This page contains a list of the detection services, sometimes alsoreferred to assecurity sources, that Security Command Center uses to detectsecurity issues in your cloud environments.

When these services detect an issue, they generate afinding, which isa record that identifies the security issue and provides you with theinformation you need to prioritize and resolve the issue.

You can view findings in the Google Cloud console and filter themin many different ways, such as by finding type, resource type, or fora specific asset. Each security source might provide more filters tohelp you organize your findings.

The IAM roles for Security Command Center can be granted at the organization,folder, or project level. Your ability to view, edit, create, or update findings, assets,and security sources depends on the level for which you are granted access. To learn more aboutSecurity Command Center roles, seeAccess control.

Vulnerability detection services

Vulnerability detection services include built-in and integrated servicesthat detect software vulnerabilities, misconfigurations, andposture violations in your cloud environments. Collectively, these typesof security issues are referred to asvulnerabilities.

Artifact Registry vulnerability assessment

Artifact Registry vulnerability assessment is a detection service that alertsyou to vulnerabilities in your deployed container images.

This detection service generates vulnerability findings for containerimages under the following conditions:

• The container image is stored inArtifact Registry.

• The container image is deployed to one of the following assets:

  • Google Kubernetes Engine cluster
  • Cloud Run service
  • Cloud Run job
  • App Engine

Artifact Registry vulnerability assessment surfaces findings for vulnerabilities that areclassified aHIGH orCRITICAL severity. Artifact Registry vulnerability assessment won'tgenerate findings for vulnerabilities that have a lower severity.

If you enable Artifact Registry vulnerability assessment with Security Command Center,Artifact Registry vulnerability assessment automatically writes high and criticalfindings to Security Command Center. If your container images have vulnerabilitiescategorized as medium or low, you can manage them in theArtifact Registry vulnerability assessment, but Security Command Center doesn't display them.

After Artifact Registry vulnerability assessment findings are generated, they remain availablefor you to query up to five weeks after the last container image scan performed.For more information about Security Command Center data retention, seeDataretention.

Enable Artifact Registry vulnerability assessment findings

For Artifact Registry vulnerability assessment to generate findings inSecurity Command Center for deployed container images stored in Artifact Registry,theContainer Scanning APImust be enabled for your project.

If you haven't enabled the Container Scanning API, do the following:

1. In the Google Cloud console, go to theContainer Scanning API page.

   Go to Container Scanning API

2. Select the project you want to enable the Container Scanning API for.

3. ClickEnable.

Security Command Center will display findings for scanned vulnerable containerimages that are actively deployed to theapplicable runtimeassets. However, the detection service behaves differentlydepending on when you enabled Security Command Center and when you enabled theContainer Scanning API.

Disable Artifact Registry vulnerability assessment findings

To disable Artifact Registry vulnerability assessment findings, do the following:

1. In the Google Cloud console, go to theAPI/Service Details page for theContainer Scanning API.

   Go to API/Service Details

2. Select the project you want to disable the Container Scanning API for.

3. ClickDisable API.

Security Command Center won't display findings for vulnerabilities detected in futurecontainer image scans. Security Command Center retains any existingArtifact Registry vulnerability assessment findings for at least 35 days after the lastcontainer image scan performed. For more information about Security Command Centerdata retention, seeData retention.

You can also disable Artifact Registry vulnerability assessment by disabling the VulnerabilityAssessment source ID in the Security Command Center settings; however, we don'trecommend this. Disabling the Vulnerability Assessment source ID will disableall the detection services classified under the Vulnerability Assessment sourceID. Therefore, we recommend disabling the Container Scanning API with thepreceding procedure.

View Artifact Registry vulnerability assessment findings in the console

1. In the Google Cloud console, go to theFindings page of Security Command Center.

   Go to Findings

2. Select your Google Cloud project or organization.
3. In theQuick filters section, in theSource display name subsection, selectVulnerability Assessment. The findings query results are updated to show only the findings from this source.
4. To view the details of a specific finding, click the finding name in theCategory column. The details panel for the finding opens and displays theSummary tab.
5. On theSummary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
6. Optional: To view the full JSON definition of the finding, click theJSON tab.

Compliance Manager findings

Compliance Manager creates findings for the detective and preventive cloud controls that you deploy in your Google Cloud environment. You can view these findingson theFindings page in Security Command Center.

View Compliance Manager findings in the console

1. In the Google Cloud console, go to theFindings page of Security Command Center.

   Go to Findings

2. Select your Google Cloud project or organization.
3. In theQuick filters section, in theSource display name subsection, selectCompliance Evaluation Service. The findings query results are updated to show only the findings from this source.
4. To view the details of a specific finding, click the finding name in theCategory column. The details panel for the finding opens and displays theSummary tab.
5. On theSummary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
6. Optional: To view the full JSON definition of the finding, click theJSON tab.

Data Security Posture Management

Data Security Posture Management (DSPM)creates findings for potential violations to the data security frameworks andcloud controls that you apply in your environment. You can view these findingson theData Security & Compliance page, theRisk Overview page (undertheData tab), or in theFindings page inSecurity Command Center.

View DSPM findings in the console

1. In the Google Cloud console, go to theFindings page of Security Command Center.

   Go to Findings

2. Select your Google Cloud organization.

3. Use the following query to view the findings for DSPM:

   state="ACTIVE" AND NOT mute="MUTED" AND resource.name="//aiplatform.googleapis.com/projects/478190632149/locations/us-central1/models/1244151282898305024" AND category="DATA_SECURITY_POSTURE_ACCESS_VIOLATION" OR category="DATA_SECURITY_POSTURE_FLOW_VIOLATION" OR category="DATA_SECURITY_POSTURE_DELETION_VIOLATION" OR category="DATA_SECURITY_POSTURE_PROTECTION_KEY_GOVERNANCE" OR category="BIGQUERY_TABLE_CMEK_DISABLED" OR category="VERTEX_AI_MODEL_CMEK_DISABLED" OR category="VERTEX_AI_METADATA_STORE_CMEK_DISABLED" OR category="VERTEX_AI_DATASET_CMEK_DISABLED" OR category="VERTEX_AI_FEATURE_STORE_TABLE_CMEK_DISABLED" OR category="DATA_SECURITY_POSTURE_CMEK_POLICY_MISCONFIGURED" OR category="DATA_SECURITY_POSTURE_CMEK_POLICY_DELETED" OR category="DATA_SECURITY_POSTURE_CMEK_VIOLATION" OR category="SENSITIVE_DATA_PUBLIC_SQL_INSTANCE" OR category="SENSITIVE_DATA_PUBLIC_DATASET" OR category="SENSITIVE_DATA_BIGQUERY_TABLE_CMEK_DISABLED" OR category="SENSITIVE_DATA_DATASET_CMEK_DISABLED" OR category="SENSITIVE_DATA_SQL_CMEK_DISABLED" OR category="PUBLIC_DATASET" OR category="PUBLIC_SQL_INSTANCE" OR category="SQL_PUBLIC_IP" OR category="ACCESS_TRANSPARENCY_DISABLED" OR category="ORG_POLICY_LOCATION_RESTRICTION" OR category="BUCKET_POLICY_ONLY_DISABLED" OR category="DATA_EXFILTRATION_BIG_QUERY" OR category="DATA_EXFILTRATION_BIG_QUERY_EXTRACTION" OR category="DATA_EXFILTRATION_BIG_QUERY_TO_GOOGLE_DRIVE"

4. To view the details of a specific finding, click the finding name in theCategory column. The details panel for the finding opens and displays theSummary tab.

5. On theSummary tab, review the details of the finding, includinginformation about what was detected, the affected resource, and—ifavailable—steps that you can take to remediate the finding.

6. Optional: To view the full JSON definition of the finding, click theJSONtab.

GKE security posture dashboard

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

The Google Kubernetes Engine (GKE) security posture dashboard is a page in theGoogle Cloud console that provides you with opinionated, actionable findingsabout potential security issues in your GKE clusters.

To see these findings, enable any of the following GKEsecurity posture dashboard features:

The findings display information about the security issue and providerecommendations to resolve them in your workloads or clusters.

View GKE security posture dashboard findings in the console

1. In the Google Cloud console, go to theFindings page of Security Command Center.

   Go to Findings

2. Select your Google Cloud project or organization.
3. In theQuick filters section, in theSource display name subsection, selectGKE Security Posture. The findings query results are updated to show only the findings from this source.
4. To view the details of a specific finding, click the finding name in theCategory column. The details panel for the finding opens and displays theSummary tab.
5. On theSummary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
6. Optional: To view the full JSON definition of the finding, click theJSON tab.

IAM recommender

IAM recommendergenerates recommendations that you can follow to improve security by removingor replacing IAM roles from principals when the roles containIAM permissions that the principal does not need.

IAM recommender is automatically enabled when you activateSecurity Command Center.

Enable or disable IAM recommender findings

To enable or disable IAM recommender findings in Security Command Center,follow these steps:

1. Go to theIntegrated services tab of the Security Command CenterSettings page in the Google Cloud console:

   Go to Integrated Services

2. Go to theIAM recommender entry.

3. To the right of the entry, selectEnable orDisable.

Findings from IAM recommender are classified as vulnerabilities.

To remediate an IAM recommender finding, expand the following section tosee a table of the IAM recommender findings. The remediation steps foreach finding are included in the table entry.

View IAM recommender findings in the console

1. In the Google Cloud console, go to theFindings page of Security Command Center.

   Go to Findings

2. Select your Google Cloud project or organization.
3. In theQuick filters section, in theSource display name subsection, selectIAM Recommender. The findings query results are updated to show only the findings from this source.
4. To view the details of a specific finding, click the finding name in theCategory column. The details panel for the finding opens and displays theSummary tab.
5. On theSummary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
6. Optional: To view the full JSON definition of the finding, click theJSON tab.

In Security Command Center Premium, you can also view the IAM recommenderfindings on the legacyVulnerabilities page by selectingtheIAM recommender query preset.

Mandiant Attack Surface Management

Mandiant is a world leader in frontline threat intelligence.Mandiant Attack Surface Management identifies vulnerabilities and misconfigurationsin your external attack surfaces to help you stay up-to-date against thelatest cyber attacks.

Mandiant Attack Surface Management is automatically enabled when you activate theSecurity Command Center Enterprise tier and findings are available in the Google Cloud console.

For information about how the standalone Mandiant Attack Surface Management product differsfrom the Mandiant Attack Surface Management integration within Security Command Center, seeASM and Security Command Centeron the Mandiant documentation portal. This link requires Mandiantauthentication.

Review Mandiant Attack Surface Management findings in the console

1. In the Google Cloud console, go to theFindings page of Security Command Center.

   Go to Findings

2. Select your Google Cloud project or organization.
3. In theQuick filters section, in theSource display name subsection, selectMandiant Attack Surface Management. The findings query results are updated to show only the findings from this source.
4. To view the details of a specific finding, click the finding name in theCategory column. The details panel for the finding opens and displays theSummary tab.
5. On theSummary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
6. Optional: To view the full JSON definition of the finding, click theJSON tab.

Neither Security Command Center nor Mandiant Attack Surface Management mark findings as resolved. Onceyou resolve an issue, you can manually mark the issue resolved. If it is notidentified in the next Mandiant Attack Surface Management scan, it stays resolved.

Model Armor

Model Armor is a fully managed Google Cloud service that enhances thesecurity and safety of AI applications by screening LLM prompts and responses.

Vulnerability findings from the Model Armor service

Notebook Security Scanner

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

Notebook Security Scanner is a built-in package vulnerability detection serviceofSecurity Command Center. After Notebook Security Scanner is enabled, it automaticallyscans Colab Enterprise notebooks (files with theipynb filename extension)every 24 hours to detect vulnerabilities in Python packages and publishesthese findings to the Security Command CenterFindings page.

You can use Notebook Security Scanner for Colab Enterprise notebooksthat are created in the following regions:us-central1,us-east4,us-west1,andeurope-west4.

To get started with Notebook Security Scanner, seeEnable and use Notebook Security Scanner.

Policy Controller

Policy Controllerenables the application and enforcement of programmable policiesfor your Kubernetes clusters. These policies act asguardrails and can helpwith best practices, security, and compliance management of your clusters andfleet.

If youinstall Policy Controller,and enable any of thePolicy Controller bundles, Policy Controller automatically writescluster violations to Security Command Center asMisconfiguration classfindings. The finding description and next steps in the Security Command Centerfindings are the same as the constraint description and remediation stepsof the corresponding Policy Controller bundle.

The Policy Controller findings come from the following Policy Controller bundles:

• CIS Kubernetes Benchmark v.1.5.1,a set of recommendations for configuring Kubernetes to support a strong securityposture. You can also view information about this bundle in theGitHub repository forcis-k8s-v1.5.1.
• PCI-DSS v3.2.1,a bundle which evaluates the compliance of your cluster resources againstsome aspects of the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1.You can also view information about this bundle in theGitHub repository forpci-dss-v3.

To find and remediate Policy Controller findings, seeRemediating Policy Controller findings.

Risk Engine

The Security Command Center Risk Engine assesses the risk exposure of yourcloud deployments, assigns attack exposure scores to vulnerability findingsand your high-value resources, and diagrams paths that a potentialattacker could take to reach your high-value resources.

In the Enterprise or Premium tier of Security Command Center, the Risk Enginedetects groups of security issues that, when they occur together in aparticular pattern, create a path to one or more of your high-valueresources that a determined attacker couldpotentially use to reach and compromise those resources.

When Risk Engine detects one of these combinations, it generatesaTOXIC_COMBINATION class finding. In the finding, Risk Engineis listed as the source of the finding.

Risk Engine also identifies common resources or resource groupswhere multiple attack paths converge, and then generates aCHOKEPOINT classfinding.

For more information, seeToxic combinations and chokepoints overview.

Security Health Analytics

Security Health Analytics is a built-in detection service of Security Command Centerthat provides managed scans of your cloud resources to detectcommon misconfigurations.

When a misconfiguration is detected, Security Health Analytics generates a finding.Most Security Health Analytics findings are mapped to security standard controls sothat you can assess compliance.

Security Health Analytics scans your resources on Google Cloud. If you areusing the Enterprise tier and establish connections to other cloud platforms,Security Health Analytics can also scan your resources on those cloud platforms.

Depending on the Security Command Centerservice tier you are using, the availabledetectors differ:

• In the Standard tier, Security Health Analytics includes only abasic group of medium-severity and high-severity vulnerability detectors.
• ThePremium tier includes all vulnerability detectors for Google Cloud.
• TheEnterprise tier includes additional detectors for other cloud platforms.

Security Health Analytics is automatically enabled when you activateSecurity Command Center.

For more information, see the following:

• Security Health Analytics overview
• How to use Security Health Analytics
• Remediating Security Health Analytics findings
• Reference of Security Health Analytics findings

Security posture service

Thesecurity posture serviceis a built-in service for the Security Command Center Premium tier that lets you define,assess, and monitor the overall status of your security in Google Cloud.It provides information about how your environment aligns with the policies thatyou define in your security posture.

The security posture service isn't related to theGKEsecurity posture dashboard, which only shows findings in GKEclusters.

Sensitive Data Protection

Sensitive Data Protection is a fully managed Google Cloud servicethat helps you discover, classify, and protect your sensitive data. You can useSensitive Data Protection to determine whether you're storing sensitiveor personally identifiable information (PII), like the following:

• Person names
• Credit card numbers
• National or state ID numbers
• Health insurance ID numbers
• Secrets

In Sensitive Data Protection, each type of sensitive data that yousearch for is called aninfoType.

If you configure your Sensitive Data Protection operation to sendresults to Security Command Center, you can see the findings directly in theSecurity Command Center section of the Google Cloud console, in addition to theSensitive Data Protection section.

Vulnerability findings from the Sensitive Data Protection discovery service

The Sensitive Data Protection discovery service helps you determine whether you are storing highly sensitive data that is not protected.

Misconfiguration findings from the Sensitive Data Protection discovery service

The Sensitive Data Protection discovery service helps you determine whether you havemisconfigurations that might expose sensitive data.

Observation findings from Sensitive Data Protection

This section describes the observation findings that Sensitive Data Protection generates in Security Command Center.

Observation findings from the discovery service

The Sensitive Data Protection discovery service helps you determinewhether your data contains specific infoTypes and where they reside in yourorganization, folders, and projects. It generatesthe following observation finding categories in Security Command Center:

Data sensitivity

An indication of the sensitivity level of the data in a particular data asset.Data is sensitive if it contains PII or other elements that might requireadditional control or management. The severity of the finding is thesensitivity level that Sensitive Data Protectioncalculated whengenerating the data profile.

Data risk

The risk associated with the data in its current state. When calculating datarisk, Sensitive Data Protection considers the sensitivity level ofthe data in the data asset and the presence of access controls to protect thatdata. The severity of the finding is thedata risk level thatSensitive Data Protectioncalculated when generatingthe data profile.

Depending on the size of your organization, Sensitive Data Protectionfindings can start appearing in Security Command Center within a few minutes afteryou enable sensitive data discovery. For larger organizations ororganizations with specific configurations that affect finding generation, itcan take up to 12 hours before initial findings appear in Security Command Center.

Subsequently, Sensitive Data Protection generates findings inSecurity Command Center within a few minutes after the discovery service scans yourresources.

For information about how to send data profile results to Security Command Center,seeEnable sensitive datadiscovery.

Observation findings from the Sensitive Data Protection inspection service

A Sensitive Data Protection inspection job identifies each instance ofdata of a specific infoType in a storage system like a Cloud Storage bucketor a BigQuery table. For example, you can run an inspection jobthat searches for all strings that match theCREDIT_CARD_NUMBER infoTypedetector in a Cloud Storage bucket.

For each infoType detector that has one or more matches, Sensitive Data Protectiongenerates a corresponding Security Command Center finding. The finding category isthe name of the infoType detector that had a match—for example,Creditcard number. The finding includes the number of matching strings that weredetected in text or images in the resource.

For security reasons, the actual strings that were detected aren't included inthe finding. For example, aCredit card number finding shows how manycredit card numbers were found, but doesn't show the actual credit card numbers.

Because there are more than 150 built-in infoType detectors inSensitive Data Protection, all possible Security Command Center findingcategories aren't listed here. For a full list of infoType detectors, seeInfoType detector reference.

For information on how to send the results of an inspection job toSecurity Command Center, seeSend Sensitive Data Protection inspection job results toSecurity Command Center.

Review Sensitive Data Protection findings in the console

1. In the Google Cloud console, go to theFindings page of Security Command Center.

   Go to Findings

2. Select your Google Cloud project or organization.
3. In theQuick filters section, in theSource display name subsection, selectSensitive Data Protection. The findings query results are updated to show only the findings from this source.
4. To view the details of a specific finding, click the finding name in theCategory column. The details panel for the finding opens and displays theSummary tab.
5. On theSummary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
6. Optional: To view the full JSON definition of the finding, click theJSON tab.

VM Manager

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

VM Manager is a suite of tools thatcan be used to manage operating systems for large virtual machine (VM) fleetsrunning Windows and Linux on Compute Engine.

To use VM Manager withproject-level activationsof Security Command Center Premium, activate Security Command Center Standardin the parent organization.

If youenable VM Manager withthe Security Command Center Premium tier, VM Managerautomatically writeshigh andcritical findings from itsvulnerability reports, whichare in preview, to Security Command Center. The reports identify vulnerabilities inoperating systems (OS) that are installed on VMs, includingCommon Vulnerabilities and Exposures (CVEs).

Vulnerability reports are not available for Security Command Center Standard.

Findings simplify the process of using VM Manager's PatchCompliance feature, which is in preview. The feature lets you conductpatchmanagement at the organization level acrossall of your projects. VM Manager supports patch management at thesingle project level.

To remediate VM Manager findings, seeRemediating VM Manager findings.

To stop vulnerability reports from being written to Security Command Center, seeMute VM Manager findings.

Vulnerabilities of this type all relate to installed operating system packages in supported Compute Engine VMs.

Vulnerability Assessment for AWS

The Vulnerability Assessment for Amazon Web Services (AWS) service detects software vulnerabilitiesin your workloads that are running on EC2 virtual machines (VMs) on theAWS cloud platform.

For each detected vulnerability, Vulnerability Assessment for AWS generates aVulnerability class finding in theSoftware vulnerability findingcategory in Security Command Center.

The Vulnerability Assessment for AWS service scans snapshots of the running EC2 machineinstances, so production workloads are unaffected. This scan method iscalledagentless disk scanning, because no agents are installed thescan targets.

For more information, see the following:

• Overview of Vulnerability Assessment for AWS
• Enable and use Vulnerability Assessment for AWS

Vulnerability Assessment for Google Cloud

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

The Vulnerability Assessment for Google Cloud service detects software vulnerabilities in the followingresources on the Google Cloud platform:

• Running Compute Engine VM instances
• Nodes inGKE Standard clusters
• Containers running in GKE Standard andGKE Autopilot clusters

For each detected vulnerability, Vulnerability Assessment for Google Cloud generates aVulnerabilityclass finding in theSoftware vulnerability orOS vulnerability findingcategory in Security Command Center.

The Vulnerability Assessment for Google Cloud service scans your Compute Engine VM instances bycloning their disks approximately every 12 hours, mounting them in a secure VMinstance, and assessing them with theSCALIBR scanner.

For more information, seeVulnerability Assessment for Google Cloud.

Web Security Scanner

Web Security Scannerprovides managed and custom web vulnerability scanning for publicApp Engine, GKE, and Compute Engine serviced webapplications.

Managed scans

Web Security Scanner managed scans are configured and managed bySecurity Command Center. Managed scans automatically run once each week to detect andscan public web endpoints. These scans don't use authentication and they sendGET-only requests so they don't submit any forms on live websites.

Managed scans run separately from custom scans.

If Security Command Center is activated at theorganization level,you can use managed scans to centrally manage basic web applicationvulnerability detection for projects in your organization, without having toinvolve individual project teams. When findings are discovered, you can workwith those teams to set up more comprehensive custom scans.

When you enable Web Security Scanner as a service, managed scan findings areautomatically available in the Security Command CenterVulnerabilities page andrelated reports. For information about how to enable Web Security Scannermanaged scans, seeConfigure Security Command Center services.

Managed scans support only applications that use the default port, which is 80for HTTP connections and 443 for HTTPS connections. If your application usesa non-default port, do a custom scan instead.

Custom scans

Web Security Scanner custom scans provide granular information aboutapplication vulnerability findings, like outdated libraries, cross-sitescripting, or use of mixed content.

You define custom scans at the project level.

Custom scan findings are available inSecurity Command Center after you complete the guide toset up Web Security Scanner custom scans.

Detectors and compliance

Web Security Scanner supports categories in theOWASP Top Ten,a document that ranks and provides remediation guidance for the top 10 mostcritical web application security risks, as determined by the Open WebApplication Security Project (OWASP). For guidance on mitigating OWASP risks,seeOWASP Top 10 mitigation options on Google Cloud.

Note:The categoryA09:2021 Security Logging and Monitoring Failures(previouslyA10:2017 Insufficient Logging & Monitoring) is not supported.This category describes insufficiencies that allow attackers to remain undetected. Unlikethe other nine OWASP categories, it doesn't pertain to specific vulnerabilitiesthat attackers can exploit. Similarly, Web Security Scanner can't attack webapplications to provoke a detectable response. The issues included in thiscategory require human judgment.

The compliance mapping is included for reference and is not provided or reviewedby the OWASP Foundation.

This functionality is only intended for you to monitor for compliance controlsviolations. The mappings are not provided for use as the basis of, or as asubstitute for, the audit, certification, or report of compliance of yourproducts or services with any regulatory or industry benchmarks or standards.

For more information, seeWeb Security Scanner Overview.

Threat detection services

Threat detection services include built-in and integrated servicesthat detect events that might indicate potentially harmful events,such as compromised resources or cyberattacks.

Anomaly Detection

Anomaly Detection is a built-in service that uses behavior signals fromoutside your system. It displays granular information about securityanomalies detected for your service accounts, suchas potential leaked credentials. Anomaly Detection isautomatically enabled when you activate Security Command Center Standard orPremium tier, and findings are available in the Google Cloud console.

Anomaly Detection findings include the following:

Account has leaked credentials

GitHub notified Security Command Center that the credentialsthat were used for a commit appear to be the credentials for aGoogle Cloud Identity and Access Management service account.

The notification includes the service account name and the private keyidentifier. Google Cloud also sends yourdesignated contact for security and privacyissues a notification by email.

To remediate this issue, take one or more of the following actions:

• Identify the legitimate user of the key.
• Rotate the key.
• Remove the key.
• Investigate any actions that were taken by the key after thekey was leaked to ensure that none of the actions were malicious.

{"findings":{"access":{},"assetDisplayName":"PROJECT_NAME","assetId":"organizations/ORGANIZATION_ID/assets/ASSET_ID","canonicalName":"projects/PROJECT_ID/sources/SOURCE_INSTANCE_ID/findings/FINDING_ID","category":"account_has_leaked_credentials","contacts":{"security":{"contacts":[{"email":"EMAIL_ADDRESS"}]}},"createTime":"2022-08-05T20:59:41.022Z","database":{},"eventTime":"2022-08-05T20:59:40Z","exfiltration":{},"findingClass":"THREAT","findingProviderId":"organizations/ORGANIZATION_ID/firstPartyFindingProviders/cat","indicator":{},"kubernetes":{},"mitreAttack":{},"mute":"UNDEFINED","name":"organizations/ORGANIZATION_ID/sources/SOURCE_INSTANCE_ID/findings/FINDING_ID","parent":"organizations/ORGANIZATION_ID/sources/SOURCE_INSTANCE_ID","parentDisplayName":"Cloud Anomaly Detection","resourceName":"//cloudresourcemanager.googleapis.com/projects/PROJECT_ID","severity":"CRITICAL","sourceDisplayName":"Cloud Anomaly Detection","state":"ACTIVE","vulnerability":{},"workflowState":"NEW"},"resource":{"name":"//cloudresourcemanager.googleapis.com/projects/PROJECT_ID","display_name":"PROJECT_NAME","project_name":"//cloudresourcemanager.googleapis.com/projects/PROJECT_ID","project_display_name":"PROJECT_NAME","parent_name":"//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID","parent_display_name":"ORGANIZATION_NAME","type":"google.cloud.resourcemanager.Project","folders":[]},"sourceProperties":{"project_identifier":"PROJECT_ID","compromised_account":"SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com","finding_type":"Potential compromise of a resource in your organization.","summary_message":"We have detected leaked Service Account authentication credentials that could be potentially compromised.","action_taken":"Notification sent","private_key_identifier":"SERVICE_ACCOUNT_KEY_ID","url":"https://github.com/KEY_FILE_PATH/KEY_FILE_NAME.json"}}

Container Threat Detection

Container Threat Detection can detect the most common container runtime attacks and alert youin Security Command Center and optionally in Cloud Logging. Container Threat Detectionincludes several detection capabilities, an analysis tool, and an API.

Container Threat Detection detection instrumentation collects low-level behavior in theguest kernel and performs natural language processing on code to detect thefollowing events:

• Added Binary Executed
• Added Library Loaded
• Command and Control: Steganography Tool Detected (Preview)
• Credential Access: Find Google Cloud Credentials
• Credential Access: GPG Key Reconnaissance
• Credential Access: Search Private Keys or Passwords
• Defense Evasion: Base64 ELF File Command Line
• Defense Evasion: Base64 Encoded Python Script Executed
• Defense Evasion: Base64 Encoded Shell Script Executed
• Defense Evasion: Launch Code Compiler Tool In Container (Preview)
• Execution: Added Malicious Binary Executed
• Execution: Added Malicious Library Loaded
• Execution: Built in Malicious Binary Executed
• Execution: Container Escape
• Execution: Fileless Execution in /memfd:
• Execution: Ingress Nightmare Vulnerability Execution (Preview)
• Execution: Kubernetes Attack Tool Execution
• Execution: Local Reconnaissance Tool Execution
• Execution: Malicious Python executed
• Execution: Modified Malicious Binary Executed
• Execution: Modified Malicious Library Loaded
• Execution: Netcat Remote Code Execution In Container
• Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
• Execution: Possible Remote Command Execution Detected (Preview)
• Execution: Program Run with Disallowed HTTP Proxy Env
• Execution: Socat Reverse Shell Detected
• Execution: Suspicious OpenSSL Shared Object Loaded
• Exfiltration: Launch Remote File Copy Tools in Container
• Impact: Detect Malicious Cmdlines (Preview)
• Impact: Remove Bulk Data From Disk
• Impact: Suspicious crypto mining activity using the Stratum Protocol
• Malicious Script Executed
• Malicious URL Observed
• Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
• Privilege Escalation: Fileless Execution in /dev/shm
• Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
• Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
• Reverse Shell
• Unexpected Child Shell

Learn more about Container Threat Detection.

Event Threat Detection

Event Threat Detection uses log data frominside your systems. It watchesCloud Logging stream for projects, and consumeslogs as they become available. When a threat is detected, Event Threat Detectionwrites a finding to Security Command Center and to a Cloud Logging project.Event Threat Detection is automatically enabled when you activate theSecurity Command Center Premium tier and findings are available in theGoogle Cloud console.

The following table lists examples of Event Threat Detection findings.

When Security Command Center isactivated at the project level, certain Event Threat Detection detection modules are unsupported. For a list of Event Threat Detection findings that are unavailable with project-level activations as a result, seeEvent Threat Detection findings that are unsupported.

Learn more about Event Threat Detection.

Google Cloud Armor

Cloud Armor helps protect yourapplication by providing Layer 7 filtering. Cloud Armor scrubs incomingrequests for common web attacks or other Layer 7 attributes to potentially blocktraffic before it reaches your load-balanced backend services or backendbuckets.

Cloud Armor exports two findings to Security Command Center:

• Allowed Traffic Spike

• Increasing Deny Ratio

Virtual Machine Threat Detection

Virtual Machine Threat Detection is a built-in service of Security Command Center. This service scansvirtual machines to detect potentially malicious applications, such ascryptocurrency mining software, kernel-mode rootkits, and malware running incompromised cloud environments.

VM Threat Detection is part of the Security Command Center threat detectionsuite and is designed to complement the existing capabilities ofEvent Threat Detection andContainer Threat Detection.

For more information about VM Threat Detection, seeVM Threat Detectionoverview.

VM Threat Detection threat findings

VM Threat Detection can generate the following threat findings.

Cryptocurrency mining threat findings

VM Threat Detection detects the following finding categories through hash matching or YARA rules.

Kernel-mode rootkit threat findings

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

VM Threat Detection analyzes kernel integrity at run time to detect common evasion techniques that are used by malware.

TheKERNEL_MEMORY_TAMPERING module detects threats by doing a hash comparison on the kernel code and kernel read-only data memory of a virtual machine.

TheKERNEL_INTEGRITY_TAMPERING module detects threats by checking the integrity of important kernel data structures.

Errors

Error detectors can help you detect errors in your configuration that preventsecurity sources from generating findings. Error findings are generated bytheSecurity Command Center security source andhave the finding classSCC errors.

Inadvertent actions

The following finding categories represent errors possibly caused by unintentional actions.

For more information, seeSecurity Command Center errors.

What's next

• Learn about Security Command Center in theSecurity Command Center overview.
• Learn how to add new security sources byconfiguring Security Command Center services.