Two types of services run on Security Command Center: built-in services and integrated services. Built-in services are part of Security Command Center. Integrated services are Google Cloud or third-party services that provide findings to Security Command Center.
This page describes how to configure built-in services and integrated services.
Enable or disable a built-in service
The following built-in services are part of Security Command Center:
- Container Threat Detection
- Event Threat Detection
- Security Health Analytics
- Security posture
- Sensitive Actions Service
- Virtual Machine Threat Detection
- Vulnerability Assessment for Amazon Web Services (AWS)
- Web Security Scanner
Some built-in services are only available with the Security Command Center Premium or Enterprise tiers. Learn more about Security Command Center tiers.
You can't enable or disable the Security posture service; it is available by default when you activate the Security Command Center Enterprise tier.
Most built-in services can be enabled for your entire organization or just for selected folders or projects. By default, folders and projects inherit service enablement settings from their parent organization or folder.
The Vulnerability Assessment for AWS service can be enabled only for a Google Cloud organization and requires that you establish a connection between Security Command Center and AWS.
The Container Threat Detection service can be enabled only for clusters. For information about required permissions for Container Threat Detection, see Required IAM permissions.
To enable or disable a Security Command Center service for a resource, do the following:
1. In the Google Cloud console, go to the Security Command Center page.
2. Select the organization, folder, or project for which you need to manage services.
3. Click Settings.
4. For the service that you want to modify, click Manage settings.
5. On the Service enablement tab, in the hierarchical view of resources, select the organization, folder, project, or container for which you need to enable the service. If you are enabling the Vulnerability Assessment for AWS service, select Enable.
6. For that resource, set the service to Enable, Disable, or Inherit.
Some services, like Security Health Analytics, operate using batch scans. When you disable such a service, the change might not be reflected immediately. The change is effective after all ongoing batch scans are complete. This can lead to a scenario where new vulnerabilities are still detected for a short period after you disable the service.
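The Enable, Disable, and Inherit settings resolve down the resource hierarchy, so a project's effective state depends on the nearest ancestor with an explicit setting. The following added example (not Google's code; the organization, folder, and project names and their settings are constructed) models that resolution for one service and includes an audit helper that lists every resource where the service is effectively off:

```python
# Added example, not Google's code: a model of how a built-in service's
# enablement setting resolves through the Google Cloud resource hierarchy.
# Each resource is set to ENABLE, DISABLE, or INHERIT; INHERIT (the default
# for folders and projects) takes the parent's effective setting.
from enum import Enum
from typing import Dict, List, Optional, Tuple

class State(Enum):
    ENABLE = "ENABLE"
    DISABLE = "DISABLE"
    INHERIT = "INHERIT"

# Constructed hierarchy: child -> parent (the organization has no parent).
PARENT: Dict[str, Optional[str]] = {
    "organizations/123": None,
    "folders/200": "organizations/123",        # engineering
    "folders/210": "folders/200",              # engineering/legacy
    "projects/api-prod": "folders/200",
    "projects/legacy-batch": "folders/210",
    "projects/legacy-etl": "folders/210",
    "projects/sandbox": "organizations/123",
}

# Constructed explicit settings for one service (say, Security Health
# Analytics). Resources missing from this map are INHERIT.
SETTINGS: Dict[str, State] = {
    "organizations/123": State.ENABLE,
    "folders/210": State.DISABLE,          # turned off for the legacy folder
    "projects/legacy-etl": State.ENABLE,   # one project re-enabled below it
}

def effective_state(resource: str, settings: Dict[str, State] = SETTINGS,
                    parent: Dict[str, Optional[str]] = PARENT) -> Tuple[State, Optional[str]]:
    """Return the effective state and the resource whose explicit setting supplied it."""
    node: Optional[str] = resource
    while node is not None:
        state = settings.get(node, State.INHERIT)
        if state is not State.INHERIT:
            return state, node
        node = parent[node]
    # Nothing explicit all the way up: the organization was left on INHERIT,
    # so the service is not configured anywhere on this path.
    return State.INHERIT, None

def disabled_resources(settings: Dict[str, State] = SETTINGS,
                       parent: Dict[str, Optional[str]] = PARENT) -> List[str]:
    """Audit helper: every resource where the service is effectively off."""
    return sorted(r for r in parent
                  if effective_state(r, settings, parent)[0] is State.DISABLE)
```

Running `disabled_resources()` on the constructed data reports the legacy folder and the one project under it that did not re-enable the service, which is the list a reviewer would check before assuming coverage is complete.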
View and edit the detectors of a service
For some services (for example, Security Health Analytics), you can enable or disable certain detectors, also known as modules. To configure the detectors of a service and view their current statuses, do the following:
1. In the Google Cloud console, go to the Security Command Center page.
2. Select the organization, folder, or project for which you need to manage services.
3. Click Settings.
4. For the service that you want to view, click Manage settings.
5. Click the Modules tab. The service's detectors are displayed, along with their respective statuses.
6. Find the detector that you want to modify, and set its status to Enable or Disable.
Add integrated Google Cloud services to Security Command Center
You can add an integrated service to an organization-level activation of Security Command Center. Project-level activations don't support integrated Google Cloud services.
The following are Google Cloud security services that integrate with organization-level activations of Security Command Center:
- Assured Open Source Software (Assured OSS)
- Mandiant Attack Surface Management
- Anomaly Detection
- Google Cloud Armor
- IAM Recommender
- Sensitive Data Protection
- VM Manager (Preview)
For more information about these services, see Detection services for vulnerabilities and threats.
1. In the Google Cloud console, go to the Security Command Center page.
2. Select your organization or project.
3. Click Settings.
4. Click the Integrated services tab.
5. Next to the integrated source that you want to enable, click the Status list and select Enable.
Findings from the services that you enable are displayed on the Findings page in the Security Command Center dashboard.
Some Google Cloud security services require additional integration steps that you must complete. See the following:
- To configure the Assured OSS integration, see Integrate with Assured OSS.
- To configure the Sensitive Data Protection integration, see Integrate with Sensitive Data Protection.
To disable an integrated service, next to its name, click the list and select Disable.
Add a third-party security service
Organization-level activations of Security Command Center can display findings from third-party security services that have registered as Cloud Marketplace partners.
Project-level activations of Security Command Center don't support third-party services.
To integrate security services that aren't registered as Cloud Marketplace partners, ask the providers to complete the guide to Onboard as a Security Command Center partner.
To add a new third-party security service to Security Command Center, you set up the security service, and then enable it in the Google Cloud console.
Before you begin
To add a security service for a registered Cloud Marketplace partner, you need the following:
- The following Identity and Access Management (IAM) roles:
  - Security Center Admin (`roles/securitycenter.admin`)
  - Service Account Admin (`roles/iam.serviceAccountAdmin`)
- A Google Cloud project that you want to use for the security service.
Set up a security service
To set up a third-party security service, you need a service account for that service. When you add the new security service, you can choose from the following service account options:
- Create a service account.
- Use your own existing service account.
- Use a service account from the service provider.
To set up a new security service that's already registered as a Cloud Marketplace partner, complete the following:
1. Go to the Security Command Center Services Marketplace page in the Google Cloud console. The Marketplace page displays security services that are directly associated with Security Command Center.
   - If you don't see the security service that you want to add, search for Security, and then select the security service provider.
   - If the security service provider isn't registered in the Cloud Marketplace, ask your provider to complete the guide to Onboard as a Security Command Center partner.
2. On the security service provider page in the Cloud Marketplace, follow any provider setup instructions in the Overview.
When configured correctly, the security service you added is available in Security Command Center.
After you set up a new security service, you need to enable it in the Google Cloud console.
Enable the security service
Third-party security services use service accounts that might be outside your organization.
1. In the Google Cloud console, go to the Security Command Center page.
2. Select your organization or project.
3. Click Settings.
4. Click the Integrated services tab.
5. Next to the integrated source that you want to enable, click the Status list and select Enable.
Findings from the services that you enable are displayed on the Findings page in the Security Command Center dashboard.
Change the service account of a security service
You can change the service account used for a third-party security service, for example to respond to a leaked service account or to rotate it. To change the service account for a security service, you first update it in the Google Cloud console, and then follow the service provider's instructions to update the service account on their side.
1. In the Google Cloud console, go to the Security Command Center page.
2. Select your organization or project.
3. Click Settings.
4. Click the Integrated services tab.
5. In the drop-down list next to the integrated service:
   - Select Disabled to temporarily disable the integrated service.
   - Select Manage service account.
6. On the Edit [provider name] panel that appears, enter the new service account, then click Submit.
7. In the drop-down list next to the integrated service, select Enabled to enable the security service.
When configured correctly, the service account for the integrated service is updated in Security Command Center. Follow the service provider's instructions to update the service account information for their service.
What's next
- Learn about Google Cloud security services and how to view the vulnerabilities and threats they surface.
- Learn how to optimize Security Command Center.
- Export logs to Cloud Logging.
- Configure attack exposure scores to assess risk.