This page describes how to work with cloud resources for the purposes of improving your security posture, remediating security issues, and responding to threats.
In Security Command Center, some of the actions that you can perform on resources include the following:
Obtain the required permissions
This section lists the IAM roles that you need to work with resources in the console.
Google Cloud console IAM roles
To work with resources in the Google Cloud console, you need the following IAM roles.
Make sure that you have the following role or roles on the organization:
- Security Center Assets Viewer (
roles/securitycenter.assetsViewer
)
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
For more information about Security Command Center roles and permissions, see IAM for organization-level activations.
Security Operations console IAM roles
If you are a Security Command Center Enterprise customer, you can work with resources in the Security Operations console. You need any of the following IAM roles:
- Chronicle SOAR Admin (
roles/chronicle.soarAdmin
) - Chronicle SOAR Threat Manager (
roles/chronicle.soarThreatManager
) - Chronicle SOAR Vulnerability Manager
(
roles/chronicle.soarVulnerabilityManager
)
For information about granting the role to a user, see Map and authorize users using IAM.
The resources page
Resources are listed in the query results of the Assets page in the Google Cloud console and—for Security Command Center Enterprise customers—the Resources page in the Security Operations console.
If Security Command Center is activated at the organization level, you can view resources for your entire organization or you can filter resources by specific projects, resource types, and location.
If Security Command Center is activated at the project level, you can filter resources by resource type and location in the Google Cloud console.
The list of resources is provided by Cloud Asset Inventory. In most cases, Cloud Asset Inventory updates the list within minutes after resources are created, modified, or removed in your Google Cloud environment.
For more information about Cloud Asset Inventory, see Introduction to Cloud Asset Inventory.
Working with resources in the Security Command Center Enterprise consoles
If you are a Security Command Center Enterprise customer, you can work with resources in two consoles:
- Google Cloud console Assets page: available in all service tiers
- Security Operations console Resources page: available in the Enterprise tier only
The Resources page in the Security Operations console is in Preview.
On this page, the steps for working with resources in the two consoles are described side-by-side on separate tabs.
For more information, see Security Command Center Enterprise consoles.
View all resources
For information about how to view your resources, click the tab for the console that you are using.
Google Cloud console
- In the Google Cloud console, go to the Assets page of Security Command Center.
- Select your Google Cloud project or organization.
Security Operations console
In the Security Operations console, go to the Resources page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
Replace CUSTOMER_SUBDOMAIN
with your customer-specific identifier.
For more information about this console, see Security Operations console.
Sort resources
To sort resources, click the column heading for the value that you want to sort by. Columns are sorted by numeric and then alphabetical order.
Search for resources
By default, all resources in the organization are displayed in the resource query results. To search for specific resources in Security Command Center, you can use quick filters or specify custom filters.
Perform a high-level search using quick filters
To perform a high-level search of your resources, you can use quick filters. For example, you can search by project, resource type, or location. For more information, click the tab for the console that you are using.
Google Cloud console
- In the Google Cloud console, go to the Assets page of Security Command Center.
- In the Quick filters panel, select one or more attribute filters to add them to a query.
Security Operations console
-
In the Security Operations console, go to the Resources page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier. - To filter for Google Cloud resources, click Google Cloud resources.
- To filter for Amazon Web Services (AWS) resources, click AWS resources.
- To filter for resources that have specific attribute values,
follow these steps:
- In the Filters panel, click an attribute value and click Show only. The query is updated accordingly.
- To add another attribute value to the query, click the attribute value and click and show only.
- To remove an attribute value from the query, click the attribute value and click Do not show only.
- To copy an attribute value, click the attribute value and click Copy.
Edit resource queries
For information about how to edit resource queries, click the tab for the console that you are using.
Google Cloud console
- In the Google Cloud console, go to the Assets page of Security Command Center.
- Click the Asset query tab.
- Edit the query in any of the following ways:
- On the Query library subtab, select a prebuilt query. Click Apply. The query in the Edit query panel is updated accordingly.
- In the Select table panel, click the resource type that you want to query on. On the Schema subtab, find the attribute that you want to add to query. The attribute is added to the Edit query panel.
- Edit the query directly in the Edit query panel.
- Click Run. The query results are updated accordingly.
Security Operations console
-
In the Security Operations console, go to the Resources page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier. - To filter for Google Cloud resources, click Google Cloud resources.
- To filter for Amazon Web Services (AWS) resources, click AWS resources.
- Click Add filter. The Filters dialog appears. This dialog lets you choose supported resource attributes and values.
- For Filter, select an attribute to filter on.
- Set the filter evaluation option and attribute value. The available
evaluation options differ depending on the attribute that you selected.
- To filter for resources that have a specific attribute value, select Show only. In the Value list, select the attribute value.
- To filter for resources that have an attribute value containing a
specific string, select Contains. In the Value field, enter
the string.
The Contains evaluation option follows the query syntax for the text partial match operator. It converts your search term into one or more tokens, using special characters as delimiters, and requires an entire token to match. To match only a portion of a token, use an asterisk (
*
) as a token prefix match indicator. - To filter for resources based on a timestamp, select Before or After. In the Value field, enter the timestamp.
- To add another filter, follow these steps:
- Click Add filter.
- Set the attribute, evaluation option, and attribute value.
- Set the logical relationship between the filters. For Logical
operator, select
AND
orOR
.
- Click Apply. The query editor is updated and the query results are filtered accordingly.
Inspect resource details
This section describes how you can learn more about the details of a particular resource.
View the high-level details
- Search for the resource.
- In the query results, click the name of the resource. The details panel for the resource opens and displays a summary of its details.
View the full details of a resource
To view all details about a resource, including low-level metadata, follow these steps:
- Search for the resource.
- In the query results, click the name of the resource. The details panel for the resource opens.
- Click the Full metadata tab. All property names and values of the resource are displayed in a tree structure.
- To search for a particular property name or value in the tree, enter the name or value in the filter.
View the findings related to a resource
- Search for the resource.
- In the query results, click the name of the resource. The details panel for the resource opens.
- Click the Findings tab. All findings related to the resource are displayed.
View the changes to a resource
You can compare snapshots of the metadata of a resource to see what has changed.
For information about how to see the changes to a resource over time, click the tab for the console that you are using.
Google Cloud console
- In the Google Cloud console, go to the Assets page of Security Command Center.
- Search for the resource.
- In the list of resources in the results panel, click the name of the resource. The details panel for the resource opens.
- In the details panel for the resource, click the Change history tab.
- On the Change history tab, select both a Start time and an End time.
- In the Select a record to compare list on the left, select a snapshot.
- In the Select a record to compare list on the right, select a snapshot to compare with the first snapshot that you selected. The changes between the two snapshots are highlighted.
Security Operations console
-
In the Security Operations console, go to the Resources page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier. - Search for the resource.
- In the list of resources in the results panel, click the name of the resource. The details panel for the resource opens.
- In the details panel for the resource, click the Change history tab.
- In the Compare list on the left, select a snapshot.
- In the Compare list on the right, select a snapshot to compare with the first snapshot that you selected. The changes between the two snapshots are highlighted.
View the IAM policies associated with a resource
- Search for the resource.
- In the query results, click the name of the resource. The details panel for the resource opens.
- Click the IAM policies tab. The IAM policies associated with the resource are displayed.
View the high-value resource set
You can view the high-value resources that Risk Engine included in the last attack path simulations. You can also view the attack exposure scores that Risk Engine calculated for each resource. For more information, click the tab for the console that you are using.
Google Cloud console
- In the Google Cloud console, go to the Assets page of Security Command Center.
- Click the High value resource set tab.
- Click the subtab for the cloud provider that you want to view:
- To view high-value Google Cloud resources, click Google. To view the details of a resource, click its resource name.
- To view high-value Amazon Web Services (AWS) resources, click AWS.
- To view high-value Microsoft Azure resources, click Azure.
- To view the attack path simulation details for the resource, click the resource's attack exposure score. For information about how to interpret the attack paths, see Attack paths.
Security Operations console
In the Security Operations console, you can view the high-value resource set, but you can't view the attack path simulation details of the resources. To view the attack path simulation details, use the Google Cloud console instead.
To view the high-value resource set in the Security Operations console, follow these steps:
-
In the Security Operations console, go to the Resources page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/resources
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier. - Click the High value resource set tab.
- Click the subtab for the cloud provider that you want to view:
- To view high-value Google Cloud resources, click Google Cloud resources.
- To view high-value Amazon Web Services (AWS) resources, click AWS resources.
- To view the details of a resource, click its resource display name.
Filter resources by their Created or Last updated timestamp
For information about how to filter resources by timestamp, click the tab for the console that you are using.
Google Cloud console
You can filter or sort the resources in the results panel of the Assets page, by their Created and Last updated timestamps.
To a filter based on the Created timestamp, Last updated timestamp, or both, follow these steps:
- In the Google Cloud console, go to the Assets page of Security Command Center.
- At the top of the results panel on the Assets page, place your cursor in the Filter field. A menu of filters opens.
- Scroll to Create time or Update time section and select one
of the time-based filter options. For example,
Update time after
. A filter is added to the Filter field. - In the filter field, type a date in the format
MM/DD/YYYY
and press Enter on your keyboard.
The resources in the results panel are updated to show only the resources that match your filter.
Security Operations console
This feature is not available in the Security Operations console.
Customize the resources page
To control screen space, you can customize some of the elements that appear in the query results.
Hide or display columns
For information about how to hide or display columns in the query results, click the tab for the console that you are using.
Google Cloud console
- At the top of the results panel, click view_column Columns.
- Select the columns that you want to display.
- Clear the selections for columns that you want to hide.
- Click Apply to apply the changes to the query results.
Security Operations console
- At the top of the results panel, click view_column Open column selector. The Manage columns menu opens.
- Select the columns that you want to display.
- Clear the selections for columns that you want to hide.
- Close the menu.
Hide or resize the quick filters panel
To increase the screen space for query results, you can hide or resize panels. For more information, click the tab for the console that you are using.
Google Cloud console
- To hide the Quick filters side panel, click the left arrow first_page.
- To display the Quick filters side panel, click the right arrow last_page.
- To resize the display columns, drag the dividing line left or right.
Security Operations console
- To hide the Filters side panel, click chevron_left Close sidebar.
- To display the Filters side panel, click chevron_right Open sidebar.
What's next
- Annotate resources and findings with security marks.