>

Installing the Query Builder app

This page provides the Query Builder example of the Cloud Security Command Center (Cloud SCC) application package. The Query Builder app enables you to create and schedule advanced, multi-step queries on Cloud SCC data using a web application interface. When these queries run, the results can be sent to a Cloud Pub/Sub topic where they can be consumed by other apps. You can also configure Query Builder to add Cloud SCC security marks to results.

For example, you could schedule a query to periodically look for network firewalls with port 22 allowed, and use Query Builder to mark the results in Cloud SCC and notify your security team so they can take appropriate action.

This guide was written for tools version 3.3.0. If you're using a different version, please see the README file included with the tools version you downloaded. As of May 22, 2019, the most recent release version is 4.0.1.

Before you begin

Before you start this guide, you must complete the prerequisites and installation setup in Setting up Cloud SCC tools.

To install and run the Query Builder package, you will also need the following:

  • An active GCP Organization
  • An active Cloud Billing account
  • The following Cloud Identity and Access Management (Cloud IAM) roles at the organization level:
    • Project Creator - roles/resourcemanager.projectCreator
    • Billing Account User - roles/billing.user
    • Organization Role Administrator - roles/iam.organizationRoleAdmin
    • Viewer - roles/viewer
    • Service Usage Admin - roles/serviceusage.serviceUsageAdmin
    • API Keys Admin - roles/serviceusage.apiKeysAdmin
    • Kubernetes Engine Admin - roles/container.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
    • Service Account Key Admin - roles/iam.serviceAccountKeyAdmin
    • Service Account User - roles/iam.serviceAccountUser
    • Storage Admin - roles/storage.admin
    • Storage Object Admin - roles/storage.objectAdmin
    • Pub/Sub Admin - roles/pubsub.admin
    • Project IAM Admin - roles/resourcemanager.projectIamAdmin
    • Cloud SQL Admin - roles/cloudsql.admin
    • DNS Administrator - roles/dns.admin
    • Compute Admin - roles/compute.admin
    • IAP-secured Web App User - roles/iap.httpsResourceAccessor

Setting up environment variables

  1. Go to the Google Cloud Platform Console.
    Go to the GCP Console page
  2. Click Activate Cloud Shell.
  3. Run the following commands to set environment variables. Use the tools release version you downloaded during setup. This guide was written for tools version 3.3.0. For other tools versions, see the README included with the files you downloaded.

    # Release version you downloaded during setup
    export VERSION=[RELEASE_VERSION]
    
    # Directory to unzip the installation files
    export WORKING_DIR=${HOME}/scc-tools-install
    
    # Organzation ID where the script will run
    export ORGANIZATION_ID=[YOUR_ORG_ID]
    
    # Project ID to be created
    export QUERY_BUILDER_PROJECT_ID=[YOUR_QUERY_BUILDER_PROJECT_ID]
    
    # A valid billing account ID
    export BILLING=[YOUR_BILLING_ACCOUNT_ID]
    
  4. On the Cloud Shell menu bar, click Upload file on the More devshell settings menu.

  5. Upload the scc-query-builder-${VERSION}.zip file you downloaded during the installation setup.

  6. Unzip the file you uploaded earlier by running:

    unzip -qo scc-query-builder-${VERSION}.zip -d ${WORKING_DIR}
    
  7. Go to the installation working directory:

    cd ${WORKING_DIR}
    

Installing the Query Builder app package

In any of the following sections, you can simulate executions of the commands by using the option --simulation.

Step 1: Creating the project

Create the project and enable billing by running:

  1. Create the project:

     gcloud projects create ${QUERY_BUILDER_PROJECT_ID} \
       --organization ${ORGANIZATION_ID}
    
  2. Enable billing:

     gcloud beta billing projects link ${QUERY_BUILDER_PROJECT_ID} \
       --billing-account ${BILLING}
    

Step 2: Enabling APIs

To enable the required Google APIs in the Notifier project, run:

gcloud services enable \
  cloudapis.googleapis.com \
  cloudbuild.googleapis.com \
  clouddebugger.googleapis.com \
  cloudtrace.googleapis.com \
  compute.googleapis.com \
  container.googleapis.com \
  containerregistry.googleapis.com \
  dns.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  oslogin.googleapis.com \
  replicapool.googleapis.com \
  replicapoolupdater.googleapis.com \
  resourceviews.googleapis.com \
  servicemanagement.googleapis.com \
  serviceusage.googleapis.com \
  sourcerepo.googleapis.com \
  --project ${QUERY_BUILDER_PROJECT_ID}

gcloud services enable \
  sql-component.googleapis.com \
  sqladmin.googleapis.com \
  stackdriver.googleapis.com \
  storage-api.googleapis.com \
  pubsub.googleapis.com \
  storage-component.googleapis.com \
  securitycenter.googleapis.com \
  iamcredentials.googleapis.com \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  --project ${QUERY_BUILDER_PROJECT_ID}

Step 3: Creating the Cloud SCC client service account

This step requires the following Cloud IAM roles:

  • Organization Administrator - roles/resourcemanager.organizationAdmin
  • Security Center Admin - roles/securitycenter.admin
  • Service Account Admin - roles/iam.serviceAccountAdmin
  • Service Account Key Admin - roles/iam.serviceAccountKeyAdmin

You will use these roles to create a service account with the following organizational-level role:

  • Security Center Sources Viewer - roles/securitycenter.sourcesViewer
  • Security Center Findings Viewer - roles/securitycenter.findingsViewer
  • Security Center Assets Viewer - roles/securitycenter.assetsViewer
  • Security Center Finding Marks Writer - roles/securitycenter.findingSecurityMarksWriter
  • Security Center Asset Marks Writer - roles/securitycenter.assetSecurityMarksWriter

Create the service account that will be used to deploy the application, download the key file, and grant the necessary roles by running:

  1. Create the Service Account:

    gcloud iam service-accounts create scc-query-builder  \
     --display-name "SCC Query Builder SA"  \
     --project ${QUERY_BUILDER_PROJECT_ID}
    
  2. Download the service account key file:

    (cd setup; \
     gcloud iam service-accounts keys create \
     service_accounts/scc-query-builder-${QUERY_BUILDER_PROJECT_ID}-service-account.json \
     --iam-account scc-query-builder@${QUERY_BUILDER_PROJECT_ID}.iam.gserviceaccount.com)
    
  3. Export the absolute path to the service account key file:

    export SCC_SA_FILE=[PATH_TO_SERVICE_ACCOUNT_FILE]
    
  4. Grant the Organization Level roles:

    gcloud beta organizations add-iam-policy-binding ${ORGANIZATION_ID} \
     --member="serviceAccount:scc-query-builder@${QUERY_BUILDER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role='roles/securitycenter.assetsViewer'
    
    gcloud beta organizations add-iam-policy-binding ${ORGANIZATION_ID} \
    --member="serviceAccount:scc-query-builder@${QUERY_BUILDER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role='roles/securitycenter.findingsViewer'
    
    gcloud beta organizations add-iam-policy-binding ${ORGANIZATION_ID} \
     --member="serviceAccount:scc-query-builder@${QUERY_BUILDER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role='roles/securitycenter.sourcesViewer'
    
    gcloud beta organizations add-iam-policy-binding ${ORGANIZATION_ID} \
     --member="serviceAccount:scc-query-builder@${QUERY_BUILDER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role='roles/securitycenter.findingSecurityMarksWriter'
    
    gcloud beta organizations add-iam-policy-binding ${ORGANIZATION_ID} \
     --member="serviceAccount:scc-query-builder@${QUERY_BUILDER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role='roles/securitycenter.assetSecurityMarksWriter'
    

Step 4: Creating an API key

Before you run the Query Builder app setup, Create an API key and restrict it to the Cloud SCC application, then export its value to an environment variable:

  1. Go to the APIs & Services > Credentials page in the GCP Console.
    Go to the Credentials page
  2. On the Create credentials drop-down list, click API key.
  3. On the API key created dialog that appears, copy your API key.
  4. Export the API key as an environment variable by running:

    export API_KEY=[YOUR_API_KEY]
    

Step 5: Creating the database service account

Create a service account to access the Cloud SQL database and download a key by running:

(cd setup; \
pipenv run python3 create_service_account.py \
--name sql-service-account \
--project_id ${QUERY_BUILDER_PROJECT_ID} \
--roles_file roles/querybuilder-database.txt \
--output_file service_accounts/sql-${QUERY_BUILDER_PROJECT_ID}-service-account.json \
--no-simulation)

Step 6: Creating the scheduler service account

Create a service account to access the Query Builder scheduler component and download a key by running:

(cd setup; \
pipenv run python3 create_service_account.py \
--name scheduler-service-account \
--project_id ${QUERY_BUILDER_PROJECT_ID} \
--roles_file roles/querybuilder-scheduler.txt \
--output_file service_accounts/scheduler-${QUERY_BUILDER_PROJECT_ID}-service-account.json \
--no-simulation)

Step 7: Creating the notification publisher service account

Create a service account to publish query results to Cloud Pub/Sub topics, download a key, and grant the service account the necessary role:

  1. Create the service account and download the key:

    (cd setup; \
    pipenv run python3 create_service_account.py \
      --name notification-service-account \
      --project_id ${QUERY_BUILDER_PROJECT_ID} \
      --roles_file roles/querybuilder-notification.txt \
      --output_file service_accounts/notification-${QUERY_BUILDER_PROJECT_ID}-service-account.json \
      --no-simulation)
    
  2. To send messages to a topic in another project, grant the service account the Pub/Sub Publisher role on that project:

    gcloud beta organizations add-iam-policy-binding ${ORGANIZATION_ID} \
     --member="serviceAccount:publisher@${QUERY_BUILDER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role='roles/pubsub.publisher'
    

Step 8: Configuring the application domain and certificates

For users to access the Query Builder app, the app needs an internet domain or sub-domain properly configured in a DNS. If you already have a domain, you can use it, or you can register a domain name through Google Domains or another domain registrar of your choice. Follow your organization's guidelines and get help from your organization's Network Administrators if needed.

After you have a domain to use for Query Builder, follow the steps below to configure the DNS with Cloud DNS:

  1. Create a DNS zone by running:

    # the domain that you created or informed by your Network Administrator
    export QUERY_BUILDER_DOMAIN=[YOUR_QUERY_BUILDER_DOMAIN]
    
    # the DNS zone name that will be created on Google Cloud DNS. (do not change)
    export DNS_ZONE=[QUERY_BUILDER_DNS_ZONE]
    
    (cd setup;
    pipenv run python3 create_dns_zone.py \
    --custom_domain ${QUERY_BUILDER_DOMAIN} \
    --dns_zone ${DNS_ZONE} \
    --dns_project_id ${QUERY_BUILDER_PROJECT_ID} \
    --no-simulation)
    
  2. Change the nameserver to configure your domain to use Cloud DNS servers by running:

    gcloud dns managed-zones describe "${DNS_ZONE}" \
      --project ${QUERY_BUILDER_PROJECT_ID}
    


    Output example:

    creationTime: '2018-01-31T12:13:44.346Z'
    description: ' A zone'
    dnsName: example.com.
    id: '529777864777155386'
    kind: dns#managedZone
    name: examplecom
    nameServers:
    - ns-cloud-c1.googledomains.com.
    - ns-cloud-c2.googledomains.com.
    - ns-cloud-c3.googledomains.com.
    - ns-cloud-c4.googledomains.com.
    
  3. Update the nameserver record for your domain using the nameServers listed by the previous command, or send that list to your organization's Network Administrators. For information about how to update the nameserver record, see your domain registrar's documentation.

    • Because of the distributed nature of DNS, nameserver changes can take time to propagate to all servers. This is usually complete within a few minutes, but can take up to 24 hours to be fully propagated throughout the internet.
  4. Create a new A record on your DNS zone using the static IP for the Query Builder web app by running:

    gcloud compute addresses create querybuilder-web-static-ip \
    --global --project ${QUERY_BUILDER_PROJECT_ID}
    
    export IP=$(gcloud compute addresses describe querybuilder-web-static-ip \
    --global --format 'value(address)' --project ${QUERY_BUILDER_PROJECT_ID})
    
    (cd setup; \
    pipenv run python3 create_records_on_zone.py \
    --dns_zone ${DNS_ZONE} \
    --dns_project_id ${QUERY_BUILDER_PROJECT_ID} \
    --record_name ${QUERY_BUILDER_DOMAIN} \
    --ttl 90 \
    --value ${IP} \
    --record_type A \
    --no-simulation)
    

Step 9: Generating SSL certificates

To deploy Query Builder in a domain, you will need an SSL certificate. If your Network Administrators provided you with the domain/subdomain, ask them for the SSL certificates. If you already have SSL certificates, upload them to Cloud Shell to be used during Query Builder deploy.

If you don't have SSL certificates, follow the steps below to generate them for your registered domain. The script accepts more than one prefix, so you can generate SSL certificates for the primary domain and multiple sub-domains by in a comma-separated list.

To complete this step, you will need a DNS Zone, DNS domain, and e-mail. During execution, you might need to answer some questions and enter a password to generate the SSH public and private key files if you don't have them already.

  1. Set up environment variables:

    # the project created to install the application
    export QUERY_BUILDER_PROJECT_ID=[YOUR_QUERY_BUILDER_PROJECT_ID]
    
    # the domain that you got from your registrar
    export QUERY_BUILDER_DOMAIN=[YOUR_QUERY_BUILDER_DOMAIN]
    
    # the zone that will be created on your Cloud DNS. It can be chosen a region name that fits better for you
    export DNS_ZONE=[YOUR_DNS_ZONE_ID]
    
    # used to warn you when the certificate is close to expiration
    export EMAIL=[YOUR_EMAIL]
    
  2. Generate the SSL certificate by running the command below. Note that the --main_domain argument supports only your main domain. If you want to generate SSL certificates for your sub-domains, use the --prefix_sub_domains argument:

    (cd setup;
    pipenv run python3 ssl_generate.py \
    --main_domain ${QUERY_BUILDER_DOMAIN} \
    --dns_zone ${DNS_ZONE} \
    --dns_project_id ${QUERY_BUILDER_PROJECT_ID} \
    --email ${EMAIL} \
    --no-simulation)
    


    This script will generate SSL certificates and return the path for a .zip file named certs-${QUERY_BUILDER_DOMAIN}.zip that contains the certificates.

  3. Unzip the SSL certificates file by running:

    unzip certs-${QUERY_BUILDER_DOMAIN}.zip
    


    This creates a folder named certs that contains privkey1.pem and cert1.pem. You will need these to deploy Query Builder.

Deploying the Query Builder app package

Step 1: Installing Python dependencies

(cd scc-query-builder/setup; \
pipenv --python 3.5.3 ; \
pipenv install --ignore-pipfile)

Step 2: Creating the application's configuration file

The Query Builder app uses a JSON configuration file to parameterize the application during the deployment process.

  1. Use the command below to set a configuration file:

    (cd scc-query-builder/setup; \
    pipenv run python3 create_query_builder_sample.py \
     --output-file=parameters_file.json)
    
  2. Change configuration attributes to appropriate values for your installation by editing parameters_file.json in the ./scc-query-builder/setup folder:

    • root
      • organization_id: Your GCP Organization ID.
      • organization_display_name: Your GCP Organization display name.
    • query_builder
      • project_id: The Query Builder Project ID you created.
      • compute_zone: A Compute Engine zone to create the Google Kubernetes Engine cluster from the list of Regions and Zones.
      • custom_domain: The Query Builder domain.
    • dns
      • zone_name: The Cloud DNS Zone name you created.
    • scc
      • service_account: Full path to the client service account file created above to access Cloud SCC API.
      • developer_key: The API key created above to authorize the use of the Cloud SCC API.
    • scheduler
    • notification
    • cloud_sql
      • instance_name: The Cloud SQL instance name to be created. It must be a unique name not used before, because previous deleted instances take some time to be permanently deleted.
      • database_name: The database name to be created.
      • user_name: The database user to be created.
      • user_password: The database password to be created.
      • service_account: Full path to database service account file created above to access Cloud SQL.
    • ssl_certificates
      • cert_key: Full path to the cert.pem file for your domain.
      • private_key: Full path to the privkey.pem file for your domain.

Step 3: Executing the deployment

To create the remaining infrastructure, including networking, GKE Cluster, Cloud SQL instance, and Cloud Pub/Sub topics, and deploy the application, run:

# the project created to install the application
export QUERY_BUILDER_PROJECT_ID=[YOUR_QUERY_BUILDER_PROJECT_ID]

# make sure your gcloud is set to your Query Builder Project
gcloud config set project ${QUERY_BUILDER_PROJECT_ID}

(cd scc-query-builder/setup; \
pipenv run python3 run_query_builder_setup.py \
--input-file=parameters_file.json \
--no-simulation)

Configuring Cloud IAP

After you deploy the infrastructure and application, you need to configure Cloud Identity-Aware Proxy (Cloud IAP so that only authorized users can access the application.

  1. Go to the OAuth consent screen page page in the GCP Console.
    Go to the OAuth consent screen page
  2. On the project selector drop-down list, select the project in which you created the Query Builder app.
  3. Complete the following fields:
    • Support email: an email address for user support that will be displayed on the consent screen.
    • Application name: the application name displayed on the consent screen, such as "Query Builder".
    • Authorized domains: the domain where the application is hosted. This should be the domain you used or created above. Press Enter after you complete this field to save it correctly.
  4. When you're finished entering details, click Save.

Step 2: Creating the OAuth client ID

  1. Go to the Credentials page page in the GCP Console.
    Go to the Credentials page
  2. On the Create credentials drop-down list, select OAuth client ID.
  3. On the Create OAuth client ID page that appears, enter the following details:

    • Application type: select Web application.
    • Name: enter the name of this Client ID, such as "Query Builder Cloud IAP Client ID".
    • Authorized redirect URIs: enter a URL to redirect the user to after they have authenticated. The URL should be in the following format where [QUERY_BUILDER_DOMAIN] is the domain you used or created above.

      https://[QUERY_BUILDER_DOMAIN]/_gcp_gatekeeper/authenticate`.
      


      Press Enter after you complete this field to save it correctly.

  4. When you're finished entering details, click Create.

  5. On the OAuth client dialog that appears, copy the client ID and client secret. You'll need these values in the next steps.

Step 3: Turning on Cloud IAP

  1. Change the following configuration attributes to appropriate values for your installation by editing parameters_file.json in the ./scc-query-builder/setup folder:
    • oauth
      • client_id: the client ID you copied when you created the OAuth client ID above.
      • client_secret: the client secret you copied when you created the OAuth client ID above.
  2. Turn configure and turn on Cloud IAP by running:

    (cd scc-query-builder/setup; \
    pipenv run python3 run_query_builder_iap_setup.py --input-file=parameters_file.json \
    --no-simulation)
    

    Step 4: Accessing the Query Builder application

To access the Query Builder app, a user must have the following Cloud IAM role at the project level:

  • IAP-secured Web App User - roles/iap.httpsResourceAccessor

To access the application, use the URL https://[QUERY_BUILDER_DOMAIN]. For more information about how to use the app, see Using Query Builder below.

If you have deployed the Notifier app, you can optionally link it to Query Builder. To link the apps, review the notification publisher service account section above and then run the following:

# the project created to install the Query Builder application
export QUERY_BUILDER_PROJECT_ID=[YOUR_QUERY_BUILDER_PROJECT_ID]

# the project id where Notifier application was deployed
export NOTIFIER_PROJECT_ID=[YOUR_NOTIFIER_PROJECT_ID]

# App Engine endpoint namespace (do not change)
export NOTIFIER_PROJECT_ENDPOINT=notifier

(cd setup; \
export NOTIFIER_PUBSUB_PATH=https://${NOTIFIER_PROJECT_ENDPOINT}-pubsub-dot-${NOTIFIER_PROJECT_ID}; \
export NOTIFIER_PUSH_ENDPOINT=${NOTIFIER_PUBSUB_PATH}.appspot.com/_ah/push-handlers/receive_message; \
pipenv run python3 add_subscription.py \
--topic_name notification \
--topic_project ${QUERY_BUILDER_PROJECT_ID} \
--subscription_project ${NOTIFIER_PROJECT_ID} \
--subscription_name publish-to-notifier \
--push_endpoint ${NOTIFIER_PUSH_ENDPOINT})

Cleanup

You can optionally choose to deactivate your environment and uninstall Query Builder. If you want to do this, use the script below to:

  • Stop the following resources created in the installation:
    • Cloud SQL instance
  • Delete the following resources created in the installation:
    • GKE Cluster
    • Static IP
    • Network and Subnetwork
    • Backend Services
    • Target Proxies
    • Forwarding Rules
    • Health Checks
    • URL Map
  1. Edit the parameters_file.json file you used during Query Builder setup to run the cleanup script. This file is in the ./scc-query-builder/setup folder.

    (cd scc-query-builder/setup; \
    pipenv run python3 run_query_builder_cleanup.py --input-file=parameters_file.json \
    --no-simulation)
    
  2. Delete the project where you installed Query Builder by running:

    export QUERY_BUILDER_PROJECT_ID=[YOUR_QUERY_BUILDER_PROJECT_ID]
    
    gcloud projects delete ${QUERY_BUILDER_PROJECT_ID}
    

Using Query Builder

Your can use the Query Builder app to create, update, and delete multi-step queries for Assets and Findings. Registered queries can be used to perform searches using the Cloud SCC API. Results from executed queries are updated with security marks. You can also run periodic searches with scheduled queries and receive notifications of the results.

Query list

The query list page displays a list of saved queries. This page enables you to perform the following actions:

  • To filter the queries that are displayed by name, description, or owner, click Search.
  • To run, view, or delete a query, click More next to the query.
  • To create a new query, click Create button on the lower right side.
  • To turn notifications for a query on or off, click the toggle next to the query.

To display more information about a query, click the arrow next to the query to expand the details panel. Query details include:

  • Last execution date: the last time the query was executed, triggered by a user or by the scheduler.
  • Last execution result: the total of Assets and/or Findings that satisfied the query as of the last execution.
  • Last updated: the last time the query information was updated.
  • Next Execution date: the next time a scheduled query will be executed.
  • Mark: a (key, value) pair used by Cloud SCC to filter the results that were marked in the last query execution. You can copy this value into the "Filter by" field on the Cloud SCC Assets or Findings tabs.

Create or edit a query

A query is a series of consecutive steps in which each step is a call to the Cloud SCC API search assets or search findings methods. A query includes the following values:

  • Name (required)
  • A description (required)
  • An optional topic to be used for notifications. The formats accepted are:
    • Publishing to a topic from another project: projects/[PROJECT_ID]/topics/[TOPIC_NAME]
    • Publishing to a topic from the current Query Builder project: [TOPIC_NAME]
  • A toggle to turn notifications on or off
  • A toggle to turn scheduling on or off. When scheduling is turned on, a detailed scheduling configuration section is displayed.

Scheduling Configuration

Queries can be scheduled by hour, day, or week. For each schedule, you can select the frequency and an offset for the start of execution. To display the next three future executions, click Show Next Executions.

Kind field

The kind field specifies the kind of resource you want to query: ASSET or FINDING.

Compare duration field

The Compare duration field is only available for assets. When Compare duration is set, the asset is updated to indicate whether it was added, removed, or remained present during the Compare duration period of time that precedes the Read time. If no value is defined for Read time, Compare duration uses the current time.

For more information, see the organizations.assets.list Cloud SCC API documentation.

A duration is a string in the format {number}w+{number}d+{number}h+{number}m+{number}s where each value corresponds to the following:

  • w: weeks
  • d: days
  • h: hours
  • m: minutes
  • s: seconds

Example formats:

  • 2w - 2 weeks
  • 24h+30m - 24 hours and 30 minutes
  • 48h - 48 hours
  • 30m - 30 minutes
  • 30m+45s - 30 minutes and 45 seconds

Read time field

The Read time field is the exact time the search will be executed. It can use a specific date/time or a value in the format w/d/h/m/s to search before the current time.

For more information, see the following Cloud SCC API documentation:

When you complete the Read time section, you'll select if you want to read from a specific timestamp or at a specified time in the future:

  • Timestamp enables you to select:
    • Date + time in ISO format
    • Time zone
  • From_now enables you to specify a string in the format {number}w+{number}d+{number}h+{number}m+{number}s

Filter

Filter accepts an expression based on the attributes, properties, and security marks of the Cloud SCC assets and findings.

For more information, see the following Cloud SCC API documentation:

Threshold

Threshold is a required value that defines a size condition that the query result will be evaluated against. The threshold is a pair of the following operators and an integer value:

  • Less than
  • Less or equal
  • Equal
  • Not equal
  • Greater or equal
  • Greater than

Multi-step queries

You can combine multiple calls to the Cloud SCC API by adding steps to a query. When you add steps, you need to define:

  • outJoin: the field that should be read from the result of the first query.
  • inJoin: the field on the second query that will use the values from the first query.

The inJoin and outJoin fields must be a valid <field> as described in the Cloud SCC API documentation for organizations.assets.list query paramaters and organizations.sources.findings.list query parameters.

The outJoin field must be a valid field on the first step, and the inJoin field must be a valid field on the second step. For example, as illustrated below, if you select an outJoin from the assets name field to link with aninJoin from the findings resourceName field, the query gets findings in step 2 based on the assets returned in step 1.

Query Builder OutJoin and InJoin fields

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Security Command Center
Need help? Visit our support page.