protection
    • Google Cloud Armor
    • Risk Manager
    • VM Manager
    • Policy Controller
  • Integrate with third-party partner security solutions:
    • Google Cloud security insights from partner products are aggregated in Security Command Center, and you can feed them into existing systems and workflows.
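The Pub/Sub and Cloud Run remediation pattern from the list above, as an added example that is not code from the Google Cloud documentation or from Security Command Center itself: a Python handler decodes a Pub/Sub push envelope carrying a finding notification, skips findings that are inactive, muted, below the chosen severity, or flagged by a security mark used as an allowlist, and routes the rest to a remediation handler by finding category. The envelope, the sample finding, the `remediation_allowlisted` mark name, and the category strings are constructed for the example, and the handlers only describe the action they would take.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Callable, Dict

# Severities this example remediates automatically (an assumption; the page
# notes that cases open automatically for HIGH and CRITICAL findings).
AUTO_REMEDIATE_SEVERITIES = {"CRITICAL", "HIGH"}

# Security mark treated here as an allowlist flag (constructed mark name).
ALLOWLIST_MARK = "remediation_allowlisted"


@dataclass
class Finding:
    name: str
    category: str
    severity: str
    state: str
    mute: str
    resource_name: str
    marks: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def from_notification(msg: dict) -> "Finding":
        # A finding notification carries the finding under the "finding" key.
        f = msg["finding"]
        return Finding(
            name=f["name"],
            category=f["category"],
            severity=f.get("severity", "SEVERITY_UNSPECIFIED"),
            state=f.get("state", "STATE_UNSPECIFIED"),
            mute=f.get("mute", "UNDEFINED"),
            resource_name=f.get("resourceName", ""),
            marks=f.get("securityMarks", {}).get("marks", {}),
        )


def decode_push_envelope(envelope: dict) -> dict:
    """Decode a Pub/Sub push body; Pub/Sub base64-encodes message.data."""
    raw = base64.b64decode(envelope["message"]["data"])
    return json.loads(raw.decode("utf-8"))


def triage(finding: Finding) -> str:
    """Return "remediate" or "skip:<reason>" for a finding."""
    if finding.state != "ACTIVE":
        return "skip:inactive"
    if finding.mute == "MUTED":
        return "skip:muted"
    if finding.marks.get(ALLOWLIST_MARK) == "true":
        return "skip:allowlisted"
    if finding.severity not in AUTO_REMEDIATE_SEVERITIES:
        return "skip:low-severity"
    return "remediate"


# Handlers keyed by finding category (constructed category strings). Real
# handlers would call a Google Cloud API; these only describe the action.
def fix_public_bucket_acl(f: Finding) -> str:
    return f"remove public ACL entries from {f.resource_name}"


def fix_open_ssh_port(f: Finding) -> str:
    return f"restrict source ranges on firewall rule {f.resource_name}"


HANDLERS: Dict[str, Callable[[Finding], str]] = {
    "PUBLIC_BUCKET_ACL": fix_public_bucket_acl,
    "OPEN_SSH_PORT": fix_open_ssh_port,
}


def handle_pubsub_push(envelope: dict) -> dict:
    """Entry point a Cloud Run service calls with the parsed request body."""
    finding = Finding.from_notification(decode_push_envelope(envelope))
    decision = triage(finding)
    result = {"finding": finding.name, "category": finding.category,
              "decision": decision, "action": None}
    if decision == "remediate":
        handler = HANDLERS.get(finding.category)
        if handler is None:
            # No automated fix: leave the finding to its case owner.
            result["decision"] = "escalate:no-handler"
        else:
            result["action"] = handler(finding)
    return result


def make_envelope(finding: dict) -> dict:
    """Wrap a constructed notification the way Pub/Sub push delivers it."""
    body = {"notificationConfigName": "organizations/EXAMPLE_ORG_ID/"
            "notificationConfigs/remediate", "finding": finding}
    data = base64.b64encode(json.dumps(body).encode("utf-8")).decode("ascii")
    return {"message": {"data": data, "messageId": "1"},
            "subscription": "projects/EXAMPLE_PROJECT/subscriptions/remediate"}


# Constructed sample finding; identifiers and the bucket are placeholders.
SAMPLE_PUBLIC_BUCKET = {
    "name": "organizations/EXAMPLE_ORG_ID/sources/EXAMPLE_SOURCE_ID/findings/f1",
    "category": "PUBLIC_BUCKET_ACL",
    "severity": "HIGH", "state": "ACTIVE", "mute": "UNMUTED",
    "resourceName": "//storage.googleapis.com/example-public-bucket",
    "securityMarks": {"marks": {}},
}
```

Calling `handle_pubsub_push(make_envelope(SAMPLE_PUBLIC_BUCKET))` returns a decision of `remediate` with the handler's described action; a real service would then call the relevant API and update the finding's security marks to record what it did.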

When to use Security Command Center

The following sections list high-level product features, their use cases, and links to relevant documentation to help you quickly find the content you need.

Asset identification and review
  Use cases:
    • View in one place all of the assets, services, and data from across your organization or project, and from across your cloud platforms.
    • Assess vulnerabilities for supported assets, and take action to prioritize fixes for the most severe issues.
  Related docs:
    • Security Command Center best practices
    • Access control
    • Using Security Command Center in the Google Cloud console

Sensitive data identification
  Use cases:
    • Find out where sensitive and regulated data is stored using Sensitive Data Protection.
    • Help prevent unintended exposure and ensure access is on a need-to-know basis.
    • Designate resources that contain medium-sensitivity data or high-sensitivity data as high-value resources automatically.
  Related docs:
    • Sending Sensitive Data Protection results to Security Command Center

Third-party SIEM and SOAR product integration
  Use cases:
    • Easily export Security Command Center data to external SIEM and SOAR systems.
  Related docs:
    • Exporting Security Command Center data
    • Continuous exports

Misconfiguration detection
  Use cases:
    • Detect misconfigurations that can leave your cloud infrastructure vulnerable.
    • Detect misconfigurations in your deployments on other cloud service providers.
    • Improve your compliance with security standards by viewing misconfiguration findings by the security standard controls that they violate.
    • Prioritize the remediation of misconfiguration findings by their attack exposure scores.
  Related docs:
    • Security Health Analytics overview
    • Web Security Scanner overview
    • Vulnerabilities findings

Software vulnerability detection
  Use cases:
    • Detect software vulnerabilities in workloads on virtual machines and containers across cloud service providers.
    • Be proactively alerted to new vulnerabilities and changes in your attack surface.
    • Uncover common vulnerabilities like cross-site scripting (XSS) and Flash injection that put your applications at risk.
    • With Security Command Center Premium, prioritize vulnerability findings by using CVE information, including assessments of exploitability and impact provided by Mandiant.
  Related docs:
    • GKE security posture dashboard
    • VM Manager
    • Web Security Scanner overview
    • Vulnerabilities findings

Identity and access control monitoring
  Use cases:
    • Help ensure the appropriate access control policies are in place across your Google Cloud resources and get alerted when policies are misconfigured or unexpectedly change.
    • Use query presets to quickly view findings for identity and access misconfigurations and roles that are granted excessive permissions.
  Related docs:
    • IAM Recommender
    • Access control
    • Identity and access misconfigurations

Threat detection
  Use cases:
    • Detect malicious activities and actors in your infrastructure, and get alerts for active threats.
    • Detect threats on other cloud platforms.
  Related docs:
    • Manage threats
    • Event Threat Detection overview
    • Container Threat Detection overview

Error detection
  Use cases:
    • Be alerted to errors and misconfigurations that prevent Security Command Center and its services from working as intended.
  Related docs:
    • Security Command Center errors overview

Prioritize remediations
  Use cases:
    • Use attack exposure scores to prioritize the remediation of vulnerability and misconfiguration findings.
    • Use attack exposure scores on resources to proactively secure the resources that are the most valuable to your business.
  Related docs:
    • Overview of attack exposure scores and attack paths

Remediate risks
  Use cases:
    • Implement verified and recommended remediation instructions to quickly safeguard assets.
    • Focus on the most important fields in findings to help security analysts quickly make informed triage decisions.
    • Enrich and connect related vulnerabilities and threats to identify and capture TTPs.
    • Resolve errors and misconfigurations that prevent Security Command Center and its services from working as intended.
  Related docs:
    • Investigating and responding to threats
    • Remediating Security Health Analytics findings
    • Remediating Web Security Scanner findings
    • Security response automation
    • Remediating Security Command Center errors

Posture management
  Use cases:
    • Ensure that your workloads conform to security standards, compliance regulations, and your organization's custom security requirements.
    • Apply your security controls to Google Cloud projects, folders, or organizations before you deploy any workloads.
    • Continuously monitor for and resolve any drift from your defined security controls.
  Related docs:
    • Security posture overview
    • Manage a security posture

Third-party security tool inputs
  Use cases:
    • Integrate output from your existing security tools like Cloudflare, CrowdStrike, Prisma Cloud by Palo Alto Networks, and Qualys, into Security Command Center. Integrating output can help you to detect the following:
      • DDoS attacks
      • Compromised endpoints
      • Compliance policy violations
      • Network attacks
      • Instance vulnerabilities and threats
  Related docs:
    • Configuring Security Command Center
    • Creating and managing security sources

Real-time notifications
  Use cases:
    • Get Security Command Center alerts through email, SMS, Slack, WebEx, and other services with Pub/Sub notifications.
    • Adjust finding filters to exclude findings on allowlists.
  Related docs:
    • Setting up finding notifications
    • Enabling real-time email and chat notifications
    • Using security marks
    • Exporting Security Command Center data
    • Filtering notifications
    • Add assets to allowlists

REST API and Client SDKs
  Use cases:
    • Use the Security Command Center REST API or client SDKs for easy integration with your existing security systems and workflows.
  Related docs:
    • Configuring Security Command Center
    • Security Command Center client libraries
    • Security Command Center API

Data residency controls

To meet data residency requirements, when you activate Security Command Center Standard or Premium for the first time, you can enable data residency controls.

Enabling data residency controls restricts the storage and processing of Security Command Center findings, mute rules, continuous exports, and BigQuery exports to one of the data residency multi-regions that Security Command Center supports.

For more information, see Planning for data residency.

Security Command Center service tiers

Security Command Center offers three service tiers: Standard, Premium, and Enterprise.

The tier you select determines the features and services that are available with Security Command Center.

If you have questions about the Security Command Center service tiers, contact your account representative or Google Cloud sales.

For information about costs associated with using a Security Command Center tier, see Pricing.

Standard tier

The Standard tier includes the following services and features:

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:

    • Dataproc image outdated
    • Legacy authorization enabled
    • MFA not enforced
    • Non org IAM member
    • Open ciscosecure websm port
    • Open directory services port
    • Open firewall
    • Open group IAM member
    • Open RDP port
    • Open SSH port
    • Open Telnet port
    • Public bucket ACL
    • Public Compute image
    • Public dataset
    • Public IP address
    • Public log bucket
    • Public SQL instance
    • SSL not enforced
    • Web UI enabled
  • Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren't behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
  • Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly.
  • Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub.
  • Access to integrated Google Cloud services, including the following:

    • Sensitive Data Protection discovers, classifies, and protects sensitive data.
    • Google Cloud Armor protects Google Cloud deployments against threats.
    • Anomaly Detection identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining.
    • Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters.
  • GKE security posture dashboard findings: view findings about Kubernetes workload security misconfigurations, actionable security bulletins, and vulnerabilities in the container operating system or in language packages. The integration of GKE security posture dashboard findings with Security Command Center is available in Preview.
  • Integration with BigQuery, which exports findings to BigQuery for analysis.
  • Sensitive Actions Service, which detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they are taken by a malicious actor.
  • When Security Command Center is activated at the organization level, you can grant users IAM roles at the organization, folder, and project levels.
  • Data residency controls that restrict the storage and processing of Security Command Center findings, mute rules, continuous exports, and BigQuery exports to one of the data residency multi-regions that Security Command Center supports.

    For more information, see Planning for data residency.

Premium tier

The Premium tier includes all of the Standard tier services and features and the following additional services and features:

  • Attack path simulations help you identify and prioritize vulnerability and misconfiguration findings by identifying the paths that a potential attacker could take to reach your high-value resources. The simulations calculate and assign attack exposure scores to any findings that expose those resources. Interactive attack paths help you visualize the possible attack paths and provide information about the paths, related findings, and the affected resources.
  • Vulnerability findings include CVE assessments provided by Mandiant to help you prioritize their remediation.

    On the Overview page in the console, the Top CVE findings section shows you vulnerability findings grouped by their exploitability and potential impact, as assessed by Mandiant. On the Findings page, you can query findings by CVE ID.

    For more information, see Prioritize by CVE impact and exploitability.

  • Event Threat Detection monitors Cloud Logging and Google Workspace, using threat intelligence, machine learning, and other advanced methods to detect threats, such as malware, cryptocurrency mining, and data exfiltration. For a full list of built-in Event Threat Detection detectors, see Event Threat Detection rules. You can also create custom Event Threat Detection detectors. For information about module templates that you can use to create custom detection rules, see Overview of custom modules for Event Threat Detection.
  • Container Threat Detection detects the following container runtime attacks:
    • Added Binary Executed
    • Added Library Loaded
    • Execution: Added Malicious Binary Executed
    • Execution: Added Malicious Library Loaded
    • Execution: Built in Malicious Binary Executed
    • Execution: Modified Malicious Binary Executed
    • Execution: Modified Malicious Library Loaded
    • Malicious Script Executed
    • Reverse Shell
    • Unexpected Child Shell
  • The following Policy Intelligence features are available:

    • Advanced IAM recommender features, including the following:
      • Recommendations for non-basic roles
      • Recommendations for roles granted on resources other than organizations, folders, and projects—for example, recommendations for roles granted on Cloud Storage buckets
      • Recommendations that suggest custom roles
      • Policy insights
      • Lateral movement insights
    • Policy Analyzer at scale (above 20 queries per organization per day). This limit is shared among all Policy Analyzer tools.
    • Visualizations for Organization Policy analysis.
  • You can query assets in Cloud Asset Inventory.
  • Virtual Machine Threat Detection detects potentially malicious applications running in VM instances.
  • Security Health Analytics at the Premium tier includes the following features:

    • Managed vulnerability scans for all Security Health Analytics detectors
    • Monitoring for many industry best practices
    • Compliance monitoring. Security Health Analytics detectors map to the controls of the common security benchmarks.
    • Custom module support, which you can use to create your own custom Security Health Analytics detectors.

    In the Premium tier, Security Health Analytics supports the standards described in Manage compliance with industry standards.

  • Web Security Scanner in the Premium tier includes all Standard tier features and additional detectors that support categories in the OWASP Top Ten. Web Security Scanner also adds managed scans that are automatically configured.
  • Compliance monitoring across your Google Cloud assets.

    To measure your compliance with common security benchmarks and standards, detectors of the Security Command Center vulnerability scanners are mapped to common security standard controls.

    You can view your compliance with the standards, identify non-compliant controls, export reports, and more. For more information, see Assess and report compliance with security standards.

  • You can request for additional Cloud Asset Inventory quota if the need for extended asset monitoring arises.
  • The security posture service lets you define, assess, and monitor the overall status of your security in Google Cloud. The security posture service is only available in the Security Command Center Premium tier for customers who purchase a fixed-price subscription and activate Security Command Center Premium tier at the organization level. The security posture service doesn't support pay-as-you-go billing or project-level activations.
  • The IaC validation feature lets you validate your infrastructure as code (IaC) against the organization policies and Security Health Analytics detectors that you have defined in your Google Cloud organization. This feature is only available in the Security Command Center Premium tier for customers who purchase a fixed-price subscription and activate Security Command Center Premium tier at the organization level. This feature doesn't support pay-as-you-go billing or project-level activations.
  • VM Manager vulnerability reports
    • If you enable VM Manager, the service automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in the operating systems installed on Compute Engine virtual machines. For more information, see VM Manager.

Enterprise tier

The Enterprise tier is a full cloud-native application protection platform (CNAPP) that enables SOC analysts, vulnerability analysts, and other cloud security professionals to manage security across multiple cloud service providers in one centralized place.

The Enterprise tier offers detection and investigation capabilities, case management support, and posture management, including the ability to define and deploy custom posture rules and quantify and visualize the risk that vulnerabilities and misconfigurations pose to your cloud environment.

The Enterprise tier includes all of the Standard and Premium tier services and features, as well as the following additional services and features:

Enterprise tier functions and services summary

The Enterprise tier includes all of the Standard tier and Premium tier services and features that are released to General Availability.

The Enterprise tier adds the following services and features to Security Command Center:

  • Toxic combination detection, powered by the Security Command Center Risk Engine. For more information, see Overview of toxic combinations.
  • Multicloud support. You can connect Security Command Center to other cloud providers, such as AWS, to detect threats, vulnerabilities, and misconfigurations. Also, after specifying your high-value resources on the other provider, you can also assess their exposure to attack with attack exposure scores and attack paths.
  • SIEM (security information and event management) capabilities for cloud environments. Scan logs and other data for threats for multiple cloud environments, define threat detection rules, and search the accumulated data. For more information, see Google SecOps SIEM documentation.
  • SOAR (security orchestration, automation, and response) capabilities for cloud environments. Manage cases, define response workflows, and search the response data. For more information, see Google SecOps SOAR documentation.
  • CIEM (Cloud Infrastructure Entitlement Management) capabilities for cloud environments. Identify principal accounts (identities) that are misconfigured or that are granted excessive or sensitive IAM permissions (access) to your cloud resources. For more information, see Overview of Cloud Infrastructure Entitlement Management.
  • Expanded detection of software vulnerabilities in VMs and containers across your cloud environments with the following built-in and integrated Google Cloud services:
    • Google Kubernetes Engine (GKE) Enterprise edition
    • Vulnerability Assessment for AWS
    • VM Manager

Enterprise tier functions powered by Google Security Operations

The case management function, playbook features, and other SIEM and SOAR functionalities of the Enterprise tier of Security Command Center are powered by Google Security Operations. When you use some of these features and functions, you might see the Google SecOps name in the web interface and might be directed to the Google SecOps documentation for guidance.

Certain Google SecOps features are unsupported or limited with Security Command Center, but their use might not be disabled or limited in early subscriptions to the Enterprise tier. Use the following features and functions only in accordance with their stated limitations:

  • Ingestion of cloud logs is limited to logs that are relevant for cloud threat detection, such as the following:

    • Google Cloud

      • Cloud Audit Logs Admin Activity Logs
      • Cloud Audit Logs Data Access Logs
      • Compute Engine syslog
      • GKE Audit Log
    • Google Workspace

      • Google Workspace events
      • Google Workspace alerts
    • AWS

      • CloudTrail audit logs
      • Syslog
      • Auth logs
      • GuardDuty events
  • Curated detections are limited to those that detect threats in cloud environments.

  • Google Cloud Marketplace integrations are limited to the following:

    • Siemplify
    • Tools
    • VirusTotal V3
    • Google Cloud Asset Inventory
    • Google Security Command Center
    • Jira
    • Functions
    • Google Cloud IAM
    • Email V2
    • Google Cloud Compute
    • Google Chronicle
    • Mitre Att&ck
    • Mandiant Threat Intelligence
    • Google Cloud Policy Intelligence
    • Google Cloud Recommender
    • Siemplify Utilities
    • Service Now
    • CSV
    • SCC Enterprise
    • AWS IAM
    • AWS EC2
  • The number of custom single-event rules is limited to 20 rules.

  • Risk Analytics for UEBA (user and entity behavior analytics) is unavailable.

  • Applied Threat Intelligence is unavailable.

  • Gemini support for Google SecOps is limited to natural-language search and case investigation summaries.

  • Data retention is limited to three months.

Security Command Center activation levels

You can activate Security Command Center on an individual project, which is known as project-level activation, or on an entire organization, which is known as organization-level activation.

The Enterprise tier requires an organization-level activation.

For more information about activating Security Command Center, see Overview of activating Security Command Center.

What's next

  • Learn about activating Security Command Center.
  • Learn more about Security Command Center detection services.
  • Learn how to use Security Command Center in the Google Cloud console.