Filtering notifications

This page shows example filters that you can use with the Security Command Center API notifications feature, and the Pub/Sub messages that it generates. You can filter notifications by any finding field, including:

  • parent
  • state
  • resource_name
  • category
  • source_properties
  • security_marks

You can also use standard operators as part of your filter string:

  • AND to include fields that contain all of a set of values
  • OR to include fields that contain one of a set of values
  • - to exclude fields that contain a specific value

  • Parentheses to group a set of values, for example:

    (category = \"BUCKET_LOGGING_DISABLED\" OR category = \"CLUSTER_LOGGING_DISABLED\") AND state = \"ACTIVE\"

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, security sources, and security marks depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Setting up a source filter

Every Security Command Center finding includes the source ID of the security source provider. For example, a finding from Security Health Analytics includes a source ID that's unique to Security Health Analytics. The source ID is used in a NotificationConfig filter to specify the provider findings that you want to send to the notifications Pub/Sub topic.

Step 1: Getting the source ID

Use the Google Cloud Console or gcloud command-line tool to get a provider's source ID.

Console

  1. Go to the Security Command Center Findings page in the Cloud Console.
    Go to the Findings page
  2. Select the organization for which you want to create a notifications filter.
  3. On the Findings display, next to View by, click Source Type. The findings display updates to show the name of each security source provider you have enabled.
  4. Click the name of the provider that you want to use to filter the notifications results.
  5. View the finding details page by clicking one of the findings.

  6. On the findings detail page, next to parent, copy the organization ID and provider source ID. The parent information is displayed in the format of:

     organizations/ORGANIZATION_ID/sources/SOURCE_ID

gcloud

To retrieve a source ID, run the following command:

  gcloud scc sources describe ORGANIZATION_ID --source-display-name="SOURCE_NAME"

Replace the following:

  • ORGANIZATION_ID: your organization ID.
  • SOURCE_NAME: the name of the service for which you want the source ID. Use the name of any finding provider, including Security Command Center's built-in services, Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection.

The output for the gcloud tool command resembles the following and includes the source ID:

  {
   "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
   "displayName": "example-source",
   "description": "A source that creates findings."
  }

Next, use the organization ID and source ID to create a notifications filter.

Step 2: Creating a filter

To create a notifications filter, you create a new NotificationConfig. Currently, you can't update filters on an existing NotificationConfig. Instead, you need to delete the NotificationConfig and then create a new one.

You can add a filter to the NotificationConfig file to include or exclude a specific source:

  • Filter findings to send notifications from only the specified source:

      state = \"ACTIVE\" AND parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"

  • Filter findings to send notifications from all sources except the specified source:

      state = \"ACTIVE\" AND -parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"

Filtering findings by category and state

The following sections provide examples of how to create a filter for specific sources and finding types, and the notification message that it sends to your Pub/Sub topic.

Security Health Analytics

This Security Health Analytics example uses the following filters:

category = \"OPEN_FIREWALL\" AND state = \"ACTIVE\"

For more information about the types of findings that Security Health Analytics creates, see the Security Health Analytics findings page.

The Pub/Sub message for the Security Health Analytics filtered finding notification looks like the following:

{
   "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/security-health-analytics-active-findings",
   "finding": {
     "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
     "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
     "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/global/firewalls/,
     "state": "ACTIVE",
     "category": "OPEN_FIREWALL",
     "externalUri": "https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003PROJECT_ID",
     "sourceProperties": {
       "ReactivationCount": 0.0,
       "Allowed": "[{\"ipProtocol\":\"icmp\"}]",
       "WhitelistInstructions": "Add the security mark \"allow_open_firewall_rule\" to the asset with a value of \"true\" to prevent this finding from being activated again.",
       "Recommendation": "Restrict the firewall rules at: https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003PROJECT_ID",
       "AllowedIpRange": "All",
       "ActivationTrigger": "Allows all IP addresses",
       "SourceRange": "[\"0.0.0.0/0\"]",
       "ScanRunId": "2019-04-06T08:50:58.832-07:00",
       "SeverityLevel": "High",
       "ProjectId": "PROJECT_ID",
       "AssetCreationTime": "2019-03-28t17:58:54.409-07:00",
       "ScannerName": "FIREWALL_SCANNER",
       "Explanation": "Firewall rules that allow connections from all IP addresses or on all ports may expose resources to attackers."
     },
     "securityMarks": {
       "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
       "marks": {
         "sccquery152cd5aa66ea4bc8a672d8186a125580": "true",
         "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
       }
     },
     "eventTime": "2019-09-22T21:26:57.189Z",
     "createTime": "2019-03-29T15:51:26.435Z"
   }
 }

Anomaly Detection

This Anomaly Detection notification example uses the following filters:

category = \"resource_involved_in_coin_mining\" AND state = \"ACTIVE\"

For more information about the types of findings that Anomaly Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for the Anomaly Detection filtered finding notification looks like the following:

{
   "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/cloud-anomaly-detection-active-findings",
   "finding": {
     "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
     "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
     "state": "ACTIVE",
     "category": "resource_involved_in_coin_mining",
     "sourceProperties": {
       "vm_ips": "35.231.191.191",
       "end_time_usec": "1569003180000000",
       "abuse_target_ips": "54.38.176.231",
       "end_datetime_UTC": "2019-09-20 18:13:00 UTC",
       "urls": "swap2.luckypool.io, bitcash.luckypool.io",
       "vm_host_and_zone_names": "ubuntu-1804-tp100-gminer:us-east1-b",
       "finding_type": "Abuse originating from a resource in your organization.",
       "start_time_usec": "1569002700000000",
       "action_taken": "Notification sent",
       "summary_message": "We have recently detected activity on your Google Cloud Platform/APIs project that violates our Terms of Service or Acceptable Use Policy.",
       "start_datetime_UTC": "2019-09-20 18:05:00 UTC"
     },
     "securityMarks": {
       "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
       "marks": {                                                                                                                                                                                             "traige": "required",
         "teste123": "true",
         "sccquery94c23b35ea0b4f8388268415a0dc6c1b": "true"
       }
     },
     "eventTime": "2019-09-20T18:59:00Z",
     "createTime": "2019-05-16T14:16:35.674Z"
   }
 }

Event Threat Detection

This Event Threat Detection example uses the following filters:

category = \"Persistence: Iam Anomalous Grant\" AND state = \"ACTIVE\"

For more information about the types of findings that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for the Event Threat Detection filtered finding notification looks like the following:

{
  "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/event-threat-detection-active-findings",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Persistence: IAM Anomalous Grant",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_grant",
        "subRuleName": "external_member_added_to_policy"
      },
      "detectionPriority": "HIGH",
      "evidence": [{
        "sourceLogId": {
          "timestamp": {
            "seconds": "1601066317",
            "nanos": 4.63E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "sensitiveRoleGrant": {
          "principalEmail": "PRINCIPAL_EMAIL@gmail.com",
          "bindingDeltas": [{
            "action": "ADD",
            "role": "roles/owner",
            "member": "user:USER_EMAIL@gmail.com"
          }, {
            "action": "REMOVE",
            "role": "roles/viewer",
            "member": "user:USER_EMAIL@gmail.com"
          }],
          "members": ["USER_EMAIL@gmail.com"]
        }
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2020-09-25T20:38:39.441Z",
    "createTime": "2020-09-25T20:38:40.667Z"
  }
}

Forseti Security

This Forseti example uses the following filters:

forseti-firewall-denylist-active-findings

For more information about the types of findings that Forseti creates, visit the Forseti website)

The Pub/Sub message for the Forseti filtered finding notification looks like the following:

{
  "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/forseti-firewall-denylist-active-findings",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "organization/ORGANIZATION_ID/project/PROJECT_ID/firewall/firewall-id/",
    "state": "ACTIVE",
    "category": "FIREWALL_BLACKLIST_VIOLATION",
    "sourceProperties": {
      "scanner_index_id": 6554388765422,
      "resource_id": "PROJECT_ID",
      "db_source": "table:violations/id:10127",
      "inventory_index_id": 1569189610158079,
      "resource_type": "firewall",
      "rule_index": 1,
      "source": "FORSETI",
      "resource_data": "{\"allowed\": [{\"IPProtocol\": \"ah\"}, {\"IPProtocol\": \"esp\"}, {\"IPProtocol\": \"icmp\"}, {\"IPProtocol\": \"sctp\"}, {\"IPProtocol\": \"tcp\"}, {\"IPProtocol\": \"udp\"}], \"direction\": \"INGRESS\", \"name\": \"gke-range-cluster-890sad\", \"network\": \"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default\", \"priority\": 1000, \"sourceRanges\": [\"10.48.0.0/14\"], \"targetTags\": [\"gke-firing-range-cluster-73d1fcce-node\"]}",
      "rule_name": "disallow_all_ports",
      "violation_data": "{\"policy_names\": [\"gke-range-cluster-890sad\"], \"recommended_actions\": {\"DELETE_FIREWALL_RULES\": [\"gke-range-cluster-890sad\"]}}"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
      "marks": {
        "priority": "p1"
      }
    },
    "eventTime": "2019-09-22T22:03:58Z",
    "createTime": "2019-08-14T02:19:58.218Z"
  }
}

Cloud Data Loss Prevention

This Cloud DLP example uses the following filters:

category = \"CREDIT_CARD_NUMBER\" AND state = \"ACTIVE\"

For more information about the types of findings that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for the Cloud DLP filtered finding notification looks like the following:

{
   "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/dlp-data-discovery-active-findings",
   "finding": {
     "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
     "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
     "state": "ACTIVE",
     "category": "CREDIT_CARD_NUMBER",
     "externalUri": "https://console.cloud.google.com/dlp/projects/PROJECT_ID/dlpJobs/i-7536622736814356939;source\u003d5",
     "sourceProperties": {
       "COUNT": 2.0,
       "JOB_NAME": "projects/PROJECT_ID/dlpJobs/i-7536622736814356939",
       "FULL_SCAN": false
     },
     "securityMarks": {
       "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
       "marks": {
         "priority": "p1",
         "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
       }
     },
     "eventTime": "2019-09-16T23:21:19.650Z",
     "createTime": "2019-04-22T23:18:17.731Z"
   }
 }

What's next

Learn more about Accessing Security Command Center using an SDK.