Asset-Erkennung mit der Security Command Center API konfigurieren

Mit der Security Command Center API können Sie steuern, ob die Asset-Erkennung für Security Command Center für eine Organisation aktiviert oder deaktiviert ist. In diesem Leitfaden erfahren Sie, wie Sie die aktuellen Konfigurationseinstellungen einer Organisation abrufen und die Asset-Erkennung mithilfe der API aktivieren.

Die Asset-Erkennung ist nur erforderlich, wenn Sie die eingestellte Asset-Funktionalität der Security Command Center API oder die Asset-bezogenen Security Command Center-Befehle der Google Cloud CLI verwenden. Die Asset-Erkennung hat keine Auswirkungen auf die Assets, die auf der Seite Assets angezeigt werden.

Die IAM-Rollen für Security Command Center können auf Organisations-, Ordner- oder Projektebene zugewiesen werden. Die Möglichkeit, Ergebnisse, Assets und Sicherheitsquellen anzusehen, zu bearbeiten, zu erstellen oder zu aktualisieren, hängt von der Ebene ab, auf die Sie Zugriff haben. Weitere Informationen zu Security Command Center-Rollen finden Sie unter Zugriffssteuerung.

Hinweise

Bevor Sie die Asset-Erkennung konfigurieren, müssen Sie sich bei der Security Command Center API authentifizieren.

Konfiguration der Organisationseinstellungen abrufen

Python

from google.cloud import securitycenter

client = securitycenter.SecurityCenterClient()
# organization_id is numeric ID for the organization. e.g.
# organization_id = "111112223333"

org_settings_name = client.organization_settings_path(organization_id)

org_settings = client.get_organization_settings(request={"name": org_settings_name})
print(org_settings)

Java

static OrganizationSettings getOrganizationSettings(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to get OrganizationSettings for.
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    GetOrganizationSettingsRequest.Builder request =
        GetOrganizationSettingsRequest.newBuilder()
            .setName(organizationName.toString() + "/organizationSettings");

    // Call the API.
    OrganizationSettings response = client.getOrganizationSettings(request.build());

    System.out.println("Organization Settings:");
    System.out.println(response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// getOrgSettings gets and prints the current organization asset discovery
// settings to w. orgID is the numeric Organization ID.
func getOrgSettings(w io.Writer, orgID string) error {
	// orgID := "12321311"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.GetOrganizationSettingsRequest{
		Name: fmt.Sprintf("organizations/%s/organizationSettings", orgID),
	}
	settings, err := client.GetOrganizationSettings(ctx, req)
	if err != nil {
		return fmt.Errorf("GetOrganizationSettings: %w", err)
	}
	fmt.Fprintf(w, "Retrieved Settings for: %s\n", settings.Name)
	fmt.Fprintf(w, "Asset Discovery on? %v", settings.EnableAssetDiscovery)
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function getOrgSettings() {
  //  organizationId is the numeric ID of the organization.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const organizaionId = "111122222444";
  const orgName = client.organizationPath(organizationId);
  const [settings] = await client.getOrganizationSettings({
    name: `${orgName}/organizationSettings`,
  });

  console.log('Current settings: %j', settings);
}
getOrgSettings();

Asset-Erkennung aktivieren

Der folgende API-Aufruf verwendet eine Feldmaske, sodass nur die Einstellung für die Asset-Erkennung aktiviert oder deaktiviert ist.

Python

from google.cloud import securitycenter
from google.protobuf import field_mask_pb2

# Create the client
client = securitycenter.SecurityCenterClient()
# organization_id is numeric ID for the organization. e.g.
# organization_id = "111112223333"
org_settings_name = "organizations/{org_id}/organizationSettings".format(
    org_id=organization_id
)
# Only update the enable_asset_discovery_value (leave others untouched).
field_mask = field_mask_pb2.FieldMask(paths=["enable_asset_discovery"])
# Call the service.
updated = client.update_organization_settings(
    request={
        "organization_settings": {
            "name": org_settings_name,
            "enable_asset_discovery": True,
        },
        "update_mask": field_mask,
    }
)
print(f"Asset Discovery Enabled? {updated.enable_asset_discovery}")

Java

static OrganizationSettings updateOrganizationSettings(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to update OrganizationSettings for.
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    OrganizationSettings organizationSettings =
        OrganizationSettings.newBuilder()
            .setName(organizationName.toString() + "/organizationSettings")
            .setEnableAssetDiscovery(true)
            .build();
    FieldMask updateMask = FieldMask.newBuilder().addPaths("enable_asset_discovery").build();

    UpdateOrganizationSettingsRequest.Builder request =
        UpdateOrganizationSettingsRequest.newBuilder()
            .setOrganizationSettings(organizationSettings)
            .setUpdateMask(updateMask);

    // Call the API.
    OrganizationSettings response = client.updateOrganizationSettings(request.build());

    System.out.println("Organization Settings have been updated:");
    System.out.println(response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"google.golang.org/genproto/protobuf/field_mask"
)

// Turns on asset discovery for orgID and prints out updated settings to w.
// settings. orgID is the numeric Organization ID.
func enableAssetDiscovery(w io.Writer, orgID string) error {
	// orgID := "12321311"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.UpdateOrganizationSettingsRequest{
		OrganizationSettings: &securitycenterpb.OrganizationSettings{
			Name:                 fmt.Sprintf("organizations/%s/organizationSettings", orgID),
			EnableAssetDiscovery: true,
		},
		// Only update the asset discovery setting.
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"enable_asset_discovery"},
		},
	}
	settings, err := client.UpdateOrganizationSettings(ctx, req)
	if err != nil {
		return fmt.Errorf("UpdateOrganizationSettings: %w", err)
	}
	fmt.Fprintf(w, "Updated Settings for: %s\n", settings.Name)
	fmt.Fprintf(w, "Asset discovery on? %v\n", settings.EnableAssetDiscovery)
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function updateOrgSettings() {
  //  organizationId is the numeric ID of the organization.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const organizationId = "111122222444";
  const orgName = client.organizationPath(organizationId);
  const [newSettings] = await client.updateOrganizationSettings({
    organizationSettings: {
      name: `${orgName}/organizationSettings`,
      enableAssetDiscovery: true,
    },
    // Only update the enableAssetDiscovery field.
    updateMask: {paths: ['enable_asset_discovery']},
  });

  console.log('New settings: %j', newSettings);
}
updateOrgSettings();