Security Command Center best practices

Standard, Premium, and Enterprise service tiers

This page provides recommendations for managing Security Command Center services and features to help you get the most out of the product.

Security Command Center is a powerful platform for monitoring data and security risks across your organization or individual projects. It is designed to provide maximum protection with minimal configuration. There are still steps you can take to tailor the platform to your workflow and ensure that your resources are protected.

Enable the Premium tier or Enterprise tier

Premium and Enterprise service tiers

The Premium and Enterprise tiers of Security Command Center provide the most protection through a broad set of cloud security and security operations capabilities, including threat detection, software vulnerability detection, compliance assessments, and much more. The Standard tier offers only a limited set of services and features.

For information about the capabilities that are included with each service tier, see Service tiers.

Use project-level activations

Standard and Premium service tiers

For the Standard and Premium service tiers, you can activate Security Command Center for individual projects.

With project-level activations, certain features that require organization-level access are not available, regardless of tier. For more information, see Feature availability with project-level activations.

For more information about activating either tier of Security Command Center, see Overview of activating Security Command Center.

To learn how you're charged for Security Command Center when you activate it at the project level, see Pricing.

Enable all built-in services

Standard, Premium, and Enterprise service tiers

We recommend enabling all built-in services, subject to the best practice recommendations of individual services.

If Security Command Center is already activated, you can confirm which services are enabled on the Settings page.

You can disable any service, but it's best to keep all services in your tier turned on all the time. Keeping all services enabled lets you take advantage of continuous updates and helps ensure that protections are provided for new and changed resources.

Before enabling Web Security Scanner in production, review Web Security Scanner best practices.

Also, consider enabling integrated services (Anomaly Detection, Sensitive Data Protection, and Google Cloud Armor), exploring third-party security services, and turning on Cloud Logging for Event Threat Detection and Container Threat Detection. Depending on the quantity of information, Sensitive Data Protection and Cloud Armor costs can be significant. Follow best practices for keeping Sensitive Data Protection costs under control and read the Cloud Armor pricing guide.

Enable logs for Event Threat Detection

Premium and Enterprise service tiers

If you use Event Threat Detection, you might need to turn on certain logs that Event Threat Detection scans. Although some logs are always on, such as Cloud Logging Admin Activity audit logs, other logs, such as most Data Access audit logs, are off by default and need to be enabled before Event Threat Detection can scan them.

Some of the logs that you should consider enabling include:

  • Cloud Logging Data Access audit logs
  • Google Workspace logs (organization-level activations only)

Which logs you need to enable depends on:

  • The Google Cloud services you are using
  • The security needs of your business

Logging might charge for the ingestion and storage of certain logs. Before enabling any logs, review Logging Pricing.

After a log is enabled, Event Threat Detection starts scanning it automatically.

For more detailed information about which detection modules require which logs and which of those logs you need to turn on, see Logs that you need to turn on.

Define your high-value resource set

Premium and Enterprise service tiers (requires organization-level activation)

To help you prioritize vulnerability and misconfiguration findings that expose the resources that are the most important to you to protect, specify which of your high-value resources belong in your high-value resource set.

Findings that expose the resources in your high-value resource set get higher attack exposure scores.

You specify the resources that belong in your high-value resource set by creating resource value configurations. Until you create your first resource value configuration, Security Command Center uses a default high-value resource set that is not customized to your security priorities.

Use Security Command Center in the Google Cloud console

Standard, Premium, and Enterprise service tiers

In the Google Cloud console, Security Command Center provides features and visual elements that are not available in the Security Command Center API. These features, including an intuitive interface, formatted charts, compliance reports, and visual hierarchies of resources, give you greater insight into your organization. For more information, see Using Security Command Center in the Google Cloud console.

Extend functionality with the API and gcloud

Standard, Premium, and Enterprise service tiers

If you need programmatic access, try out the Security Command Center client libraries and the Security Command Center API, which let you access and control your Security Command Center environment. You can use API Explorer, labeled "Try This API" in panels on API reference pages, to interactively explore the Security Command Center API without an API key. You can check out available methods and parameters, execute requests, and see responses in real time.

The Security Command Center API lets analysts and administrators manage your resources and findings. Engineers can use the API to build custom reporting and monitoring solutions.

Extend functionality with custom detection modules

Premium and Enterprise service tiers

If you need detectors that meet the unique needs of your organization, consider creating custom modules.

Review and manage resources

Standard, Premium, and Enterprise service tiers

Security Command Center displays all of your assets on the Assets page in the Google Cloud console, where you can view information such as the findings for each asset, their change history, their metadata, and their IAM policies. For the Premium and Enterprise service tiers, you can also use SQL queries to analyze your assets.

The asset information on the Assets page is read from Cloud Asset Inventory. To receive real-time notifications about resource and policy changes, create and subscribe to a feed.

For more information, see Assets page.

Rapidly respond to vulnerabilities and threats

Standard, Premium, and Enterprise service tiers

Security Command Center findings provide records of detected security issues that include extensive details on the affected resources and suggested step-by-step instructions for investigating and remediating vulnerabilities and threats.

Vulnerability findings describe the detected vulnerability or misconfiguration and include an attack exposure score and an estimated severity. Vulnerability findings also alert you to violations of security standards or benchmarks. For more information, see Supported benchmarks.

For the Premium and Enterprise service tiers, vulnerability findings also include information from Mandiant about the exploitability and potential impact of the vulnerability, based on the vulnerability's corresponding CVE record. You can use this information to help prioritize the remediation of the vulnerability. For more information, see Prioritize by CVE impact and exploitability.

Threat findings include data from the MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance, and VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.

The following guides are a starting point to help you fix issues and protect your resources.

Control finding volume

Standard, Premium, and Enterprise service tiers

To control the volume of findings in Security Command Center, you can manually or programmatically mute individual findings, or create mute rules that automatically mute findings based on filters you define. There are two types of mute rules you can use to control finding volume:

  • Static mute rules that indefinitely mute future findings.
  • Dynamic mute rules that contain an option to temporarily mute current and future findings.

We recommend using dynamic mute rules exclusively to reduce the number of findings you review manually. To avoid confusion, we don't recommend using both static and dynamic mute rules simultaneously. For a comparison of the two rule types, see Types of mute rules.

Muted findings are hidden and silenced, but continue to be logged for audit and compliance purposes. You can view muted findings or unmute them at any time. To learn more, see Mute findings in Security Command Center.

Muting findings with dynamic mute rules is the recommended and most effective approach for controlling finding volume. Alternatively, you can use security marks to add assets to allowlists.

Each Security Health Analytics detector has a dedicated mark type that lets you exclude marked resources from the detection policy. This feature is helpful when you don't want findings created for specific resources or projects.

To learn more about security marks, see Using security marks.

Set up notifications

Standard, Premium, and Enterprise service tiers

Notifications alert you to new and updated findings in near-real time and, with email and chat notifications, can do so even when you're not logged in to Security Command Center. Learn more in Setting up finding notifications.

You can also create continuous exports, which simplify the process of exporting findings to Pub/Sub.

Explore Cloud Run functions

Standard, Premium, and Enterprise service tiers

Cloud Run functions is a Google Cloud service that lets you connect cloud services and run code in response to events. You can use the Notifications API and Cloud Run functions to send findings to third-party remediation and ticketing systems or take automated actions, like automatically closing findings.

To get started, visit Security Command Center's open source repository of Cloud Run functions code. The repository contains solutions to help you take automated actions on security findings.

Caution: Deploying functions that take automated actions on your findings might have unintended consequences, like reducing access to resources or changing production systems. Carefully weigh the potential impact before deploying or executing functions.
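As an added example (not code from this page or from Google's Cloud Run functions repository), the following Python handler decodes a Pub/Sub push message that carries a finding notification, evaluates an AND-only subset of the filter syntax that mute rules use, and returns a decision instead of mutating anything, so the impact of an automated action can be reviewed before it is wired up. The notification sample is constructed; its field names follow the notification JSON shape, and the `decide` function and its action labels are assumptions of this example.

```python
import base64
import json
import re

# Constructed sample finding notification (values are made up; field names
# follow the JSON shape of Security Command Center finding notifications).
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/000000/notificationConfigs/example",
    "finding": {
        "name": "organizations/000000/sources/111111/findings/example-id",
        "category": "OPEN_FIREWALL",
        "severity": "HIGH",
        "state": "ACTIVE",
        "resourceName": "//compute.googleapis.com/projects/example/global/firewalls/allow-all",
    },
}

def make_push_envelope(notification):
    """Wrap a notification the way Pub/Sub push delivery does: base64 in message.data."""
    data = base64.b64encode(json.dumps(notification).encode()).decode()
    return {"message": {"data": data}}

def decode_push_envelope(envelope):
    """Recover the finding notification from a Pub/Sub push envelope."""
    return json.loads(base64.b64decode(envelope["message"]["data"]))

_TERM = re.compile(r'^(\w+)\s*(!=|=)\s*"([^"]*)"$')

def matches_filter(finding, expr):
    """Evaluate an AND-only subset of the finding filter syntax used by mute rules,
    e.g. 'severity="LOW" AND category="OPEN_FIREWALL"'. Unsupported syntax raises
    rather than silently matching, so a malformed rule never mutes by accident."""
    for term in re.split(r"\s+AND\s+", expr.strip()):
        m = _TERM.match(term.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {term!r}")
        field, op, value = m.groups()
        if (op == "=") != (finding.get(field) == value):
            return False
    return True

def decide(envelope, mute_filter):
    """Hypothetical action labels: 'mute' when the mute filter matches, 'ticket' for
    active HIGH/CRITICAL findings, else 'ignore'. Only decides; no API call is made."""
    finding = decode_push_envelope(envelope)["finding"]
    if finding.get("state") != "ACTIVE":
        return "ignore"
    if matches_filter(finding, mute_filter):
        return "mute"
    return "ticket" if finding.get("severity") in ("HIGH", "CRITICAL") else "ignore"
```

Running the decision path against a sample in a test before attaching any API call is the cheapest way to honor the caution above.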

Keep communications on

Standard, Premium, and Enterprise service tiers

Security Command Center is regularly updated with new detectors and features. Release notes inform you about product changes and updates to documentation. In addition, you can set your communication preferences in the Google Cloud console to receive product updates and special promotions by email or mobile. You can also let us know whether you're interested in participating in user surveys and pilot programs.

If you have comments or questions, you can give feedback by talking with your salesperson, contacting our Cloud Support staff, or filing a bug.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.