Filtering notifications

This page lists example filters that you can use with the Security Command Center API notifications feature and with exports to Pub/Sub or BigQuery. You can filter notifications on any finding field, including:

  • parent
  • state
  • resource_name
  • category
  • source_properties (v1 API only)
  • security_marks

You can also use standard operators in the filter string:

  • AND: include fields that contain all of a set of values
  • OR: include fields that contain any one value from a set
  • -: exclude fields that contain a specific value
  • Parentheses to group a set of values, for example:

    (category = \"BUCKET_LOGGING_DISABLED\" OR category = \"CLUSTER_LOGGING_DISABLED\") AND state = \"ACTIVE\"

Set up a source filter

Each Security Command Center finding includes the source ID of the security source provider. For example, findings from Security Health Analytics include the source ID that is specific to Security Health Analytics. The source ID is used in a NotificationConfig filter to specify which provider's findings are sent to the notification Pub/Sub topic or BigQuery dataset.

Step 1: Get the source ID

Get the provider's source ID by using the Google Cloud console or the Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Security Command Center Findings page.
  2. Select the organization for which you want to create a notification filter. The Findings page opens.
  3. In the Quick filters panel, scroll down to the Source display name section and select the name of the provider whose findings you want to filter notifications on.
  4. In the Findings query results panel, in the Category column, click the name of one of the findings to open the finding details panel.
  5. In the finding details panel, click the JSON tab. The full JSON of the finding is displayed.
  6. In the JSON, copy the value of the parent attribute. For example:

    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID"

    The IDs are represented as follows:

    • ORGANIZATION_ID: the organization ID of the parent source provider.
    • SOURCE_ID: the ID of the parent source provider.

gcloud

To retrieve the source ID, run the following command:

  gcloud scc sources describe ORGANIZATION_ID --source-display-name="SOURCE_NAME"

Replace the following:

  • ORGANIZATION_ID: your organization ID.
  • SOURCE_NAME: the name of the service whose source ID you want to get. Use the name of any finding provider, including Security Command Center's built-in services: Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection.

The output of the gcloud CLI command looks like the following and includes the source ID:

 {
   "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
   "displayName": "example-source",
   "description": "A source that creates findings."
 }

Next, use the organization ID and the source ID to create the notification filter.

Step 2: Create the filter

To create a notification filter, create a new NotificationConfig.

You can add a filter to the NotificationConfig file to include or exclude specific sources:

  • Filter findings so that notifications are sent only for the specified source:

      state = \"ACTIVE\" AND parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"

  • Filter findings so that notifications are sent for all sources except the specified source:

      state = \"ACTIVE\" AND -parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"

For more examples of filters that you can use, see Listing security findings using the Security Command Center API.
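To check a filter string against sample messages before you create a NotificationConfig, the following Python example (added here; it is not code from this page or from the Security Command Center API) implements the syntax described above and in Step 2: `field = "value"`, AND, OR, a leading `-` for exclusion, and parentheses. It assumes that AND binds tighter than OR, that snake_case filter fields such as `resource_name` map onto the camelCase keys of the Pub/Sub message (`resourceName`), and that only string equality is needed; the sample finding is constructed.

```python
import re
# Token pattern for the filter subset on this page: field = "value", AND, OR, a leading
# "-" for exclusion and parentheses for grouping; anything else is reported as an error.
_TOKEN = re.compile(r'\(|\)|-|\bAND\b|\bOR\b|([A-Za-z_][\w.]*)\s*=\s*"([^"]*)"|\S+')
def tokenize(text):
    toks = []
    for m in _TOKEN.finditer(text):
        if m.group(1): toks.append(("EQ", m.group(1), m.group(2)))
        elif m.group(0) in ("(", ")", "-", "AND", "OR"): toks.append((m.group(0),))
        else: raise ValueError(f"bad token {m.group(0)!r}")
    return toks

def _parse(toks):  # expr := term (OR term)* ; term := factor (AND factor)*  (AND binds tighter)
    def expr():
        node = term()
        while toks and toks[0][0] == "OR": toks.pop(0); node = ("or", node, term())
        return node
    def term():
        node = factor()
        while toks and toks[0][0] == "AND": toks.pop(0); node = ("and", node, factor())
        return node
    def factor():  # factor := "-" factor | "(" expr ")" | field = "value"
        tok = toks.pop(0) if toks else (None,)
        if tok[0] == "-": return ("not", factor())
        if tok[0] == "(":
            node = expr()
            if not toks or toks.pop(0)[0] != ")": raise ValueError("missing ')'")
            return node
        if tok[0] == "EQ": return ("eq",) + tok[1:]
        raise ValueError(f"unexpected token {tok[0]!r}")
    tree = expr()
    if toks: raise ValueError(f"trailing input: {toks[0]}")
    return tree

def _lookup(node, path):  # snake_case filter path (resource_name) vs camelCase message key
    for seg in path.split("."):
        camel = re.sub(r"_([a-z])", lambda m: m.group(1).upper(), seg)
        node = node.get(seg, node.get(camel)) if isinstance(node, dict) else None
    return node

def _eval(n, f):
    if n[0] == "eq": return _lookup(f, n[1]) == n[2]
    if n[0] == "not": return not _eval(n[1], f)
    return (_eval(n[1], f) and _eval(n[2], f)) if n[0] == "and" else (_eval(n[1], f) or _eval(n[2], f))

def matches(filter_text, finding):  # True if the finding would pass the notification filter
    return _eval(_parse(tokenize(filter_text.replace('\\"', '"'))), finding)  # accept \" as on this page
# Constructed sample finding, shaped like the OPEN_FIREWALL Pub/Sub message on this page.
SAMPLE = {"parent": "organizations/123/sources/456", "state": "ACTIVE", "category": "OPEN_FIREWALL",
          "sourceProperties": {"SeverityLevel": "High"}, "securityMarks": {"marks": {"priority": "p1"}}}
```

Run `matches(filter_string, finding_dict)` on findings pulled from a Pub/Sub subscription to confirm that a filter selects exactly the findings you expect before you rely on it.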

Filter findings by category and state when using a Pub/Sub topic

The following sections provide examples of how to create filters for specific sources and finding types, and of the notification messages that those filters send to a Pub/Sub topic.

If you use a BigQuery dataset instead of a Pub/Sub topic, see Exporting findings to BigQuery for analysis for information about findings and their fields.

Security Health Analytics

This Security Health Analytics example uses the following filter:

category = \"OPEN_FIREWALL\" AND state = \"ACTIVE\"

For more information about the finding types that Security Health Analytics creates, see the Security Health Analytics findings page.

A Pub/Sub message for a notification of a filtered Security Health Analytics finding looks like the following:

{
   "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/security-health-analytics-active-findings",
   "finding": {
     "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
     "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
     "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/global/firewalls/",
     "state": "ACTIVE",
     "category": "OPEN_FIREWALL",
     "externalUri": "https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003dPROJECT_ID",
     "sourceProperties": {
       "ReactivationCount": 0.0,
       "Allowed": "[{\"ipProtocol\":\"icmp\"}]",
       "WhitelistInstructions": "Add the security mark \"allow_open_firewall_rule\" to the asset with a value of \"true\" to prevent this finding from being activated again.",
       "Recommendation": "Restrict the firewall rules at: https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003dPROJECT_ID",
       "AllowedIpRange": "All",
       "ActivationTrigger": "Allows all IP addresses",
       "SourceRange": "[\"0.0.0.0/0\"]",
       "ScanRunId": "2019-04-06T08:50:58.832-07:00",
       "SeverityLevel": "High",
       "ProjectId": "PROJECT_ID",
       "AssetCreationTime": "2019-03-28t17:58:54.409-07:00",
       "ScannerName": "FIREWALL_SCANNER",
       "Explanation": "Firewall rules that allow connections from all IP addresses or on all ports may expose resources to attackers."
     },
     "securityMarks": {
       "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
       "marks": {
         "sccquery152cd5aa66ea4bc8a672d8186a125580": "true",
         "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
       }
     },
     "eventTime": "2019-09-22T21:26:57.189Z",
     "createTime": "2019-03-29T15:51:26.435Z"
   }
 }

Anomaly Detection

This Anomaly Detection notification example uses the following filter:

category = \"resource_involved_in_coin_mining\" AND state = \"ACTIVE\"

For more information about the finding types that Anomaly Detection creates, see the Viewing vulnerabilities and threats page.

A Pub/Sub message for a notification of a filtered Anomaly Detection finding looks like the following:

{
   "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/cloud-anomaly-detection-active-findings",
   "finding": {
     "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
     "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
     "state": "ACTIVE",
     "category": "resource_involved_in_coin_mining",
     "sourceProperties": {
       "vm_ips": "35.231.191.191",
       "end_time_usec": "1569003180000000",
       "abuse_target_ips": "54.38.176.231",
       "end_datetime_UTC": "2019-09-20 18:13:00 UTC",
       "urls": "swap2.luckypool.io, bitcash.luckypool.io",
       "vm_host_and_zone_names": "ubuntu-1804-tp100-gminer:us-east1-b",
       "finding_type": "Abuse originating from a resource in your organization.",
       "start_time_usec": "1569002700000000",
       "action_taken": "Notification sent",
       "summary_message": "We have recently detected activity on your Google Cloud Platform/APIs project that violates our Terms of Service or Acceptable Use Policy.",
       "start_datetime_UTC": "2019-09-20 18:05:00 UTC"
     },
     "securityMarks": {
       "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
       "marks": {
         "teste123": "true",
         "sccquery94c23b35ea0b4f8388268415a0dc6c1b": "true"
       }
     },
     "eventTime": "2019-09-20T18:59:00Z",
     "createTime": "2019-05-16T14:16:35.674Z"
   }
 }

Event Threat Detection

This Event Threat Detection example uses the following filter (the category value must match the finding's category exactly, including case):

category = \"Persistence: IAM Anomalous Grant\" AND state = \"ACTIVE\"

For more information about the finding types that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

A Pub/Sub message for a notification of a filtered Event Threat Detection finding looks like the following:

{
  "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/event-threat-detection-active-findings",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "state": "ACTIVE",
    "category": "Persistence: IAM Anomalous Grant",
    "sourceProperties": {
      "sourceId": {
        "organizationNumber": "ORGANIZATION_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_grant",
        "subRuleName": "external_member_added_to_policy"
      },
      "detectionPriority": "HIGH",
      "evidence": [{
        "sourceLogId": {
          "timestamp": {
            "seconds": "1601066317",
            "nanos": 4.63E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "sensitiveRoleGrant": {
          "principalEmail": "PRINCIPAL_EMAIL@gmail.com",
          "bindingDeltas": [{
            "action": "ADD",
            "role": "roles/owner",
            "member": "user:USER_EMAIL@gmail.com"
          }, {
            "action": "REMOVE",
            "role": "roles/viewer",
            "member": "user:USER_EMAIL@gmail.com"
          }],
          "members": ["USER_EMAIL@gmail.com"]
        }
      },
      "findingId": "FINDING_ID"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2020-09-25T20:38:39.441Z",
    "createTime": "2020-09-25T20:38:40.667Z"
  }
}

Sensitive Data Protection

This Sensitive Data Protection example uses the following filter:

category = \"CREDIT_CARD_NUMBER\" AND state = \"ACTIVE\"

For more information about the finding types that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.

A Pub/Sub message for a notification of a filtered Sensitive Data Protection finding looks like the following:

{
   "notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/dlp-data-discovery-active-findings",
   "finding": {
     "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
     "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
     "state": "ACTIVE",
     "category": "CREDIT_CARD_NUMBER",
     "externalUri": "https://console.cloud.google.com/dlp/projects/PROJECT_ID/dlpJobs/i-7536622736814356939;source\u003d5",
     "sourceProperties": {
       "COUNT": 2.0,
       "JOB_NAME": "projects/PROJECT_ID/dlpJobs/i-7536622736814356939",
       "FULL_SCAN": false
     },
     "securityMarks": {
       "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
       "marks": {
         "priority": "p1",
         "sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
       }
     },
     "eventTime": "2019-09-16T23:21:19.650Z",
     "createTime": "2019-04-22T23:18:17.731Z"
   }
 }

What's next