Investigate threats surfaced in Google Cloud’s Security Command Center using Chronicle

3 min readOct 11, 2021


By: Rajesh Gwalani, Chronicle Product Manager

Today we’re excited to announce a brand new integration between Chronicle and Security Command Center, Google Cloud’s security and risk management platform. With this integration, Security Command Center users can now use Chronicle to perform detailed investigation on events surfaced through the Event Threat Detection service.

Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. The service is regularly updated with new detectors to identify emerging threats at cloud scale.

With this new integration, Google Cloud customers can send Security Command Center alerts directly into Chronicle at unprecedented speed and scale. In just a few clicks, you can use a simple, guided UI wizard to link your Google Cloud organization with a Chronicle tenant — and create a connection that is 100% customer controlled.

It’s simple to set up the Chronicle-Security Command Center integration in just a few clicks

When Google Cloud data is ingested into Chronicle, Event Threat Detection logs are incorporated into Chronicle’s Unified Data Model (UDM). UDM makes Google Cloud data useful right away by mapping it to a common data model across machines, users, and threat indicators, so that security teams can work from a unified set of security data. Log parsing and normalization takes place automatically to enable key capabilities like IOC matching, hunting, and investigation across all the data sources you send to Chronicle.

Security Command Center alerts are automatically populated in Chronicle

The Chronicle and Security Command Center integration also includes brand new detection and response capabilities so that security teams can take advantage of a simple click-to-investigate workflow, and Security Command Center-specific alert triage feature.

Security analysts can click-to-investigate Security Command Center alerts directly from the Google Cloud console
Chronicle now features an alert triage capability specifically for Security Command Center alerts
Chronicle adds context to Security Command Center alerts, enabling effective Google Cloud investigations in Chronicle

The Chronicle and Security Command Center integration will be generally available for Chronicle and Google Cloud customers in the coming days. Security Command Center Premium customers can contact sales to enable a Chronicle tenant and perform investigation on incidents surfaced by Event Threat Detection.

To learn more, watch The path to invisible security keynote and Cloud posture and workload protection with Security Command Center breakout session at the Google Cloud Next ’21 digital event.