---
id: cloud-security-command-center
title: Google Cloud Security Command Center
sidebar_label: Google Cloud Security Command Center
description: The Sumo Logic app for Google Cloud Security Command Center helps you to monitor, investigate, and respond effectively to security issues, helping you to improve cloud security, reduce risk, and maintain compliance.
slug: /help/docs/integrations/google/cloud-security-command-center/
canonical: https://www.sumologic.com/help/docs/integrations/google/cloud-security-command-center/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The Sumo Logic app for Google Cloud Security Command Center (SCC) provides real-time visibility into cloud risks, including misconfigurations, threats, and vulnerabilities in Google Cloud environments. It features pre-configured dashboards that highlight high-priority security findings, such as privileged account issues, API misuse, software vulnerabilities, severity breakdowns, resource and project-level filtering, and detailed summaries to streamline triage and remediation workflows. This enables you to monitor, investigate, and respond effectively to improve cloud security, reduce risk, and maintain compliance.

:::info
This app includes [built-in monitors](#google-cloud-security-command-center-alerts). For details on creating custom monitors, refer to the [Create monitors for Google Cloud Security Command Center app](#create-monitors-for-google-cloud-security-command-center-app).
:::

## Log types

This app uses the [Findings](https://cloud.google.com/security-command-center/docs/finding-classes) generated by [Security Command Center](https://cloud.google.com/security-command-center/docs/security-command-center-overview) (SCC).

### Sample log message

Misconfigurations

```json
{
  "message": {
    "data": {
      "notificationConfigName": "projects/175089404040/locations/global/notificationConfigs/Sumo-export",
      "finding": {
        "name": "organizations/175089404094/sources/1750894040375988750/locations/global/findings/1750894040375598723",
        "canonicalName": "projects/175089404040/sources/1750894040375988750/locations/global/findings/1750894040375598723",
        "parent": "organizations/175089404094/sources/1750894040375988750/locations/global",
        "resourceName": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west3-a/clusters/k8sng-79-gke1-32-otc-dev-v4-a2a460d400a0",
        "state": "ACTIVE",
        "category": "GKE_PRIVILEGE_ESCALATION",
        "externalUri": "https://provides-homeland.gl.at.ply.gg/kubernetes/security/dashboard?project=prod-backend-infra",
        "securityMarks": {
          "name": "organizations/175089404094/sources/1750894040375988750/locations/global/findings/1750894040375598723/securityMarks"
        },
        "eventTime": "2025-06-25T16:27:20-070003055Z",
        "createTime": "2025-06-25T16:27:20.375Z",
        "severity": "MEDIUM",
        "mute": "UNDEFINED",
        "findingClass": "MISCONFIGURATION",
        "muteUpdateTime": "2025-06-25T16:27:20Z",
        "parentDisplayName": "GKE Security Posture",
        "description": "A container can be explicitly configured to allow privilege escalation on execution. This permits a process created within the container by executing a set-user-id, set-group-id, or file capability executable to gain the privileges specified by the executable. The lack of preventive security control increases the risk of container escape.",
        "nextSteps": "**Apply the following steps to your affected workloads:**\n1. Open the manifest for each affected workload.\n2. Set the following restricted fields to one of the allowed values:\n\n**Restricted Fields**\n- spec.containers[*].securityContext.allowPrivilegeEscalation\n- spec.initContainers[*].securityContext.allowPrivilegeEscalation\n- spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation\n\n**Allowed Values**\n- false\n",
        "kubernetes": {
          "objects": [
            { "kind": "StatefulSet", "ns": "demo-nginx-docker", "name": "nginx" }
          ]
        },
        "muteInfo": {
          "staticMute": { "state": "UNDEFINED", "applyTime": "2025-06-25T16:27:20Z" }
        }
      },
      "resource": {
        "name": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west3-a/clusters/k8sng-79-gke1-32-otc-dev-v4-a2a460d400a0",
        "displayName": "k8sng-79-gke1-32-otc-dev-v4-a2a460d400a0",
        "type": "google.container.Cluster",
        "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
        "service": "container.googleapis.com",
        "location": "europe-west3-a",
        "gcpMetadata": {
          "project": "//cloudresourcemanager.googleapis.com/projects/175089404040",
          "projectDisplayName": "prod-backend-infra",
          "parent": "//cloudresourcemanager.googleapis.com/projects/175089404040",
          "parentDisplayName": "prod-backend-infra",
          "folders": [
            {
              "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/175089404055",
              "resourceFolderDisplayName": "Product Team"
            }
          ],
          "organization": "organizations/175089404094"
        },
        "resourcePath": {
          "nodes": [
            { "nodeType": "GCP_PROJECT", "id": "projects/175089404040", "displayName": "prod-backend-infra" },
            { "nodeType": "GCP_FOLDER", "id": "folders/175089404055", "displayName": "Product Team" },
            { "nodeType": "GCP_ORGANIZATION", "id": "organizations/175089404094" }
          ]
        },
        "resourcePathString": "organizations/175089404094/folders/175089404055/projects/175089404040"
      }
    },
    "messageId": "17508940403752739",
    "message_id": "17508940403752739",
    "publishTime": "2025-06-25T16:27:20.375Z",
    "publish_time": "2025-06-25T16:27:20.375Z"
  },
  "subscription": "projects/prod-backend-infra/subscriptions/scc"
}
```

Threat

```json
{
  "message": {
    "data": {
      "notificationConfigName": "projects/175089404040/locations/global/notificationConfigs/Sumo-export",
      "finding": {
        "name": "organizations/175089404094/sources/1750894040330370653/locations/global/findings/bb7f1949a4044d38a5b1dd7e47676113",
        "canonicalName": "projects/175089404040/sources/1750894040330370653/locations/global/findings/bb7f1949a4044d38a5b1dd7e47676113",
        "parent": "organizations/175089404094/sources/1750894040330370653/locations/global",
        "resourceName": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west2-a/clusters/devclust-gke-otc-rel-v4-ac141583d8a4",
        "state": "ACTIVE",
        "category": "Persistence: New API Method",
        "sourceProperties": {
          "sourceId": {
            "projectNumber": "175089404040",
            "customerOrganizationNumber": "175089404094"
          },
          "detectionCategory": {
            "technique": "persistence",
            "indicator": "audit_log",
            "ruleName": "anomalous_behavior",
            "subRuleName": "new_api_method"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            { "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/container-watcher-status-reporter" },
            { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/175089404040" }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "projectId": "prod-backend-infra",
                "resourceContainer": "projects/prod-backend-infra",
                "timestamp": { "seconds": 1750894040, "nanos": 5.33346E8 },
                "insertId": "c4bc72fe-2e35-4c1d-a188-fcc812ab3822",
                "logId": "cloudaudit.googleapis.com/activity"
              }
            }
          ],
          "properties": {
            "newApiMethod": {
              "newApiMethod": {
                "serviceName": "k8s.io",
                "methodName": "io.k8s.authorization.rbac.v1.roles.delete"
              },
              "principalEmail": "service-project-175089404040@gcp-sa-ktd-hpsa.iam.gserviceaccount.com",
              "callerIp": "147.45.44.104",
              "callerUserAgent": "Google-KTD-Control",
              "resourceContainer": "projects/175089404040"
            }
          },
          "findingId": "bb7f1949a4044d38a5b1dd7e47676113",
          "contextUris": {
            "mitreUri": {
              "displayName": "MITRE Link",
              "url": "https://rofl13.no-ip.biz/tactics/TA0003/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://rofl13.no-ip.biz/logs/query;query=timestamp%3D%222025-06-25T16:27:20-070046Z%22%0AinsertId%3D%22c4bc72fe-2e35-4c1d-a188-fcc812ab3822%22?project=prod-backend-infra"
              }
            ],
            "relatedFindingUri": {}
          }
        },
        "securityMarks": {
          "name": "organizations/175089404094/sources/1750894040330370653/locations/global/findings/bb7f1949a4044d38a5b1dd7e47676113/securityMarks"
        },
        "eventTime": "2025-06-25T16:27:20-070057Z",
        "createTime": "2025-06-25T16:27:20.329Z",
        "severity": "CRITICAL",
        "mute": "UNDEFINED",
        "findingClass": "THREAT",
        "muteUpdateTime": "2025-06-25T16:27:20Z",
        "mitreAttack": { "primaryTactic": "PERSISTENCE" },
        "access": {
          "principalEmail": "service-project-175089404040@gcp-sa-ktd-hpsa.iam.gserviceaccount.com",
          "callerIp": "147.45.44.104",
          "callerIpGeo": {},
          "userAgent": "Google-KTD-Control",
          "serviceName": "k8s.io",
          "methodName": "io.k8s.authorization.rbac.v1.roles.delete"
        },
        "parentDisplayName": "Event Threat Detection",
        "logEntries": [
          {
            "cloudLoggingEntry": {
              "insertId": "c4bc72fe-2e35-4c1d-a188-fcc812ab3822",
              "logId": "cloudaudit.googleapis.com/activity",
              "resourceContainer": "projects/prod-backend-infra",
              "timestamp": "2025-06-25T16:27:20-070046Z"
            }
          }
        ],
        "muteInfo": {
          "staticMute": { "state": "UNDEFINED", "applyTime": "2025-06-25T16:27:20Z" }
        }
      },
      "resource": {
        "name": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west2-a/clusters/devclust-gke-otc-rel-v4-ac141583d8a4",
        "displayName": "devclust-gke-otc-rel-v4-ac141583d8a4",
        "type": "google.container.Cluster",
        "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
        "service": "container.googleapis.com",
        "location": "europe-west2-a",
        "gcpMetadata": {
          "project": "//cloudresourcemanager.googleapis.com/projects/175089404040",
          "projectDisplayName": "prod-backend-infra",
          "parent": "//cloudresourcemanager.googleapis.com/projects/175089404040",
          "parentDisplayName": "prod-backend-infra",
          "folders": [
            {
              "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/175089404055",
              "resourceFolderDisplayName": "Product Team"
            }
          ],
          "organization": "organizations/175089404094"
        },
        "resourcePath": {
          "nodes": [
            { "nodeType": "GCP_PROJECT", "id": "projects/175089404040", "displayName": "prod-backend-infra" },
            { "nodeType": "GCP_FOLDER", "id": "folders/175089404055", "displayName": "Product Team" },
            { "nodeType": "GCP_ORGANIZATION", "id": "organizations/175089404094" }
          ]
        },
        "resourcePathString": "organizations/175089404094/folders/175089404055/projects/175089404040"
      }
    },
    "messageId": "17508940403301574",
    "message_id": "17508940403301574",
    "publishTime": "2025-06-25T16:27:20.329Z",
    "publish_time": "2025-06-25T16:27:20.329Z"
  },
  "subscription": "projects/prod-backend-infra/subscriptions/scc"
}
```

Vulnerability

```json
{
  "message": {
    "data": {
      "notificationConfigName": "projects/175089404040/locations/global/notificationConfigs/Sumo-export",
      "finding": {
        "name": "organizations/175089404094/sources/1750894040384815997/locations/global/findings/20ffcd76a0dd9628d7fe8d27c1b55c19",
        "canonicalName": "projects/175089404040/sources/1750894040384815997/locations/global/findings/20ffcd76a0dd9628d7fe8d27c1b55c19",
        "parent": "organizations/175089404094/sources/1750894040384815997/locations/global",
        "resourceName": "//compute.googleapis.com/projects/prod-backend-infra/zones/us-central1-a/instances/dgarbacz-linux",
        "state": "ACTIVE",
        "category": "SOFTWARE_VULNERABILITY",
        "securityMarks": {
          "name": "organizations/175089404094/sources/1750894040384815997/locations/global/findings/20ffcd76a0dd9628d7fe8d27c1b55c19/securityMarks"
        },
        "eventTime": "2025-06-25T16:27:20-070077141Z",
        "createTime": "2025-06-25T16:27:20.384Z",
        "severity": "HIGH",
        "mute": "UNDEFINED",
        "findingClass": "VULNERABILITY",
        "vulnerability": {
          "cve": {
            "id": "CVE-2023-33953",
            "references": [
              { "source": "More Info", "uri": "https://world-training.gl.at.ply.gg/tracker/CVE-2023-33953" },
              { "source": "More Info", "uri": "https://world-training.gl.at.ply.gg/vuln/detail/CVE-2023-33953" },
              { "source": "More Info", "uri": "https://world-training.gl.at.ply.gg/security/cve/CVE-2023-33953" }
            ],
            "cvssv3": {
              "baseScore": 7.5,
              "attackVector": "ATTACK_VECTOR_NETWORK",
              "attackComplexity": "ATTACK_COMPLEXITY_LOW",
              "privilegesRequired": "PRIVILEGES_REQUIRED_NONE",
              "userInteraction": "USER_INTERACTION_NONE",
              "scope": "SCOPE_UNCHANGED",
              "confidentialityImpact": "IMPACT_NONE",
              "integrityImpact": "IMPACT_NONE",
              "availabilityImpact": "IMPACT_HIGH"
            },
            "upstreamFixAvailable": true,
            "impact": "MEDIUM",
            "exploitationActivity": "NO_KNOWN",
            "exploitReleaseDate": "2025-06-25T16:27:20Z",
            "firstExploitationDate": "2025-06-25T16:27:20Z"
          },
          "offendingPackage": {
            "packageName": "grpcio",
            "cpeUri": "cpe:/a:ghsa:pip",
            "packageType": "PYPI",
            "packageVersion": "1.54.0"
          },
          "fixedPackage": {
            "packageName": "grpcio",
            "cpeUri": "cpe:/a:ghsa:pip",
            "packageType": "PYPI",
            "packageVersion": "1.54.3"
          },
          "securityBulletin": { "submissionTime": "2025-06-25T16:27:20Z" }
        },
        "muteUpdateTime": "2025-06-25T16:27:20Z",
        "parentDisplayName": "Vulnerability Assessment",
        "description": "gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:\n\n- Unbounded memory buffering in the HPACK parser\n- Unbounded CPU consumption in the HPACK parser\n\nThe unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.\n\nThe unbounded memory buffering bugs:\n\n- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4-gigabyte string before rejecting it as longer than 8 or 16kb.\n- HPACK varints have an encoding quirk whereby an infinite number of 0\u2019s can be added at the start of an integer. gRPC\u2019s hpack parser needed to read all of them before concluding a parse.\n- gRPC\u2019s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc\u2026",
        "files": [
          {
            "diskPath": {
              "partitionUuid": "72d18f0c-ddaf-4b73-b512-56102153f78f",
              "relativePath": "usr/lib/google-cloud-sdk/platform/bundledpythonunix/lib/python3.9/site-packages/grpcio-1.54.0.dist-info/METADATA"
            }
          }
        ],
        "muteInfo": {
          "staticMute": { "state": "UNDEFINED", "applyTime": "2025-06-25T16:27:20Z" }
        }
      },
      "resource": {
        "name": "//compute.googleapis.com/projects/prod-backend-infra/zones/us-central1-a/instances/dgarbacz-linux",
        "displayName": "dgarbacz-linux",
        "type": "google.compute.Instance",
        "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
        "service": "compute.googleapis.com",
        "location": "us-central1-a",
        "gcpMetadata": {
          "project": "//cloudresourcemanager.googleapis.com/projects/175089404040",
          "projectDisplayName": "prod-backend-infra",
          "parent": "//cloudresourcemanager.googleapis.com/projects/175089404040",
          "parentDisplayName": "prod-backend-infra",
          "folders": [
            {
              "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/175089404055",
              "resourceFolderDisplayName": "Product Team"
            }
          ],
          "organization": "organizations/175089404094"
        },
        "resourcePath": {
          "nodes": [
            { "nodeType": "GCP_PROJECT", "id": "projects/175089404040", "displayName": "prod-backend-infra" },
            { "nodeType": "GCP_FOLDER", "id": "folders/175089404055", "displayName": "Product Team" },
            { "nodeType": "GCP_ORGANIZATION", "id": "organizations/175089404094" }
          ]
        },
        "resourcePathString": "organizations/175089404094/folders/175089404055/projects/175089404040"
      }
    },
    "messageId": "17508940403846729",
    "message_id": "17508940403846729",
    "publishTime": "2025-06-25T16:27:20.384Z",
    "publish_time": "2025-06-25T16:27:20.384Z"
  },
  "subscription": "projects/prod-backend-infra/subscriptions/scc"
}
```
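
The following added example (not Sumo Logic's or Google's code) reads exported messages in the envelope shown above, parses `finding.name`, keeps one record per `finding_id`, and counts findings by class and severity, so an export can be checked offline before it reaches the dashboards. The sample messages are constructed; the `org_id` group name and the helper names are assumptions made for this example.

```python
import json
import re
from collections import Counter

# Shape of finding.name in the sample messages above.
# The group name org_id is an assumption made for this example.
FINDING_NAME = re.compile(
    r"organizations/(?P<org_id>\d+)/sources/\d+/locations/global"
    r"/findings/(?P<finding_id>[a-f0-9]+)"
)


def extract(raw):
    """Return triage fields for one exported message, or None if unusable."""
    try:
        data = json.loads(raw)["message"]["data"]
        finding, resource = data["finding"], data["resource"]
        match = FINDING_NAME.search(finding["name"])
        if match is None:  # e.g. a name that is not organization-scoped
            return None
        meta = resource.get("gcpMetadata", {})
        folders = meta.get("folders") or [{}]
        return {
            "org_id": match["org_id"],
            "finding_id": match["finding_id"],
            "findingClass": finding.get("findingClass"),
            "severity": finding.get("severity"),
            "state": finding.get("state"),
            "category": finding.get("category"),
            "resource_name": resource.get("displayName"),
            "project_name": meta.get("projectDisplayName"),
            "folder_name": folders[0].get("resourceFolderDisplayName"),
        }
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # not JSON, or not the expected envelope


def summarize(raw_messages):
    """Deduplicate by finding_id (later message wins) and count the result."""
    latest, skipped = {}, 0
    for raw in raw_messages:
        row = extract(raw)
        if row is None:
            skipped += 1
        else:
            latest[row["finding_id"]] = row
    counts = Counter((r["findingClass"], r["severity"]) for r in latest.values())
    critical = {cls: n for (cls, sev), n in counts.items() if sev == "CRITICAL"}
    return {"findings": latest, "counts": counts,
            "critical": critical, "skipped": skipped}


def _msg(name, cls, severity, state="ACTIVE"):
    """Build a constructed message carrying only the fields used here."""
    return json.dumps({"message": {"data": {
        "finding": {"name": name, "findingClass": cls, "severity": severity,
                    "state": state, "category": "EXAMPLE_CATEGORY"},
        "resource": {"displayName": "example-cluster", "gcpMetadata": {
            "projectDisplayName": "example-project",
            "folders": [{"resourceFolderDisplayName": "Example Team"}]}},
    }}})


ORG = "organizations/1111/sources/2222/locations/global/findings/"
SAMPLE = [  # constructed input, assumed to be in publish order
    _msg(ORG + "aaaa0001", "THREAT", "CRITICAL"),
    _msg(ORG + "aaaa0001", "THREAT", "CRITICAL", state="INACTIVE"),  # update
    _msg(ORG + "bbbb0002", "MISCONFIGURATION", "MEDIUM"),
    _msg(ORG + "cccc0003", "VULNERABILITY", "HIGH"),
    _msg("projects/3333/sources/2222/locations/global/findings/dddd0004",
         "THREAT", "CRITICAL"),               # name is project-scoped
    '{"message": {"data": "truncated"}}',     # envelope without a finding
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(dict(result["counts"]), result["critical"], result["skipped"])
```

The `skipped` count shows how many messages would not produce a `finding_id`, which is worth checking when a dashboard panel shows fewer findings than the SCC console.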

### Sample log queries

```sumo title="Misconfiguration"
_sourceCategory=Labs/googleCloudSCC MISCONFIGURATION
| json field=_raw "message.data.finding.name", "message.data.resource", "message.data.finding.resourceName", "message.data.finding.parentDisplayName", "message.data.finding.sourceProperties.Explanation", "message.data.finding.sourceProperties.ExceptionInstructions", "message.data.finding.sourceProperties.Recommendation", "message.data.resource.displayName", "message.data.resource.type", "message.data.finding.description", "message.data.finding.findingClass", "message.data.finding.mute", "message.data.finding.severity", "message.data.finding.state", "message.data.finding.category" as findingName, resource, resourceName, ParentDisplayName, explanation, ExceptionInstructions, Recommendation, displayName, type, description, findingClass, mute, severity, state, category nodrop
// The capture-group names were lost in this copy of the query: finding_id is the field used by dedup below, org_id is an assumed name.
| parse regex field = findingName "organizations\/(?<org_id>\d+)\/sources\/\d+\/locations\/global\/findings\/(?<finding_id>[a-f0-9]+)"
| dedup 1 by finding_id
| json field=resource "service", "displayName", "location", "type", "gcpMetadata.projectDisplayName", "gcpMetadata.folders[0].resourceFolderDisplayName" as service, resource_name, location, type, project_name, folder_name
| where findingClass = "MISCONFIGURATION"
| count by finding_id, description, category, severity, findingClass, resource_name, location, folder_name, project_name, state
```

```sumo title="Threat"
_sourceCategory=Labs/googleCloudSCC THREAT
| json field=_raw "message.data.finding.name", "message.data.resource", "message.data.finding.resourceName", "message.data.finding.parentDisplayName", "message.data.finding.sourceProperties.Explanation", "message.data.finding.sourceProperties.ExceptionInstructions", "message.data.finding.sourceProperties.Recommendation", "message.data.resource.displayName", "message.data.resource.type", "message.data.finding.description", "message.data.finding.findingClass", "message.data.finding.mute", "message.data.finding.severity", "message.data.finding.state", "message.data.finding.category" as findingName, resource, resourceName, ParentDisplayName, explanation, ExceptionInstructions, Recommendation, displayName, type, description, findingClass, mute, severity, state, category nodrop
// The capture-group names were lost in this copy of the query: finding_id is the field used by dedup below, org_id is an assumed name.
| parse regex field = findingName "organizations\/(?<org_id>\d+)\/sources\/\d+\/locations\/global\/findings\/(?<finding_id>[a-f0-9]+)"
| dedup 1 by finding_id
| json field=resource "service", "displayName", "location", "type", "gcpMetadata.projectDisplayName", "gcpMetadata.folders[0].resourceFolderDisplayName" as service, resource_name, location, type, project_name, folder_name
| where findingClass = "THREAT"
| count by finding_id, category, severity, findingClass, resource_name, location, folder_name, project_name, state
```

```sumo title="Vulnerability"
_sourceCategory=Labs/googleCloudSCC VULNERABILITY
| json field=_raw "message.data.finding.name", "message.data.resource", "message.data.finding.resourceName", "message.data.finding.parentDisplayName", "message.data.finding.sourceProperties.Explanation", "message.data.finding.sourceProperties.ExceptionInstructions", "message.data.finding.sourceProperties.Recommendation", "message.data.resource.displayName", "message.data.resource.type", "message.data.finding.description", "message.data.finding.findingClass", "message.data.finding.mute", "message.data.finding.severity", "message.data.finding.state", "message.data.finding.category" as findingName, resource, resourceName, ParentDisplayName, explanation, ExceptionInstructions, Recommendation, displayName, type, description, findingClass, mute, severity, state, category nodrop
// The capture-group names were lost in this copy of the query: finding_id is the field used by dedup below, org_id is an assumed name.
| parse regex field = findingName "organizations\/(?<org_id>\d+)\/sources\/\d+\/locations\/global\/findings\/(?<finding_id>[a-f0-9]+)"
| dedup 1 by finding_id
| json field=resource "service", "displayName", "location", "type", "gcpMetadata.projectDisplayName", "gcpMetadata.folders[0].resourceFolderDisplayName" as service, resource_name, location, type, project_name, folder_name
| where findingClass = "VULNERABILITY"
| count by finding_id, description, category, severity, findingClass, resource_name, location, folder_name, project_name, state
```

## Configure the data collection from Google Cloud Security Command Center

This section describes the Sumo Logic pipeline for collecting data from Google Cloud Security Command Center (SCC).

### Integrating the Google Cloud Security Command Center app

Follow the steps below to integrate the Google Cloud Security Command Center (SCC) app:

1. Enable the [Security Command Center (SCC)](https://cloud.google.com/security-command-center/docs/activate-scc-overview) in the GCP console.
1. In Sumo Logic, [configure the Google Cloud Platform source](/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/#configure-agoogle-cloud-platform-source).
1. In the GCP console, configure a Pub/Sub Topic for [GCP](/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/#configure-a-pubsub-topicfor-gcp). This topic will be used to send SCC findings from GCP to Sumo Logic.
1. In the SCC blade of the GCP console, click **Continuous Exports**.
1. In the GCP console, export the findings from SCC to the [Pub/Sub Topic](https://cloud.google.com/security-command-center/docs/how-to-export-data?_gl=1*1dt4zsw*_ga*ODU1MTc4OTQ1LjE3Mzg3ODM5NzI.*_ga_WH2QY8WWF5*czE3NDY2Mzc3MzQkbzMkZzEkdDE3NDY2MzgxNDUkajYwJGwwJGgw#configure-pubsub-exports) created above.

### Testing the integration

1. Refer to this [link](https://cloud.google.com/security-command-center/docs/how-to-export-data?_gl=1*1nrezew*_ga*ODU1MTc4OTQ1LjE3Mzg3ODM5NzI.*_ga_WH2QY8WWF5*czE3NDY3MjYwNjEkbzUkZzEkdDE3NDY3MjY2OTQkajMzJGwwJGgw#test_continuous_exports) to test the continuous exports created above.
1. Use *Live Tail* in Sumo Logic to see the findings from SCC.

## Installing the Google Cloud Security Command Center app

Now that you have set up the collection for Google Cloud Security Command Center (SCC), install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage.

import AppInstall2 from '../../reuse/apps/app-install-v2.md';

## Viewing Google Cloud Security Command Center dashboards

import ViewDashboards from '../../reuse/apps/view-dashboards.md';

### Misconfigurations

The **Google Cloud - Security Command Center - Misconfigurations** dashboard provides you with a comprehensive view of misconfigurations across Google Cloud. It shows the total number of misconfigurations by severity, category, project, and resource type, so you can quickly identify high-risk issues such as over-privileged accounts or insecure Kubernetes settings and pinpoint the most affected resources. The dashboard supports rapid investigation and proactive remediation, enhancing overall cloud security posture.

### Threats

The **Google Cloud - Security Command Center - Threats** dashboard provides you with real-time visibility into threats in Google Cloud environments. It displays threat counts by severity and type, identifies affected projects and resources, and offers detailed findings for incident investigation. The dashboard aids in prioritizing responses, detecting suspicious activity early, and improving overall cloud threat detection and response.

### Vulnerabilities

The **Google Cloud - Security Command Center - Vulnerabilities** dashboard provides you with insights into known vulnerabilities across cloud resources for effective risk assessment and remediation. The dashboard displays the total count of vulnerabilities detected, categorized by severity and type (for example, GKE Security Bulletin, Software, OS), helping prioritize critical and high-severity issues. Analysts can drill into project-specific data and detailed findings like CVEs or SQL injection risks, making this dashboard key to reducing exposure and maintaining a secure cloud environment.

## Create monitors for Google Cloud Security Command Center app

import CreateMonitors from '../../reuse/apps/create-monitors.md';

### Google Cloud Security Command Center alerts

| Name | Description | Alert Condition | Trigger Type |
|:--|:--|:--|:--|
| `Critical Misconfigurations` | This alert is triggered when critical misconfiguration findings, such as insecure default settings or overly permissive roles, are detected, indicating security vulnerabilities or compliance violations. It helps security analysts quickly identify and address high-risk configuration issues. | Count > 0 | Critical |
| `Critical Threats` | This alert is triggered when critical threat detections are logged in the environment, indicating potential active attacks or malicious behavior. It serves as an early warning system for high-severity incidents requiring immediate investigation and response. | Count > 0 | Critical |
| `Critical Vulnerabilities` | This alert is triggered when critical vulnerabilities, such as unpatched software or exposed components, are detected that pose a significant risk to cloud infrastructure. It allows analysts to prioritize remediation efforts on the most impactful security weaknesses. | Count > 0 | Critical |

## Upgrade/Downgrade the Google Cloud Security Command Center app (Optional)

import AppUpdate from '../../reuse/apps/app-update.md';

## Uninstalling the Google Cloud Security Command Center app (Optional)

import AppUninstall from '../../reuse/apps/app-uninstall.md';