Viewing vulnerability findings in Security Command Center

This page shows you how to use filters to display specific vulnerability findings.

You can view and filter vulnerability findings in the Google Cloud console on the Vulnerabilities and Findings pages of Security Command Center.

After you display the vulnerability findings that are important to you, you can view detailed information about a particular finding by selecting the vulnerability in Security Command Center. This information includes a description of the vulnerability and the risk, and recommendations for remediation.

On this page, vulnerability refers to both Vulnerability and Misconfiguration class findings.

Comparing the Vulnerabilities page to the Findings page

You can view and filter vulnerability findings in the Google Cloud console on both the Vulnerabilities page and the Findings page.

The filter options on the Vulnerabilities page are limited compared to the filter and query options that are available on the Findings page.

The Vulnerabilities page shows all finding categories in the Vulnerability and Misconfiguration classes of findings, along with the current number of active findings in each category, and the compliance standards that each finding category is mapped to. If there are no active vulnerabilities in a particular category, 0 is shown in the Active findings column.

In contrast, the Findings page can display finding categories from any finding class, but displays a finding category only if a security issue was detected in that category in your environment within your specified time range.

For more information, see the following pages:

Apply query presets

On the Vulnerabilities page, you can select predefined queries, query presets, that return findings that are related to specific security goals.

For example, if your responsibility is cloud infrastructure entitlement management (CIEM) for Google Cloud, you can select the Identity and access misconfigurations query preset to see all of the findings that are related to principal accounts that are misconfigured or that are granted excessive or sensitive permissions.

Or, if your goal is specifically to limit principals to only those permissions that they actually need, you can select the IAM Recommender query preset, to show findings from IAM recommender for principals that have more permissions than they need.

To select a query preset, follow these steps:

  1. Go to the Vulnerabilities page:

    Go to Vulnerabilities

  2. In the Query presets section, click one of the query selectors.

    The display updates to show only the vulnerability categories specified in the query.

Viewing vulnerability findings by project

To view vulnerability findings by project on the Vulnerabilities page in the Google Cloud console, do the following:

  1. Go to the Vulnerabilities page in the Google Cloud console.

    Go to Vulnerabilities

  2. In the project selector at the top of the page, select the project for which you need to see the vulnerability findings.

The Vulnerabilities page displays findings only for the project that you selected.

Alternatively, if your console view is set to your organization, you can filter vulnerability findings by one or more project IDs by using Quick filters on the Findings page.

Viewing vulnerability findings by finding category

To view vulnerability findings by category, do the following:

  1. Go to the Vulnerabilities page in the Google Cloud console.

    Go to Vulnerabilities

  2. In the project selector, select your organization, folder, or project.

  3. In the Category column, select the finding type that you want to display findings for.

The Findings page loads and displays a list of findings that match the type you selected.

For more information about finding categories, see Vulnerabilities findings.

Viewing findings by asset type

To view vulnerability findings for a specific asset type, do the following:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. In the project selector, select your organization, folder, or project.

  3. In the Quick filters panel, select the following:

    • In the Finding class section, select both Vulnerability and Misconfiguration.
    • Optional: In the Project ID section, select the ID of the project in which to view assets.
    • In the Resource type section, select the resource type that you need to see.

The list of findings in the Findings query results panel updates to display only those findings that match your selections.

Viewing vulnerability findings by attack exposure score

Vulnerability findings that are designated as high value and that are supported by attack path simulations are assigned an attack exposure score. You can filter findings by this score.

To view vulnerability findings by attack exposure score, do the following:

  1. Go to Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. In the project selector, select your organization, folder, or project.

  3. To the right of the Query preview panel, click Edit query.

  4. At the top of the Query editor panel, click Add filter.

  5. In the Select filter dialog, select Attack exposure.

  6. In the Attack exposure greater than field, enter a score value.

  7. Click Apply.

    The filter statement is added to your query and the findings in the Findings query results panel are updated to show only findings with an attack exposure score that is greater than the value specified in the new filter statement.

Viewing vulnerability findings by CVE ID

You can see findings by their corresponding CVE ID on either the Overview page or the Findings page.

On the Overview page, in the Top CVE findings section, vulnerability findings are grouped in an interactive chart by the exploitability and impact of the corresponding CVE, as assessed by Mandiant. Click a block in the chart to see a list of vulnerabilities by CVE ID that have been detected in your environment.

On the Findings page, you can query findings by their CVE ID.

To query vulnerability findings by CVE ID, do the following:

  1. Go to Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. In the project selector, select your organization, folder, or project.

  3. To the right in the Query preview field, click Edit query.

  4. In the Query editor, edit the query to include the CVE ID that you are looking for. For example:

    state="ACTIVE"
     AND NOT mute="MUTED"
     AND vulnerability.cve.id="CVE-2016-5195"
    

    The Findings query results are updated to show all of the active findings that are not muted and that contain the CVE ID.

Viewing vulnerability findings by severity

To view vulnerability findings by severity, do the following:

  1. Go to Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. In the project selector, select your organization, folder, or project.

  3. In the Quick filters panel, go to the Finding class section and select both Vulnerability and Misconfiguration.

    The displayed findings are updated to show only Vulnerability and Misconfiguration class findings.

  4. Also in the Quick filters panel, go to the Severity section and select the severities of the findings that you need to see.

    The displayed findings are updated to show only vulnerability findings of the selected severities.

Viewing finding categories by the number active findings

To view finding categories by the number of active findings they contain, you can use either the Google Cloud console or Google Cloud CLI commands.

Console

To view finding categories by the number of active findings that they contain on the Vulnerabilities page, you can sort the categories by the Active findings column or you can filter the categories by the number of active findings each contains.

To filter vulnerability finding categories by the number of active findings they contain, follow these steps:

  1. Open the Vulnerabilities page in the Google Cloud console:

    Go to Vulnerabilities

  2. In the project selector, select your organization, folder, or project.

  3. Place your cursor in the filter field to display a list of filters.

  4. From the list of filters, select Active findings. A list of logical operators is displayed.

  5. Select a logical operator to use in your filter, such as >=.

  6. Type in a number and press Enter.

The display updates to show only the vulnerability categories that contain a number of active findings that matches your filter.

gcloud

To use the gcloud CLI to get a count of all active findings, you first query Security Command Center to get the source ID of a vulnerability service, and then use the source ID to query the active findings count.

Step 1: Get the source ID

To complete this step, get your organization ID, and then get the source ID of one of the vulnerability detection services, which are also referred to as finding sources. If you haven't already enabled the Security Command Center API, you are prompted to enable it.

  1. Get your organization ID by running gcloud organizations list, and then note the number next to the organization name.
  2. Get the Security Health Analytics source ID by running:

    gcloud scc sources describe organizations/ORGANIZATION_ID \
      --source-display-name='SOURCE_DISPLAY_NAME'

    Replace the following:

    • ORGANIZATION_ID: the ID of your organization. An organization ID is required, regardless of the activation level of Security Command Center.
    • SOURCE_DISPLAY_NAME: the display name of the vulnerability detection service that you need to display findings for. For example, Security Health Analytics.
  3. If prompted, enable the Security Command Center API and then run the previous command to get the source ID again.

The command to get the source ID should display output like the following:

description: Scans for deviations from a Google Cloud
security baseline.
displayName: Security Health Analytics
name: organizations/ORGANIZATION_ID/sources/SOURCE_ID

Note the SOURCE_ID to use in the next step.

Step 2: Get the active findings count

Use the SOURCE_ID you noted in the previous step to filter findings. The following gcloud CLI command returns a count of findings by category:

gcloud scc findings group organizations/ORGANIZATION_ID/sources/SOURCE_ID \
  --group-by=category --page-size=PAGE_SIZE

You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization or project:

  groupByResults:
  - count: '1'
    properties:
      category: MFA_NOT_ENFORCED
  - count: '3'
    properties:
      category: ADMIN_SERVICE_ACCOUNT
  - count: '2'
    properties:
      category: API_KEY_APIS_UNRESTRICTED
  - count: '1'
    properties:
      category: API_KEY_APPS_UNRESTRICTED
  - count: '2'
    properties:
      category: API_KEY_EXISTS
  - count: '10'
    properties:
      category: AUDIT_CONFIG_NOT_MONITORED
  - count: '10'
    properties:
      category: AUDIT_LOGGING_DISABLED
  - count: '1'
    properties:
      category: AUTO_UPGRADE_DISABLED
  - count: '10'
    properties:
      category: BUCKET_IAM_NOT_MONITORED
  - count: '10'
    properties:
      category: BUCKET_LOGGING_DISABLED
  nextPageToken: token
        readTime: '2019-08-05T21:56:13.862Z'
        totalSize: 50