Inspect resources related to findings

This page describes how to work with cloud resources for the purposes of improving your security posture, remediating security issues, and responding to threats.

In Security Command Center, some of the actions that you can perform on resources include the following:

  • View resources
  • Query resources
  • Inspect resource details
  • Review findings related to a resource

Obtain the required permissions

This section lists the IAM roles that you need to work with resources in the console.

Google Cloud console IAM roles

To work with resources in the Google Cloud console, you need the following IAM roles.

Make sure that you have the following role or roles on the organization:

  • Security Center Assets Viewer (roles/securitycenter.assetsViewer)

Check for the roles

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM
  2. Select the organization.
  3. In the Principal column, find the row that has your email address.

    If your email address isn't in that column, then you do not have any roles.

  4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM
  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your email address.
  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

For more information about Security Command Center roles and permissions, see IAM for organization-level activations.

Security Operations console IAM roles

If you are a Security Command Center Enterprise customer, you can work with resources in the Security Operations console. You need any of the following IAM roles:

  • Chronicle SOAR Admin (roles/chronicle.soarAdmin)
  • Chronicle SOAR Threat Manager (roles/chronicle.soarThreatManager)
  • Chronicle SOAR Vulnerability Manager (roles/chronicle.soarVulnerabilityManager)

For information about granting the role to a user, see Map and authorize users using IAM.
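The two role checks described above (every listed role for the Google Cloud console, any one of the listed roles for the Security Operations console) can also be run against an exported IAM policy. The following is an added example, not part of the original documentation: the sample policy and principals are constructed, the function names are hypothetical, and only direct bindings are evaluated (group membership and inherited policies are not expanded).

```python
import json

# Role sets taken from this page.
CLOUD_CONSOLE_ROLES = {"roles/securitycenter.assetsViewer"}  # all are required
SECOPS_CONSOLE_ROLES = {                                      # any one suffices
    "roles/chronicle.soarAdmin",
    "roles/chronicle.soarThreatManager",
    "roles/chronicle.soarVulnerabilityManager",
}

# Constructed sample in the shape printed by, for example,
# `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/securitycenter.assetsViewer",
     "members": ["user:alice@example.com", "group:secops@example.com"]},
    {"role": "roles/chronicle.soarThreatManager",
     "members": ["user:bob@example.com"],
     "condition": {"title": "expires-soon",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 3
}
""")


def roles_for(policy, member):
    """Map each role bound directly to `member` to True if it is only conditional."""
    found = {}
    for binding in policy.get("bindings", []):
        if member.lower() in (m.lower() for m in binding.get("members", [])):
            conditional = "condition" in binding
            # An unconditional binding of the same role wins over a conditional one.
            found[binding["role"]] = found.get(binding["role"], True) and conditional
    return found


def check_access(policy, member):
    """Report console access per the page: all Cloud console roles, any SecOps role."""
    held = roles_for(policy, member)
    return {
        "cloud_console_missing": sorted(CLOUD_CONSOLE_ROLES - held.keys()),
        "secops_console_roles": sorted(SECOPS_CONSOLE_ROLES & held.keys()),
        "conditional_roles": sorted(r for r, c in held.items() if c),
    }
```

An empty `cloud_console_missing` list means the principal holds the required Google Cloud console role directly; any entry in `conditional_roles` is a grant that applies only while its IAM condition evaluates to true.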

The resources page

Resources are listed in the query results of the Assets page in the Google Cloud console and—for Security Command Center Enterprise customers—the Resources page in the Security Operations console.

If Security Command Center is activated at the organization level, you can view resources for your entire organization or you can filter resources by specific projects, resource types, and location.

If Security Command Center is activated at the project level, you can filter resources by resource type and location in the Google Cloud console.

The list of resources is provided by Cloud Asset Inventory. In most cases, Cloud Asset Inventory updates the list within minutes after resources are created, modified, or removed in your Google Cloud environment.

For more information about Cloud Asset Inventory, see Introduction to Cloud Asset Inventory.

Working with resources in the Security Command Center Enterprise consoles

If you are a Security Command Center Enterprise customer, you can work with resources in two consoles:

  • Google Cloud console Assets page: available in all service tiers
  • Security Operations console Resources page: available in the Enterprise tier only

The Resources page in the Security Operations console is in Preview.

On this page, the steps for working with resources in the two consoles are described side-by-side on separate tabs.

For more information, see Security Command Center Enterprise consoles.

View resources

For information about how to view your resources, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.

    Go to Assets

  2. Select your Google Cloud project or organization.

Security Operations console

In the Security Operations console, go to the Resources page.

https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources

Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

This feature is in Preview and is available to Security Command Center Enterprise customers only.

For more information about this console, see Security Operations console.

Sort resources

To sort resources, click the column heading for the value that you want to sort by. Columns are sorted by numeric and then alphabetical order.

Filter resources

This section describes how to run common queries to review your resources in Security Command Center.

By default, all resources in the selected project, folder, or organization are displayed in the query results. You can filter the results to specific resources by using quick filters or by specifying more customized filters. For more information, click the tab for the console that you are using.

Google Cloud console

To filter results by resource type, project ID, or location, use the Quick filters panel.

To view the high-value resources that Risk Engine included in the last attack path simulations, click the High value resource set tab. You can also view the attack exposure scores that Risk Engine calculated for each resource.

To apply prebuilt filters to review resource data, click the Asset query tab.

Security Operations console

On the Google Cloud resources tab, in the Filters panel, you can filter the results by resource type, project ID, or location.

The High value resource set tab lets you view the high-value resources that Risk Engine included in the last attack path simulations as well as the attack exposure scores that Risk Engine calculated for each resource.

This feature is in Preview and is available to Security Command Center Enterprise customers only.

Filter resources

In quick filters, you can filter by project ID, resource type, and location.

For information about how to use quick filters, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.

    Go to Assets

  2. In the Quick filters panel, select one or more attribute filters to add them to a query.

Security Operations console

  1. In the Security Operations console, go to the Resources page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. To filter for resources that have specific attribute values, follow these steps:
    1. In the Filters panel, click an attribute value and click Show only. The query is updated accordingly.
    2. To add another attribute value to the query, click the attribute value and click and show only.
    3. To remove an attribute value from the query, click the attribute value and click Do not show only.
  3. To copy an attribute value, click the attribute value and click Copy.

This feature is in Preview and is available to Security Command Center Enterprise customers only.

Edit resource queries

For information about how to edit resource queries, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.

    Go to Assets

  2. Click the Asset query tab.
  3. Edit the query in any of the following ways:
    • On the Query library subtab, select a prebuilt query. Click Apply. The query in the Edit query panel is updated accordingly.
    • In the Select table panel, click the resource type that you want to query on. On the Schema subtab, find the attribute that you want to add to the query. The attribute is added to the Edit query panel.
    • Edit the query directly in the Edit query panel.
  4. Click Run. The query results are updated accordingly.

Security Operations console

  1. In the Security Operations console, go to the Resources page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Click Add filter. The Filters dialog appears. This dialog lets you choose supported resource attributes and values.
  3. For Filter, select an attribute to filter on.
  4. Set the filter evaluation option and attribute value. The available evaluation options differ depending on the attribute that you selected.
    • To filter for resources that have a specific attribute value, select Show only. In the Value list, select the attribute value.
    • To filter for resources that have an attribute value containing a specific string, select Contains. In the Value field, enter the string.
    • To filter for resources based on a timestamp, select Before or After. In the Value field, enter the timestamp.
  5. To add another filter, follow these steps:
    1. Click Add filter.
    2. Set the attribute, evaluation option, and attribute value.
    3. Set the logical relationship between the filters. For Logical operator, select AND or OR.
  6. Click Apply. The query editor is updated and the query results are filtered accordingly.

This feature is in Preview and is available to Security Command Center Enterprise customers only.

View the changes to a resource

You can compare snapshots of the metadata of a resource to see what has changed.

For information about how to see the changes to a resource over time, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.

    Go to Assets

  2. Locate the resource that you need to review by scrolling or by applying the appropriate filters to the listed resources.
  3. In the list of resources in the results panel, click the name of the resource. The details panel for the resource opens.
  4. In the details panel for the resource, click the Change history tab.
  5. On the Change history tab, select both a Start time and an End time.
  6. In the Select a record to compare list on the left, select a snapshot.
  7. In the Select a record to compare list on the right, select a snapshot to compare with the first snapshot that you selected. The changes between the two snapshots are highlighted.

Security Operations console

  1. In the Security Operations console, go to the Resources page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Locate the resource that you need to review by scrolling or by applying the appropriate filters to the listed resources.
  3. In the list of resources in the results panel, click the name of the resource. The details panel for the resource opens.
  4. In the details panel for the resource, click the Change history tab.
  5. In the Compare list on the left, select a snapshot.
  6. In the Compare list on the right, select a snapshot to compare with the first snapshot that you selected. The changes between the two snapshots are highlighted.

This feature is in Preview and is available to Security Command Center Enterprise customers only.

Filter resources by their Created or Last updated timestamp

For information about how to filter resources by timestamp, click the tab for the console that you are using.

Google Cloud console

You can filter or sort the resources in the results panel of the Assets page by their Created and Last updated timestamps.

To filter based on the Created timestamp, Last updated timestamp, or both, follow these steps:

  1. In the Google Cloud console, go to the Assets page of Security Command Center.

    Go to Assets

  2. At the top of the results panel on the Assets page, place your cursor in the Filter field. A menu of filters opens.
  3. Scroll to the Create time or Update time section and select one of the time-based filter options. For example, Update time after. A filter is added to the Filter field.
  4. In the filter field, type a date in the format MM/DD/YYYY and press Enter on your keyboard.

The resources in the results panel are updated to show only the resources that match your filter.

Security Operations console

This feature is not available in the Security Operations console.

Customize the Assets page in the Google Cloud console

To control the screen space, you can customize some of the elements that appear on the Assets page.

Hide or display columns

You can hide any column except for Display name. To hide a column, follow these steps:

  1. In the Google Cloud console, go to the Assets page of Security Command Center.

    Go to Assets

  2. At the top of the results panel on the right side, click the Column display options icon.

  3. In the menu that appears, you can display or hide a column by selecting or deselecting the checkbox next to the column name.

Hide or resize the Quick filters panel

To control the screen space for the Assets page, you can change the following options:

  • Hide the Quick filters side panel by clicking the left arrow.
  • Resize the display columns by dragging the dividing line left or right.
