The Security Command Center Enterprise tier provides security enhancements, including the following:
- Advanced security operations using Google Security Operations
- Integrations with other Google Cloud products, such as Mandiant Attack Surface Management, Sensitive Data Protection, and Assured OSS
- Multi-cloud support
- Risk analysis
- Compliance support (Preview).
For a description of the Enterprise tier features, see Service tiers.
You can complete the activation process for the Enterprise tier using the setup guide in the Google Cloud console. After the initial mandatory tasks, complete additional steps to set up optional features that your organization requires.
For information about pricing and getting a subscription, see Security Command Center pricing.
For instructions on activating Security Command Center at another tier, see Activate the Security Command Center Standard tier or Premium tier for an organization.
Before you begin
Complete the following before you activate Security Command Center for the first time:
- Plan for the activation
- Create an organization
- Create the management project
- Configure permissions and APIs
- Configure notification contacts
Plan for the activation
This section describes decisions and information you need to prepare for the activation.
Decide whether to enable data residency support
When you activate Security Command Center, you can enable support for data residency, which gives you more control over where your Security Command Center data is located. For Google SecOps, data residency is always enabled.
For the Enterprise service tier, before you activate Security Command Center with data residency controls, you must contact your Google Cloud account representative and schedule a date and time for the activation. After activation, your account representative helps ensure that your Google SecOps instance is configured to fully support data residency controls. After support for data residency is enabled in your organization, you cannot disable it.
If you use the Standard or Premium service tier, then upgrading to the Enterprise tier does not change the location of your Security Command Center data. If you did not enable Security Command Center data residency for the Standard or Premium tier, then you cannot enable it when you upgrade to the Enterprise tier.
Determine the support contact
When you activate a new Google SecOps instance, you provide your company name and an email address of a point of contact. Identify a point of contact from your organization. This configuration is not related to Essential Contacts.
Choose the Google SecOps configuration
During activation, you connect Security Command Center Enterprise to a Google SecOps instance.
- You can connect to an existing instance.
- You can provision and connect to a new instance. You can do this even if you already have an existing instance.
Connect to an existing instance
You can't connect Security Command Center Enterprise to an existing Google SecOps SIEM standalone or Google SecOps SOAR standalone instance. If you have questions about the type of Google SecOps instance you have, contact your Google Cloud sales representative.
When you select an existing Google SecOps instance, the Connect to a SecOps instance page provides a link to the instance so you can verify your selection. You must have access to that instance to verify it. You need at least the Chronicle API Restricted Data Access Viewer (roles/chronicle.restrictedDataAccessViewer) role on the management project to sign in to the instance.
If you provision Security Command Center using an existing Google SecOps instance that is configured to use Workforce Identity Federation, you must update the workforce identity pools with the additional permissions needed to access the Security Operations console pages that are available with Security Command Center Enterprise. For more information, see Control access to features in Security Operations console pages.
Provision a new instance
When you provision a new instance, only the new instance is associated with Security Command Center. When using Security Command Center, you navigate between the Google Cloud console and the newly provisioned Security Operations console pages.
During activation, you specify the location where the new Google SecOps instance is to be provisioned. For a list of supported regions and multi-regions, see SecOps Services Locations Page. This location applies only to Google SecOps, not to other Security Command Center features or services.
Each Google SecOps instance must have a dedicated management project that you own and manage. This project must be in the same organization where you activate Security Command Center Enterprise. You can't use the same management project for multiple Google SecOps instances.
When you have an existing Google SecOps instance and provision a new instance for Security Command Center Enterprise, both instances use the same configuration for the direct ingestion of Google Cloud data. The same configuration settings control the ingestion to both Google SecOps instances and they receive the same data.
During activation of Security Command Center Enterprise, the activation process modifies the Google Cloud log ingestion settings to set all data type fields to enabled: Google Cloud Logging, Cloud Asset Metadata, and Security Command Center Premium findings. The export filter settings are not changed. Security Command Center Enterprise requires these data types for all features to function as designed. You can change the Google Cloud log ingestion settings after activation is complete.
Create an organization
Security Command Center requires an organization resource that is associated with a domain. If you haven't created an organization, see Creating and managing organizations.
If you have multiple organizations, identify which organizations you will activate Security Command Center Enterprise in. You must follow these activation steps for each organization where you plan to activate Security Command Center Enterprise.
Verify organization policies
If your organization policies are set to restrict resource usage, verify that the following APIs are permitted:
chronicle.googleapis.com
cloudsecuritycompliance.googleapis.com
securitycenter.googleapis.com
securitycentermanagement.googleapis.com
Create a management project
Security Command Center Enterprise requires a project, which is called the management project, to enable Google SecOps and Mandiant Attack Surface Management integration. We recommend that you use this project exclusively for Security Command Center Enterprise.
If you enabled Google SecOps previously, and you want to connect to the existing instance, use the existing management project that is connected to Google SecOps.
If you plan to provision a new Google SecOps instance, create a new management project that is dedicated to the new instance. Don't reuse a management project that is connected to another Google SecOps instance.
Google SecOps does not support using a management project that exists within a VPC Service Controls service perimeter.
Learn more about creating and managing projects.
Configure permissions and APIs
Use information in this section to configure permissions required to activate Security Command Center Enterprise: