Get Started with Security Command Center

Lab | 20 hours | 1 credit | Introductory
This lab may incorporate AI tools to support your learning.

GSP1124

Overview

Security Command Center (SCC) is a security monitoring platform that helps users accomplish the following:

  • Discover security-related misconfigurations of Google Cloud resources.
  • Report on active threats in Google Cloud environments.
  • Fix vulnerabilities across Google Cloud assets.

In this lab, you take your first steps with Security Command Center by exploring the service's interface, configurations, and vulnerability findings.

Objectives

In this lab, you learn how to perform the following tasks:

  • Explore SCC interface elements.
  • Configure SCC settings at the project level.
  • Analyze and fix SCC vulnerability findings.

Prerequisites

It is recommended, but not required, that you are familiar with the following before starting this lab:

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.

This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges to be incurred on your personal account.
  • Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details pane.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details pane.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.

    Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell at the top of the Google Cloud console.

  2. Click through the following windows:

    • Continue through the Cloud Shell information window.
    • Authorize Cloud Shell to use your credentials to make Google Cloud API calls.

When you are connected, you are already authenticated, and the project is set to your Project_ID. The output contains a line that declares the Project_ID for this session:

Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  3. (Optional) You can list the active account name with this command:

    gcloud auth list

  4. Click Authorize.

    Output:

    ACTIVE: *
    ACCOUNT: {{{user_0.username | "ACCOUNT"}}}

    To set the active account, run:
        $ gcloud config set account `ACCOUNT`

  5. (Optional) You can list the project ID with this command:

    gcloud config list project

    Output:

    [core]
    project = {{{project_0.project_id | "PROJECT_ID"}}}

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Scenario


Cymbal Bank is an American retail bank with over 2,000 branches in all 50 states. It offers comprehensive debit and credit services that are built on top of a robust payments platform. Cymbal Bank is a digitally transforming legacy financial services institution.

Cymbal Bank was founded in 1920 under the name Troxler. Cymbal Group acquired the company in 1975 after it had been investing heavily in Cymbal Group's proprietary ATMs. As the bank grew into a national leader, they put strategic emphasis on modernizing the customer experience both in-person at their branches and digitally through an app they released in 2014. Cymbal Bank employs 42,000 people nationwide and, in 2019, reported $24 billion in revenue.

Cymbal Bank is interested in integrating a centralized security monitoring platform to help monitor threats and remediate vulnerabilities across their Google Cloud resources in their corporate banking applications. As a Cloud Security Engineer, you are tasked with learning about Security Command Center's cutting-edge features so you can deliver a presentation to the CTO on the service's benefits.

Task 1. Explore SCC interface elements

In this task, you explore the Security Command Center (SCC) interface to learn about the service's chief features.

  1. In the Cloud console, on the Navigation menu, select Security > Overview.
Note: If you receive a message informing you that you need to "Create an Organization", simply refresh the browser.
  2. On the Risk Overview page, explore the panels displaying information on New threats over time in the Threats tab and Vulnerabilities dashboard in the Vulnerabilities tab on the navigation bar.

Threats and vulnerabilities are two different types of finding classes, which SCC uses to categorize and report security issues in your environment. Refer to the Finding classes documentation to learn more about finding classes.

  • Threats notify Google Cloud users about current suspicious activities happening in their Google Cloud environments, such as a service account investigating its own permissions.

  • Vulnerabilities provide information on misconfigurations or vulnerabilities of resources, such as an open TCP port or an outdated library running on a virtual machine.

A finding is a record generated by SCC, which provides details on vulnerability or threat data in the Security Command Center dashboard.

Note: In this lab instance, the number of threats is zero because you are in a sandbox Google Cloud project that has never been attacked before. You explore how to protect yourself from threats in another lab, Detect and Investigate Threats with Security Command Center.
  3. Select the All Risk tab, then in the Misconfigurations card, choose the By date tab.

This card enumerates currently active threats that have happened in your project during the period of time determined by the "Time range" dropdown on the right side of this information panel.

By default, the time range dropdown shows all threats that appeared during the last 30 days, but you can view all threats that happened during the last 180 days.

  4. From the Time range selector, select Last 180 days.

  5. Review the Vulnerabilities By resource type tab.

There should be around 60 active vulnerabilities listed.

A majority of these findings are generated because you are using a default VPC network, which is insecure by design, for the purposes of this lab. For example, it contains firewall rules that allow SSH and RDP access from any IP address.

  6. Click the By category tab.

This shows your environment's vulnerabilities organized by different categories of vulnerabilities and their severity. The severity is a property of the finding that helps to estimate the potential risk that an issue poses to the Google Cloud environment.

The level of severity cannot be changed—each type of finding has a severity level that is predetermined by SCC. Below is a list of the different types of severities and common examples:

  • Critical - For example, a Reverse Shell session launched from inside of a GKE Pod.
  • High - For example, an SSH port opened to the entire Internet (0.0.0.0/0).
  • Medium - For example, one of the primitive IAM roles (Owner/Editor/Viewer) has been granted to a user or a service account.
  • Low - For example, no VPC Flow logs are collected.
  • Unspecified - Can appear in SCC, but is not common.

Detailed criteria for how SCC sets a finding's severity are described on the Finding severities page.

Note: Take notice that the findings about open RDP and SSH ports have high severity levels.
  7. From the Security portal, which you access if you select Security from the Navigation menu, note the various tabs listed under the Security Command Center header. Here is a description of each.

SCC section | Description
Overview | Shows your environment's vulnerabilities organized by different categories of vulnerabilities and severity.
Graph Search | Lets you search for assets and findings using natural language queries.
Issues | Issues are notable security risks that Security Command Center Premium and Enterprise have identified in your cloud environments.
Findings | A finding is a record that Security Command Center services create when they detect a security issue.
Assets | Includes asset information from Cloud Asset Inventory, which continuously monitors assets in your cloud environment.
Compliance | Shows information about compatibility of your Project with the most important compliance standards such as CIS, PCI DSS, NIST 800-53 and others.
Sources | Details the software modules that analyze configuration of Google Cloud resources and monitor current activities by reading log files and checking currently running processes.
Posture Management | Lets you use the security posture service in the SCC. Refer to the Manage a security posture guide for more detail.

Task 2. Configure SCC settings at the project level

In this task, you explore how to configure Security Command Center’s integrated services (sources) at the project level by managing module settings and enabling a specific Security Health Analytics detection module.

  1. Click Settings from the left navigation menu under Security Command Center.

  2. Ensure you are on the Services tab.

This tab allows you to set up parameters of SCC's integrated services, which are also called sources ("the brains of SCC" that you explored in the previous task). For the purposes of this lab, the terms services and sources are interchangeable.

Services detect threats and vulnerabilities and provide information to SCC. Most of them are available only in the Premium edition of SCC, which is provisioned in this lab.

The following are built-in services that you can configure:

  • Security Health Analytics (SHA): Finds and reports misconfigurations of resources (disabled logs, extra IAM permissions, publicly exposed services). This is what we have currently enabled in our project and what detected the 76 vulnerabilities in our project.
  • Web Security Scanner (WSS): Scans publicly available web applications exposed via external IP addresses and checks for OWASP Top 10 vulnerabilities.
  • Event Threat Detection (ETD): Provides log-based threat analysis that continuously monitors Google Cloud and Google Workspace logs to scan for potential threats.
  • Container Threat Detection (CTD): Detects the most common container runtime attacks in a Container-Optimized OS.
  • Virtual Machine Threat Detection: Analyzes memory of VM instances at the hypervisor level and can detect suspicious activities happening in VM memory. Examples are unexpected kernel modules or running crypto-mining software.
  • Cloud Run Threat Detection (available for Premium or Enterprise): Uses kernel-level instrumentation to identify potential compromise of Cloud Run resources, including suspicious binaries. If enabled, all workloads will use the second generation execution environment when redeployed. Test your workloads on second generation before enabling.
  • Vulnerability Assessment (available for Premium or Enterprise): Scans your Google Cloud and Amazon Web Services resources for common vulnerabilities and exposures (CVE).
  • Notebook Security Scanner (available for Premium or Enterprise): Scans your Colab Enterprise notebooks for package vulnerabilities in the integrated open-source Python packages.
  3. Select the Manage settings link for Security Health Analytics.

  4. Choose the Modules tab.

Modules are pre-defined or custom units of detection logic. As you can see, SCC offers many different types of modules that can help you detect different misconfigurations of resources. SCC makes it easy to enable and disable different types of modules to support your security posture and the resources you are interested in monitoring.

  5. In the filter field, type VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED and press Enter.

  6. From the Status section choose the dropdown option by Disabled and select Enable.

With this enabled, Security Health Analytics checks whether the enableFlowLogs property of VPC subnetworks is missing or set to false.

Note: There is a delay until SCC starts scanning resources using the newly enabled module.

Now that you are familiar with Security Command Center's different services and how to configure them, you can explore how to identify and fix a vulnerability with SCC.

Task 3. Analyze and fix SCC vulnerability findings

In this task, you analyze and manage vulnerability findings by applying filters, changing finding states, and creating mute rules, then remediate high-severity network risks by updating firewall configurations.

Mark a finding as INACTIVE to change its state

  1. From the Navigation menu, select Overview under Security Command Center.

  2. In the menu on the left, click the Findings tab.

  3. Set the Time range selector in the top-right corner to All time.

  4. In the top-left corner of the screen, find the Query preview window, which contains a filter for sorting through all available findings.

By default, the Findings tab displays unmuted findings with a state of ACTIVE.

The two properties, state and mute, of every finding define visibility of findings in many filters used for SCC.

  • The mute value can be set on findings by the security analyst or it can be set automatically if the analyst does not want to see irrelevant and noisy findings in the SCC interface.
  • The state property indicates whether a finding requires attention and has not been addressed yet, or if it's been fixed or otherwise addressed and is no longer active.
Note: There is a third property called launch_state which is not pertinent to this lab. It is used to indicate whether a finding is in preview, beta, or GA.
  5. On the Quick filters card, select the checkbox associated with the Default network category.

  6. Notice that the query string in the Query preview has changed. (It now has AND category="DEFAULT_NETWORK" attached to it.)

  7. In the Findings query results section, select the checkbox associated with Default network and click Change active state.

  8. Set the state to Inactive for this finding.

Now the finding has been deactivated and hidden from the screen because, by default, only active and unmuted findings are listed.

Filter findings results by applying a query

  1. You can reset the Findings tab view. To do this, select Overview and then choose Findings under the SCC header.

  2. Click the Edit query button.

  3. Change the query string in the Query editor to category="DEFAULT_NETWORK".

  4. When you're finished editing, click the Apply button.

    It may take a minute or two for the change to take effect. Once it does, only one finding for Default network is listed.

  5. In the Findings query results section, select the checkbox for Default network and click Change active state.

  6. Set the state for this finding to Active.

Findings can be activated and deactivated manually, but they can never be deleted by a user. They are deleted automatically only when a finding has not been refreshed by scanners during a period of 13 months.

When a security scanner checks the same finding and does not detect the misconfiguration that kicked off the finding, it marks it as INACTIVE. If the vulnerability is still present in the system, the finding stays in an ACTIVE state.

  7. Click the Clear All button next to Quick Filters to reset the findings tab.

  8. In the Query preview window, click Edit Query.

  9. Now copy and paste the following query:

    state="ACTIVE" AND NOT mute="MUTED" AND resource.type="google.compute.Subnetwork"

  10. When you're finished editing, click the Apply button.

Now all findings related to subnetworks are displayed. For this lab, the default VPC network is created with the --subnet-mode=auto parameter, so none of its subnets have Private Google Access enabled or write VPC Flow Logs.

Filter findings by category and mute them

When working in a test environment, you sometimes want to hide certain findings. In this instance, you do not want to see SCC findings about Private Google Access in this network, so you want to mute those findings.

  1. In the Quick filters window, select the category Private google access disabled.

  2. In the Finding query results pane, select the uppermost Category checkbox so all "Private google access disabled" findings are selected.

  3. Select the Mute options button.

  4. In the dropdown, select Apply mute override. This operation mutes existing findings.

  5. Select Overview in the left-hand menu, and then select Findings to reset the findings view.

Notice that the Private Google access disabled findings are now muted and no longer displayed. Muting is a powerful way to filter SCC results and provides fine-grained control over the resources and findings of interest.

Create a mute rule to hide certain findings

Another misconfiguration of the default network is that VPC Flow Logs are also disabled in the subnets of this network. Since you are working in a test environment, you don't need VPC Flow Logs enabled.

In this section, mute all existing and future findings related to this category.

  1. In the Findings query results window, select Mute options > Manage mute rules.

  2. Click the Create mute rule button.

Note: Muting the "Private Google Access disabled" findings in the previous step was a one-time operation. Any new findings matching that condition will still appear in SCC.

In contrast, Dynamic Mute Rules will automatically silence matching findings in the future.
  3. In the Create dynamic mute rule window, configure the following:

    • Mute rule ID: mute-flowlogs-findings
    • Description: Mute rule for VPC Flow Logs
    • Findings query: category="FLOW_LOGS_DISABLED"
  4. Select the Save button.

You'll see a notification that a mute rule was created.

Click Check my progress to verify you've completed this objective. Create a mute rule

  5. Now refresh the main SCC Dashboard by selecting Findings from the left-hand menu.
Note: Since dynamic mute rules apply asynchronously to existing findings, the initial Flow logs disabled findings will still be visible in the dashboard for a few hours. However, the rule will immediately apply to any new findings generated.
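
The state and mute semantics described in this task, as an added example that is not part of the original lab and not SCC's own code: a simplified Python model that evaluates the lab's filter strings over constructed findings and contrasts a one-time mute with a dynamic mute rule. The finding names and the FindingStore class are made up for illustration, and the model applies mute rules immediately, ignoring the asynchronous delay noted above.

```python
import re

TERM = re.compile(r'^(NOT\s+)?([\w.]+)\s*=\s*"([^"]*)"$')
DEFAULT_VIEW = 'state="ACTIVE" AND NOT mute="MUTED"'  # default Findings query from the lab


def matches(finding, query):
    """Evaluate the filter subset used in this lab: field="value" terms joined by AND,
    each optionally prefixed with NOT."""
    for raw in re.split(r"\s+AND\s+", query.strip()):
        m = TERM.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {raw!r}")
        negate, field, value = m.groups()
        if (finding.get(field) == value) == bool(negate):
            return False
    return True


class FindingStore:
    """Simplified model of the state/mute behaviour described above (hypothetical class)."""

    def __init__(self):
        self.findings, self.mute_rules = [], {}

    def ingest(self, name, category, resource_type):
        # A finding nobody has muted carries mute="UNDEFINED", which is why the
        # default view is written as NOT mute="MUTED" rather than mute="UNMUTED".
        f = {"name": name, "category": category, "resource.type": resource_type,
             "state": "ACTIVE", "mute": "UNDEFINED"}
        if any(matches(f, q) for q in self.mute_rules.values()):
            f["mute"] = "MUTED"  # dynamic rules also cover findings created later
        self.findings.append(f)

    def mute_once(self, query):
        """One-time mute override: only findings that exist right now are changed."""
        for f in self.findings:
            if matches(f, query):
                f["mute"] = "MUTED"

    def create_mute_rule(self, rule_id, query):
        """Dynamic mute rule: applied to existing findings and kept for future ones."""
        self.mute_rules[rule_id] = query
        self.mute_once(query)

    def set_state(self, name, state):
        for f in self.findings:
            if f["name"] == name:
                f["state"] = state

    def query(self, q):
        return [f["name"] for f in self.findings if matches(f, q)]


def run_lab_sequence():
    """Replay a subset of the lab's steps on constructed findings (names are made up)."""
    s = FindingStore()
    s.ingest("default-network", "DEFAULT_NETWORK", "google.compute.Network")
    s.ingest("default-pga", "PRIVATE_GOOGLE_ACCESS_DISABLED", "google.compute.Subnetwork")
    s.ingest("default-flowlogs", "FLOW_LOGS_DISABLED", "google.compute.Subnetwork")

    s.set_state("default-network", "INACTIVE")
    s.mute_once('category="PRIVATE_GOOGLE_ACCESS_DISABLED"')
    s.create_mute_rule("mute-flowlogs-findings", 'category="FLOW_LOGS_DISABLED"')

    # Findings for a second network's subnets arrive after the muting steps.
    s.ingest("scc-lab-net-pga", "PRIVATE_GOOGLE_ACCESS_DISABLED", "google.compute.Subnetwork")
    s.ingest("scc-lab-net-flowlogs", "FLOW_LOGS_DISABLED", "google.compute.Subnetwork")

    return {
        "default_view": s.query(DEFAULT_VIEW),
        "flow_logs_all": s.query('category="FLOW_LOGS_DISABLED"'),
        "inactive": s.query('state="INACTIVE"'),
    }


if __name__ == "__main__":
    for view, names in run_lab_sequence().items():
        print(f"{view}: {names}")
```

Only the new Private Google Access finding reaches the default view, because the one-time mute did not cover it; the flow-log findings stay hidden there but remain queryable by category.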

Create another VPC network to test the findings mute rule

In this section, you create one more network with automatically configured subnets to test out the recent modifications to your finding rules.

  1. Open a new Cloud Shell session, and run the following command to create the network:

    gcloud compute networks create scc-lab-net --subnet-mode=auto

Note: It may take a few minutes for the subnet to be created.

Ensure the output you receive is similar to the following.

Output:

    Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-03-c6821aef4c0f/global/networks/SCC-lab-net].
    NAME: SCC-lab-net
    SUBNET_MODE: AUTO
    BGP_ROUTING_MODE: REGIONAL
    IPV4_RANGE:
    GATEWAY_IPV4:

Click Check my progress to verify you've completed this objective. Create a network

  2. Close the Cloud Shell window after you have verified the above message.

  3. Refresh the SCC findings window to see any new Private google access disabled findings.

    You’ll notice that the mute rule you created removed the VPC Flow Log findings.

    Although you created mute rules for VPC Flow Logs, SCC still allows you to view them using the query editor.

  4. Click the Edit Query button, and paste in the following to overwrite the existing query filter text:

    category="FLOW_LOGS_DISABLED"

  5. Click Apply.

    In the Findings query results window, both the "default" and "SCC-lab-net" networks are listed in the Resource display name column.

Note: If you do not see the default network listed, please make sure that the parameter Rows per page is set to 100. Also check that the Time Range parameter is set to the All time value.
  6. In the Query preview window, click Edit Query.

  7. Copy and paste this query to overwrite the existing query text:

    state="ACTIVE" AND NOT mute="MUTED"

  8. When you're finished editing, click the Apply button.

    This shows you the findings you had muted previously.

Investigate and fix two findings with high severity

In this section, you investigate and explore how to fix two findings with high severity.

  1. In the Quick Filters section, scroll down to the Severity type and select High from the list of severity options.

You’ll see two findings: Open RDP port and Open SSH port. They were initiated because the "default" network contains two firewall rules, which enable SSH and RDP internet traffic for all instances in this network.

  2. In the Findings query results window, click on the Open RDP port finding.

A new window appears, which provides a detailed description of the issue itself, a list of affected resources, and "Next steps" to help you remediate it.

  3. In the Next steps section, click the link to go to the firewall rules page, which opens in a new tab.

  4. Click Edit.

  5. Delete the source IP range, 0.0.0.0/0.

  6. Add the following source IP range 35.235.240.0/20 and press Enter.

Note: This range of IP addresses is used for connecting to VM instances securely via Identity-Aware Proxy (IAP). More information is available on the Using IAP for TCP forwarding page.

Do not change any other parameters!

  7. Click Save.

  8. Once saved, close the browser tab where you edited the firewall rule.

  9. Refresh the SCC findings browser tab.

    You should now see only one finding with High severity—Open SSH Port.

Update the firewall rules to address a finding

  1. Click on the Open SSH port finding.

  2. Scroll down to the Next steps section, and click the link to go to the firewall rules page, which opens in a new tab.

  3. Click Edit.

  4. Delete the source IP range, 0.0.0.0/0.

  5. Add the following source IP range 35.235.240.0/20 and press Enter.

    Do not change any other parameters!

  6. Click Save.

  7. Once saved, close the browser tab where you edited the firewall rule.

Click Check my progress to verify you've completed this objective. Update the firewall rules

  8. Close the window with the open findings description and refresh the browser window.

    You should see no findings with High severity.
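
One way to check the same condition offline, as an added example that is not part of the original lab: a Python audit over firewall rules exported as JSON that flags ingress rules exposing TCP 22 or 3389 to any address and confirms that the remediated rules admit only the IAP range. The sample rules are constructed, the function names are hypothetical, and the check is an approximation of the Open SSH port and Open RDP port findings, not SCC's detector logic.

```python
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP TCP forwarding range from the lab
SENSITIVE_PORTS = {22: "Open SSH port", 3389: "Open RDP port"}


def covers_port(allowed_entry, port):
    """True if one 'allowed' entry of a firewall rule permits TCP traffic to `port`."""
    proto = str(allowed_entry.get("IPProtocol", "")).lower()
    if proto == "all":
        return True
    if proto not in ("tcp", "6"):
        return False
    ports = allowed_entry.get("ports")
    if not ports:  # no ports listed means every port of the protocol
        return True
    for spec in ports:  # each spec is a single port ("22") or a range ("20-25")
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def open_to_any(rule):
    """True if any source range has prefix length 0, for example 0.0.0.0/0."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in rule.get("sourceRanges", []))


def audit(rules):
    """Return (rule name, finding label) for enabled ingress rules that expose
    SSH or RDP to any address."""
    hits = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not open_to_any(rule):
            continue
        for port, label in SENSITIVE_PORTS.items():
            if any(covers_port(a, port) for a in rule.get("allowed", [])):
                hits.append((rule["name"], label))
    return hits


def iap_only(rule):
    """True if every source range of the rule lies inside the IAP forwarding range."""
    ranges = [ipaddress.ip_network(c, strict=False) for c in rule.get("sourceRanges", [])]
    return bool(ranges) and all(r.version == 4 and r.subnet_of(IAP_RANGE) for r in ranges)


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (only the fields the audit reads); it stands in for the default network's rules.
BEFORE = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-icmp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "default-allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
]

# The same rules after the edit made in the lab: source range replaced by the IAP range.
AFTER = [dict(r, sourceRanges=[str(IAP_RANGE)])
         if r["name"] in ("default-allow-ssh", "default-allow-rdp") else r
         for r in BEFORE]

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```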

Congratulations!

Throughout this lab, you learned how to explore the Security Command Center interface elements, configure SCC settings at the project level, and analyze and fix SCC vulnerability findings. You have also used SCC to identify and remediate critical security vulnerabilities in your Google Cloud environment.

Next steps / Learn more

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated on February 23, 2026

Lab last tested on February 23, 2026

Copyright 2026 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
