Managing Security Health Analytics vulnerability findings

This page provides a list of reference guides and techniques for managing Security Health Analytics vulnerability findings using Cloud Security Command Center (Cloud SCC).

Filtering findings in Cloud Security Command Center

A large organization can have many vulnerability findings across its deployment to review, triage, and track. By using Cloud SCC with the available filters, you can focus on the highest-severity vulnerabilities across your organization, and review vulnerabilities by asset type, security mark, and more.

Example: Filtering findings by severity and project

To view the highest severity Security Health Analytics findings:

  1. Go to the Cloud SCC Findings page in the Google Cloud Platform Console (GCP Console).
  2. In the Filter box, enter source_properties.SeverityLevel:HIGH. You can also use SeverityLevel values of MEDIUM and LOW.

You can apply additional filters, like reviewing vulnerabilities for a specific project ID. For example: source_properties.projectId: myprodproject.

For more information about filtering findings, see Viewing vulnerabilities and threats. Cloud SCC findings also carry many built-in properties you can filter on, as well as custom properties such as security marks.

After you filter your selection to the vulnerabilities that are important to you, you can select the vulnerability in Cloud SCC to view detailed information about the finding. This includes a description of the vulnerability and the risk, and recommendations for remediation.

Marking assets and findings with security marks

You can add custom properties to findings and assets in Cloud SCC by using security marks. Security marks enable you to identify high-priority areas of interest like production projects, tag findings with bug and incident tracking numbers, and more.

Whitelisting Security Health Analytics findings using security marks

You can whitelist assets in Security Health Analytics so that a scanner doesn't create a security finding for the asset. When you whitelist an asset, the finding is marked as resolved when the next scan runs. This could be helpful when you don't want to review security findings for projects that are isolated or fall within acceptable business parameters.

To whitelist an asset, add a security mark allow_[FINDING_TYPE] for a specific finding type, where [FINDING_TYPE] is the finding type in lowercase. For example, for the finding type SSL_NOT_ENFORCED, use the security mark allow_ssl_not_enforced:true.

For a full list of finding types, see Viewing vulnerabilities and threats.

To learn more about Security Marks and techniques for using them, see Using Cloud SCC security marks.

Programmatically managing findings

Using the gcloud command-line tool and the Cloud SCC API, you can automate anything you can do in the Cloud SCC dashboard, including listing, filtering, and marking findings. You can also remediate many findings using the gcloud tool. For more information, review the documentation for the resource types described in each finding:
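The following script is an added example, not code from the original page or from Google, that ties together the three tasks described above: building a severity-and-project filter, deriving the allow_[FINDING_TYPE] mark key from a finding category (so the key is always the lowercased category and cannot drift, as in an ssh-for-ssl typo), and issuing the corresponding gcloud scc commands. ORG_ID and SHA_SOURCE are placeholders for your organization number and the Security Health Analytics source ID; the run wrapper and its DRY_RUN switch are this example's own device so the commands can be inspected without Cloud SCC access. Filter strings passed to gcloud use the Cloud SCC API syntax (a quoted value after =) rather than the console filter box syntax.

```shell
#!/bin/sh
# Added example (not from the original page). ORG_ID and SHA_SOURCE are
# placeholders; supply your organization number and the numeric source ID
# of Security Health Analytics from your own environment.
ORG_ID="${ORG_ID:-123456789012}"
SHA_SOURCE="${SHA_SOURCE:-1234567890123456789}"

# With DRY_RUN=1 (the default here) each gcloud command is printed instead of
# executed; set DRY_RUN=0 to run them for real.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Cloud SCC API filter for findings of one severity level in one project.
# source_properties.* are the properties Security Health Analytics attaches.
severity_filter() {
  printf 'source_properties.SeverityLevel="%s" AND source_properties.projectId="%s"' "$1" "$2"
}

# Allowlist mark key for a finding category: allow_<category in lowercase>.
# Deriving it mechanically keeps the key in step with the category name.
allow_mark_for() {
  printf 'allow_%s' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# List the HIGH-severity Security Health Analytics findings for a project.
list_high_findings() {
  run gcloud scc findings list "$ORG_ID" \
    --source="$SHA_SOURCE" \
    --filter="$(severity_filter HIGH "$1")" \
    --format=json
}

# Add the allowlist mark for one finding type to an asset; Security Health
# Analytics then marks the corresponding finding resolved on its next scan.
allowlist_asset() {
  run gcloud scc assets update-marks "$1" \
    --organization="$ORG_ID" \
    --security-marks="$(allow_mark_for "$2")=true"
}

# Example invocations (printed, not executed, under DRY_RUN=1).
list_high_findings myprodproject
allowlist_asset organizations/123456789012/assets/1111111111111111111 SSL_NOT_ENFORCED
```

Run it with DRY_RUN=0 and a real ORG_ID and SHA_SOURCE to execute the commands; the mark set by allowlist_asset is the same allow_ssl_not_enforced:true mark described in the security marks section, just applied from the command line instead of the dashboard.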
