Google Cloud Security Command Center

Overview

Google Cloud Security Command Center helps you strengthen your security posture by:

  • Evaluating your security and data attack surface
  • Providing asset inventory and discovery
  • Identifying misconfigurations, vulnerabilities, and threats
  • Helping you mitigate and remediate risks

Security Command Center uses services, such as Event Threat Detection and Security Health Analytics, to detect security issues in your environment. These services scan your logs and resources in Google Cloud, looking for threat indicators, software vulnerabilities, and misconfigurations. Services are also referred to as sources. For more information, see Security sources.

When these services detect a threat, vulnerability, or misconfiguration, they issue a finding. A finding is a report or record of an individual threat, vulnerability, or misconfiguration that a service has found in your Google Cloud environment. Findings show the issue that was detected, the Google Cloud resource that is affected by the issue, and guidance on how you can address the issue.

Setup

Installation

Before you start, ensure the following APIs are enabled for the projects you want to collect Google Cloud Security Command Center findings for:

Assign role to service accounts

A service account must have this role to retrieve findings from the GCP Security Command Center. If this role is not assigned, logs may not show up because of a PermissionDenied error.

Assign the following role:

  • Security Center Findings Viewer

NOTE:

If the same project is discovered by multiple service accounts, every one of those service accounts must have the Security Center Findings Viewer role added.

Failure to comply with this requirement may result in PermissionDenied errors, and Datadog will not be able to collect the security findings for this project. Therefore, ensure that all service accounts have the necessary permissions to access security findings for any project they are associated with.
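To verify this requirement before enabling collection, the following script (an added example, not part of the Datadog integration or Google's tooling) reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and lists the service accounts that lack an unconditional binding to the Findings Viewer role. The policy and service account names are constructed.

```python
"""Report service accounts missing the Security Center Findings Viewer role.
Added example; works offline on a constructed IAM policy document."""
import json

# IAM role ID behind the "Security Center Findings Viewer" role named above.
FINDINGS_VIEWER_ROLE = "roles/securitycenter.findingsViewer"


def missing_findings_viewer(policy: dict, service_accounts: list[str]) -> list[str]:
    """Return the service accounts (email form) with no unconditional binding
    to the Findings Viewer role in this policy.

    Caveats: only bindings in the supplied project policy are inspected, so a
    grant inherited from a folder or organization is not visible here, and a
    binding that carries an IAM `condition` is treated as not satisfying the
    requirement because it may not apply at collection time.
    """
    granted = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != FINDINGS_VIEWER_ROLE or binding.get("condition"):
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                granted.add(member[len("serviceAccount:"):])
    return [sa for sa in service_accounts if sa not in granted]


# Constructed sample: two service accounts discover the project, but only one
# holds the Findings Viewer role (hypothetical account names).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:dd-collector-a@example-project.iam.gserviceaccount.com",
                 "serviceAccount:dd-collector-b@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/securitycenter.findingsViewer",
     "members": ["serviceAccount:dd-collector-a@example-project.iam.gserviceaccount.com"]}
  ]
}
""")
SAMPLE_ACCOUNTS = [
    "dd-collector-a@example-project.iam.gserviceaccount.com",
    "dd-collector-b@example-project.iam.gserviceaccount.com",
]

if __name__ == "__main__":
    for sa in missing_findings_viewer(SAMPLE_POLICY, SAMPLE_ACCOUNTS):
        print(f"{sa}: missing {FINDINGS_VIEWER_ROLE}; findings collection will fail with PermissionDenied")
```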

Configuration

Google Cloud Security Command Center is included as part of the main Google Cloud Platform integration package. If you haven’t already, follow this doc to set up the Google Cloud Platform integration first.

On the main Google Cloud Platform Integration tile:

  1. Open the Service Account and/or ProjectID corresponding to the project you are looking to pull security findings for.
  2. Under the Security Findings tab, enable collection of security findings using the toggle.

Once enabled, your security findings may take up to 1 day to be collected.

Data Collected

Log collection

Google Cloud Security Command Center findings are collected as logs with the Google Cloud Security Command Center Client API.

Inside the Datadog Log Explorer, find Google Cloud Security Command Center logs with the following filter:

  • Set Findings as the Service
  • Set google.security.command.center as the Source
  • The log status is Info.

Metrics

Google Cloud Security Command Center does not include any metrics.

Service Checks

Google Cloud Security Command Center does not include any service checks.

Events

Google Cloud Security Command Center does not include any events.

Troubleshooting

Need help? Contact Datadog support.

Further Reading

Additional helpful documentation, links, and articles:
