forked from GoogleCloudPlatform/professional-services
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathscc-finding-config.yaml
63 lines (59 loc) · 3.33 KB
/
scc-finding-config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Creates findings in Cloud Security Command Center. You'll have to use the API
# to create a source first (its identifier looks like organizations/123/sources/456),
# see here for an example: https://cloud.google.com/security-command-center/docs/how-to-api-create-manage-security-sources#creating_a_source
#
# This simple example sends findings from serial port access turned on. To create a
# a sample setup:
# - Create a Pub/Sub topic (eg. custom-scc-findings)
# - In Cloud Monitoring, create a Pub/Sub notification channel targeting the topic you created
# - In Cloud Logging, search with filter:
# protoPayload.methodName="v1.compute.instances.setMetadata"
# protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys="serial-port-enable"
# - Click Create alert button above the results
# - Create an alert policy named "SERIAL_PORT_ACCESS_TURNED_ON", with 5 minute intervals,
# using the notification channel you created
# - Configure Pubsub2Inbox function with this configuration configured with your settings
# and trigger it on the Pub/Sub topic you created
# - Provide access rights for the created Service Account to post from the SCC source https://cloud.google.com/security-command-center/docs/how-to-api-create-manage-security-sources#set-cloud-iam-policies
# Change member in the python script to the service account:
# service_account_mail = "custom-scc-findings@<PROJECT_ID>.iam.gserviceaccount.com"
# binding.members.append("serviceAccount:{}".format(service_account_mail))
#
# (tip: you can also locally test the function with python3 main.py --config examples/scc-finding-config.yaml test/fixtures/monitoring-alert.json)
#
retryPeriod: 3 day ago
processors:
- genericjson
# See tests/fixtures/monitoring-alert.json for example of what an alert from Cloud Monitoring
# looks like.
outputs:
- type: scc
source: organizations/1234567/sources/98765654
finding_id: "{{ data.incident.url|hash_string('md5') }}"
vars: # Additional variables to register in Jinja, useful for lookup dicts
severity:
SERIAL_PORT_ACCESS_TURNED_ON: "MEDIUM"
finding: #
resourceName: "//resourcemanager.googleapis.com/projects/{{ data.incident.scoping_project_number }}"
state: "{% if data.incident.state == 'open' %}ACTIVE{% else %}INACTIVE{% endif %}"
category: "{{ data.incident.policy_name }}"
externalUri: "{{ data.incident.url }}"
sourceProperties: "{% set props = {'type': data.incident.resource.type} %}{{ props|merge_dict(data.incident.resource.labels)|json_encode }}"
eventTime: "{{ ''|utc_strftime('%Y-%m-%dT%H:%M:%SZ') }}"
createTime: "{{ ''|utc_strftime('%Y-%m-%dT%H:%M:%SZ') }}"
severity: "{{ severity[data.incident.policy_name] }}"
findingClass: "VULNERABILITY"