This page describes how to use the Security Command Center API notifications feature, including the following examples:
- Create a
NotificationConfig
- Get a
NotificationConfig
- Update a
NotificationConfig
- Delete a
NotificationConfig
- List
NotificationConfig
- Receive Pub/Sub notifications
Alternatively, Security Command Center Premium customers can set up Continuous Exports for Pub/Sub in the Security Command Center dashboard.
Before you begin
To use the examples on this page, you need to complete the guide to Set up finding notifications.
To execute the following examples, you need an Identity and Access Management (IAM) role with appropriate permissions:
- Create
NotificationConfig
: Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor
) - Get and List
NotificationConfig
: Security Center Notification Configurations Viewer (roles/securitycenter.notificationConfigViewer
) or Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor
) - Update and Delete
NotificationConfig
: Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor
)
To grant appropriate roles to a principal that accesses a notificationConfig
,
you must have one of the following IAM roles:
- Organization Administrator (
roles/resourcemanager.organizationAdmin
) - Folder IAM Admin (
roles/resourcemanager.folderIamAdmin
) - Project IAM Admin (
roles/resourcemanager.projectIamAdmin
)
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
Creating a NotificationConfig
To create a NotificationConfig
, you must have:
- An existing Pub/Sub topic that you want to send notifications to.
- Required IAM roles for the principal that creates the
notificationConfig
.
For more information, see the step to Set up a Pub/Sub topic in the guide to Set up finding notifications.
Before you create a NotificationConfig
, note that each organization
can have a limited number of NotificationConfig
files. For more
information, see Quotas and limits.
The NotificationConfig
includes a filter
field that limits notifications to
useful events. This field accepts all of the filters that are available in the
Security Command Center API findings.list
method.
When you create a NotificationConfig
, you specify a parent for the
NotificationConfig
from the Google Cloud resource hierarchy,
either an organization, a folder, or a project. If you need to retrieve,
update, or delete the NotificationConfig
later, you need to include
the numerical ID of the parent organization, folder, or project when you
reference it.
To create the NotificationConfig
using the language or platform
of your choice:
gcloud
# The numeric ID of the parent organization, folder, or project of
# the NotificationConfig.
# The value that you specify here must match the command flag that you use
# in the gcloud scc notifications create command, either --organizations,
# --folder, or --project.
ORGANIZATION_ID=ORGANIZATION_ID
# FOLDER_ID=FOLDER_ID
# PROJECT_ID=PROJECT_ID
# The topic to which the notifications are published
PUBSUB_TOPIC="projects/PROJECT_ID/topics/TOPIC_ID"
# The description for the NotificationConfig
DESCRIPTION="Notifies for active findings"
# Filters for active findings
FILTER="state=\"ACTIVE\""
# The following command specifies an organization as the parent of the NotificationConfig
gcloud scc notifications create NOTIFICATION_NAME \
--organization="$ORGANIZATION_ID" \
--description="$DESCRIPTION" \
--pubsub-topic=$PUBSUB_TOPIC \
--filter="$FILTER"
Python
Java
Go
Node.js
PHP
Ruby
C#
Notifications are now published to the Pub/Sub topic you specified.
To publish notifications, a service account is created for you in the form of
service-org-ORGANIZATION_ID@gcp-sa-scc-notification.iam.gserviceaccount.com
.
This service account is created when you create your first NotificationConfig
and is automatically granted the securitycenter.notificationServiceAgent
role
on the IAM policy for PUBSUB_TOPIC when creating the notification config.
This service account role is required for notifications to function.
Getting a NotificationConfig
To get a NotificationConfig
, you must have an IAM role
that includes the securitycenter.notification.get
permission.
gcloud
NOTIFICATION="PARENT_TYPE/PARENT_ID/notificationConfigs/NOTIFICATION_NAME"
gcloud scc notifications describe $NOTIFICATION
Replace the following:
- PARENT_TYPE with
organizations
,folders
, orprojects
, depending on which level of the resource hierarchy was specified in the notification configuration. - PARENT_ID with the numeric ID of the parent resource.
- NOTIFICATION_NAME with the name of the
NotificationConfig
.
Python
Java
Go
Node.js
PHP
Ruby
C#
Updating a NotificationConfig
To update a NotificationConfig
, you must have an IAM role
that includes the securitycenter.notification.update
permission.
When you update using a field mask, only the fields you specify are updated. If
you don't use a field mask, all mutable fields in the NotificationConfig
are
replaced by the new values. You can use a field mask to update the
Pub/Sub topic and description.
To complete this example, you must be subscribed to the new topic, and your
notifications service account must have the pubsub.topics.setIamPolicy
permission on the topic.
After you grant the necessary permissions, update the NotificationConfig
description, Pub/Sub topic and filter using the language of your
choice:
gcloud
# The topic to which the notifications are published
PUBSUB_TOPIC="projects/PROJECT_ID/topics/TOPIC_ID"
# The description for the NotificationConfig
DESCRIPTION="DESCRIPTION"
# The type and ID of the parent organization, folder, or project
# and the name of the notification that you want to update
NOTIFICATION="PARENT_TYPE/PARENT_ID/notificationConfigs/NOTIFICATION_NAME"
gcloud scc notifications update $NOTIFICATION
--description "$DESCRIPTION" \
--pubsub-topic $PUBSUB_TOPIC \
--filter $FILTER
Replace the following:
- PROJECT_ID with your project ID.
- TOPIC_ID with your topic ID.
- DESCRIPTION with your notification description.
- PARENT_TYPE with
organizations
,folders
, orprojects
, depending on which level of the resource hierarchy was specified in the notification configuration. - PARENT_ID with the numeric ID of the parent resource.
- NOTIFICATION_NAME with the name of the
NotificationConfig
.
Python
Java
Go
Node.js
PHP
Ruby
C#
Deleting a NotificationConfig
To delete a NotificationConfig
, you must have an IAM role
that includes the securitycenter.notification.delete
permission.
When you delete a NotificationConfig
, the
securitycenter.notificationServiceAgent
role stays on the
Pub/Sub topic. If you aren't using the Pub/Sub topic
in any other NotificationConfig
, remove the role from the topic. For more
information, see access control.
Delete a NotificationConfig
using the language of your choice:
gcloud
# The type and ID of the parent organization, folder, or project
# and the name of the notification that you want to update
NOTIFICATION="PARENT_TYPE/PARENT_ID/notificationConfigs/NOTIFICATION_NAME"
gcloud scc notifications delete $NOTIFICATION
Replace the following:
- PARENT_TYPE with
organizations
,folders
, orprojects
, depending on which level of the resource hierarchy was specified in the notification configuration. - PARENT_ID with the numeric ID of the parent resource.
- NOTIFICATION_NAME with the name of the
NotificationConfig
.
Python
Java
Go
Node.js
PHP
Ruby
C#
Listing NotificationConfigs
To list NotificationConfigs
, you must have an IAM role
that includes the securitycenter.notification.list
permission.
All Security Command Center API lists are paginated. Each response returns a page of
results and a token to return the next page. The default pageSize
is 10. You
can configure page size to a minimum of 1, and a maximum of 1000.
List NotificationConfigs
using the language of your choice:
gcloud
# The numeric ID of the parent organization, folder, or project for
# which to list the notifications.
ORGANIZATION_ID=ORGANIZATION_ID
# FOLDER_ID=FOLDER_ID
# PROJECT_ID=PROJECT_ID
gcloud scc notifications list $ORGANIZATION_ID
Replace ORGANIZATION_ID, FOLDER_ID, or PROJECT_ID with the numeric ID of the organization, folder, or project for which to list the notifications.
Python
Java
Go
Node.js
PHP
Ruby
C#
Receiving Pub/Sub notifications
This section provides a sample notification message and examples that show how
to convert a Pub/Sub message into a NotificationMessage
that
contains a finding.
Notifications are published to Pub/Sub in the JSON
format.
Following is an example of a notification message:
{
"notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/CONFIG_ID",
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"state": "ACTIVE",
"category": "TEST-CATEGORY",
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2019-07-26T07:32:37Z",
"createTime": "2019-07-29T18:45:27.243Z"
}
}
Convert a Pub/Sub message into a NotificationMessage
using
the language of your choice:
gcloud
The gcloud CLI doesn't support converting a Pub/Sub
message into a NotificationMessage
. You can use the gcloud CLI to
get a NotificationMessage
and print the JSON
directly in your terminal:
# The subscription used to receive published messages from a topic
PUBSUB_SUBSCRIPTION="projects/PROJECT_ID/subscriptions/SUBSCRIPTION_ID"
gcloud pubsub subscriptions pull $PUBSUB_SUBSCRIPTION
Replace the following:
- PROJECT_ID with your project ID.
- SUBSCRIPTION_ID with your subscription ID.
Python
Java
Go
Node.js
PHP
What's next
- Learn about Filtering notifications.