Security Command Center
Discover
Product overview
Service tiers
Data and infrastructure security overview
Activate Security Command Center
Activation overview
Data residency
Plan for data residency
Security Command Center regional endpoints
When to expect findings
Control access with IAM
Overview of access control with IAM
Control access with organization-level activations
Control access with project-level activations
Configure custom organization policies
Activate Security Command Center Standard or Premium
Activate Security Command Center Standard or Premium for an organization
Enable CMEK for Security Command Center
Activate Security Command Center Standard or Premium for a project
Feature availability with project-level activations
Activate Security Command Center Enterprise for an organization
Activate Security Command Center Enterprise
Connect to AWS for configuration and resource data collection
Connect to Azure for configuration and resource data collection
Control access to features in SecOps console pages
Map and authenticate users to enable SOAR-related features
Integrate Security Command Center Enterprise with ticketing systems
Connect to AWS for log data collection
Connect to Azure for log data collection
Enable sensitive data discovery
Integrate with Assured OSS
Advanced configuration for threat management
Update the Enterprise use case for SOAR
Configure additional Security Command Center Enterprise features
Manage SOAR settings
Update AWS connection settings
Use Security Command Center in the Google Cloud console
Configure Security Command Center
Choose security sources
Configure Security Command Center services
Provision Security Command Center resources with Terraform
Connect to other cloud providers
Amazon Web Services (AWS)
Connect to AWS for configuration and resource data collection
Modify the connector for AWS
Microsoft Azure
Connect to Azure for configuration and resource data collection
Modify the connector for Azure
Security Command Center best practices
Cryptomining detection best practices
Integrate with other products
Google Security Operations SOAR
Cortex XSOAR
Elastic Stack
Elastic Stack using Docker
QRadar
ServiceNow
Snyk
Splunk
Work with findings and assets
Review and manage findings in the console
Edit findings queries
Inspect assets monitored by Security Command Center
Mute findings
Mute findings
Migrate from static to dynamic mute rules
Annotate findings and assets with security marks
Configure notifications and exports
Export Security Command Center data
Enable finding notifications for Pub/Sub
Stream findings to BigQuery
Bulk export findings to BigQuery
Export logs to Cloud Logging
Enable real-time email and chat notifications
Finding reference
Finding classes
Finding severities
Finding states
Work with issues
Issues overview
Predefined security graph rules
Manage and remediate issues
Explore the security graph
Work with cases
Cases overview
Using the workdesk
Determine ownership for posture findings
Group findings in cases
Mute findings in cases
Assign tickets in cases
Working with alerts
Work with playbooks
Playbooks overview
Automate IAM recommendations using playbooks
Enable public bucket remediation
Manage security postures
Security posture overview
Manage a security posture
Posture templates
Secure by default, essentials
Secure by default, extended
Secure AI, essentials
Secure AI, extended
Google Cloud services
BigQuery
Cloud Storage, essentials
Cloud Storage, extended
VPC networking, essentials
VPC networking, extended
Compliance standards
CIS Benchmark 2.0
ISO 27001
NIST 800-53
PCI DSS
Validate infrastructure as code
Validate IaC against your policies
Supported asset types and policies for IaC validation
Integrate IaC validation with Cloud Build
Integrate IaC validation with Jenkins
Integrate IaC validation with GitHub Actions
Create a sample IaC validation report
Manage security posture resources by using custom constraints
Assess risk
Assess risk at a glance
Assess risk with attack exposure scores and attack paths
Overview
Define your high-value resource set
Risk Engine feature support
Identify high-sensitivity data with Sensitive Data Protection
Capture risk data
Risk reports overview
Download risk reports
Detect and investigate threats
Detect threats
Detect threats to GKE containers
Container Threat Detection overview
Test Container Threat Detection
Use Container Threat Detection
Detect threats to Cloud Run containers
Cloud Run Threat Detection overview
Use Cloud Run Threat Detection
Detect threats from event logging
Event Threat Detection overview
Test Event Threat Detection
Use Event Threat Detection
Allow Event Threat Detection to access VPC Service Controls perimeters
Custom modules for Event Threat Detection
Overview of custom modules for Event Threat Detection
Create and manage custom modules
Correlated Threats overview
Detect and review sensitive actions
Sensitive Actions Service overview
Test Sensitive Actions
Use Sensitive Actions
Detect threats to VMs
Virtual Machine Threat Detection overview
Using Virtual Machine Threat Detection
Allow VM Threat Detection to access VPC Service Controls perimeters
Enable Virtual Machine Threat Detection for AWS
Inspect a VM for signs of kernel memory tampering
Detect external anomalies
Threat findings reference
Threat findings index
AI
AI threat findings
Initial Access: Dormant Service Account Activity in AI Service
Persistence: New AI API Method
Persistence: New Geography for AI Service
Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity
Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity
Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access
Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity
Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access
Amazon EC2
Malware: Malicious file on disk
Backup and DR
Backup and DR threat findings
Impact: Deleted Google Cloud Backup and DR Backup
Impact: Deleted Google Cloud Backup and DR Vault
Impact: Deleted Google Cloud Backup and DR host
Impact: Deleted Google Cloud Backup and DR plan association
Impact: Google Cloud Backup and DR delete policy
Impact: Google Cloud Backup and DR delete profile
Impact: Google Cloud Backup and DR delete storage pool
Impact: Google Cloud Backup and DR delete template
Impact: Google Cloud Backup and DR expire all images
Impact: Google Cloud Backup and DR expire image
Impact: Google Cloud Backup and DR reduced backup expiration
Impact: Google Cloud Backup and DR reduced backup frequency
Impact: Google Cloud Backup and DR remove appliance
Impact: Google Cloud Backup and DR remove plan
BigQuery
BigQuery threat findings
Exfiltration: BigQuery Data Exfiltration
Exfiltration: BigQuery Data Extraction
Exfiltration: BigQuery Data to Google Drive
Exfiltration: Move to Public BigQuery resource
Cloud Run
Cloud Run threat findings
Execution: Added Malicious Binary Executed
Execution: Added Malicious Library Loaded
Execution: Built in Malicious Binary Executed
Execution: Container Escape
Execution: Cryptomining Docker Image
Execution: Kubernetes Attack Tool Execution
Execution: Local Reconnaissance Tool Execution
Execution: Malicious Python executed
Execution: Modified Malicious Binary Executed
Execution: Modified Malicious Library Loaded
Impact: Cryptomining Commands
Malicious Script Executed
Malicious URL Observed
Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy
Reverse Shell
Unexpected Child Shell
Cloud Storage
Cloud Storage threat findings
Defense Evasion: GCS Bucket IP Filtering Modified
Defense Evasion: Project HTTP Policy Block Disabled
Compute Engine
Compute Engine threat findings
Brute force SSH
Defense Evasion: Rootkit
Defense Evasion: Unexpected ftrace handler
Defense Evasion: Unexpected interrupt handler
Defense Evasion: Unexpected kernel modules
Defense Evasion: Unexpected kernel read-only data modification
Defense Evasion: Unexpected kprobe handler
Defense Evasion: Unexpected processes in runqueue
Defense Evasion: Unexpected system call handler
Execution: Cryptocurrency Mining Hash Match
Execution: Cryptocurrency Mining YARA Rule
Execution: cryptocurrency mining combined detection
Impact: GPU Instance Created
Impact: Managed Instance Group Autoscaling Set To Maximum
Impact: Many Instances Created
Impact: Many Instances Deleted
Lateral Movement: Modified Boot Disk Attached to Instance
Lateral Movement: OS Patch Execution From Service Account
Malware: Malicious file on disk (YARA)
Persistence: GCE Admin Added SSH Key
Persistence: GCE Admin Added Startup Script
Persistence: Global Startup Script Added
Privilege Escalation: Global Shutdown Script Added
Database
Database threat findings
Credential Access: CloudDB Failed login from Anonymizing Proxy IP
Exfiltration: Cloud SQL Data Exfiltration
Exfiltration: Cloud SQL Over-Privileged Grant
Exfiltration: Cloud SQL Restore Backup to External Organization
Initial Access: CloudDB Successful login from Anonymizing Proxy IP
Initial Access: Database Superuser Writes to User Tables
Privilege Escalation: AlloyDB Database Superuser Writes to User Tables
Privilege Escalation: AlloyDB Over-Privileged Grant
Google Kubernetes Engine
GKE threat findings
Added Binary Executed
Added Library Loaded
Collection: Pam.d Modification
Command and Control: Steganography Tool Detected
Credential Access: Access Sensitive Files On Nodes
Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR)
Credential Access: Find Google Cloud Credentials
Credential Access: GPG Key Reconnaissance
Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR)
Credential Access: Search Private Keys or Passwords
Credential Access: Secrets Accessed In Kubernetes Namespace
Defense Evasion: Anonymous Sessions Granted Cluster Admin Access
Defense Evasion: Base64 ELF File Command Line
Defense Evasion: Base64 Encoded Python Script Executed
Defense Evasion: Base64 Encoded Shell Script Executed
Defense Evasion: Breakglass Workload Deployment Created
Defense Evasion: Breakglass Workload Deployment Updated
Defense Evasion: Disable or Modify Linux Audit System
Defense Evasion: Launch Code Compiler Tool In Container
Defense Evasion: Manually Deleted Certificate Signing Request (CSR)
Defense Evasion: Potential Kubernetes Pod Masquerading
Defense Evasion: Root Certificate Installed
Defense Evasion: Static Pod Created
Discovery: Can get sensitive Kubernetes object check
Execution: Added Malicious Binary Executed
Execution: Added Malicious Library Loaded
Execution: Built in Malicious Binary Executed
Execution: Container Escape
Execution: Fileless Execution in /memfd:
Execution: GKE launch excessively capable container
Execution: Ingress Nightmare Vulnerability Exploitation
Execution: Kubernetes Attack Tool Execution
Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments
Execution: Local Reconnaissance Tool Execution
Execution: Malicious Python executed
Execution: Modified Malicious Binary Executed
Execution: Modified Malicious Library Loaded
Execution: Netcat Remote Code Execution in Container
Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
Execution: Possible Remote Command Execution Detected
Execution: Program Run with Disallowed HTTP Proxy Env
Execution: Socat Reverse Shell Detected
Execution: Suspicious Cron Modification
Execution: Suspicious Exec or Attach to a System Pod
Execution: Suspicious OpenSSL Shared Object Loaded
Execution: Workload triggered in sensitive namespace
Exfiltration: Launch Remote File Copy Tools in Container
Impact: Detect Malicious Cmdlines
Impact: GKE kube-dns modification detected
Impact: Remove Bulk Data From Disk
Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining
Impact: Suspicious crypto mining activity using the Stratum Protocol
Initial Access: Anonymous GKE Resource Created from the Internet
Initial Access: GKE NodePort service created
Initial Access: GKE Resource Modified Anonymously from the Internet
Initial Access: Successful API call made from a TOR proxy IP
Malicious Script Executed
Malicious URL Observed
Persistence: GKE Webhook Configuration Detected
Persistence: Modify ld.so.preload
Persistence: Service Account Created in sensitive namespace
Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
Privilege Escalation: ClusterRole with Privileged Verbs
Privilege Escalation: ClusterRoleBinding to Privileged Role
Privilege Escalation: Create Kubernetes CSR for master cert
Privilege Escalation: Creation of sensitive Kubernetes bindings
Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access
Privilege Escalation: Fileless Execution in /dev/shm
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
Privilege Escalation: Launch of privileged Kubernetes container
Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape
Privilege Escalation: Workload Created with a Sensitive Host Path Mount
Privilege Escalation: Workload with shareProcessNamespace enabled
Reverse Shell
Unexpected Child Shell
Google Workspace
Google Workspace threat findings
Initial Access: Account Disabled Hijacked
Initial Access: Disabled Password Leak
Initial Access: Government Based Attack
Initial Access: Suspicious Login Blocked
Persistence: SSO Enablement Toggle
Persistence: SSO Settings Changed
Persistence: Strong Authentication Disabled
Persistence: Two Step Verification Disabled
IAM
IAM threat findings
Account has leaked credentials
Defense Evasion: Modify VPC Service Control
Defense Evasion: Organization Policy Changed
Defense Evasion: Organization-Level Service Account Token Creator Role Added
Defense Evasion: Project-Level Service Account Token Creator Role Added
Defense Evasion: Remove Billing Admin
Discovery: Information Gathering Tool Used
Discovery: Service Account Self-Investigation