You can activate Security Command Center atdifferent tiers: Standard, Premium, orEnterprise. If you select the Standard tier or the Premium tier, you canactivate Security Command Center for an entire organization (organization-levelactivation) or for individual projects (project-level activation). If youselect the Enterprise tier, you can activate Security Command Center at theorganization level only.

The activation process is different for the different tiers. Also, when you activate Security Command Center at the project level, certain detection modules and serviceintegrations are not available, due to Security Command Center's reduced scope ofaccess.

Overview of organization-level activation

Activating Security Command Center at the organization level is considereda best practice because it provides the mostcomplete protection for your business by allowing Security Command Center toaccess and scan resources and assets across all of the folders and projectsin the organization.

With theappropriate IAM permissions,you can activate the Standard or Premium tier for an organization yourself byusing the Google Cloud console.

To activate the Premium tier for an organization, you use pay-as-you-go pricing.The pay-as-you-go pricing gives you the flexibility to base yourSecurity Command Center charges on usage of Google Cloud services. Your usageis charged to the billing accounts associated with the projects in yourorganization. With theappropriate IAM permissions,you can activate the Premium tier using the pay-as-you-go option yourself byusing the Google Cloud console.

To activate the Enterprise tier for an organization, you must purchase asubscription fromGoogle Cloud sales or yourGoogle Cloud partner.

For more information about the pricing options for the Enterprise tier or thePremium tier, seePricing.

Activate the Standard or Premium tier

For the Standard and Premium tiers, you use the Google Cloud console to enable andconfigure Security Command Center. For step-by-step activation instructions, see thefollowing:

• Activate Security Command Center Standard tier for an organization

• Activate Security Command Center Premium tier for an organization

If you want to enabledata residency, then you must usethe jurisdictional Google Cloud console instead. To learn how to access thejurisdictional Google Cloud console, seeAbout the jurisdictional Google Cloud console.

Activate the Enterprise tier

For the Enterprise tier, you use the Google Cloud console to enable andconfigure Security Command Center.

If you want to enabledata residency, then you use thejurisdictional Google Cloud console instead. For step-by-step activationinstructions, seeActivate the Security Command Center Enterprise tier.

Activating Security Command Center on an individual project givesyou the flexibility to use Security Command Center for only the projects thatmatter to you most and to base your Security Command Center charges on theresource usage in that project alone.

For a project-level activation, you can activate the Standard or Premium tiersof Security Command Center yourself in the Google Cloud console, as long as youhave the appropriate IAM permissions. You don't need to contactSales first.

With project-level activations, the charges for the Premium tier arebased on the usage of certain Google Cloud resources in the projectand are billed to the project by using apay-as-you-go model.

When you activate Security Command Center at the project level,Security Command Center's access to logs, data, and other resources islimited to the project in which it is activated. Consequently, anyservices that require data from outside of the project are eithernot available or they cannot produce their full set of findings. Formore information about the findings and services that are not available with aproject-level activation, seeFeature availability with project-level activations.

Data residency is not supported with project-level activations ofSecurity Command Center.

Optimize project-level activations by activating the Standard tier at the organization level

To optimize project-level activations of the Premium tier, we recommendthat you activate the Standard tier of Security Command Center atthe organization level.

Activating the Standard tier at the organization level lets youmanage multiple project-level activations globally and ensures that anyStandard-tier detection modules or service integrations that requireorganization-level activation are available to the projects.

For more information, seeStandard tier features that require an organization-level activation.

When to use project-level activation

Typically, you activate Security Command Center for a project in thefollowing scenarios:

• Your organization doesn't use Security Command Center at any tier.In this case, you can activate Security Command Center for a project ateither the Standard tier or the Premium tier.
• The organization uses the Standard tier.In this case, you can activate only the Premium tier fora project, because every project in the organization can alreadyuse the Standard tier.
• The organization uses the Premium tier, but you only requireSecurity Command Center Premium tier for particular projects. In this case, youmustdowngrade the organization-level activation to the Standard tierfor the project-level Premium tier activation to take effect. If you are usingan organization-level subscription, this change only comes into effect afterthe subscription expires.

View your current activation type

The activation type for Security Command Center determines whether Security Command Center is activated at the project level or the organization level, the tier, and the pricing option.

When you open a project in the Google Cloud console, the level at whichSecurity Command Center is activated—the project level or the organizationlevel—is not immediately obvious, because the projectcould be inheriting the use of Security Command Center from its parentorganization.

To determine whether Security Command Center is already activated and to view your current activation type for Security Command Center, complete the following:

1. In the Google Cloud console, go to Security Command Center:

   Go to Security Command Center

2. Select the organization or project that you need to check.

3. If Security Command Center is active in either the organization or the project,the Security Command CenterOverview page displays. If it is not active in either,theGet Security Command Center page displays. For activationinstructions, seeActivate Security Command Center for an organizationorActivate Security Command Center for a project.

4. Go to theSettings page. Do one of the following:

   • On Security Command Center Standard or Premium, select theSettings button.
   • On Security Command Center Enterprise, selectSCC settings in the navigation.

5. On theSettings page, select theTier detail tab.

6. On theTier detail tab, determine your activation type by checking theTier andBilling status rows:

   • Tier: Shows the tier (Enterprise, Premium, or Standard) for theorganization or project. If the organization is set to the Enterprise orPremium tier, all projects inherit the Enterprise or Premium tierautomatically and the Google Cloud console displays a banner thatdescribes this inheritance. When the organization is set to the Enterpriseor Premium tier, then, at the project level, this setting shows the tierthat the project will use if you downgrade the organization's tier to the Standard tier.

   • Billing row: One of the following:

     • Active: Indicates that your Premium tier pricing is using thepay-as-you-go option for the organization or project.

     • Paused: Indicates that the Enterprise or Premium tier is active atthe organization level and being inherited by this project.

     • Expiry date: Indicates that your organization-level activation ofEnterprise or Premium tier is using a subscription.

     • If the billing row isn't shown: Indicates that the Standard tier isactive for the organization or project. Projects can inherit the Standardtier from the organization.

   Text above theManage tier button in the Google Cloud consoledescribes what tiers and activation options are available to you.

   • Add-ons: Shows any Security Command Center add-ons that have beengranted through subscriptions to other Google Cloud products. Theseadd-ons automatically grant access to a limited number of relevant Premiumtier services and detection modules.

View when Security Command Center was activated

To find out when Security Command Center was activated, you can use aCloud Logging query.This query returns results if the activation was completed during thelogretention period.

1. In the Google Cloud console, go to theLogs Explorer page:

   Go toLogs Explorer

2. Select the organization that you activated Security Command Center in.
3. Run the following query:

      protoPayload.serviceName="securitycenter.googleapis.com"   protoPayload.request.securityHealthAnalyticsSettings.serviceEnablementState="ENABLED"