Security Command Center
Guides
Reference
Samples
Resources
Discover
Product overview
Service tiers
Data and infrastructure security overview
Activate Security Command Center
Activation overview
Data residency
Plan for data residency
Security Command Center regional endpoints
When to expect findings
Control access with IAM
Overview of access control with IAM
Control access with organization-level activations
Control access with project-level activations
Configure custom organization policies
Activate Security Command Center Standard or Premium
Activate Security Command Center Standard or Premium for an organization
Enable CMEK for Security Command Center
Activate Security Command Center Standard or Premium for a project
Feature availability with project-level activations
Activate Security Command Center Enterprise for an organization
Activate Security Command Center Enterprise
Connect to AWS for configuration and resource data collection
Connect to Azure for configuration and resource data collection
Control access to features in SecOps console pages
Map and authenticate users to enable SOAR-related features
Integrate Security Command Center Enterprise with ticketing systems
Connect to AWS for log data collection
Connect to Azure for log data collection
Enable sensitive data discovery
Integrate with Assured OSS
Advanced configuration for threat management
Update the Enterprise use case for SOAR
Configure additional Security Command Center Enterprise features
Manage SOAR settings
Update AWS connection settings
Use Security Command Center in the Google Cloud console
Configure Security Command Center
Choose security sources
Configure Security Command Center services
Provision Security Command Center resources with Terraform
Connect to other cloud providers
Amazon Web Services (AWS)
Connect to AWS for configuration and resource data collection
Modify the connector for AWS
Microsoft Azure
Connect to Azure for configuration and resource data collection
Modify the connector for Azure
Security Command Center best practices
Cryptomining detection best practices
Integrate with other products
Google Security Operations SOAR
Cortex XSOAR
Elastic Stack
Elastic Stack using Docker
QRadar
ServiceNow
Snyk
Splunk
Work with findings and assets
Review and manage findings in the console
Edit findings queries
Inspect assets monitored by Security Command Center
Mute findings
Mute findings
Migrate from static to dynamic mute rules
Annotate findings and assets with security marks
Configure notifications and exports
Export Security Command Center data
Enable finding notifications for Pub/Sub
Stream findings to BigQuery
Bulk export findings to BigQuery
Export logs to Cloud Logging
Enable real-time email and chat notifications
Finding reference
Finding classes
Finding severities
Finding states
Work with issues
Issues overview
Predefined security graph rules
Manage and remediate issues
Explore the security graph
Work with cases
Cases overview
Using the workdesk
Determine ownership for posture findings
Group findings in cases
Mute findings in cases
Assign tickets in cases
Working with alerts
Work with playbooks
Playbooks overview
Automate IAM recommendations using playbooks
Enable public bucket remediation
Manage security postures
Security posture overview
Manage a security posture
Posture templates
Secure by default, essentials
Secure by default, extended
Secure AI, essentials
Secure AI, extended
Google Cloud services
BigQuery
Cloud Storage, essentials
Cloud Storage, extended
VPC networking, essentials
VPC networking, extended
Compliance standards
CIS Benchmark 2.0
ISO 27001
NIST 800-53
PCI DSS
Validate infrastructure as code
Validate IaC against your policies
Supported asset types and policies for IaC validation
Integrate IaC validation with Cloud Build
Integrate IaC validation with Jenkins
Integrate IaC validation with GitHub Actions
Create a sample IaC validation report
Manage security posture resources by using custom constraints
Assess risk
Assess risk at a glance
Assess risk with attack exposure scores and attack paths
Overview
Define your high-value resource set
Risk Engine feature support
Identify high-sensitivity data with Sensitive Data Protection
Capture risk data
Risk reports overview
Download risk reports
Detect and investigate threats
Detect threats
Detect threats to GKE containers
Container Threat Detection overview
Test Container Threat Detection
Use Container Threat Detection
Detect threats to Cloud Run containers
Cloud Run Threat Detection overview
Use Cloud Run Threat Detection
Detect threats from event logging
Event Threat Detection overview
Test Event Threat Detection
Use Event Threat Detection
Allow Event Threat Detection to access VPC Service Controls perimeters
Custom modules for Event Threat Detection
Overview of custom modules for Event Threat Detection
Create and manage custom modules
Correlated Threats overview
Detect and review sensitive actions
Sensitive Actions Service overview
Test Sensitive Actions
Use Sensitive Actions
Detect threats to VMs
Virtual Machine Threat Detection overview
Using Virtual Machine Threat Detection
Allow VM Threat Detection to access VPC Service Controls perimeters
Enable Virtual Machine Threat Detection for AWS
Inspect a VM for signs of kernel memory tampering
Detect external anomalies
Threat findings reference
Threat findings index
AI
AI threat findings
Initial Access: Dormant Service Account Activity in AI Service
Persistence: New AI API Method
Persistence: New Geography for AI Service
Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity
Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity
Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access
Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity
Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access
Amazon EC2
Malware: Malicious file on disk
Backup and DR
Backup and DR threat findings
Impact: Deleted Google Cloud Backup and DR Backup
Impact: Deleted Google Cloud Backup and DR Vault
Impact: Deleted Google Cloud Backup and DR host
Impact: Deleted Google Cloud Backup and DR plan association
Impact: Google Cloud Backup and DR delete policy
Impact: Google Cloud Backup and DR delete profile
Impact: Google Cloud Backup and DR delete storage pool
Impact: Google Cloud Backup and DR delete template
Impact: Google Cloud Backup and DR expire all images
Impact: Google Cloud Backup and DR expire image
Impact: Google Cloud Backup and DR reduced backup expiration
Impact: Google Cloud Backup and DR reduced backup frequency
Impact: Google Cloud Backup and DR remove appliance
Impact: Google Cloud Backup and DR remove plan
BigQuery
BigQuery threat findings
Exfiltration: BigQuery Data Exfiltration
Exfiltration: BigQuery Data Extraction
Exfiltration: BigQuery Data to Google Drive
Exfiltration: Move to Public BigQuery resource
Cloud Run
Cloud Run threat findings
Execution: Added Malicious Binary Executed
Execution: Added Malicious Library Loaded
Execution: Built in Malicious Binary Executed
Execution: Container Escape
Execution: Cryptomining Docker Image
Execution: Kubernetes Attack Tool Execution
Execution: Local Reconnaissance Tool Execution
Execution: Malicious Python executed
Execution: Modified Malicious Binary Executed
Execution: Modified Malicious Library Loaded
Impact: Cryptomining Commands
Malicious Script Executed
Malicious URL Observed
Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy
Reverse Shell
Unexpected Child Shell
Cloud Storage
Cloud Storage threat findings
Defense Evasion: GCS Bucket IP Filtering Modified
Defense Evasion: Project HTTP Policy Block Disabled
Compute Engine
Compute Engine threat findings
Brute force SSH
Defense Evasion: Rootkit
Defense Evasion: Unexpected ftrace handler
Defense Evasion: Unexpected interrupt handler
Defense Evasion: Unexpected kernel modules
Defense Evasion: Unexpected kernel read-only data modification
Defense Evasion: Unexpected kprobe handler
Defense Evasion: Unexpected processes in runqueue
Defense Evasion: Unexpected system call handler
Execution: Cryptocurrency Mining Hash Match
Execution: Cryptocurrency Mining YARA Rule
Execution: cryptocurrency mining combined detection
Impact: GPU Instance Created
Impact: Managed Instance Group Autoscaling Set To Maximum
Impact: Many Instances Created
Impact: Many Instances Deleted
Lateral Movement: Modified Boot Disk Attached to Instance
Lateral Movement: OS Patch Execution From Service Account
Malware: Malicious file on disk (YARA)
Persistence: GCE Admin Added SSH Key
Persistence: GCE Admin Added Startup Script
Persistence: Global Startup Script Added
Privilege Escalation: Global Shutdown Script Added
Database
Database threat findings
Credential Access: CloudDB Failed login from Anonymizing Proxy IP
Exfiltration: Cloud SQL Data Exfiltration
Exfiltration: Cloud SQL Over-Privileged Grant
Exfiltration: Cloud SQL Restore Backup to External Organization
Initial Access: CloudDB Successful login from Anonymizing Proxy IP
Initial Access: Database Superuser Writes to User Tables
Privilege Escalation: AlloyDB Database Superuser Writes to User Tables
Privilege Escalation: AlloyDB Over-Privileged Grant
Google Kubernetes Engine
GKE threat findings
Added Binary Executed
Added Library Loaded
Collection: Pam.d Modification
Command and Control: Steganography Tool Detected
Credential Access: Access Sensitive Files On Nodes
Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR)
Credential Access: Find Google Cloud Credentials
Credential Access: GPG Key Reconnaissance
Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR)
Credential Access: Search Private Keys or Passwords
Credential Access: Secrets Accessed In Kubernetes Namespace
Defense Evasion: Anonymous Sessions Granted Cluster Admin Access
Defense Evasion: Base64 ELF File Command Line
Defense Evasion: Base64 Encoded Python Script Executed
Defense Evasion: Base64 Encoded Shell Script Executed
Defense Evasion: Breakglass Workload Deployment Created
Defense Evasion: Breakglass Workload Deployment Updated
Defense Evasion: Disable or Modify Linux Audit System
Defense Evasion: Launch Code Compiler Tool In Container
Defense Evasion: Manually Deleted Certificate Signing Request (CSR)
Defense Evasion: Potential Kubernetes Pod Masquerading
Defense Evasion: Root Certificate Installed
Defense Evasion: Static Pod Created
Discovery: Can get sensitive Kubernetes object check
Execution: Added Malicious Binary Executed
Execution: Added Malicious Library Loaded
Execution: Built in Malicious Binary Executed
Execution: Container Escape
Execution: Fileless Execution in /memfd:
Execution: GKE launch excessively capable container
Execution: Ingress Nightmare Vulnerability Exploitation
Execution: Kubernetes Attack Tool Execution
Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments
Execution: Local Reconnaissance Tool Execution
Execution: Malicious Python executed
Execution: Modified Malicious Binary Executed
Execution: Modified Malicious Library Loaded
Execution: Netcat Remote Code Execution in Container
Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
Execution: Possible Remote Command Execution Detected
Execution: Program Run with Disallowed HTTP Proxy Env
Execution: Socat Reverse Shell Detected
Execution: Suspicious Cron Modification
Execution: Suspicious Exec or Attach to a System Pod
Execution: Suspicious OpenSSL Shared Object Loaded
Execution: Workload triggered in sensitive namespace
Exfiltration: Launch Remote File Copy Tools in Container
Impact: Detect Malicious Cmdlines
Impact: GKE kube-dns modification detected
Impact: Remove Bulk Data From Disk
Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining
Impact: Suspicious crypto mining activity using the Stratum Protocol
Initial Access: Anonymous GKE Resource Created from the Internet
Initial Access: GKE NodePort service created
Initial Access: GKE Resource Modified Anonymously from the Internet
Initial Access: Successful API call made from a TOR proxy IP
Malicious Script Executed
Malicious URL Observed
Persistence: GKE Webhook Configuration Detected
Persistence: Modify ld.so.preload
Persistence: Service Account Created in sensitive namespace
Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
Privilege Escalation: ClusterRole with Privileged Verbs
Privilege Escalation: ClusterRoleBinding to Privileged Role
Privilege Escalation: Create Kubernetes CSR for master cert
Privilege Escalation: Creation of sensitive Kubernetes bindings
Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access
Privilege Escalation: Fileless Execution in /dev/shm
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
Privilege Escalation: Launch of privileged Kubernetes container
Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape
Privilege Escalation: Workload Created with a Sensitive Host Path Mount
Privilege Escalation: Workload with shareProcessNamespace enabled
Reverse Shell
Unexpected Child Shell
Google Workspace
Google Workspace threat findings
Initial Access: Account Disabled Hijacked
Initial Access: Disabled Password Leak
Initial Access: Government Based Attack
Initial Access: Suspicious Login Blocked
Persistence: SSO Enablement Toggle
Persistence: SSO Settings Changed
Persistence: Strong Authentication Disabled
Persistence: Two Step Verification Disabled
IAM
IAM threat findings
Account has leaked credentials
Defense Evasion: Modify VPC Service Control
Defense Evasion: Organization Policy Changed
Defense Evasion: Organization-Level Service Account Token Creator Role Added
Defense Evasion: Project-Level Service Account Token Creator Role Added
Defense Evasion: Remove Billing Admin
Discovery: Information Gathering Tool Used
Discovery: Service Account Self-Investigation
Discovery: Unauthorized Service Account API Call
Evasion: Access from Anonymizing Proxy
Impact: Billing Disabled (multiple projects)
Impact: Billing Disabled (single project)
Impact: Service API Disabled
Initial Access: Dormant Service Account Action
Initial Access: Dormant Service Account Key Created
Initial Access: Excessive Permission Denied Actions
Initial Access: Leaked Service Account Key Used
Persistence: Add Sensitive Role
Persistence: IAM Anomalous Grant
Persistence: New API Method
Persistence: New Geography
Persistence: New User Agent
Persistence: Project SSH Key Added
Persistence: Service Account Key Created
Persistence: Unmanaged Account Granted Sensitive Role
Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
Privilege Escalation: Anomalous Service Account Impersonator for Data Access
Privilege Escalation: Dormant Service Account Granted Sensitive Role
Privilege Escalation: External Member Added To Privileged Group
Privilege Escalation: Impersonation Role Granted For Dormant Service Account
Privilege Escalation: New Service Account is Owner or Editor
Privilege Escalation: Privileged Group Opened To Public
Privilege Escalation: Sensitive Role Granted To Hybrid Group
Privilege Escalation: Suspicious Cross-Project Permission Use
Privilege Escalation: Suspicious Token Generation (cross-project OpenID token)
Privilege Escalation: Suspicious Token Generation (cross-project access token)
Privilege Escalation: Suspicious Token Generation (implicit delegation)
Privilege Escalation: Suspicious Token Generation (signJwt)
Resource Development: Offensive Security Distro Activity
Network
Network threat findings
Active Scan: Log4j Vulnerable to RCE
Cloud IDS: THREAT_IDENTIFIER
Command and Control: DNS Tunneling
Defense Evasion: VPC Route Masquerade Attempt
Impact: VPC Firewall High Priority Block
Impact: VPC Firewall Mass Rule Deletion
Initial Access: Log4j Compromise Attempt
Log4j Malware: Bad Domain
Log4j Malware: Bad IP
Malware: Cryptomining Bad Domain
Malware: Cryptomining Bad IP
Malware: bad IP
Malware: bad domain
Investigate and respond to threats
Overview
Respond to Cloud Run threats
Respond to Compute Engine threats
Respond to Google Kubernetes Engine threats
Respond to Google Workspace threats
Respond to network threats
Investigate threats with curated detections
Manage vulnerabilities
Prioritize the remediation of vulnerabilities
Filter vulnerability findings
Detect and remediate toxic combinations and chokepoints
Overview
Manage toxic combinations and chokepoints
Assess misconfigurations
Detect misconfigurations across cloud platforms
Security Health Analytics overview
Use Security Health Analytics
Remediate Security Health Analytics findings
Custom modules for Security Health Analytics
Overview of custom modules for Security Health Analytics
Use custom modules with Security Health Analytics
Code custom modules for Security Health Analytics
Test custom modules for Security Health Analytics
Detect identity and access misconfigurations across cloud platforms
Cloud Infrastructure Entitlement Management overview
Enable the CIEM detection service
Investigate identity and access findings
Review cases for identity and access issues
Assess software vulnerabilities
Overview
Vulnerability Assessment for Google Cloud
Enable and use Vulnerability Assessment for Google Cloud
Allow Vulnerability Assessment to access VPC Service Controls perimeters
Vulnerability Assessment for AWS
Overview
Enable and use Vulnerability Assessment for AWS
Modify or disable AWS settings for vulnerabilities
Role policy for Vulnerability Assessment for AWS
Assess web application vulnerabilities
Web Security Scanner overview
Use Web Security Scanner
Set up custom scans using Web Security Scanner
Remediate Web Security Scanner findings
Assess package vulnerabilities in Colab Enterprise notebooks
Enable and use Notebook Security Scanner
View Python package vulnerabilities
Send Sensitive Data Protection results to Security Command Center
Use Mandiant Attack Surface Management with VPC Service Controls
Vulnerabilities finding reference
Protect your AI applications
Protect AI workloads with AI Protection
AI Protection overview
Configure AI Protection
Protect AI applications with Model Armor
Model Armor overview
Create and manage Model Armor templates
Configure Model Armor floor settings
Sanitize prompts and responses
Configure logging for Model Armor
Model Armor audit logging
View the monitoring dashboard
Model Armor integrations
Overview
Integration with Vertex AI
Integration with Google Kubernetes Engine
Integration with Agentspace
Manage compliance and data security
Assess and report compliance
Compliance Manager
Compliance Manager overview
Enable Compliance Manager
Apply a framework
Write rules for custom cloud controls
Monitor a framework
Audit your environment
Audit locations
Data security posture management
Data security posture management overview
Use data security posture management
Enhance code security
Configure Assured OSS support for VPC Service Controls
Set up remote repository access
Set up direct repository access
Download Go packages
Download Java packages
Download Python packages
Security metadata fields
Access security metadata and verify packages
Supported packages
List of supported Go packages
List of supported Java and Python packages
Review code-related security findings from Snyk
Use the Security Command Center API
List security findings
Add and manage security marks
Create, manage, and filter Notification Configs
Create and manage Notification Configs
Filter notifications
Create and manage security sources and findings
Create and manage security sources
Create and manage security findings
Discover and list assets
Configure asset discovery
List assets
Monitor
Audit logging
Security Command Center
Security Command Center Management
Web Security Scanner
Security Posture