Crea módulos personalizados de Event Threat Detection

Código de muestra para la creación de módulos personalizados de Event Threat Detection.

Muestra de código

Go

Para autenticarte en Security Command Center, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.


import (
	"context"
	"fmt"
	"io"
	"regexp"

	securitycentermanagement "cloud.google.com/go/securitycentermanagement/apiv1"
	securitycentermanagementpb "cloud.google.com/go/securitycentermanagement/apiv1/securitycentermanagementpb"
	"github.com/google/uuid"
	"google.golang.org/protobuf/types/known/structpb"
)

// createEventThreatDetectionCustomModule creates a custom module for Event Threat Detection.
// createEventThreatDetectionCustomModule creates an Event Threat Detection custom
// module of type CONFIGURABLE_BAD_IP under parent and writes the resource name of
// the created module to w.
//
// parent is the location-scoped resource that will own the module; any of these
// forms is accepted:
//   - organizations/{organization_id}/locations/{location_id}
//   - folders/{folder_id}/locations/{location_id}
//   - projects/{project_id}/locations/{location_id}
//
// The module config written here (severity, description, recommendation, ips)
// holds sample values only. The single "ips" entry, 0.0.0.0, is a placeholder
// and should be replaced with the addresses the module is meant to flag before
// the module is relied on for detection.
//
// It returns a wrapped error if the client cannot be created, if the config map
// cannot be converted to a protobuf Struct, or if the Create call fails.
func createEventThreatDetectionCustomModule(w io.Writer, parent string) error {
	ctx := context.Background()

	client, err := securitycentermanagement.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycentermanagement.NewClient: %w", err)
	}
	defer client.Close()

	// A fresh UUID keeps the display name unique across repeated runs. The
	// canonical UUID text is hex digits and hyphens, so after this rewrite
	// only [a-zA-Z0-9_] remains (the hyphens become underscores).
	nonWordChars := regexp.MustCompile(`[^a-zA-Z0-9_]`)
	suffix := nonWordChars.ReplaceAllString(uuid.New().String(), "_")
	displayName := fmt.Sprintf("go_sample_etd_custom_module_%s", suffix)

	// Module-specific config, expressed as a plain map so structpb can convert it.
	metadata := map[string]interface{}{
		"severity": "MEDIUM",
		// Replace with the desired description.
		"description":    "Sample custom module for testing purpose. Please do not delete.",
		"recommendation": "na",
	}
	moduleConfig := map[string]interface{}{
		"metadata": metadata,
		"ips":      []interface{}{"0.0.0.0"}, // placeholder indicator list
	}

	configStruct, err := structpb.NewStruct(moduleConfig)
	if err != nil {
		return fmt.Errorf("structpb.NewStruct: %w", err)
	}

	createReq := &securitycentermanagementpb.CreateEventThreatDetectionCustomModuleRequest{
		Parent: parent,
		EventThreatDetectionCustomModule: &securitycentermanagementpb.EventThreatDetectionCustomModule{
			Config: configStruct,
			// Replace with the desired display name.
			DisplayName:     displayName,
			EnablementState: securitycentermanagementpb.EventThreatDetectionCustomModule_ENABLED,
			Type:            "CONFIGURABLE_BAD_IP",
		},
	}

	created, err := client.CreateEventThreatDetectionCustomModule(ctx, createReq)
	if err != nil {
		return fmt.Errorf("failed to create EventThreatDetectionCustomModule: %w", err)
	}

	fmt.Fprintf(w, "Created EventThreatDetectionCustomModule: %s\n", created.Name)
	return nil
}

Java

Para autenticarte en Security Command Center, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.

import com.google.cloud.securitycentermanagement.v1.CreateEventThreatDetectionCustomModuleRequest;
import com.google.cloud.securitycentermanagement.v1.EventThreatDetectionCustomModule;
import com.google.cloud.securitycentermanagement.v1.EventThreatDetectionCustomModule.EnablementState;
import com.google.cloud.securitycentermanagement.v1.SecurityCenterManagementClient;
import com.google.protobuf.ListValue;
import com.google.protobuf.Struct;
import com.google.protobuf.Value;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CreateEventThreatDetectionCustomModule {

  /**
   * Sample entry point: creates one CONFIGURABLE_BAD_IP custom module in the configured
   * project.
   *
   * <p>Both values below are placeholders and must be replaced before running.
   */
  public static void main(String[] args) throws IOException {
    // https://cloud.google.com/security-command-center/docs/reference/security-center-management/rest/v1/organizations.locations.eventThreatDetectionCustomModules/create
    // TODO: Developer should replace project_id with a real project ID before running this code
    String projectId = "project_id";
    String customModuleDisplayName = "custom_module_display_name";

    createEventThreatDetectionCustomModule(projectId, customModuleDisplayName);
  }

  /**
   * Creates an Event Threat Detection custom module of type CONFIGURABLE_BAD_IP under
   * {@code projects/<projectId>/locations/global}.
   *
   * <p>The module config (severity, description, recommendation, ips) holds sample values only;
   * the single "ips" entry, 0.0.0.0, is a placeholder to be replaced with the addresses the
   * module is meant to flag.
   *
   * @param projectId ID of the project that will own the module
   * @param customModuleDisplayName display name assigned to the new module
   * @return the module as returned by the create call
   * @throws IOException if the client cannot be created
   */
  public static EventThreatDetectionCustomModule createEventThreatDetectionCustomModule(
      String projectId, String customModuleDisplayName) throws IOException {

    // The client is created per call here; a long-lived application would create it once and
    // reuse it for many requests.
    try (SecurityCenterManagementClient client = SecurityCenterManagementClient.create()) {
      String parent = String.format("projects/%s/locations/global", projectId);

      Struct configStruct =
          Struct.newBuilder()
              .putFields("metadata", buildMetadata())
              .putFields("ips", buildIps())
              .build();

      // Update the EnablementState below if the module should start disabled.
      EventThreatDetectionCustomModule module =
          EventThreatDetectionCustomModule.newBuilder()
              .setConfig(configStruct)
              .setDisplayName(customModuleDisplayName)
              .setEnablementState(EnablementState.ENABLED)
              .setType("CONFIGURABLE_BAD_IP")
              .build();

      CreateEventThreatDetectionCustomModuleRequest request =
          CreateEventThreatDetectionCustomModuleRequest.newBuilder()
              .setParent(parent)
              .setEventThreatDetectionCustomModule(module)
              .build();

      return client.createEventThreatDetectionCustomModule(request);
    }
  }

  /** Builds the "metadata" sub-struct: severity, description and recommendation. */
  private static Value buildMetadata() {
    Struct metadata =
        Struct.newBuilder()
            .putFields("severity", stringValue("MEDIUM"))
            .putFields("description", stringValue("add your description here"))
            .putFields("recommendation", stringValue("add your recommendation here"))
            .build();
    return Value.newBuilder().setStructValue(metadata).build();
  }

  /** Builds the "ips" list value; 0.0.0.0 is a placeholder entry. */
  private static Value buildIps() {
    List<Value> ips = Arrays.asList(stringValue("0.0.0.0"));
    ListValue list = ListValue.newBuilder().addAllValues(ips).build();
    return Value.newBuilder().setListValue(list).build();
  }

  /** Wraps a plain string in a protobuf {@link Value}. */
  private static Value stringValue(String s) {
    return Value.newBuilder().setStringValue(s).build();
  }
}

Node.js

Para autenticarte en Security Command Center, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.

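// Imports the Google cloud client library.
const {SecurityCenterManagementClient} =
  require('@google-cloud/securitycentermanagement').v1;

// Create a Security Center Management client
const client = new SecurityCenterManagementClient();

/**
 *  Required. The name of the parent resource of the create event threat detection module. Its
 *  format is "organizations/[organization_id]/locations/[location_id]",
 *  "folders/[folder_id]/locations/[location_id]", or
 *  "projects/[project_id]/locations/[location_id]".
 */
//TODO(developer): Update the following references for your own environment before running the sample.
// const organizationId = 'YOUR_ORGANIZATION_ID';
// const location = 'LOCATION_ID';
// customModuleDisplayName is read below and is not defined anywhere else in
// this sample; it must be set here as well or the script fails at startup.
// const customModuleDisplayName = 'YOUR_DISPLAY_NAME';
const parent = `organizations/${organizationId}/locations/${location}`;

// define the event threat detection custom module configuration, update the EnablementState
// below
const eventThreatDetectionCustomModule = {
  displayName: customModuleDisplayName,
  enablementState: 'ENABLED',
  type: 'CONFIGURABLE_BAD_IP',
  // prepareConfigDetails is a function declaration further down; hoisting
  // makes it callable here.
  config: prepareConfigDetails(),
};

// Build the request.
const createEventThreatDetectionCustomModuleRequest = {
  parent: parent,
  eventThreatDetectionCustomModule: eventThreatDetectionCustomModule,
};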

/**
 * Sends the create request built at module level and logs the module the API
 * returns.
 *
 * Reads the module-level `client` and `createEventThreatDetectionCustomModuleRequest`.
 */
async function createEventThreatDetectionCustomModule() {
  const result = await client.createEventThreatDetectionCustomModule(
    createEventThreatDetectionCustomModuleRequest
  );
  const response = result[0];
  console.log('EventThreatDetectionCustomModule created : %j', response);
}

/**
 * Builds the module config as a protobuf Struct literal: a `metadata` struct
 * (severity, description, recommendation) and an `ips` list.
 *
 * The values are sample data; the `ips` entries use the 192.0.2.0/24
 * documentation range and should be replaced with the addresses the module
 * is meant to flag.
 *
 * @returns {object} Struct-shaped config for the custom module.
 */
function prepareConfigDetails() {
  const metadataFields = {
    severity: {stringValue: 'LOW'},
    description: {stringValue: 'Flagged by Cymbal as malicious'},
    recommendation: {
      stringValue: 'Contact the owner of the relevant project.',
    },
  };
  const ipValues = [{stringValue: '192.0.2.1'}, {stringValue: '192.0.2.0/24'}];

  return {
    fields: {
      metadata: {structValue: {fields: metadataFields}},
      ips: {listValue: {values: ipValues}},
    },
  };
}

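// Run the sample. Without a catch, a failed API call surfaces only as an
// unhandled promise rejection; report it and exit non-zero instead.
createEventThreatDetectionCustomModule().catch(err => {
  console.error(err.message);
  process.exitCode = 1;
});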

¿Qué sigue?

Para buscar y filtrar muestras de código para otros productos de Google Cloud, consulta el navegador de muestras de Google Cloud.