Google Security Operations limits in Security Command Center Enterprise

The Security Command Center Enterprise service tier offers additional features compared to the Standard and Premium tiers, including a selection of Google Security Operations features and the ability to ingest data from other cloud providers. These features make Security Command Center a cloud-native application protection platform (CNAPP).

The Google Security Operations features in the Security Command Center Enterprise tier have different limits than those in the Google Security Operations plans. These limits are described in the following table.

Feature: Limits

  • Applied Threat Intelligence: No access
  • Curated detections: Limited to detecting cloud threats on Google Cloud, Microsoft Azure, and AWS.
  • Custom rules: 20 custom single-event rules; multi-event rules aren't supported.
  • Data retention: 3 months
  • Gemini for Google Security Operations: Limited to natural language search and case investigation summaries.
  • Google SecOps security information and event management (SIEM): Cloud data only.
  • Google SecOps security orchestration, automation, and response (SOAR): Cloud response integrations only. For the list of supported integrations, see Supported Google Security Operations integrations. Supports one SOAR environment.
  • Log ingestion: Limited to logs that are supported for cloud threat detection. For the list, see Supported Google SecOps log data collection.
  • Risk analytics: No access
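To make the custom-rule limit concrete, the following YARA-L 2.0 rules are an added example, not taken from this page or from Google's curated rule packs. The first rule is a single-event rule, the kind the Security Command Center Enterprise tier counts against its allowance of 20: it evaluates each GCP_CLOUDAUDIT event on its own and has no match section. The second rule expresses the same idea in multi-event form, with a match section that correlates several events per principal over a time window; that is the shape the tier does not support. The rule names, the 203.0.113.0/24 address range, the threshold, and the assumption that the default parser maps the Cloud Audit Logs methodName to metadata.product_event_type are illustrative; confirm the field mapping against your own parsed events before deploying.

```yaral
// Added example: a single-event YARA-L 2.0 rule. Each GCP_CLOUDAUDIT event is
// evaluated on its own, so there is no match section. The rule name, the CIDR
// and the product_event_type mapping are assumptions for this illustration.
rule gcp_sa_key_created_from_unknown_ip {
  meta:
    author = "example"
    description = "Service account key created from outside the corporate address range"
    severity = "MEDIUM"

  events:
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    // Cloud Audit Logs methodName as mapped into UDM by the default parser (assumed).
    $e.metadata.product_event_type = "google.iam.admin.v1.CreateServiceAccountKey"
    // 203.0.113.0/24 stands in for the organization's known egress range.
    not net.ip_in_range_cidr($e.principal.ip, "203.0.113.0/24")

  condition:
    $e
}

// Multi-event form of the same detection: the match section groups events by
// acting principal over a one-hour window and the condition counts them.
// Rules of this shape are not supported in the Security Command Center
// Enterprise tier; they are shown here only to make the distinction visible.
rule gcp_sa_key_creation_burst {
  meta:
    author = "example"
    description = "More than three service account keys created by one principal within an hour"
    severity = "HIGH"

  events:
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.product_event_type = "google.iam.admin.v1.CreateServiceAccountKey"
    $e.principal.user.email_addresses = $actor

  match:
    $actor over 1h

  condition:
    #e > 3
}
```

The practical consequence for the Enterprise tier is that anything you would normally express with a match section (bursts, sequences, joins across event types) has to be collapsed into per-event conditions like the first rule, or handled downstream in a SOAR playbook once a single-event rule has fired.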

Supported Google Security Operations integrations

The following sections list the Google Security Operations Marketplace integrations that are supported with Security Command Center Enterprise. They are listed in separate columns in the following table.

  • Packaged and preconfigured integrations are included in the SCC Enterprise - Cloud Orchestration and Remediation use case and are preconfigured to support cloud-native application protection platform (CNAPP) use cases. They are available when you activate Security Command Center Enterprise and update the Enterprise use case.

    Configurations in the SCC Enterprise - Cloud Orchestration and Remediation use case include, as an example, dedicated playbooks that use Jira and ServiceNow with predefined handling of response cases. The integrations are preconfigured to support all cloud providers that Security Command Center Enterprise supports.

  • Downloadable integrations are Marketplace integrations that you can download with Security Command Center Enterprise and use in a playbook. The versions that you download from Google Security Operations Marketplace are not configured specifically for Security Command Center Enterprise and require additional manual configuration.

Each integration is listed by name. For information about a specific integration, see Google Security Operations Marketplace integrations.

Integrations are grouped by type of application or information. Unless marked with an asterisk (*), each integration listed is both packaged and preconfigured in the SCC Enterprise - Cloud Orchestration and Remediation use case and available as a downloadable integration from Google Security Operations Marketplace.

Google Cloud and Google Workspace integrations

  • AppSheet
  • Google Alert Center
  • Google BigQuery
  • Google Chat
  • Google Chronicle
  • Google Cloud Asset Inventory
  • Google Cloud Compute
  • Google Cloud IAM
  • Google Cloud Policy Intelligence
  • Google Cloud Recommender
  • Google Cloud Storage
  • Google Kubernetes Engine
  • Google Rapid Response (GRR)
  • Google Security Command Center
  • Google Translate
  • GSuite
  • SCCEnterprise

Amazon Web Services integrations

  • AWS CloudTrail
  • AWS CloudWatch
  • AWS Elastic Compute Cloud (EC2)
  • AWS GuardDuty
  • AWS Identity and Access Management (IAM)
  • AWS IAM Access Analyzer
  • Amazon Macie*
  • AWS S3
  • AWS Security Hub
  • AWS WAF

Microsoft Azure and Office365 integrations

  • Azure Active Directory
  • Azure AD Identity Protection
  • Azure Security Center
  • Microsoft Graph Mail
  • Microsoft Teams

IT service management (ITSM)-related applications

  • BMC Helix Remedyforce
  • BMC Remedy ITSM
  • CA Service Desk Manager
  • Easy Vista
  • Freshworks Freshservice
  • Jira
  • Micro Focus ITSMA
  • Service Desk Plus V3
  • ServiceNow
  • SysAid
  • Zendesk
  • Zoho Desk

Communication-related applications

  • Email V2
  • Exchange
  • Google Chat
  • Microsoft Graph Mail
  • Microsoft Teams
  • Slack

Threat intelligence

  • Mandiant Threat Intelligence
  • Mitre Att&ck
  • VirusTotalV3

* Downloadable only. This integration is not packaged in the SCC Enterprise - Cloud Orchestration and Remediation use case.

Supported Google SecOps log data collection

The following sections describe the types of log data that customers with Security Command Center Enterprise can ingest directly into the Google Security Operations tenant. This data collection mechanism is different from the AWS connector in Security Command Center, which collects resource and configuration data rather than logs.

The information is grouped by cloud provider.

  • Google Cloud log data
  • Amazon Web Services log data
  • Microsoft Azure log data

For each type of log listed, the Google SecOps ingestion label is provided, for example GCP_CLOUDAUDIT. See Supported log types and default parsers for a complete list of Google SecOps ingestion labels.

Google Cloud

The following Google Cloud data can be ingested to Google SecOps:

The following must also be enabled and routed to Cloud Logging:

For information about how to collect logs from Linux and Windows VM instances and send to Cloud Logging, see Google Cloud Observability agents.

The Security Command Center Enterprise activation process automatically configures the ingestion of Google Cloud data to Google SecOps. For more information about this, see Activate the Security Command Center Enterprise tier > Provision a new instance.

For information about how to modify the Google Cloud data ingestion configuration, see Ingest Google Cloud data to Google Security Operations.

Amazon Web Services

The following AWS data can be ingested to Google SecOps:

  • AWS CloudTrail (AWS_CLOUDTRAIL)
  • AWS GuardDuty (GUARDDUTY)
  • AWS EC2 HOSTS (AWS_EC2_HOSTS)
  • AWS EC2 INSTANCES (AWS_EC2_INSTANCES)
  • AWS EC2 VPCS (AWS_EC2_VPCS)
  • AWS Identity and Access Management (IAM) (AWS_IAM)

For information about collecting AWS log data and using curated detections, see Connect to AWS for log data collection.

Microsoft Azure

The following Microsoft data can be ingested to Google SecOps:

For information about collecting Azure log data and using curated detections, see Connect to Microsoft Azure for log data collection.