Inspect assets that are monitored by Security Command Center

This page describes how to view, query for, and inspect cloud assets for the purposes of improving your security posture, remediating security issues, and responding to threats.

In Security Command Center, some of the actions that you can perform on assets include the following:

Obtain the required permissions

This section lists the IAM roles that you need to work with assets in the console.

Google Cloud console IAM roles

To work with assets in the Google Cloud console, you need the following IAM roles.

Make sure that you have the following role or roles on the organization:

  • Security Center Assets Viewer (roles/securitycenter.assetsViewer)

Check for the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
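
The same check can be run against an exported copy of the organization's IAM policy, for example the JSON that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` returns. The following is an added example, not code from this documentation or from Google; the sample policy, principals, and the `role_status` helper are constructed for illustration, and group membership is assumed to be supplied by the caller.

```python
import json

# Role this page requires on the organization for the Google Cloud console.
REQUIRED_ROLES = {"roles/securitycenter.assetsViewer"}

# Constructed sample policy in the IAM policy JSON shape (bindings/role/members).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/securitycenter.assetsViewer",
   "members": ["group:secops@example.com"]},
  {"role": "roles/viewer",
   "members": ["user:alice@example.com", "user:bob@example.com"]},
  {"role": "roles/securitycenter.assetsViewer",
   "members": ["user:bob@example.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
]}
""")


def role_status(policy, user_email, group_emails=(), required=REQUIRED_ROLES):
    """Return {role: 'granted' | 'conditional' | 'missing'} for one principal.

    Mirrors the console check: find bindings that name the user or one of the
    user's groups, then see whether the required role is among them. Group
    membership is supplied by the caller (assumption: obtained from an admin).
    """
    identities = {f"user:{user_email.lower()}"}
    identities |= {f"group:{g.lower()}" for g in group_emails}
    status = {role: "missing" for role in required}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        members = {m.lower() for m in binding.get("members", [])}
        if role not in status or not (members & identities):
            continue
        if binding.get("condition"):
            # A conditional binding may not apply right now; flag for review.
            if status[role] == "missing":
                status[role] = "conditional"
        else:
            status[role] = "granted"
    return status


if __name__ == "__main__":
    for user, groups in [("alice@example.com", ["secops@example.com"]),
                         ("bob@example.com", [])]:
        print(user, role_status(SAMPLE_POLICY, user, groups))
```

A result of `conditional` means the role is bound only through a binding that carries an IAM condition, so the condition still has to be reviewed before treating the role as held.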

Grant the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

For more information about Security Command Center roles and permissions, see IAM for organization-level activations.

Security Operations console IAM roles

If you are a Security Command Center Enterprise customer, you can work with assets in the Security Operations console. You need any of the following IAM roles:

  • Chronicle SOAR Admin (roles/chronicle.soarAdmin)
  • Chronicle SOAR Threat Manager (roles/chronicle.soarThreatManager)
  • Chronicle SOAR Vulnerability Manager (roles/chronicle.soarVulnerabilityManager)

For information about granting the role to a user, see Map and authorize users using IAM.

List of assets in Security Command Center

Assets are listed in the query results of the Assets page in the Google Cloud console and—for Security Command Center Enterprise customers—the Resources page in the Security Operations console.

If Security Command Center is activated at the organization level, you can view assets for your entire organization or you can filter assets by specific projects, resource types, and location.

If Security Command Center is activated at the project level, you can filter assets by resource type and location in the Google Cloud console.

The list of assets is provided by Cloud Asset Inventory. In most cases, Cloud Asset Inventory updates the list within minutes after assets are created, modified, or removed in your Google Cloud environment.

For more information about Cloud Asset Inventory, see Introduction to Cloud Asset Inventory.

Working with assets in the Security Command Center Enterprise consoles

If you are a Security Command Center Enterprise customer, you can work with assets in two consoles:

  • Google Cloud console Assets page: available in all service tiers
  • Security Operations console Resources page: available in the Enterprise tier only

The Resources page in the Security Operations console is in Preview.

On this page, the steps for working with assets in the two consoles are described side-by-side on separate tabs.

For more information, see Security Command Center Enterprise consoles.

View all assets

For information about how to view your assets, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.


  2. Select your Google Cloud project or organization.

Security Operations console

In the Security Operations console, go to the Resources page.

https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources

Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

For more information about this console, see Security Operations console.

Sort assets

To sort assets, click the column heading for the value that you want to sort by. Columns are sorted by numeric and then alphabetical order.

Search for assets

By default, all assets in the organization are displayed in the query results. To search for specific assets in Security Command Center, you can use quick filters or specify custom filters.

Perform a high-level search using quick filters

To perform a high-level search of your assets, you can use quick filters. For example, you can search by project, resource type, or location. For more information, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.


  2. In the Quick filters panel, select one or more attribute filters to add them to a query.

Security Operations console

  1. In the Security Operations console, go to the Resources page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. To filter for Google Cloud resources, click Google Cloud resources.
  3. To filter for Amazon Web Services (AWS) resources, click AWS resources.
  4. To filter for resources that have specific attribute values, follow these steps:
    1. In the Filters panel, click an attribute value and click Show only. The query is updated accordingly.
    2. To add another attribute value to the query, click the attribute value and click and show only.
    3. To remove an attribute value from the query, click the attribute value and click Do not show only.
  5. To copy an attribute value, click the attribute value and click Copy.

Edit asset queries

For information about how to edit asset queries, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.


  2. Click the Asset query tab.
  3. Edit the query in any of the following ways:
    • On the Query library subtab, select a prebuilt query. Click Apply. The query in the Edit query panel is updated accordingly.
    • In the Select table panel, click the asset type that you want to query on. On the Schema subtab, find the attribute that you want to add to the query. The attribute is added to the Edit query panel.
    • Edit the query directly in the Edit query panel.
  4. Click Run. The query results are updated accordingly.

Security Operations console

  1. In the Security Operations console, go to the Resources page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. To filter for Google Cloud resources, click Google Cloud resources.
  3. To filter for Amazon Web Services (AWS) resources, click AWS resources.
  4. Click Add filter. The Filters dialog appears. This dialog lets you choose supported resource attributes and values.
  5. For Filter, select an attribute to filter on.
  6. Set the filter evaluation option and attribute value. The available evaluation options differ depending on the attribute that you selected.
    • To filter for resources that have a specific attribute value, select Show only. In the Value list, select the attribute value.
    • To filter for resources that have an attribute value containing a specific string, select Contains. In the Value field, enter the string.

      The Contains evaluation option follows the query syntax for the text partial match operator. It converts your search term into one or more tokens, using special characters as delimiters, and requires an entire token to match. To match only a portion of a token, use an asterisk (*) as a token prefix match indicator.

    • To filter for resources based on a timestamp, select Before or After. In the Value field, enter the timestamp.
  7. To add another filter, follow these steps:
    1. Click Add filter.
    2. Set the attribute, evaluation option, and attribute value.
    3. Set the logical relationship between the filters. For Logical operator, select AND or OR.
  8. Click Apply. The query editor is updated and the query results are filtered accordingly.
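
The token behavior of the Contains option described in step 6 decides which assets a filter silently leaves out. The following is an added example, not code from this documentation or from Google: a simplified model that assumes every non-alphanumeric character is a delimiter, that matching ignores case, that every search token must match some token of the value, and that the asterisk is written after the prefix (as in `prod*`). The resource names are constructed.

```python
import re

# Simplified model (assumptions): any non-alphanumeric character is a
# delimiter, matching ignores case, every search token must match some token
# of the value, and '*' is written after the prefix (for example "prod*").

def tokenize(text):
    """Split text into lower-case alphanumeric tokens."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]


def contains_match(search_term, attribute_value):
    """Return True if every search token matches a whole token of the value."""
    value_tokens = tokenize(attribute_value)
    # Keep '*' attached to its term so a prefix search can be recognized.
    terms = [t for t in re.split(r"[^0-9a-z*]+", search_term.lower())
             if t.strip("*")]
    if not terms:
        return False
    for term in terms:
        if term.endswith("*"):
            prefix = term.rstrip("*")
            if not any(tok.startswith(prefix) for tok in value_tokens):
                return False
        elif term not in value_tokens:
            return False
    return True


# Constructed resource names, not taken from a real environment.
SAMPLE_ASSETS = [
    "//compute.googleapis.com/projects/prod-payments/zones/us-central1-a/instances/web-frontend-01",
    "//storage.googleapis.com/production-backups",
    "//compute.googleapis.com/projects/dev-sandbox/zones/us-east1-b/instances/prodigy-test",
]


def filter_assets(search_term, assets=SAMPLE_ASSETS):
    """Return the assets whose name passes the Contains model above."""
    return [a for a in assets if contains_match(search_term, a)]


if __name__ == "__main__":
    for term in ("prod", "prod*", "front", "web-frontend"):
        print(f"{term!r}: {len(filter_assets(term))} match(es)")
```

In this model, `prod` misses `production-backups` because `production` is a different token, while `prod*` also returns `prodigy-test`, so a review of production assets needs the prefix form plus a second filter to narrow the results.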

Inspect asset details

This section describes how you can learn more about the details of a particular asset.

View the high-level details

  1. Search for the asset.
  2. In the query results, click the name of the asset. The details panel for the asset opens and displays a summary of its details.

View the full details of an asset

To view all details about an asset, including low-level metadata, follow these steps:

  1. Search for the asset.
  2. In the query results, click the name of the asset. The details panel for the asset opens.
  3. Click the Full metadata tab. All property names and values of the asset are displayed in a tree structure.
  4. To search for a particular property name or value in the tree, enter the name or value in the filter.

View the findings related to an asset

  1. Search for the asset.
  2. In the query results, click the name of the asset. The details panel for the asset opens.
  3. Click the Findings tab. All findings related to the asset are displayed.

View the changes to an asset

You can compare snapshots of the metadata of an asset to see what has changed.

For information about how to see the changes to an asset over time, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.


  2. Search for the asset.
  3. In the list of assets in the results panel, click the name of the asset. The details panel for the asset opens.
  4. In the details panel for the asset, click the Change history tab.
  5. On the Change history tab, select both a Start time and an End time.
  6. In the Select a record to compare list on the left, select a snapshot.
  7. In the Select a record to compare list on the right, select a snapshot to compare with the first snapshot that you selected. The changes between the two snapshots are highlighted.

Security Operations console

  1. In the Security Operations console, go to the Resources page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Search for the asset.
  3. In the list of assets in the results panel, click the name of the asset. The details panel for the asset opens.
  4. In the details panel for the asset, click the Change history tab.
  5. In the Compare list on the left, select a snapshot.
  6. In the Compare list on the right, select a snapshot to compare with the first snapshot that you selected. The changes between the two snapshots are highlighted.

View the IAM policies associated with an asset

  1. Search for the asset.
  2. In the query results, click the name of the asset. The details panel for the asset opens.
  3. Click the IAM policies tab. The IAM policies associated with the asset are displayed.

View the high-value resource set

You can view the high-value resources that Risk Engine included in the last attack path simulations. You can also view the attack exposure scores that Risk Engine calculated for each resource. For more information, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Assets page of Security Command Center.


  2. Click the High value resource set tab.
  3. Click the subtab for the cloud provider that you want to view:
    • To view high-value Google Cloud resources, click Google. To view the details of a resource, click its resource name.
    • To view high-value Amazon Web Services (AWS) resources, click AWS.
    • To view high-value Microsoft Azure resources, click Azure.
  4. To view the attack path simulation details for the resource, click the resource's attack exposure score. For information about how to interpret the attack paths, see Attack paths.

Security Operations console

In the Security Operations console, you can view the high-value resource set, but you can't view the attack path simulation details of the resources. To view the attack path simulation details, use the Google Cloud console instead.

To view the high-value resource set in the Security Operations console, follow these steps:

  1. In the Security Operations console, go to the Resources page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Click the High value resource set tab.
  3. Click the subtab for the cloud provider that you want to view:
    • To view high-value Google Cloud resources, click Google Cloud resources.
    • To view high-value Amazon Web Services (AWS) resources, click AWS resources.
  4. To view the details of a resource, click its resource display name.

Filter assets by their Created or Last updated timestamp

For information about how to filter assets by timestamp, click the tab for the console that you are using.

Google Cloud console

You can filter or sort the assets in the results panel of the Assets page by their Created and Last updated timestamps.

To filter based on the Created timestamp, Last updated timestamp, or both, follow these steps:

  1. In the Google Cloud console, go to the Assets page of Security Command Center.


  2. At the top of the results panel on the Assets page, place your cursor in the Filter field. A menu of filters opens.
  3. Scroll to the Create time or Update time section and select one of the time-based filter options. For example, Update time after. A filter is added to the Filter field.
  4. In the filter field, type a date in the format MM/DD/YYYY and press Enter on your keyboard.

The assets in the results panel are updated to show only the assets that match your filter.

Security Operations console

This feature is not available in the Security Operations console.

Customize the asset query results page

To control screen space, you can customize some of the elements that appear in the query results.

Hide or display columns

For information about how to hide or display columns in the query results, click the tab for the console that you are using.

Google Cloud console

  1. At the top of the results panel, click Columns.
  2. Select the columns that you want to display.
  3. Clear the selections for columns that you want to hide.
  4. Click Apply to apply the changes to the query results.

Security Operations console

  1. At the top of the results panel, click Open column selector. The Manage columns menu opens.
  2. Select the columns that you want to display.
  3. Clear the selections for columns that you want to hide.
  4. Close the menu.

Hide or resize the quick filters panel

To increase the screen space for query results, you can hide or resize panels. For more information, click the tab for the console that you are using.

Google Cloud console

  • To hide the Quick filters side panel, click the left arrow.
  • To display the Quick filters side panel, click the right arrow.
  • To resize the display columns, drag the dividing line left or right.

Security Operations console

  • To hide the Filters side panel, click Close sidebar.
  • To display the Filters side panel, click Open sidebar.

What's next