Security Command Center
Discover
  Product overview
  Service tiers
  Data and infrastructure security overview
Activate Security Command Center
  Activation overview
  Data residency
    Plan for data residency
    Security Command Center regional endpoints
  When to expect findings
  Control access with IAM
    Overview of access control with IAM
    Control access with organization-level activations
    Control access with project-level activations
    Configure custom organization policies
  Activate Security Command Center Standard or Premium
    Activate Security Command Center Standard or Premium for an organization
    Enable CMEK for Security Command Center
    Activate Security Command Center Standard or Premium for a project
    Feature availability with project-level activations
  Activate Security Command Center Enterprise for an organization
    Activate Security Command Center Enterprise
    Connect to AWS for configuration and resource data collection
    Connect to Azure for configuration and resource data collection
    Control access to features in SecOps console pages
    Map and authenticate users to enable SOAR-related features
    Integrate Security Command Center Enterprise with ticketing systems
    Connect to AWS for log data collection
    Connect to Azure for log data collection
    Enable sensitive data discovery
    Integrate with Assured OSS
    Advanced configuration for threat management
    Update the Enterprise use case for SOAR
    Configure additional Security Command Center Enterprise features
    Manage SOAR settings
    Update AWS connection settings
Use the Security Command Center consoles
  Use Security Command Center in the Google Cloud console
  Use Security Command Center Enterprise console
Configure Security Command Center
  Choose security sources
  Configure Security Command Center services
  Provision Security Command Center resources with Terraform
  Connect to other cloud providers
    Amazon Web Services (AWS)
      Connect to AWS for configuration and resource data collection
      Modify the connector for AWS
    Microsoft Azure
      Connect to Azure for configuration and resource data collection
      Modify the connector for Azure
  Security Command Center best practices
  Cryptomining detection best practices
Integrate with other products
  Google Security Operations SOAR
  Cortex XSOAR
  Elastic Stack
  Elastic Stack using Docker
  QRadar
  ServiceNow
  Snyk
  Splunk
Work with findings and assets
  Review and manage findings in the console
  Edit findings queries
  Inspect assets monitored by Security Command Center
  Mute findings
    Mute findings
    Migrate from static to dynamic mute rules
  Annotate findings and assets with security marks
  Configure notifications and exports
    Export Security Command Center data
    Enable finding notifications for Pub/Sub
    Stream findings to BigQuery
    Bulk export findings to BigQuery
    Export logs to Cloud Logging
    Enable real-time email and chat notifications
  Finding reference
    Finding classes
    Finding severities
    Finding states
Work with issues
  Issues overview
  Predefined security graph rules
  Manage and remediate issues
  Explore the security graph
Work with cases
  Cases overview
  Using the workdesk
  Determine ownership for posture findings
  Group findings in cases
  Mute findings in cases
  Assign tickets in cases
  Working with alerts
Work with playbooks
  Playbooks overview
  Automate IAM recommendations using playbooks
  Enable public bucket remediation
Manage security postures
  Security posture overview
  Manage a security posture
  Posture templates
    Secure by default, essentials
    Secure by default, extended
    Secure AI, essentials
    Secure AI, extended
    Google Cloud services
      BigQuery
      Cloud Storage, essentials
      Cloud Storage, extended
      VPC networking, essentials
      VPC networking, extended
    Compliance standards
      CIS Benchmark 2.0
      ISO 27001
      NIST 800-53
      PCI DSS
  Validate infrastructure as code
    Validate IaC against your policies
    Supported asset types and policies for IaC validation
    Integrate IaC validation with Cloud Build
    Integrate IaC validation with Jenkins
    Integrate IaC validation with GitHub Actions
    Create a sample IaC validation report
  Manage security posture resources by using custom constraints
Assess risk
  Assess risk at a glance
  Assess risk with attack exposure scores and attack paths
    Overview
    Define your high-value resource set
    Risk Engine feature support
    Identify high-sensitivity data with Sensitive Data Protection
  Capture risk data
    Risk reports overview
    Download risk reports
Detect and investigate threats
  Detect threats
    Detect threats to GKE containers
      Container Threat Detection overview
      Test Container Threat Detection
      Use Container Threat Detection
    Detect threats to Cloud Run containers
      Cloud Run Threat Detection overview
      Use Cloud Run Threat Detection
    Detect threats from event logging
      Event Threat Detection overview
      Test Event Threat Detection
      Use Event Threat Detection
      Allow Event Threat Detection to access VPC Service Controls perimeters
      Custom modules for Event Threat Detection
        Overview of custom modules for Event Threat Detection
        Create and manage custom modules
    Detect and review sensitive actions
      Sensitive Actions Service overview
      Test Sensitive Actions
      Use Sensitive Actions
    Detect threats to VMs
      Virtual Machine Threat Detection overview
      Using Virtual Machine Threat Detection
      Allow VM Threat Detection to access VPC Service Controls perimeters
      Enable Virtual Machine Threat Detection for AWS
      Inspect a VM for signs of kernel memory tampering
    Detect external anomalies
  Threat findings reference
    Threat findings index
    AI
      AI threat findings
      Initial Access: Dormant Service Account Activity in AI Service
      Persistence: New AI API Method
      Persistence: New Geography for AI Service
      Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity
      Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity
      Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access
      Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity
      Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access
    Amazon EC2
      Malware: Malicious file on disk
    Backup and DR
      Backup and DR threat findings
      Impact: Deleted Google Cloud Backup and DR Backup
      Impact: Deleted Google Cloud Backup and DR Vault
      Impact: Deleted Google Cloud Backup and DR host
      Impact: Deleted Google Cloud Backup and DR plan association
      Impact: Google Cloud Backup and DR delete policy
      Impact: Google Cloud Backup and DR delete profile
      Impact: Google Cloud Backup and DR delete storage pool
      Impact: Google Cloud Backup and DR delete template
      Impact: Google Cloud Backup and DR expire all images
      Impact: Google Cloud Backup and DR expire image
      Impact: Google Cloud Backup and DR reduced backup expiration
      Impact: Google Cloud Backup and DR reduced backup frequency
      Impact: Google Cloud Backup and DR remove appliance
      Impact: Google Cloud Backup and DR remove plan
    BigQuery
      BigQuery threat findings
      Exfiltration: BigQuery Data Exfiltration
      Exfiltration: BigQuery Data Extraction
      Exfiltration: BigQuery Data to Google Drive
      Exfiltration: Move to Public BigQuery resource
    Cloud Run
      Cloud Run threat findings
      Execution: Added Malicious Binary Executed
      Execution: Added Malicious Library Loaded
      Execution: Built in Malicious Binary Executed
      Execution: Container Escape
      Execution: Cryptomining Docker Image
      Execution: Kubernetes Attack Tool Execution
      Execution: Local Reconnaissance Tool Execution
      Execution: Malicious Python executed
      Execution: Modified Malicious Binary Executed
      Execution: Modified Malicious Library Loaded
      Impact: Cryptomining Commands
      Malicious Script Executed
      Malicious URL Observed
      Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy
      Reverse Shell
      Unexpected Child Shell
    Cloud Storage
      Cloud Storage threat findings
      Defense Evasion: GCS Bucket IP Filtering Modified
      Defense Evasion: Project HTTP Policy Block Disabled
    Compute Engine
      Compute Engine threat findings
      Brute force SSH
      Defense Evasion: Rootkit
      Defense Evasion: Unexpected ftrace handler
      Defense Evasion: Unexpected interrupt handler
      Defense Evasion: Unexpected kernel modules
      Defense Evasion: Unexpected kernel read-only data modification
      Defense Evasion: Unexpected kprobe handler
      Defense Evasion: Unexpected processes in runqueue
      Defense Evasion: Unexpected system call handler
      Execution: Cryptocurrency Mining Hash Match
      Execution: Cryptocurrency Mining YARA Rule
      Execution: cryptocurrency mining combined detection
      Impact: GPU Instance Created
      Impact: Managed Instance Group Autoscaling Set To Maximum
      Impact: Many Instances Created
      Impact: Many Instances Deleted
      Lateral Movement: Modified Boot Disk Attached to Instance
      Lateral Movement: OS Patch Execution From Service Account
      Malware: Malicious file on disk (YARA)
      Persistence: GCE Admin Added SSH Key
      Persistence: GCE Admin Added Startup Script
      Persistence: Global Startup Script Added
      Privilege Escalation: Global Shutdown Script Added
    Database
      Database threat findings
      Credential Access: CloudDB Failed login from Anonymizing Proxy IP
      Exfiltration: Cloud SQL Data Exfiltration
      Exfiltration: Cloud SQL Over-Privileged Grant
      Exfiltration: Cloud SQL Restore Backup to External Organization
      Initial Access: CloudDB Successful login from Anonymizing Proxy IP
      Initial Access: Database Superuser Writes to User Tables
      Privilege Escalation: AlloyDB Database Superuser Writes to User Tables
      Privilege Escalation: AlloyDB Over-Privileged Grant
    Google Kubernetes Engine
      GKE threat findings
      Added Binary Executed
      Added Library Loaded
      Collection: Pam.d Modification
      Command and Control: Steganography Tool Detected
      Credential Access: Access Sensitive Files On Nodes
      Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR)
      Credential Access: Find Google Cloud Credentials
      Credential Access: GPG Key Reconnaissance
      Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR)
      Credential Access: Search Private Keys or Passwords
      Credential Access: Secrets Accessed In Kubernetes Namespace
      Defense Evasion: Anonymous Sessions Granted Cluster Admin Access
      Defense Evasion: Base64 ELF File Command Line
      Defense Evasion: Base64 Encoded Python Script Executed
      Defense Evasion: Base64 Encoded Shell Script Executed
      Defense Evasion: Breakglass Workload Deployment Created
      Defense Evasion: Breakglass Workload Deployment Updated
      Defense Evasion: Disable or Modify Linux Audit System
      Defense Evasion: Launch Code Compiler Tool In Container
      Defense Evasion: Manually Deleted Certificate Signing Request (CSR)
      Defense Evasion: Potential Kubernetes Pod Masquerading
      Defense Evasion: Root Certificate Installed
      Defense Evasion: Static Pod Created
      Discovery: Can get sensitive Kubernetes object check
      Execution: Added Malicious Binary Executed