Security Command Center
Discover
  Product overview
  Service tiers
  Data and infrastructure security overview
Activate Security Command Center
  Activation overview
  Data residency
    Plan for data residency
    Security Command Center regional endpoints
  When to expect findings
  Control access with IAM
    Overview of access control with IAM
    Control access with organization-level activations
    Control access with project-level activations
  Configure custom organization policies
  Activate Security Command Center Standard or Premium
    Activate Security Command Center Standard or Premium for an organization
    Enable CMEK for Security Command Center
    Activate Security Command Center Standard or Premium for a project
    Feature availability with project-level activations
  Activate Security Command Center Enterprise for an organization
    Activate Security Command Center Enterprise
    Connect to AWS for configuration and resource data collection
    Connect to Azure for configuration and resource data collection
    Control access to features in SecOps console pages
    Map and authenticate users to enable SOAR-related features
    Integrate Security Command Center Enterprise with ticketing systems
    Connect to AWS for log data collection
    Connect to Azure for log data collection
    Enable sensitive data discovery
    Integrate with Assured OSS
    Advanced configuration for threat management
    Update the Enterprise use case for SOAR
    Configure additional Security Command Center Enterprise features
    Manage SOAR settings
    Update AWS connection settings
Use the Security Command Center consoles
  Use Security Command Center in the Google Cloud console
  Use Security Command Center Enterprise console
Configure Security Command Center
  Choose security sources
  Configure Security Command Center services
  Provision Security Command Center resources with Terraform
  Connect to other cloud providers
    Amazon Web Services (AWS)
      Connect to AWS for configuration and resource data collection
      Modify the connector for AWS
    Microsoft Azure
      Connect to Azure for configuration and resource data collection
      Modify the connector for Azure
  Security Command Center best practices
  Cryptomining detection best practices
  Integrate with other products
    Google Security Operations SOAR
    Cortex XSOAR
    Elastic Stack
    Elastic Stack using Docker
    QRadar
    ServiceNow
    Snyk
    Splunk
Work with findings and assets
  Review and manage findings in the console
  Edit findings queries
  Inspect assets monitored by Security Command Center
  Mute findings
    Mute findings
    Migrate from static to dynamic mute rules
  Annotate findings and assets with security marks
  Configure notifications and exports
    Export Security Command Center data
    Enable finding notifications for Pub/Sub
    Stream findings to BigQuery
    Bulk export findings to BigQuery
    Export logs to Cloud Logging
    Enable real-time email and chat notifications
  Finding reference
    Finding classes
    Finding severities
    Finding states
Work with issues
  Issues overview
  Predefined security graph rules
  Manage and remediate issues
Work with cases
  Cases overview
  Using the workdesk
  Determine ownership for posture findings
  Group findings in cases
  Mute findings in cases
  Assign tickets in cases
  Working with alerts
Work with playbooks
  Playbooks overview
  Automate IAM recommendations using playbooks
  Enable public bucket remediation
Manage security postures
  Security posture overview
  Manage a security posture
  Posture templates
    Secure by default, essentials
    Secure by default, extended
    Secure AI, essentials
    Secure AI, extended
    Google Cloud services
      BigQuery
      Cloud Storage, essentials
      Cloud Storage, extended
      VPC networking, essentials
      VPC networking, extended
    Compliance standards
      CIS Benchmark 2.0
      ISO 27001
      NIST 800-53
      PCI DSS
  Validate infrastructure as code
    Validate IaC against your policies
    Supported asset types and policies for IaC validation
    Integrate IaC validation with Cloud Build
    Integrate IaC validation with Jenkins
    Integrate IaC validation with GitHub Actions
    Create a sample IaC validation report
  Manage security posture resources by using custom constraints
Assess risk
  Assess risk at a glance
  Assess risk with attack exposure scores and attack paths
    Overview
    Define your high-value resource set
    Risk Engine feature support
    Identify high-sensitivity data with Sensitive Data Protection
  Capture risk data
    Risk reports overview
    Download risk reports
Detect and investigate threats
  Detect threats
    Detect threats to GKE containers
      Container Threat Detection overview
      Test Container Threat Detection
      Use Container Threat Detection
    Detect threats to Cloud Run containers
      Cloud Run Threat Detection overview
      Use Cloud Run Threat Detection
    Detect threats from event logging
      Event Threat Detection overview
      Test Event Threat Detection
      Use Event Threat Detection
      Allow Event Threat Detection to access VPC Service Controls perimeters
      Custom modules for Event Threat Detection
        Overview of custom modules for Event Threat Detection
        Create and manage custom modules
    Detect and review sensitive actions
      Sensitive Actions Service overview
      Test Sensitive Actions
      Use Sensitive Actions
    Detect threats to VMs
      Virtual Machine Threat Detection overview
      Using Virtual Machine Threat Detection
      Allow VM Threat Detection to access VPC Service Controls perimeters
      Enable Virtual Machine Threat Detection for AWS
      Inspect a VM for signs of kernel memory tampering
    Detect external anomalies
  Threat findings reference
    Threat findings index
    AI
      Initial Access: Dormant Service Account Activity in AI Service
      Persistence: New AI API Method
      Persistence: New Geography for AI Service
      Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity
      Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity
      Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access
      Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity
      Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access
    Amazon EC2
      Malware: Malicious file on disk
    Backup and DR
      Impact: Deleted Google Cloud Backup and DR Backup
      Impact: Deleted Google Cloud Backup and DR Vault
      Impact: Deleted Google Cloud Backup and DR host
      Impact: Deleted Google Cloud Backup and DR plan association
      Impact: Google Cloud Backup and DR delete policy
      Impact: Google Cloud Backup and DR delete profile
      Impact: Google Cloud Backup and DR delete storage pool
      Impact: Google Cloud Backup and DR delete template
      Impact: Google Cloud Backup and DR expire all images
      Impact: Google Cloud Backup and DR expire image
      Impact: Google Cloud Backup and DR reduced backup expiration
      Impact: Google Cloud Backup and DR reduced backup frequency
      Impact: Google Cloud Backup and DR remove appliance
      Impact: Google Cloud Backup and DR remove plan
    BigQuery
      Exfiltration: BigQuery Data Exfiltration
      Exfiltration: BigQuery Data Extraction
      Exfiltration: BigQuery Data to Google Drive
    Cloud Run
      Overview of Cloud Run threats
      Execution: Added Malicious Binary Executed
      Execution: Added Malicious Library Loaded
      Execution: Built in Malicious Binary Executed
      Execution: Container Escape
      Execution: Cryptomining Docker Image
      Execution: Kubernetes Attack Tool Execution
      Execution: Local Reconnaissance Tool Execution
      Execution: Malicious Python executed
      Execution: Modified Malicious Binary Executed
      Execution: Modified Malicious Library Loaded
      Impact: Cryptomining Commands
      Malicious Script Executed
      Malicious URL Observed
      Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy
      Reverse Shell
      Unexpected Child Shell
    Cloud Storage
      Defense Evasion: GCS Bucket IP Filtering Modified
      Defense Evasion: Project HTTP Policy Block Disabled
    Compute Engine
      Brute force SSH
      Defense Evasion: Rootkit
      Defense Evasion: Unexpected ftrace handler
      Defense Evasion: Unexpected interrupt handler
      Defense Evasion: Unexpected kernel modules
      Defense Evasion: Unexpected kernel read-only data modification
      Defense Evasion: Unexpected kprobe handler
      Defense Evasion: Unexpected processes in runqueue
      Defense Evasion: Unexpected system call handler
      Execution: Cryptocurrency Mining Hash Match
      Execution: Cryptocurrency Mining YARA Rule
      Execution: cryptocurrency mining combined detection
      Lateral Movement: Modified Boot Disk Attached to Instance
      Malware: Malicious file on disk (YARA)
      Persistence: GCE Admin Added SSH Key
      Persistence: GCE Admin Added Startup Script
    Database
      Credential Access: CloudDB Failed login from Anonymizing Proxy IP
      Exfiltration: Cloud SQL Data Exfiltration
      Exfiltration: Cloud SQL Over-Privileged Grant
      Exfiltration: Cloud SQL Restore Backup to External Organization
      Initial Access: CloudDB Successful login from Anonymizing Proxy IP
      Initial Access: Database Superuser Writes to User Tables
      Privilege Escalation: AlloyDB Database Superuser Writes to User Tables
      Privilege Escalation: AlloyDB Over-Privileged Grant
    Google Kubernetes Engine
      Added Binary Executed
      Added Library Loaded
      Command and Control: Steganography Tool Detected
      Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR)
      Credential Access: Find Google Cloud Credentials
      Credential Access: GPG Key Reconnaissance
      Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR)
      Credential Access: Search Private Keys or Passwords
      Credential Access: Secrets Accessed In Kubernetes Namespace
      Defense Evasion: Base64 ELF File Command Line
      Defense Evasion: Base64 Encoded Python Script Executed
      Defense Evasion: Base64 Encoded Shell Script Executed
      Defense Evasion: Breakglass Workload Deployment Created
      Defense Evasion: Breakglass Workload Deployment Updated
      Defense Evasion: Launch Code Compiler Tool In Container
      Defense Evasion: Manually Deleted Certificate Signing Request (CSR)
      Defense Evasion: Potential Kubernetes Pod Masquerading
      Defense Evasion: Static Pod Created
      Discovery: Can get sensitive Kubernetes object check
      Execution: Added Malicious Binary Executed
      Execution: Added Malicious Library Loaded
      Execution: Built in Malicious Binary Executed
      Execution: Container Escape
      Execution: Fileless Execution in /memfd:
      Execution: GKE launch excessively capable container
      Execution: Ingress Nightmare Vulnerability Exploitation
      Execution: Kubernetes Attack Tool Execution
      Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments
      Execution: Local Reconnaissance Tool Execution
      Execution: Malicious Python executed
      Execution: Modified Malicious Binary Executed
      Execution: Modified Malicious Library Loaded
      Execution: Netcat Remote Code Execution in Container
      Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
      Execution: Possible Remote Command Execution Detected
      Execution: Program Run with Disallowed HTTP Proxy Env
      Execution: Socat Reverse Shell Detected
      Execution: Suspicious Exec or Attach to a System Pod
      Execution: Suspicious OpenSSL Shared Object Loaded
      Execution: Workload triggered in sensitive namespace
      Exfiltration: Launch Remote File Copy Tools in Container
      Impact: Detect Malicious Cmdlines
      Impact: GKE kube-dns modification detected
      Impact: Remove Bulk Data From Disk
      Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining
      Impact: Suspicious crypto mining activity using the Stratum Protocol
      Initial Access: Anonymous GKE Resource Created from the Internet
      Initial Access: GKE NodePort service created
      Initial Access: GKE Resource Modified Anonymously from the Internet
      Initial Access: Successful API call made from a TOR proxy IP
      Malicious Script Executed
      Malicious URL Observed
      Persistence: GKE Webhook Configuration Detected
      Persistence: Service Account Created in sensitive namespace
      Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
      Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
      Privilege Escalation: ClusterRole with Privileged Verbs
      Privilege Escalation: ClusterRoleBinding to Privileged Role
      Privilege Escalation: Create Kubernetes CSR for master cert
      Privilege Escalation: Creation of sensitive Kubernetes bindings
      Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access
      Privilege Escalation: Fileless Execution in /dev/shm
      Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
      Privilege Escalation: Launch of privileged Kubernetes container
      Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
      Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
      Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape
      Privilege Escalation: Workload Created with a Sensitive Host Path Mount
      Privilege Escalation: Workload with shareProcessNamespace enabled
      Reverse Shell
      Unexpected Child Shell
    Google Workspace
      Initial Access: Account Disabled Hijacked
      Initial Access: Disabled Password Leak
      Initial Access: Government Based Attack
      Initial Access: Suspicious Login Blocked
      Persistence: SSO Enablement Toggle
      Persistence: SSO Settings Changed
      Persistence: Strong Authentication Disabled
      Persistence: Two Step Verification Disabled
    IAM
      Account has leaked credentials
      Defense Evasion: Modify VPC Service Control
      Discovery: Service Account Self-Investigation
      Evasion: Access from Anonymizing Proxy
      Initial Access: Dormant Service Account Action
      Initial Access: Dormant Service Account Key Created
      Initial Access: Excessive Permission Denied Actions
      Initial Access: Leaked Service Account Key Used
      Persistence: IAM Anomalous Grant
      Persistence: New API Method
      Persistence: New Geography
      Persistence: New User Agent
      Persistence: Unmanaged Account Granted Sensitive Role
      Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
      Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
      Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
      Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
      Privilege Escalation: Anomalous Service Account Impersonator for Data Access
      Privilege Escalation: Dormant Service Account Granted Sensitive Role
      Privilege Escalation: External Member Added To Privileged Group
      Privilege Escalation: Impersonation Role Granted For Dormant Service Account
      Privilege Escalation: Privileged Group Opened To Public
      Privilege Escalation: Sensitive Role Granted To Hybrid Group
    Network
      Active Scan: Log4j Vulnerable to RCE
      Cloud IDS: THREAT_IDENTIFIER
      Initial Access: Log4j Compromise Attempt
      Log4j Malware: Bad Domain
      Log4j Malware: Bad IP
      Malware: Cryptomining Bad Domain
      Malware: Cryptomining Bad IP
      Malware: bad IP
      Malware: bad domain
  Investigate and respond to threats
    Overview
    Respond to Cloud Run threats
    Respond to Compute Engine threats
    Respond to Google Workspace threats
    Respond to network threats
    Investigate threats with curated detections
Manage vulnerabilities
  Prioritize the remediation of vulnerabilities
  Filter vulnerability findings
  Detect and remediate toxic combinations and chokepoints
    Overview