Filtering notifications

This page shows example filters that you can use with the Security Command Center API notifications feature, together with the Pub/Sub messages they generate. You can filter notifications on any finding field, including:

  • parent
  • state
  • resource_name
  • category
  • source_properties
  • security_marks

You can also use the standard operators as part of the filter string:

  • AND to include fields that contain all of a set of values
  • OR to include fields that contain one of a set of values
  • -, to exclude fields that contain a specific value
  • Parentheses to group a set of values, for example:

    (category = \"BUCKET_LOGGING_DISABLED\" OR category = \"CLUSTER_LOGGING_DISABLED\") AND state = \"ACTIVE\"

Setting a source filter

Every Security Command Center finding includes the source ID of the security source provider. For example, a finding from Security Health Analytics includes the source ID that is unique to Security Health Analytics. The source ID is used in a NotificationConfig filter to specify which provider's findings are sent to the notification Pub/Sub topic.

Step 1: Get the source ID

To get a provider's source ID using the Google Cloud Console:

  1. Go to the Security Command Center Findings page in the Cloud Console.
  2. Select the organization for which you want to create a notification filter.
  3. On the Findings screen, next to View by, click Source type. The findings display updates to show the name of each security source provider you have enabled.
  4. Click the name of the provider whose notification findings you want to filter.
  5. Click one of the findings to open the finding details page.
  6. On the finding details page, next to Parent, copy the organization ID and the provider source ID. The parent information is in the following format:

       organizations/organization-id/sources/source-id


Next, use the organization ID and source ID to create the notification filter.

Step 2: Create the filter

To create a notification filter, you create a new NotificationConfig. Currently, you can't update the filter on an existing NotificationConfig. Instead, you delete the NotificationConfig and create a new one.

You can add a filter to the NotificationConfig to include or exclude a specific source:

  • Filter findings to send notifications only from the specified source:

      state = \"ACTIVE\" AND parent = \"organizations/$ORG_ID/sources/$SOURCE_ID\"
    
  • Filter findings to send notifications from all sources except the specified source:

      state = \"ACTIVE\" AND -parent = \"organizations/$ORG_ID/sources/$SOURCE_ID\"
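
To make the operator rules and the two source filters concrete, here is an added Python example (not code from this page or from the Security Command Center API) that parses filter strings of this form and evaluates them locally against constructed findings modelled on the messages shown later on this page. It supports only `=`, `AND`, `OR`, `-` and parentheses, and the mapping of snake_case filter fields onto the camelCase keys of the JSON message is my assumption, not something the page states.

```python
import re

FINDINGS = [  # constructed samples modelled on the Pub/Sub messages shown on this page
    {"parent": "organizations/o/sources/sha", "state": "ACTIVE", "category": "OPEN_FIREWALL",
     "sourceProperties": {"SeverityLevel": "High"}},
    {"parent": "organizations/o/sources/etd", "state": "ACTIVE",
     "category": "Persistence: Iam Anomalous Grant", "securityMarks": {"marks": {"priority": "p1"}}},
    {"parent": "organizations/o/sources/sha", "state": "INACTIVE", "category": "BUCKET_LOGGING_DISABLED"},
]

def lookup(node, path):
    """Walk a dotted path, accepting snake_case filter names for the message's camelCase keys (assumed)."""
    for seg in path.split("."):
        camel = re.sub(r"_(\w)", lambda m: m.group(1).upper(), seg)
        node = node.get(seg, node.get(camel)) if isinstance(node, dict) else None
    return node

class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*; factor := '-' factor | '(' expr ')' | field = "value"."""
    def __init__(self, text):
        self.toks = re.findall(r'\(|\)|-|=|"[^"]*"|[A-Za-z_][\w.]*', text)
    def take(self, expect=None):
        tok = self.toks.pop(0) if self.toks else None
        if expect is not None and tok != expect:
            raise ValueError(f"expected {expect!r}, got {tok!r}")
        return tok
    def expr(self):
        node = self.term()
        while self.toks[:1] == ["OR"]:
            self.take(); node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.toks[:1] == ["AND"]:
            self.take(); node = ("and", node, self.factor())
        return node
    def factor(self):
        tok = self.take()
        if tok == "-":                       # leading '-' negates the factor that follows
            return ("not", self.factor())
        if tok == "(":
            node = self.expr(); self.take(")"); return node
        self.take("=")
        return ("eq", tok, (self.take() or "").strip('"'))  # drop the quotes around the value

def evaluate(node, finding):
    op, *args = node
    if op == "eq": return lookup(finding, args[0]) == args[1]
    if op == "not": return not evaluate(args[0], finding)
    return (all if op == "and" else any)(evaluate(a, finding) for a in args)

def matching(filter_text, findings=FINDINGS):
    tree = Parser(filter_text).expr()  # categories the filter would route to the Pub/Sub topic
    return [f["category"] for f in findings if evaluate(tree, f)]
```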
    

Filtering findings by category and state

The following sections provide examples of how to create filters for specific sources and finding types, together with the notification message that is sent to the Pub/Sub topic.

Security Health Analytics

This Security Health Analytics example uses the following filter:

category = \"OPEN_FIREWALL\" AND state = \"ACTIVE\"

For more information about the finding types that Security Health Analytics creates, see the Security Health Analytics findings page.

The Pub/Sub message for a filtered Security Health Analytics finding notification looks like the following:

{
   "notificationConfigName": "organizations/organization-id/notificationConfigs/security-health-analytics-active-findings",
   "finding": {
     "name": "organizations/organization-id/sources/source-id/findings/finding-id",
     "parent": "organizations/organization-id/sources/source-id",
     "resourceName": "//compute.googleapis.com/projects/project-id/global/firewalls/",
     "state": "ACTIVE",
     "category": "OPEN_FIREWALL",
     "externalUri": "https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003dproject-id",
     "sourceProperties": {
       "ReactivationCount": 0.0,
       "Allowed": "[{\"ipProtocol\":\"icmp\"}]",
       "WhitelistInstructions": "Add the security mark \"allow_open_firewall_rule\" to the asset with a value of \"true\" to prevent this finding from being activated again.",
       "Recommendation": "Restrict the firewall rules at: https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003dproject-id",
       "AllowedIpRange": "All",
       "ActivationTrigger": "Allows all IP addresses",
       "SourceRange": "[\"0.0.0.0/0\"]",
       "ScanRunId": "2019-04-06T08:50:58.832-07:00",
       "SeverityLevel": "High",
       "ProjectId": "project-id",
       "AssetCreationTime": "2019-03-28t17:58:54.409-07:00",
       "ScannerName": "FIREWALL_SCANNER",
       "Explanation": "Firewall rules that allow connections from all IP addresses or on all ports may expose resources to attackers."
     },
     "securityMarks": {
       "name": "organizations/organization-id/sources/source-id/findings/finding-id/securityMarks",
       "marks": {
         "sccquery152cd5aa66ea4bc8a672d8186a125580": "true",
         "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
       }
     },
     "eventTime": "2019-09-22T21:26:57.189Z",
     "createTime": "2019-03-29T15:51:26.435Z"
   }
 }
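
As an added example of consuming such a message (not code from this page or from Security Command Center), the following Python reads a constructed OPEN_FIREWALL notification modelled on the one above, decodes the sourceProperties that arrive as JSON inside strings (Allowed and SourceRange), and reports whether the rule is open to every address and whether the allow_open_firewall_rule security mark named in WhitelistInstructions is set. The firewall name default-allow-icmp is taken from the externalUri above and the rest of the sample is constructed; the same second decode applies to Forseti's resource_data and violation_data properties further down.

```python
import ipaddress
import json

# Constructed notification modelled on the message above; Allowed and SourceRange hold JSON in strings.
MESSAGE = json.dumps({
    "notificationConfigName": "organizations/org-id/notificationConfigs/sha-active-findings",
    "finding": {
        "resourceName": "//compute.googleapis.com/projects/p/global/firewalls/default-allow-icmp",
        "state": "ACTIVE", "category": "OPEN_FIREWALL",
        "sourceProperties": {
            "Allowed": "[{\"ipProtocol\":\"icmp\"},{\"ipProtocol\":\"tcp\",\"ports\":[\"22\"]}]",
            "SourceRange": "[\"0.0.0.0/0\"]", "SeverityLevel": "High",
        },
        "securityMarks": {"marks": {"allow_open_firewall_rule": "false"}},
    },
})

def nested(props, key):
    """Return a sourceProperties value, JSON-decoding it when the scanner stored it as a string."""
    value = props.get(key)
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:          # plain text such as "High" stays as it is
            return value
    return value

def unrestricted(cidr):
    """True for a range that admits every address (0.0.0.0/0 or ::/0); malformed input is not."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def triage(message_json):
    """Flatten an OPEN_FIREWALL notification into the facts a responder checks first."""
    msg = json.loads(message_json)
    finding = msg["finding"]
    props = finding.get("sourceProperties", {})
    marks = finding.get("securityMarks", {}).get("marks", {})
    allowed = nested(props, "Allowed") or []
    return {
        "config": msg["notificationConfigName"].rsplit("/", 1)[-1],
        "category": finding["category"],
        "state": finding["state"],
        "rule": finding["resourceName"].rsplit("/", 1)[-1],
        "world_reachable": any(unrestricted(r) for r in nested(props, "SourceRange") or []),
        "protocols": sorted(a.get("ipProtocol", "all") for a in allowed),
        # WhitelistInstructions above says this mark stops the finding from being re-activated
        "accepted": marks.get("allow_open_firewall_rule") == "true",
    }
```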

Anomaly Detection

This Anomaly Detection notification example uses the following filter:

category = \"resource_involved_in_coin_mining\" AND state = \"ACTIVE\"

For more information about the finding types that Anomaly Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for a filtered Anomaly Detection finding notification looks like the following:

{
   "notificationConfigName": "organizations/organization-id/notificationConfigs/cloud-anomaly-detection-active-findings",
   "finding": {
     "name": "organizations/organization-id/sources/source-id/findings/finding-id",
     "parent": "organizations/organization-id/sources/source-id",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/project-id",
     "state": "ACTIVE",
     "category": "resource_involved_in_coin_mining",
     "sourceProperties": {
       "vm_ips": "35.231.191.191",
       "end_time_usec": "1569003180000000",
       "abuse_target_ips": "54.38.176.231",
       "end_datetime_UTC": "2019-09-20 18:13:00 UTC",
       "urls": "swap2.luckypool.io, bitcash.luckypool.io",
       "vm_host_and_zone_names": "ubuntu-1804-tp100-gminer:us-east1-b",
       "finding_type": "Abuse originating from a resource in your organization.",
       "start_time_usec": "1569002700000000",
       "action_taken": "Notification sent",
       "summary_message": "We have recently detected activity on your Google Cloud Platform/APIs project that violates our Terms of Service or Acceptable Use Policy.",
       "start_datetime_UTC": "2019-09-20 18:05:00 UTC"
     },
     "securityMarks": {
       "name": "organizations/organization-id/sources/source-id/findings/finding-id/securityMarks",
       "marks": {
         "traige": "required",
         "teste123": "true",
         "sccquery94c23b35ea0b4f8388268415a0dc6c1b": "true"
       }
     },
     "eventTime": "2019-09-20T18:59:00Z",
     "createTime": "2019-05-16T14:16:35.674Z"
   }
 }

Event Threat Detection

This Event Threat Detection example uses the following filter:

category = \"Persistence: Iam Anomalous Grant\" AND state = \"ACTIVE\"

For more information about the finding types that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for a filtered Event Threat Detection finding notification looks like the following:

{
   "notificationConfigName": "organizations/organization-id/notificationConfigs/event-threat-detection-active-findings",
   "finding": {
     "name": "organizations/organization-id/sources/source-id/findings/finding-id",
     "parent": "organizations/organization-id/sources/source-id",
     "resourceName": "//cloudresourcemanager.googleapis.com/organizations/organization-id",
     "state": "ACTIVE",
     "category": "Persistence: Iam Anomalous Grant",
     "sourceProperties": {
       "properties_principalEmail": "user-email@google.com",
       "properties_bindingDeltas_0_action": "ADD",
       "detectionCategory_ruleName": "iam_anomalous_grant",
       "properties_bindingDeltas_0_role": "roles/owner",
       "eventTime": "2019-08-29T19:37:01.889Z",
       "properties_bindingDeltas_0_member": "user:user-email@gmail.com",
       "properties_organization_id": "organization-id",
       "detectionCategory_subRuleName": "external_member_added_to_policy",
       "properties_externalMembers_0": "user:user-email@gmail.com",
       "evidence_0_sourceLogId_timestamp": "2019-08-29T19:37:00.619Z",
       "detectionPriority": "HIGH",
       "detectionCategory_technique": "persistence",
       "sourceId_customerOrganizationNumber": "organization-id",
       "evidence_0_sourceLogId_insertId": "2s1323c96g",
       "sourceId_organizationNumber": "organization-id",
       "detectionCategory_indicator": "audit_log"
     },
     "securityMarks": {
       "name": "organizations/organization-id/sources/source-id/findings/finding-id/securityMarks",
       "marks": {
         "priority": "p1"
       }
     },
     "eventTime": "2019-09-22T22:42:11.299Z",
     "createTime": "2019-08-29T19:37:02.974Z"
   }
 }

Forseti Security

This Forseti example uses the following filter:

forseti-firewall-blacklist-active-findings

For more information about the finding types that Forseti creates, visit the Forseti website.

The Pub/Sub message for a filtered Forseti finding notification looks like the following:

{
  "notificationConfigName": "organizations/organization-id/notificationConfigs/forseti-firewall-blacklist-active-findings",
  "finding": {
    "name": "organizations/organization-id/sources/source-id/findings/finding-id",
    "parent": "organizations/organization-id/sources/source-id",
    "resourceName": "organization/organization-id/project/project-id/firewall/firewall-id/",
    "state": "ACTIVE",
    "category": "FIREWALL_BLACKLIST_VIOLATION",
    "sourceProperties": {
      "scanner_index_id": 6554388765422,
      "resource_id": "project-id",
      "db_source": "table:violations/id:10127",
      "inventory_index_id": 1569189610158079,
      "resource_type": "firewall",
      "rule_index": 1,
      "source": "FORSETI",
      "resource_data": "{\"allowed\": [{\"IPProtocol\": \"ah\"}, {\"IPProtocol\": \"esp\"}, {\"IPProtocol\": \"icmp\"}, {\"IPProtocol\": \"sctp\"}, {\"IPProtocol\": \"tcp\"}, {\"IPProtocol\": \"udp\"}], \"direction\": \"INGRESS\", \"name\": \"gke-range-cluster-890sad\", \"network\": \"https://www.googleapis.com/compute/v1/projects/project-id/global/networks/default\", \"priority\": 1000, \"sourceRanges\": [\"10.48.0.0/14\"], \"targetTags\": [\"gke-firing-range-cluster-73d1fcce-node\"]}",
      "rule_name": "disallow_all_ports",
      "violation_data": "{\"policy_names\": [\"gke-range-cluster-890sad\"], \"recommended_actions\": {\"DELETE_FIREWALL_RULES\": [\"gke-range-cluster-890sad\"]}}"
    },
    "securityMarks": {
      "name": "organizations/organization-id/sources/source-id/findings/finding-id/securityMarks",
      "marks": {
        "priority": "p1"
      }
    },
    "eventTime": "2019-09-22T22:03:58Z",
    "createTime": "2019-08-14T02:19:58.218Z"
  }
}

Cloud Data Loss Prevention

This Cloud DLP example uses the following filter:

category = \"CREDIT_CARD_NUMBER\" AND state = \"ACTIVE\"

For more information about the finding types that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

The Pub/Sub message for a filtered Cloud DLP finding notification looks like the following:

{
   "notificationConfigName": "organizations/organization-id/notificationConfigs/dlp-data-discovery-active-findings",
   "finding": {
     "name": "organizations/organization-id/sources/source-id/findings/finding-id",
     "parent": "organizations/organization-id/sources/source-id",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/project-id",
     "state": "ACTIVE",
     "category": "CREDIT_CARD_NUMBER",
     "externalUri": "https://console.cloud.google.com/dlp/projects/project-id/dlpJobs/i-7536622736814356939;source\u003d5",
     "sourceProperties": {
       "COUNT": 2.0,
       "JOB_NAME": "projects/project-id/dlpJobs/i-7536622736814356939",
       "FULL_SCAN": false
     },
     "securityMarks": {
       "name": "organizations/organization-id/sources/source-id/findings/finding-id/securityMarks",
       "marks": {
         "priority": "p1",
         "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
       }
     },
     "eventTime": "2019-09-16T23:21:19.650Z",
     "createTime": "2019-04-22T23:18:17.731Z"
   }
 }