This page lists sample filters that you can use with the Security Command Center API notifications feature and with exports to Pub/Sub or BigQuery. You can filter notifications on any finding field, including:
- parent
- state
- resource_name
- category
- source_properties
- security_marks (v1 API only)
You can also use the standard operators in filter strings:
- AND: includes fields that contain all of a set of values
- OR: includes fields that contain any one of a set of values
- Minus sign (-): excludes fields that contain a specific value
- Parentheses: group a set of values, for example:
(category = \"BUCKET_LOGGING_DISABLED\" OR category = \"CLUSTER_LOGGING_DISABLED\") AND state = \"ACTIVE\"
Set up a source filter
Every Security Command Center finding includes the source ID of the security source provider. For example, findings from Security Health Analytics include the source ID that is specific to Security Health Analytics. The source ID is used in the NotificationConfig filter to specify which provider's findings are sent to the notification Pub/Sub topic or BigQuery dataset.
Step 1: Get the source ID
Get the provider's source ID by using the Google Cloud console or the Google Cloud CLI.
Console
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select the organization for which you want to create a notification filter. The Findings page opens.
- In the Quick filters panel, scroll down to the Source display name section and select the name of the provider whose findings you want to filter notifications on.
- In the Findings query results panel, in the Category column, click the name of one of the findings. The finding details panel opens.
- In the finding details panel, click the JSON tab. The full JSON of the finding is displayed.
- In the JSON, copy the value of the parent attribute. For example:
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID"
The IDs are as follows:
- ORGANIZATION_ID: the organization ID of the parent source provider.
- SOURCE_ID: the ID of the parent source provider.
gcloud
To retrieve the source ID, run the following command:
gcloud scc sources describe ORGANIZATION_ID --source-display-name="SOURCE_NAME"
Replace the following:
- ORGANIZATION_ID: your organization ID.
- SOURCE_NAME: the name of the service whose source ID you want. Use the name of any finding provider, including Security Command Center's built-in services: Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection.
The output of the gcloud CLI command, which includes the source ID, looks like the following:
{
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"displayName": "example-source",
"description": "A source that creates findings."
}
Next, use the organization ID and source ID to create a notification filter.
Step 2: Create a filter
To create a notification filter, create a new NotificationConfig. You can add a filter to the NotificationConfig file to include or exclude specific sources:
Filter findings so that notifications are sent only for findings from the specified source:
state = \"ACTIVE\" AND parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"
Filter findings so that notifications are sent for findings from all sources except the specified source:
state = \"ACTIVE\" AND -parent = \"organizations/$ORGANIZATION_ID/sources/$SOURCE_ID\"
For more examples of filters that you can use, see Listing security findings using the Security Command Center API.
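Before a NotificationConfig is deployed, it helps to check a filter string against sample findings. The following Python script is an added example, not code from this page or from the Security Command Center API: it implements a small evaluator for the filter subset described above (field = "value", exclusion with a leading -, AND, OR and parentheses) and applies it to constructed finding dictionaries shaped like the JSON messages later on this page. The numeric IDs, the assumption that AND binds tighter than OR, and the mapping of snake_case filter fields such as resource_name to the camelCase JSON keys are assumptions; the real API evaluates filters server-side and supports more than this subset. The \" escapes shown in the filter strings on this page are JSON escaping for use inside a NotificationConfig; in a plain Python string the quotes are written unescaped.

```python
# Added example (not Google's code): a local approximation of the Security Command Center
# NotificationConfig filter grammar, so filters can be checked against sample finding JSON
# before deployment. Supports field = "value", -field = "value" (exclusion), AND, OR and
# parentheses. Assumed: AND binds tighter than OR; snake_case fields map to camelCase keys.
import re

IDENT = r"-?[A-Za-z_][A-Za-z0-9_.]*"  # optional leading "-" means exclude
TOKEN_RE = re.compile(r'\(|\)|\bAND\b|\bOR\b|=|"(?:[^"\\]|\\.)*"|' + IDENT + r"|\S")

def tokenize(filter_str):
    """Split a filter string into (kind, text) tokens; ValueError on junk."""
    tokens = []
    for tok in TOKEN_RE.findall(filter_str):
        if tok.startswith('"'):
            tokens.append(("STRING", tok[1:-1].replace('\\"', '"')))
        elif tok in ("(", ")", "AND", "OR", "="):
            tokens.append((tok, tok))  # punctuation and keywords are their own kind
        elif re.fullmatch(IDENT, tok):
            tokens.append(("IDENT", tok))
        else:
            raise ValueError(f"unexpected character {tok!r} in filter")
    return tokens

class _Parser:
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def take(self, kind):
        if self.peek() != kind:
            raise ValueError(f"expected {kind!r}, got {self.peek()!r}")
        self.i += 1
        return self.tokens[self.i - 1][1]

    def expr(self):  # expr := term (OR term)*
        node = self.term()
        while self.peek() == "OR":
            self.take("OR")
            node = ("or", node, self.term())
        return node

    def term(self):  # term := factor (AND factor)*
        node = self.factor()
        while self.peek() == "AND":
            self.take("AND")
            node = ("and", node, self.factor())
        return node

    def factor(self):  # factor := "(" expr ")" | [-]field "=" "value"
        if self.peek() == "(":
            self.take("(")
            node = self.expr()
            self.take(")")
            return node
        field = self.take("IDENT")
        self.take("=")
        node = ("eq", field.lstrip("-"), self.take("STRING"))
        return ("not", node) if field.startswith("-") else node

def parse(filter_str):
    """Parse a filter string into a tuple AST, rejecting trailing tokens."""
    parser = _Parser(tokenize(filter_str))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected {parser.peek()!r} after end of expression")
    return tree

def lookup(finding, path):
    """Resolve a dotted path such as source_properties.ScannerName against a finding
    dict, trying each segment as written and in camelCase; None when absent."""
    node = finding
    for seg in path.split("."):
        head, *rest = seg.split("_")
        camel = head + "".join(p.capitalize() for p in rest)
        node = node.get(seg, node.get(camel)) if isinstance(node, dict) else None
        if node is None:
            return None
    return node

def evaluate(node, finding):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], finding) and evaluate(node[2], finding)
    if kind == "or":
        return evaluate(node[1], finding) or evaluate(node[2], finding)
    if kind == "not":
        return not evaluate(node[1], finding)
    actual = lookup(finding, node[1])  # node is ("eq", field, value)
    return actual is not None and str(actual) == node[2]

def matches(filter_str, finding):  # does a finding dict (e.g. message["finding"]) satisfy the filter?
    return evaluate(parse(filter_str), finding)

SAMPLE_FINDINGS = [  # constructed, trimmed from the messages on this page; IDs are placeholders
    {"parent": "organizations/123/sources/111", "state": "ACTIVE", "category": "OPEN_FIREWALL",
     "sourceProperties": {"ScannerName": "FIREWALL_SCANNER", "SeverityLevel": "High"}},
    {"parent": "organizations/123/sources/222", "state": "ACTIVE", "category": "resource_involved_in_coin_mining"},
]
```

With the two sample findings loaded, matches('state = "ACTIVE" AND -parent = "organizations/123/sources/111"', SAMPLE_FINDINGS[1]) returns True because the second finding belongs to source 222, and the same filter returns False for the first; the parenthesized example from the top of the page and dotted paths into source_properties are handled the same way.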
Filter findings by category and state when using a Pub/Sub topic
The following sections give examples of how to create filters for specific sources and finding types, and show the notification messages that the filters send to a Pub/Sub topic.
If you use a BigQuery dataset instead of a Pub/Sub topic, see Exporting findings to BigQuery for analysis to learn about findings and their associated fields.
Security Health Analytics
This Security Health Analytics example uses the following filter:
category = \"OPEN_FIREWALL\" AND state = \"ACTIVE\"
To learn more about the types of findings that Security Health Analytics creates, see the Security Health Analytics findings page.
The Pub/Sub message for a notification about a finding that matches the Security Health Analytics filter looks like the following:
{
"notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/security-health-analytics-active-findings",
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/global/firewalls/",
"state": "ACTIVE",
"category": "OPEN_FIREWALL",
"externalUri": "https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003dPROJECT_ID",
"sourceProperties": {
"ReactivationCount": 0.0,
"Allowed": "[{\"ipProtocol\":\"icmp\"}]",
"WhitelistInstructions": "Add the security mark \"allow_open_firewall_rule\" to the asset with a value of \"true\" to prevent this finding from being activated again.",
"Recommendation": "Restrict the firewall rules at: https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project\u003dPROJECT_ID",
"AllowedIpRange": "All",
"ActivationTrigger": "Allows all IP addresses",
"SourceRange": "[\"0.0.0.0/0\"]",
"ScanRunId": "2019-04-06T08:50:58.832-07:00",
"SeverityLevel": "High",
"ProjectId": "PROJECT_ID",
"AssetCreationTime": "2019-03-28t17:58:54.409-07:00",
"ScannerName": "FIREWALL_SCANNER",
"Explanation": "Firewall rules that allow connections from all IP addresses or on all ports may expose resources to attackers."
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
"marks": {
"sccquery152cd5aa66ea4bc8a672d8186a125580": "true",
"sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
}
},
"eventTime": "2019-09-22T21:26:57.189Z",
"createTime": "2019-03-29T15:51:26.435Z"
}
}
Anomaly Detection
This Anomaly Detection notification example uses the following filter:
category = \"resource_involved_in_coin_mining\" AND state = \"ACTIVE\"
To learn more about the types of findings that Anomaly Detection creates, see the Viewing vulnerabilities and threats page.
The Pub/Sub message for a notification about a finding that matches the Anomaly Detection filter looks like the following:
{
"notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/cloud-anomaly-detection-active-findings",
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"state": "ACTIVE",
"category": "resource_involved_in_coin_mining",
"sourceProperties": {
"vm_ips": "35.231.191.191",
"end_time_usec": "1569003180000000",
"abuse_target_ips": "54.38.176.231",
"end_datetime_UTC": "2019-09-20 18:13:00 UTC",
"urls": "swap2.luckypool.io, bitcash.luckypool.io",
"vm_host_and_zone_names": "ubuntu-1804-tp100-gminer:us-east1-b",
"finding_type": "Abuse originating from a resource in your organization.",
"start_time_usec": "1569002700000000",
"action_taken": "Notification sent",
"summary_message": "We have recently detected activity on your Google Cloud Platform/APIs project that violates our Terms of Service or Acceptable Use Policy.",
"start_datetime_UTC": "2019-09-20 18:05:00 UTC"
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
"marks": {
"teste123": "true",
"sccquery94c23b35ea0b4f8388268415a0dc6c1b": "true"
}
},
"eventTime": "2019-09-20T18:59:00Z",
"createTime": "2019-05-16T14:16:35.674Z"
}
}
Event Threat Detection
This Event Threat Detection example uses the following filter:
category = \"Persistence: Iam Anomalous Grant\" AND state = \"ACTIVE\"
To learn more about the types of findings that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.
The Pub/Sub message for a notification about a finding that matches the Event Threat Detection filter looks like the following:
{
"notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/event-threat-detection-active-findings",
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
"state": "ACTIVE",
"category": "Persistence: IAM Anomalous Grant",
"sourceProperties": {
"sourceId": {
"organizationNumber": "ORGANIZATION_ID",
"customerOrganizationNumber": "ORGANIZATION_ID"
},
"detectionCategory": {
"technique": "persistence",
"indicator": "audit_log",
"ruleName": "iam_anomalous_grant",
"subRuleName": "external_member_added_to_policy"
},
"detectionPriority": "HIGH",
"evidence": [{
"sourceLogId": {
"timestamp": {
"seconds": "1601066317",
"nanos": 4.63E8
},
"insertId": "INSERT_ID"
}
}],
"properties": {
"sensitiveRoleGrant": {
"principalEmail": "PRINCIPAL_EMAIL@gmail.com",
"bindingDeltas": [{
"action": "ADD",
"role": "roles/owner",
"member": "user:USER_EMAIL@gmail.com"
}, {
"action": "REMOVE",
"role": "roles/viewer",
"member": "user:USER_EMAIL@gmail.com"
}],
"members": ["USER_EMAIL@gmail.com"]
}
},
"findingId": "FINDING_ID"
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2020-09-25T20:38:39.441Z",
"createTime": "2020-09-25T20:38:40.667Z"
}
}
Sensitive Data Protection
This Sensitive Data Protection example uses the following filter:
category = \"CREDIT_CARD_NUMBER\" AND state = \"ACTIVE\"
To learn more about the types of findings that Event Threat Detection creates, see the Viewing vulnerabilities and threats page.
The Pub/Sub message for a notification about a finding that matches the Sensitive Data Protection filter looks like the following:
{
"notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/dlp-data-discovery-active-findings",
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"state": "ACTIVE",
"category": "CREDIT_CARD_NUMBER",
"externalUri": "https://console.cloud.google.com/dlp/projects/PROJECT_ID/dlpJobs/i-7536622736814356939;source\u003d5",
"sourceProperties": {
"COUNT": 2.0,
"JOB_NAME": "projects/PROJECT_ID/dlpJobs/i-7536622736814356939",
"FULL_SCAN": false
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks",
"marks": {
"priority": "p1",
"sccquerya3cf2270123f4e91b84a3e613d2cac67": "true"
}
},
"eventTime": "2019-09-16T23:21:19.650Z",
"createTime": "2019-04-22T23:18:17.731Z"
}
}
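The four messages above share the same envelope (notificationConfigName plus finding) but put severity in different places: Security Health Analytics uses sourceProperties.SeverityLevel, Event Threat Detection uses sourceProperties.detectionPriority, and the other two samples carry no severity field at all. The following Python script is an added example, not code from this page or from Google: it shows how a Pub/Sub subscriber might decode the data payload of such a message, split the finding name into organization, source and finding IDs, check that parent is consistent with the name, and normalize the severity for routing. The two sample payloads are constructed from the messages above with placeholder IDs, and the choice of severity fields reflects only the samples shown on this page. Note that json.loads turns the \u003d escapes seen in the externalUri values above back into "=".

```python
# Added example (not Google's code): what a Pub/Sub subscriber does with the data
# payload of the notification messages shown on this page. It decodes the JSON,
# splits the finding name into organization / source / finding IDs, checks that
# "parent" agrees with the name, and normalizes severity, whose location differs
# per source in the samples above (sourceProperties.SeverityLevel for Security
# Health Analytics, sourceProperties.detectionPriority for Event Threat Detection).
import json
import re

FINDING_NAME_RE = re.compile(
    r"^organizations/(?P<org>[^/]+)/sources/(?P<source>[^/]+)/findings/(?P<finding>[^/]+)$")


def parse_finding_name(name):
    """Split organizations/ORG/sources/SRC/findings/ID into its three IDs."""
    m = FINDING_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a finding resource name: {name!r}")
    return m.groupdict()


def normalize_severity(source_properties):
    """Upper-case severity from whichever per-source field is present, else None."""
    for key in ("SeverityLevel", "detectionPriority"):
        value = source_properties.get(key)
        if value:
            return str(value).upper()
    return None


def summarize_notification(data):
    """Turn the raw bytes of one notification message into a flat routing record."""
    msg = json.loads(data.decode("utf-8"))  # json.loads also decodes \u003d escapes to "="
    finding = msg["finding"]
    ids = parse_finding_name(finding["name"])
    if finding.get("parent") != f"organizations/{ids['org']}/sources/{ids['source']}":
        raise ValueError("finding.parent does not match finding.name")
    props = finding.get("sourceProperties") or {}
    return {
        "config": msg["notificationConfigName"],
        "organization_id": ids["org"],
        "source_id": ids["source"],
        "finding_id": ids["finding"],
        "category": finding["category"],
        "state": finding["state"],
        "severity": normalize_severity(props),
        "resource": finding.get("resourceName"),
        "external_uri": finding.get("externalUri"),
        "marks": (finding.get("securityMarks") or {}).get("marks", {}),
    }


# Constructed sample payloads modelled on the messages above; IDs are placeholders.
# The real messages escape "=" in URIs as \u003d, so the first sample does too.
SHA_MESSAGE = json.dumps({
    "notificationConfigName": "organizations/123/notificationConfigs/security-health-analytics-active-findings",
    "finding": {
        "name": "organizations/123/sources/111/findings/abc",
        "parent": "organizations/123/sources/111",
        "resourceName": "//compute.googleapis.com/projects/p1/global/firewalls/default-allow-icmp",
        "state": "ACTIVE",
        "category": "OPEN_FIREWALL",
        "externalUri": "https://console.cloud.google.com/networking/firewalls/details/default-allow-icmp?project=p1",
        "sourceProperties": {"SeverityLevel": "High", "ScannerName": "FIREWALL_SCANNER"},
        "securityMarks": {"name": "organizations/123/sources/111/findings/abc/securityMarks",
                          "marks": {"allow_open_firewall_rule": "true"}},
    },
}).replace("?project=", "?project\\u003d").encode("utf-8")

ETD_MESSAGE = json.dumps({
    "notificationConfigName": "organizations/123/notificationConfigs/event-threat-detection-active-findings",
    "finding": {
        "name": "organizations/123/sources/222/findings/def",
        "parent": "organizations/123/sources/222",
        "resourceName": "//cloudresourcemanager.googleapis.com/organizations/123",
        "state": "ACTIVE",
        "category": "Persistence: IAM Anomalous Grant",
        "sourceProperties": {"detectionPriority": "HIGH",
                             "detectionCategory": {"ruleName": "iam_anomalous_grant"}},
        "securityMarks": {"name": "organizations/123/sources/222/findings/def/securityMarks"},
    },
}).encode("utf-8")

if __name__ == "__main__":
    for payload in (SHA_MESSAGE, ETD_MESSAGE):
        print(summarize_notification(payload))
```

In a real subscriber the bytes passed to summarize_notification would be the Pub/Sub message's data field; the parent-versus-name check rejects payloads whose finding name and parent disagree, and a missing marks object (as in the Event Threat Detection sample) yields an empty dictionary rather than an error.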