Using Security Health Analytics

This page explains how to manage Security Health Analytics findings using Security Command Center.

Security Health Analytics is a built-in service in Security Command Center. To view Security Health Analytics findings, it must be enabled in Security Command Center Services settings.

The following video shows how to set up Security Health Analytics and how to use the dashboard. Viewing and managing Security Health Analytics findings is described in the text later on this page.

Findings from Security Health Analytics detectors are searchable in the Security Command Center dashboard and using the Security Command Center API.

Scans start approximately one hour after Security Command Center is enabled and run in two modes: batch mode, which automatically runs scans twice each day, 12 hours apart; and real-time mode, which runs scans against asset configuration changes. Security Health Analytics detectors that do not support real-time scanning mode are listed in Security Command Center Latency Overview.

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, security sources, and security marks depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Features by pricing tier

Security Health Analytics provides managed vulnerability assessment scanning that automatically detects the highest severity vulnerabilities and misconfigurations for your Google Cloud assets.

In Security Command Center's Standard tier, Security Health Analytics only includes a basic group of high-severity detectors. The Premium tier includes all Security Health Analytics detectors and adds compliance reporting for industry best practices and benchmarks.

Switching tiers

Most Security Health Analytics detectors are available only in Security Command Center Premium. If you are a Premium customer and plan to switch to the Standard tier, it is recommended that you resolve all findings before changing your subscription.

Findings generated by Premium detectors can't be automatically resolved in the Standard tier because, after downgrading or at the end of a Premium trial, Security Health Analytics no longer runs Premium detectors in your organization. These findings won't be updated and remain active. To manually mark findings inactive, go to the Findings tab in the Security Command Center dashboard.

Enable and disable detectors

The following Security Health Analytics detectors are not enabled by default:

  • BUCKET_CMEK_DISABLED
  • DATASET_CMEK_DISABLED
  • DISK_CMEK_DISABLED
  • DISK_CSEK_DISABLED
  • NODEPOOL_BOOT_CMEK_DISABLED
  • PUBSUB_CMEK_DISABLED
  • SQL_CMEK_DISABLED
  • SQL_NO_ROOT_PASSWORD
  • SQL_WEAK_ROOT_PASSWORD

To turn on a detector, also known as a module, run the gcloud alpha scc settings services modules enable command in the gcloud command-line tool.

  gcloud alpha scc settings services modules enable \
    --organization=ORGANIZATION_ID \
    --service=SECURITY_HEALTH_ANALYTICS \
    --module=DETECTOR_NAME

Replace the following:

  • ORGANIZATION_ID: your organization ID
  • DETECTOR_NAME: the name of the detector you want to enable

To disable a detector, run the modules disable command.

  gcloud alpha scc settings services modules disable \
    --organization=ORGANIZATION_ID \
    --service=SECURITY_HEALTH_ANALYTICS \
    --module=DETECTOR_NAME

Replace the following:

  • ORGANIZATION_ID: your organization ID
  • DETECTOR_NAME: the name of the detector you want to disable

Disabling detectors can impact the state of active findings. When a detector is disabled, existing findings are marked as inactive.

Security Health Analytics or specific detectors can also be disabled for specific folders or projects. If Security Health Analytics or detectors are turned off for folders and projects, any existing findings attached to assets in those resources are marked as inactive.

Filtering findings in Security Command Center

A large organization might have many vulnerability findings across its deployment to review, triage, and track. By using Security Command Center with the available filters, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, security mark, and more.

To view a complete list of Security Health Analytics detectors and findings, see the Security Health Analytics findings page.

Viewing Security Health Analytics findings by project

To view Security Health Analytics findings by project, do the following:

  1. Go to Security Command Center in the Cloud Console.

  2. To display Security Health Analytics findings, click the Vulnerabilities tab.

  3. Under Projects Filter, click Add a project to the Projects Filter.

  4. In the search dialog that appears, select the project that you want to display findings for.

The Vulnerabilities tab displays a list of findings for the project that you selected.

Viewing Security Health Analytics findings by finding type

To view Security Health Analytics findings by category, do the following:

  1. Go to Security Command Center in the Cloud Console.

  2. To display Security Health Analytics findings, click the Vulnerabilities tab.

  3. In the Category column, select the finding type that you want to display findings for.

The Findings tab loads and displays a list of findings that match the type you selected.

Viewing findings by asset type

To view Security Health Analytics findings for a specific asset type, do the following:

  1. Go to the Security Command Center Findings page in the Cloud Console.

  2. Next to View by, click Source Type, and then select Security Health Analytics.

  3. In the Filter box, enter resourceName: ASSET_TYPE. For example, to display Security Health Analytics findings for all projects, enter resourceName: projects.

The list of findings updates to display all findings for the asset type that you specified.

Viewing Security Health Analytics findings by severity

To view Security Health Analytics findings by severity, do the following:

  1. Go to Security Command Center in the Cloud Console.

  2. To display Security Health Analytics findings, click the Vulnerabilities tab.

  3. To sort findings by severity, click the Severity column header. Severity values are HIGH, MEDIUM, and LOW.

For more information about finding types, see Vulnerabilities findings. Security Command Center also provides many built-in filter properties, as well as custom properties like security marks.

After you filter by the vulnerabilities that are important to you, you can view detailed information about the finding by selecting the vulnerability in Security Command Center. This information includes a description of the vulnerability and the risk, and recommendations for remediation.

Mute findings

To control the volume of findings in Security Command Center, you can manually or programmatically mute individual findings or create mute rules that automatically mute current and future findings based on filters you define.

Muted findings are hidden and silenced, but continue to be logged for audit and compliance purposes. You can view muted findings or unmute them at any time. To learn more, see Mute findings in Security Command Center.

Marking assets and findings with security marks

You can add custom properties to findings and assets in Security Command Center by using security marks. Security marks enable you to identify high-priority areas of interest like production projects, tag findings with bug and incident tracking numbers, and more.

Add assets to allowlists

Muting findings is the recommended, and most effective, approach for controlling finding volume. Mute findings when you don't want to review security findings for assets that are isolated or fall within acceptable business parameters.

Alternatively, you can add dedicated security marks to assets so that detectors don't create security findings for those assets.

When dedicated marks are applied to assets, the assets are added to an allowlist in Security Health Analytics and findings for those assets are marked as resolved when the next batch scan runs.

Dedicated security marks must be applied directly to assets, not findings, as described in How allowlists work later on this page. If you apply a mark to a finding, the underlying asset can still generate findings.

How allowlists work

Each Security Health Analytics detector has a dedicated mark type for allowlists, in the form allow_FINDING_TYPE:true. Adding this dedicated mark to an asset excludes the asset from the detection policy. For example, to exclude the finding type SSL_NOT_ENFORCED, set the security mark allow_ssl_not_enforced:true on the related Cloud SQL instance. The specified detector won't create findings for marked assets.

For a complete list of finding types, see the Security Health Analytics detectors list included earlier on this page. To learn more about security marks and techniques for using them, see Using security marks.

Asset types

This section describes how security marks work for different assets.

  • Allowlist assets: When you add a dedicated mark to an asset, like a Cloud Storage bucket or firewall, the associated finding is marked as resolved when the next batch scan runs. The detector will not generate new findings or update existing findings for the asset until the mark is removed.

  • Allowlist projects: When you add a mark to a project resource, findings for which the project itself is the scanned, or target, resource are resolved. However, assets contained within the project, such as virtual machines or crypto keys, can still generate findings.

  • Allowlist folders: When you add a mark to a folder resource, findings for which the folder itself is the scanned, or target, resource are resolved. However, assets contained within the folder, including projects, can still generate findings.

  • Detectors that support multiple assets: If a detector supports more than one asset type, you must apply the dedicated mark to each asset. For instance, the KMS_PUBLIC_KEY detector supports two Cloud Key Management Service assets: CryptoKey and KeyRing. If you apply the mark allow_kms_public_key:true to the CryptoKey asset, KMS_PUBLIC_KEY findings for that asset are resolved but can still be generated for the KeyRing asset.

Security marks are only updated during batch scans, not real-time scans. So, if a dedicated security mark is removed, and the asset has a vulnerability, it could take up to 24 hours before the mark is deleted and a finding is written.
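The allowlist rules from How allowlists work and Asset types above, as a small Python model that previews what the next batch scan would resolve. This is an added example, not Security Health Analytics' own code; the resource names and marks are constructed placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical model of the allowlist rules (not the service's implementation):
# a detector skips an asset only when allow_FINDING_TYPE=true sits on the
# scanned asset itself, not on the finding and not on a parent project/folder.

@dataclass
class Asset:
    name: str                                   # resource name of the scanned asset
    marks: dict = field(default_factory=dict)   # security marks on the asset

@dataclass
class Finding:
    category: str                               # finding type, e.g. SSL_NOT_ENFORCED
    resource_name: str                          # the scanned (target) resource
    marks: dict = field(default_factory=dict)   # marks on the finding itself

def allowlist_mark(category: str) -> str:
    """Dedicated mark key for a detector: allow_ plus the finding type in lower case."""
    return "allow_" + category.lower()

def is_allowlisted(finding: Finding, assets: dict) -> bool:
    # Only the scanned resource's own marks count: a mark on the finding, or on
    # the containing project, leaves the detector active for this asset.
    asset = assets.get(finding.resource_name)
    return asset is not None and asset.marks.get(allowlist_mark(finding.category)) == "true"

def preview_batch_scan(findings: list, assets: dict) -> tuple:
    """Return (resolved, still_active) as the next batch scan would leave them."""
    resolved, active = [], []
    for f in findings:
        (resolved if is_allowlisted(f, assets) else active).append(f)
    return resolved, active

# Constructed sample inventory with placeholder resource names.
ASSETS = {a.name: a for a in [
    Asset("sql/instance-a", {"allow_ssl_not_enforced": "true"}),
    Asset("sql/instance-b"),
    Asset("kms/keyring-1/cryptokey-1", {"allow_kms_public_key": "true"}),
    Asset("kms/keyring-1"),                        # KeyRing is not marked
    Asset("projects/prod", {"allow_bucket_logging_disabled": "true"}),
    Asset("projects/prod/buckets/logs"),           # child asset of the marked project
]}
FINDINGS = [
    Finding("SSL_NOT_ENFORCED", "sql/instance-a"),
    Finding("SSL_NOT_ENFORCED", "sql/instance-b", {"allow_ssl_not_enforced": "true"}),
    Finding("KMS_PUBLIC_KEY", "kms/keyring-1/cryptokey-1"),
    Finding("KMS_PUBLIC_KEY", "kms/keyring-1"),
    Finding("BUCKET_LOGGING_DISABLED", "projects/prod/buckets/logs"),
]
```

Only the two findings whose own asset carries the matching mark are resolved; the mark on the finding, the unmarked KeyRing, and the mark on the parent project leave the other three active.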

Special-case detector: Customer Supplied Encryption Keys

The DISK_CSEK_DISABLED detector isn't on by default. To use this detector, you must mark the assets for which you want to use self-managed encryption keys.

To enable the DISK_CSEK_DISABLED detector for specific assets, apply the security mark enforce_customer_supplied_disk_encryption_keys to the asset with a value of true.

Viewing active finding count by finding type

You can use the Cloud Console or gcloud command-line tool commands to view active finding counts by finding type.

Console

The Security Health Analytics dashboard enables you to view a count of active findings for each finding type.

To view Security Health Analytics findings by finding type, do the following:

  1. Go to Security Command Center in the Cloud Console.

  2. To display Security Health Analytics findings, click the Vulnerabilities tab.

  3. To sort findings by the number of active findings for each finding type, click the Active column header.

gcloud

To use the gcloud tool to get a count of all active findings, you query Security Command Center to get the Security Health Analytics source ID. Then you use the source ID to query the active findings count.

Step 1: Get the source ID

To complete this step, you need your organization ID. To get your organization ID, run gcloud organizations list and note the number next to the organization name.

To get the Security Health Analytics source ID, run:

gcloud scc sources describe organizations/ORGANIZATION_ID \
  --source-display-name='Security Health Analytics'

If you haven't already enabled the Security Command Center API, you are prompted to enable it. When the Security Command Center API is enabled, run the previous command again. The command should display output like the following:

description: Scans for deviations from a GCP security baseline.
displayName: Security Health Analytics
name: organizations/ORGANIZATION_ID/sources/SOURCE_ID

Note the SOURCE_ID to use in the next step.

Step 2: Get the active findings count

Use the SOURCE_ID you noted in the previous step to filter findings from Security Health Analytics. The following gcloud tool command returns a count of findings by category:

gcloud scc findings group organizations/ORGANIZATION_ID/sources/SOURCE_ID \
  --group-by=category --page-size=PAGE_SIZE

You can set the page-size to any value up to 1000. The command should display output like the following, with results from your particular organization:

groupByResults:
- count: '1'
  properties:
    category: MFA_NOT_ENFORCED
- count: '3'
  properties:
    category: ADMIN_SERVICE_ACCOUNT
- count: '2'
  properties:
    category: API_KEY_APIS_UNRESTRICTED
- count: '1'
  properties:
    category: API_KEY_APPS_UNRESTRICTED
- count: '2'
  properties:
    category: API_KEY_EXISTS
- count: '10'
  properties:
    category: AUDIT_CONFIG_NOT_MONITORED
- count: '10'
  properties:
    category: AUDIT_LOGGING_DISABLED
- count: '1'
  properties:
    category: AUTO_UPGRADE_DISABLED
- count: '10'
  properties:
    category: BUCKET_IAM_NOT_MONITORED
- count: '10'
  properties:
    category: BUCKET_LOGGING_DISABLED
nextPageToken: TOKEN
readTime: '2019-08-05T21:56:13.862Z'
totalSize: 50
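A Python helper, added here and not part of the original page, that turns one page of the group-by output above into a sorted per-category summary, checks for a nextPageToken so truncated pages are not mistaken for full totals, and flags categories that belong to the off-by-default detectors listed earlier. The sample output is constructed in the shape shown above.

```python
import re
from collections import Counter

# Constructed sample in the shape `gcloud scc findings group --group-by=category`
# prints: counts are quoted strings; nextPageToken appears when more groups remain.
SAMPLE_OUTPUT = """\
groupByResults:
- count: '1'
  properties:
    category: MFA_NOT_ENFORCED
- count: '10'
  properties:
    category: AUDIT_LOGGING_DISABLED
- count: '10'
  properties:
    category: BUCKET_LOGGING_DISABLED
- count: '2'
  properties:
    category: SQL_NO_ROOT_PASSWORD
nextPageToken: TOKEN
readTime: '2019-08-05T21:56:13.862Z'
totalSize: 50
"""

# Detectors the page lists as off by default; a count for one of them means
# the module was enabled deliberately and is worth tracking separately.
OFF_BY_DEFAULT = {
    "BUCKET_CMEK_DISABLED", "DATASET_CMEK_DISABLED", "DISK_CMEK_DISABLED",
    "DISK_CSEK_DISABLED", "NODEPOOL_BOOT_CMEK_DISABLED", "PUBSUB_CMEK_DISABLED",
    "SQL_CMEK_DISABLED", "SQL_NO_ROOT_PASSWORD", "SQL_WEAK_ROOT_PASSWORD",
}

_ENTRY = re.compile(r"- count: '(\d+)'\n  properties:\n    category: (\w+)")

def parse_group_by(text: str) -> dict:
    """Per-category counts plus pagination hints from one page of output."""
    counts = Counter()
    for count, category in _ENTRY.findall(text):
        counts[category] += int(count)        # counts are quoted strings in the YAML
    total = re.search(r"^totalSize: (\d+)$", text, re.M)
    # nextPageToken means this page does not hold every category group: fetch the
    # remaining pages (or raise --page-size, up to 1000) before trusting the totals.
    has_more = re.search(r"^nextPageToken: \S+$", text, re.M) is not None
    return {"counts": counts, "has_more": has_more,
            "total_size": int(total.group(1)) if total else None}

def summarize(text: str) -> list:
    """(category, active_count, off_by_default) tuples, highest count first."""
    counts = parse_group_by(text)["counts"]
    return [(cat, n, cat in OFF_BY_DEFAULT) for cat, n in counts.most_common()]
```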

Programmatically manage findings

Using the gcloud command-line tool with the Security Command Center SDK enables you to automate anything you can do in the Security Command Center dashboard. You can also remediate many findings using the gcloud tool. For more information, review the documentation for the resource types described in each finding:

What's next