Filtering notifications

This page shows example filters that you can use with the Security Command Center API notifications feature, and the messages that the feature exports to Pub/Sub or BigQuery. You can filter notifications by any finding field, including:

  • parent
  • state
  • resource_name
  • category
  • source_properties(仅限 v1 API)
  • security_marks

You can also use the standard operators as part of the filter string:

  • AND to include fields that contain all of a set of values
  • OR to include fields that contain one of a set of values
  • - to exclude fields that contain a specific value
  • parentheses to group a set of values, for example:

    (category = \"BUCKET_LOGGING_DISABLED\" OR category = \"CLUSTER_LOGGING_DISABLED\") AND state = \"ACTIVE\"

Setting source filters

Each Security Command Center finding includes the source ID of the security source provider. For example, a finding from Security Health Analytics includes the source ID that is unique to Security Health Analytics. The source ID is used in a NotificationConfig filter to specify which provider's findings are sent to the notification Pub/Sub topic or BigQuery dataset.

Step 1: Get the source ID

Use the Google Cloud console or the Google Cloud CLI to get the source ID of a provider.

Console

  1. Go to the Security Command Center Findings page in the Google Cloud console.
  2. Select the organization for which you want to create a notification filter. The Findings page opens.
  3. In the Quick filters panel, scroll down to the Source display name section and select the name of the provider whose notifications you want to filter.
  4. In the Category column of the Findings query results panel, click the name of one of the findings to display the details panel for that finding.
  5. In the finding details panel, click the JSON tab. The complete JSON file for the finding is displayed.
  6. Copy the value of the parent attribute in the JSON file. For example:

    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID"

    The IDs represent the following:

    • ORGANIZATION_ID: the ID of the organization that is the parent of the source provider.
    • SOURCE_ID: the ID of the parent source provider.

gcloud

To retrieve the source ID, run the following command:

  gcloud scc sources describe ORGANIZATION_ID --source-display-name="SOURCE_NAME"

Replace the following:

  • ORGANIZATION_ID: your organization ID.
  • SOURCE_NAME: the name of the service whose source ID you need. Use the name of any finding provider, including Security Command Center's built-in services: Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection.

The output of the gcloud CLI command is similar to the following and includes the source ID:

{
  "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
  "displayName": "example-source",
  "description": "A source that creates findings."
}

Next, use the organization ID and source ID to create a notification filter.

Step 2: Create a filter

To create a notification filter, create a new NotificationConfig.

You can add a filter to the NotificationConfig file to include or exclude specific sources:

  • Filter findings so that notifications are sent only from the specified source:

      state = \"ACTIVE\" AND parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"

  • Filter findings so that notifications are sent from all sources except the specified source:

      state = \"ACTIVE\" AND -parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"

For more examples of filters you can use, see Listing security findings using the Security Command Center API.
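As an added example (not part of the Google documentation or of the Security Command Center client libraries), the following Python evaluates the operator subset described above (field = "value", AND, OR, a leading -, parentheses) against the finding object of a notification message, so that a filter such as the source filters in Step 2 can be checked against a sample finding before it is put into a NotificationConfig. It assumes exact-match comparisons only and does not implement the full Security Command Center filter grammar (no comparison operators, functions or timestamps); the `\"` form used inside gcloud commands is accepted as an outer quote.

```python
import re

# Evaluates the filter subset shown on this page: field = "value", AND, OR, leading "-", parentheses.
_TOKEN = re.compile(r'\s*(\(|\)|AND\b|OR\b|-|=|"[^"]*"|[A-Za-z_][\w.]*)')

def tokenize(expr):
    expr = expr.replace('\\"', '"').strip()  # accept the \" form used inside gcloud commands
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m: raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def lookup(finding, path):
    # Filter fields are snake_case (resource_name); the Pub/Sub JSON keys are camelCase.
    node = finding
    for part in path.split("."):
        head, *rest = part.split("_")
        camel = head + "".join(p.capitalize() for p in rest)
        node = node.get(part, node.get(camel)) if isinstance(node, dict) else None
    return node

def evaluate(expr, finding):
    # True if the finding (the "finding" object of a notification message) matches expr.
    toks = tokenize(expr)
    def parse_or():                       # expr := term (OR term)*
        val = parse_and()
        while toks and toks[0] == "OR":
            toks.pop(0); rhs = parse_and(); val = val or rhs
        return val
    def parse_and():                      # term := atom (AND atom)*
        val = parse_atom()
        while toks and toks[0] == "AND":
            toks.pop(0); rhs = parse_atom(); val = val and rhs
        return val
    def parse_atom():                     # atom := -atom | (expr) | field = "value"
        tok = toks.pop(0)
        if tok == "-": return not parse_atom()
        if tok == "(":
            val = parse_or()
            if toks.pop(0) != ")": raise ValueError("missing ')'")
            return val
        if toks.pop(0) != "=": raise ValueError(f"expected '=' after {tok}")
        actual, value = lookup(finding, tok), toks.pop(0).strip('"')
        return actual is not None and str(actual) == value
    result = parse_or()
    if toks: raise ValueError(f"trailing tokens: {toks}")
    return result
```

Malformed input (an unbalanced parenthesis or a missing value) raises ValueError or IndexError rather than silently matching, which is the behaviour you want when validating a filter before deployment.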

Filtering findings by category and state when using a Pub/Sub topic

The following sections provide examples of how to create filters for specific sources and finding types, and the notification messages they send to a Pub/Sub topic.

If you use a BigQuery dataset instead of a Pub/Sub topic, see the findings and related fields described in Exporting findings to BigQuery for analysis.

Security Health Analytics

This Security Health Analytics example uses the following filter:

category = \"OPEN_FIREWALL\" AND state = \"ACTIVE\"

For more information about the finding types that Security Health Analytics creates, see the Security Health Analytics findings page.

The Pub/Sub message for a Security Health Analytics filtered finding notification looks like the following:

{
  "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/security-health-analytics-active-findings",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/global/firewalls/",
    "state": "ACTIVE",
    "category": "OPEN_FIREWALL",
    "externalUri": "https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project=PROJECT_ID",
    "sourceProperties": {
      "ReactivationCount": 0.0,
      "Allowed": "[{\"ipProtocol\":\"icmp\"}]",
      "WhitelistInstructions": "Add the security mark \"allow_open_firewall_rule\" to the asset with a value of \"true\" to prevent this finding from being activated again.",
      "Recommendation": "Restrict the firewall rules at: https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project=PROJECT_ID",
      "AllowedIpRange": "All",
      "ActivationTrigger": "Allows all IP addresses",
      "SourceRange": "[\"0.0.0.0/0\"]",
      "ScanRunId": "2019-04-06T08:50:58.832-07:00",
      "SeverityLevel": "High",
      "ProjectId": "PROJECT_ID",
      "AssetCreationTime": "2019-03-28t17:58:54.409-07:00",
      "ScannerName": "FIREWALL_SCANNER",
      "Explanation": "Firewall rules that allow connections from all IP addresses or on all ports may expose resources to attackers."
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
      "marks": {
        "sccquery152cd5aa66ea4bc8a672d8186a125580": "true",
        "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
      }
    },
    "eventTime": "2019-09-22T21:26:57.189Z",
    "createTime": "2019-03-29T15:51:26.435Z"
  }
}

Anomaly Detection

This Anomaly Detection notification example uses the following filter:

category = \"resource_involved_in_coin_mining\" AND state = \"ACTIVE\"

For more information about the finding types that Anomaly Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for an Anomaly Detection filtered finding notification looks like the following:

{
  "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/cloud-anomaly-detection-active-findings",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "resource_involved_in_coin_mining",
    "sourceProperties": {
      "vm_ips": "35.231.191.191",
      "end_time_usec": "1569003180000000",
      "abuse_target_ips": "54.38.176.231",
      "end_datetime_UTC": "2019-09-20 18:13:00 UTC",
      "urls": "swap2.luckypool.io, bitcash.luckypool.io",
      "vm_host_and_zone_names": "ubuntu-1804-tp100-gminer:us-east1-b",
      "finding_type": "Abuse originating from a resource in your organization.",
      "start_time_usec": "1569002700000000",
      "action_taken": "Notification sent",
      "summary_message": "We have recently detected activity on your Google Cloud Platform/APIs project that violates our Terms of Service or Acceptable Use Policy.",
      "start_datetime_UTC": "2019-09-20 18:05:00 UTC"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
      "marks": {
        "teste123": "true",
        "sccquery94c23b35ea0b4f8388268415a0dc6c1b": "true"
      }
    },
    "eventTime": "2019-09-20T18:59:00Z",
    "createTime": "2019-05-16T14:16:35.674Z"
  }
}

Event Threat Detection

This Event Threat Detection example uses the following filter:

category = \"Persistence: IAM Anomalous Grant\" AND state = \"ACTIVE\"

For more information about the finding types that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for an Event Threat Detection filtered finding notification looks like the following:

{
  "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/event-threat-detection-active-findings",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Persistence: IAM Anomalous Grant",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_grant",
        "subRuleName": "external_member_added_to_policy"
      },
      "detectionPriority": "HIGH",
      "evidence": [{
        "sourceLogId": {
          "timestamp": {
            "seconds": "1601066317",
            "nanos": 4.63E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "sensitiveRoleGrant": {
          "principalEmail": "PRINCIPAL_EMAIL@gmail.com",
          "bindingDeltas": [{
            "action": "ADD",
            "role": "roles/owner",
            "member": "user:USER_EMAIL@gmail.com"
          }, {
            "action": "REMOVE",
            "role": "roles/viewer",
            "member": "user:USER_EMAIL@gmail.com"
          }],
          "members": ["USER_EMAIL@gmail.com"]
        }
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2020-09-25T20:38:39.441Z",
    "createTime": "2020-09-25T20:38:40.667Z"
  }
}

Sensitive Data Protection

This Sensitive Data Protection example uses the following filter:

category = \"CREDIT_CARD_NUMBER\" AND state = \"ACTIVE\"

For more information about the finding types that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for a Sensitive Data Protection filtered finding notification looks like the following:

{
  "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/dlp-data-discovery-active-findings",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "CREDIT_CARD_NUMBER",
    "externalUri": "https://console.cloud.google.com/dlp/projects/PROJECT_ID/dlpJobs/i-7536622736814356939;source\u003d5",
    "sourceProperties": {
      "COUNT": 2.0,
      "JOB_NAME": "projects/PROJECT_ID/dlpJobs/i-7536622736814356939",
      "FULL_SCAN": false
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
      "marks": {
        "priority": "p1",
        "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
      }
    },
    "eventTime": "2019-09-16T23:21:19.650Z",
    "createTime": "2019-04-22T23:18:17.731Z"
  }
}

What's next