
Using Security Health Analytics

This page provides a list of reference guides and techniques for managing Security Health Analytics findings using Security Command Center.

Filtering findings in Security Command Center

A large organization might have many vulnerability findings across their deployment to review, triage, and track. By using Security Command Center with the available filters, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, security mark, and more.

To view a complete list of Security Health Analytics scanners and findings, see the Security Health Analytics findings page.

Viewing Security Health Analytics findings by project

To view Security Health Analytics findings by project:

  1. Go to the Security Command Center in the Cloud Console.
  2. To display Security Health Analytics findings, click the Vulnerabilities tab.
  3. In the Projects Filter box, click Add a Project to the projects filter, and then select the project that you want to display findings for.

The Vulnerabilities tab displays a list of findings for the project that you selected.

Viewing Security Health Analytics findings by finding type

To view Security Health Analytics findings by category:

  1. Go to the Security Command Center in the Cloud Console.
  2. To display Security Health Analytics findings, click the Vulnerabilities tab.
  3. In the Finding Type column, select the finding type that you want to display findings for.

The Findings tab loads and displays a list of findings that match the type you selected.

Viewing findings by asset type

To view Security Health Analytics findings for a specific asset type:

  1. Go to the Security Command Center Assets page in the Cloud Console.
  2. Next to View by, click Source Type, and then select Security Health Analytics.
  3. In the Filter box, enter resourceName: asset-type. For example, to display Security Health Analytics findings for all projects, enter resourceName: projects.

The list of findings updates to display all findings for the asset type that you specified.

Viewing Security Health Analytics findings by severity

To view Security Health Analytics findings by severity:

  1. Go to the Security Command Center in the Cloud Console.
  2. To display Security Health Analytics findings, click the Vulnerabilities tab.
  3. Click the Severity column header to sort findings by the following values: HIGH, MEDIUM, LOW.

For more information about finding types, see Viewing vulnerabilities and threats. Security Command Center also lets you filter on many built-in properties, as well as on custom properties like security marks.

After you filter by the vulnerabilities that are important to you, you can view detailed information about the finding by selecting the vulnerability in Security Command Center. This includes a description of the vulnerability and the risk, and recommendations for remediation.

Marking assets and findings with security marks

You can add custom properties to findings and assets in Security Command Center by using security marks. Security marks enable you to identify high-priority areas of interest like production projects, tag findings with bug and incident tracking numbers, and more.

Whitelisting Security Health Analytics findings using security marks

You can whitelist assets in Security Health Analytics so that a scanner doesn't create a security finding for the asset. When you whitelist an asset, the finding is marked as resolved when the next scan runs. This can be helpful when you don't want to review security findings for projects that are isolated or fall within acceptable business parameters.

To whitelist an asset, add a security mark allow_finding-type for a specific finding type. For example, for the finding type SSL_NOT_ENFORCED, use the security mark allow_ssl_not_enforced:true.

For a complete list of finding types, see the Security Health Analytics scanner list included earlier on this page. To learn more about security marks and techniques for using them, see Using Security Command Center security marks.

Viewing active finding count by finding type

You can use the Cloud Console or gcloud command-line tool commands to view active finding counts by finding type.

Console

The Security Health Analytics dashboard enables you to view a count of active findings for each finding type.

To view Security Health Analytics findings by finding type:

  1. Go to the Security Command Center in the Cloud Console.
  2. To display Security Health Analytics findings, click the Vulnerabilities tab.
  3. Click the Active column header to sort findings by the number of active findings for each finding type.

gcloud

To use the gcloud tool to get a count of all active findings, you query Security Command Center to get the Security Health Analytics source ID. Then you use the source ID to query the active findings count.

Step 1: Get the source ID

To complete this step, you will need your organization ID. To get your organization ID, run gcloud organizations list and note the number next to the organization name.

To get the Security Health Analytics source ID, run:

gcloud alpha scc sources describe organizations/your-organization-id \
 --source-display-name='Security Health Analytics'

If you haven't already enabled the Security Command Center API, you will be prompted to enable it. When the Security Command Center API is enabled, run the previous command again. The command should display output like the following:

description: Scans for deviations from a GCP security baseline.
displayName: Security Health Analytics
name: organizations/your-organization-id/sources/source-id

Note the source-id to use in the next step.

Step 2: Get the active findings count

Use the source-id you noted in the previous step to filter findings from Security Health Analytics. The following gcloud tool command returns a count of findings by category:

gcloud alpha scc findings group organizations/your-organization-id/sources/source-id \
 --group-by=category --page-size=page-size

You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization:

groupByResults:
- count: '1'
  properties:
    category: 2SV_NOT_ENFORCED
- count: '3'
  properties:
    category: ADMIN_SERVICE_ACCOUNT
- count: '2'
  properties:
    category: API_KEY_APIS_UNRESTRICTED
- count: '1'
  properties:
    category: API_KEY_APPS_UNRESTRICTED
- count: '2'
  properties:
    category: API_KEY_EXISTS
- count: '10'
  properties:
    category: AUDIT_CONFIG_NOT_MONITORED
- count: '10'
  properties:
    category: AUDIT_LOGGING_DISABLED
- count: '1'
  properties:
    category: AUTO_UPGRADE_DISABLED
- count: '10'
  properties:
    category: BUCKET_IAM_NOT_MONITORED
- count: '10'
  properties:
    category: BUCKET_LOGGING_DISABLED
nextPageToken: token
readTime: '2019-08-05T21:56:13.862Z'
totalSize: 50
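As an added example (not code from the Google Cloud documentation), the following Python script parses the group-by-category output shown above, ranks categories by active finding count, and derives the allow_finding-type security mark keys described in the whitelisting section for finding types you have decided to suppress. The sample output and its counts are constructed, and the line-based parser assumes the two-key shape shown on this page rather than arbitrary YAML.

```python
import re

# Constructed sample in the shape of the `gcloud alpha scc findings group
# ... --group-by=category` output shown above (the counts are made up).
SAMPLE_OUTPUT = """\
groupByResults:
- count: '1'
  properties:
    category: 2SV_NOT_ENFORCED
- count: '10'
  properties:
    category: AUDIT_LOGGING_DISABLED
- count: '2'
  properties:
    category: SSL_NOT_ENFORCED
nextPageToken: token
readTime: '2019-08-05T21:56:13.862Z'
totalSize: 13
"""

_COUNT_RE = re.compile(r"^- count: '(\d+)'$")
_CATEGORY_RE = re.compile(r"^\s+category: (\S+)$")

def parse_group_counts(text):
    """Read groupByResults into {category: active_count} without PyYAML."""
    counts, pending = {}, None
    for line in text.splitlines():
        m = _COUNT_RE.match(line)
        if m:
            pending = int(m.group(1))  # the count precedes its category
            continue
        m = _CATEGORY_RE.match(line)
        if m and pending is not None:
            counts[m.group(1)] = pending
            pending = None
    return counts

def allow_mark(finding_type):
    """Security mark key that allowlists a finding type, per the page's convention."""
    return "allow_" + finding_type.lower()

def summarize(text, allowed_types=()):
    """Return (categories ranked by active count, total, marks for allowed types)."""
    counts = parse_group_counts(text)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    marks = {allow_mark(t): "true" for t in allowed_types if t in counts}
    return ranked, sum(counts.values()), marks
```

Pipe real output in with `gcloud ... --group-by=category` and pass the finding types you have reviewed to `allowed_types` to get the exact mark keys to apply.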

Programmatically manage findings

Using the gcloud command-line tool with the Security Command Center SDK enables you to automate anything you can do in the Security Command Center dashboard. You can also remediate many findings using the gcloud tool. For more information, review the documentation for the resource types described in each finding.

What's next
