
Managing Security Health Analytics findings


This page provides a list of reference guides and techniques for managing Security Health Analytics findings using Cloud Security Command Center (Cloud SCC).

Filtering findings in Cloud Security Command Center

A large organization might have many vulnerability findings across their deployment to review, triage, and track. By using Cloud SCC with the available filters, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, security mark, and more.


Viewing Security Health Analytics findings by project

To view Security Health Analytics findings by project:

  1. Go to the Cloud SCC Findings page in the GCP Console.
  2. In the Filter box, enter source_properties.projectId: [PROJECT_ID], where [PROJECT_ID] is the unique project ID for the project that you want to see vulnerabilities for.

Viewing Security Health Analytics findings by finding type

To view Security Health Analytics findings by category:

  1. Go to the Cloud SCC Findings page in the GCP Console.
  2. In the Filter box, enter category: [CATEGORY], where [CATEGORY] is one of the Security Health Analytics finding types listed later on this page.

Viewing findings by asset type

To view Security Health Analytics findings for a specific asset type:

  1. Go to the Cloud SCC Findings page in the GCP Console.
  2. In the Filter box, enter source_properties.ScannerName: [SCANNER_TYPE], where [SCANNER_TYPE] is one of the Security Health Analytics scanner types listed later on this page.

Viewing Security Health Analytics findings by severity

To view Security Health Analytics findings by severity:

  1. Go to the Cloud SCC Findings page in the GCP Console.
  2. In the Filter box, enter source_properties.SeverityLevel: [SEVERITY], where [SEVERITY] is one of the following values: HIGH, MEDIUM, LOW.

Viewing findings by severity and project

To view the highest severity Security Health Analytics findings:

  1. Go to the Cloud SCC Findings page in the Google Cloud Platform Console (GCP Console).
  2. In the Filter box, enter source_properties.SeverityLevel:HIGH. You can also use SeverityLevel values of MEDIUM and LOW.

You can apply additional filters, like reviewing vulnerabilities for a specific project ID. For example: source_properties.projectId: myprodproject.

For more information about finding types, see Viewing vulnerabilities and threats. Cloud SCC also provides many built-in properties and supports custom properties like security marks.

After you filter your selection to the vulnerabilities that are important to you, you can select the vulnerability in Cloud SCC to view detailed information about the finding. This includes a description of the vulnerability and the risk, and recommendations for remediation.

Marking assets and findings with security marks

You can add custom properties to findings and assets in Cloud SCC by using security marks. Security marks enable you to identify high-priority areas of interest like production projects, tag findings with bug and incident tracking numbers, and more.

Whitelisting Security Health Analytics findings using security marks

You can whitelist assets in Security Health Analytics so that a scanner doesn't create a security finding for the asset. When you whitelist an asset, the finding is marked as resolved when the next scan runs. This could be helpful when you don't want to review security findings for projects that are isolated or fall within acceptable business parameters.

To whitelist an asset, add a security mark allow_[FINDING_TYPE] for a specific finding type, where [FINDING_TYPE] is the finding type in lowercase. For example, for the finding type SSL_NOT_ENFORCED, use the security mark allow_ssl_not_enforced:true.

For a complete list of finding types, see the Security Health Analytics scanner list included earlier on this page. To learn more about security marks and techniques for using them, see Using Cloud SCC security marks.

Querying active finding count by category

You can use the gcloud command-line tool to query a count of all active findings, grouped by finding category. To do this, you first query Cloud SCC to get the Security Health Analytics source ID. Then you use the source ID to query the active findings count.

Step 1: Get the source ID

Use the following gcloud tool command to get the Security Health Analytics source ID:

gcloud alpha scc sources describe organizations/[YOUR_ORGANIZATION_ID] \
 --source-display-name='Security Health Analytics'

The command should display output like the following:

description: Scans for deviations from a GCP security baseline.
displayName: Security Health Analytics
name: organizations/[YOUR_ORGANIZATION_ID]/sources/[SHA_SOURCE_ID]

Note the [SHA_SOURCE_ID] to use in the next step.

Step 2: Get the active findings count

Use the [SHA_SOURCE_ID] you noted in the previous step to filter findings from Security Health Analytics. The following gcloud tool command returns a count of findings by category:

gcloud alpha scc findings group organizations/[YOUR_ORGANIZATION_ID]/sources/[SHA_SOURCE_ID] \
 --group-by=category --page-size=[PAGE_SIZE]

You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization:

groupByResults:
- count: '1'
  properties:
    category: 2SV_NOT_ENFORCED
- count: '3'
  properties:
    category: ADMIN_SERVICE_ACCOUNT
- count: '2'
  properties:
    category: API_KEY_APIS_UNRESTRICTED
- count: '1'
  properties:
    category: API_KEY_APPS_UNRESTRICTED
- count: '2'
  properties:
    category: API_KEY_EXISTS
- count: '10'
  properties:
    category: AUDIT_CONFIG_NOT_MONITORED
- count: '10'
  properties:
    category: AUDIT_LOGGING_DISABLED
- count: '1'
  properties:
    category: AUTO_UPGRADE_DISABLED
- count: '10'
  properties:
    category: BUCKET_IAM_NOT_MONITORED
- count: '10'
  properties:
    category: BUCKET_LOGGING_DISABLED
nextPageToken: [TOKEN]
readTime: '2019-08-05T21:56:13.862Z'
totalSize: 50
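The two-step procedure above (get the source ID, then group active findings by category) as an added Python example; it is not code from the original page or from Google. It assumes the commands are run with gcloud's global --format=json flag, that the alpha group command accepts --page-token for continuing past nextPageToken (verify with --help), and uses constructed sample output in place of real gcloud calls.

```python
import json

# Constructed sample of `gcloud alpha scc sources describe ... --format=json`
# (assumption: the JSON mirrors the YAML fields shown on this page).
SAMPLE_DESCRIBE = json.dumps({
    "description": "Scans for deviations from a GCP security baseline.",
    "displayName": "Security Health Analytics",
    "name": "organizations/123456/sources/987654",
})

# Constructed sample of `gcloud alpha scc findings group ... --format=json`,
# split over two pages so that nextPageToken handling is exercised.
SAMPLE_PAGES = [
    json.dumps({"groupByResults": [
        {"count": "10", "properties": {"category": "AUDIT_LOGGING_DISABLED"}},
        {"count": "3", "properties": {"category": "ADMIN_SERVICE_ACCOUNT"}}],
        "nextPageToken": "tok1", "totalSize": 3}),
    json.dumps({"groupByResults": [
        {"count": "1", "properties": {"category": "2SV_NOT_ENFORCED"}}],
        "totalSize": 3}),
]

def source_id(describe_json):
    """Step 1: pull [SHA_SOURCE_ID] out of the source's 'name' field."""
    name = json.loads(describe_json)["name"]  # organizations/ORG/sources/ID
    parts = name.split("/")
    if len(parts) != 4 or parts[0] != "organizations" or parts[2] != "sources":
        raise ValueError("unexpected source name: " + name)
    return parts[3]

def group_command(org_id, sha_source_id, page_size=1000, page_token=None):
    """Step 2: build the gcloud command; page-size is limited to 1000."""
    if not 1 <= page_size <= 1000:
        raise ValueError("page-size must be between 1 and 1000")
    cmd = ["gcloud", "alpha", "scc", "findings", "group",
           f"organizations/{org_id}/sources/{sha_source_id}",
           "--group-by=category", f"--page-size={page_size}", "--format=json"]
    if page_token:  # assumption: the alpha command accepts --page-token
        cmd.append(f"--page-token={page_token}")
    return cmd

def counts_by_category(pages):
    """Merge groupByResults across pages; the API returns counts as strings."""
    totals = {}
    for page in pages:
        for row in json.loads(page).get("groupByResults", []):
            cat = row["properties"]["category"]
            totals[cat] = totals.get(cat, 0) + int(row["count"])
    # Highest counts first, so the noisiest categories surface for triage.
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))
```

Feed the real command output to these functions with subprocess.run(group_command(...), capture_output=True, text=True).stdout, looping on nextPageToken until it is absent.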

Programmatically manage findings

Using the gcloud command-line tool with the Cloud SCC SDK enables you to automate anything you can do in the Cloud SCC dashboard. You can also remediate many findings using the gcloud tool. For more information, review the documentation for the resource types described in each finding:
