GCP Security Command Center (SCC)¶
About¶
Asset discovery and inventory
Discover and view assets in near-real time across App Engine, BigQuery, Cloud SQL, Cloud Storage, Compute Engine, Cloud Identity and Access Management, Google Kubernetes Engine, and more. Review historical discovery scans to identify new, modified, or deleted assets.
Threat prevention
Understand the security state of Google Cloud assets. Uncover common web application vulnerabilities such as cross-site scripting or outdated libraries in web applications running on App Engine, GKE, and Compute Engine. Quickly resolve misconfigurations by clicking directly on the impacted resource and following the proscribed steps on how to fix it.
Threat detection
Detect threats using logs running in Google Cloud at scale. Detect some of the most common container attacks, including suspicious binary, suspicious library, and reverse shell.
Product Details¶
Vendor URL: GCP Security Command Center (SCC)
Product Type: SaaS
Product Tier: Tier III
Integration Method: Custom
Integration URL: GCP Security Command Center (SCC)
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 80-90%
Data Label: GCP_CSCC
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| finding.category | extensions.vulns.vulnerabilities.name |
| finding.category | security_result.summary |
| finding.externalUri | security_result.url_back_to_product |
| finding.resourceName | target.resource.name |
| finding.sourceProperties.detectionCategory.ruleName, finding.sourceProperties.detectionCategory.subRuleName | metadata.product_event_type |
| finding.sourceProperties.Explanation | extensions.vulns.vulnerabilities.description |
| finding.sourceProperties.ProjectId, resource.projectDisplayName | extensions.vulns.vulnerabilities.about.hostname |
| finding.sourceProperties.ProjectId, resource.projectDisplayName | principal.hostname |
| finding.sourceProperties.ResourcePath.2, finding.sourceProperties.ResourcePath.1, finding.sourceProperties.ResourcePath.1, finding.sourceProperties.ResourcePath.0 | target.file.full_path |
| finding.sourceProperties.ScannerName | principal.resource.name |
| invalidRoles.0.roles.0 | target.user.group_identifiers |
| invalidRoles.0.user | target.user.userid |
| jsonPayload.affectedResources.0.gcpResourceName, finding.resourceName | target.resource.name |
| jsonPayload.contextUris.mitreUri.url | security_result.threat_id |
| jsonPayload.properties.ipConnection.destIp, finding.sourceProperties.properties.ipConnection.destIp | target.ip |
| jsonPayload.properties.ipConnection.destPort, finding.sourceProperties.properties.ipConnection.destPort | target.port |
| jsonPayload.properties.ipConnection.srcIp, finding.sourceProperties.properties.ipConnection.srcIp | principal.ip |
| jsonPayload.properties.ipConnection.srcPort, finding.sourceProperties.properties.ipConnection.srcPort | principal.port |
| jsonPayload.properties.SeverityLevel, finding.sourceProperties.SeverityLevel | security_result.severity |
Product Event Types¶
| Event | UDM Event Classification | finding.state | alerting enabled |
|---|---|---|---|
| all events | SCAN_UNCATEGORIZED | ||
| INACTIVE | FALSE | ||
| all else | TRUE |
Log Sample¶
{
"notificationConfigName": "orgname",
"finding": {
"name": "orgname",
"parent": "orgname",
"resourceName": "googleproject",
"state": "ACTIVE",
"category": "PUBLIC_IP_ADDRESS",
"externalUri": "uri",
"sourceProperties": {
"Recommendation": "If this is unintended, please go to uri and click \"Edit\". For each interface under the \"Network interfaces\" heading, set \"External IP\" to \"None\", then click \"Done\" and \"Save\". If you would like to learn more about securing access to your infrastructure, see uri",
"ReactivationCount": 0.0,
"ExceptionInstructions": "Add the security mark \"allow_public_ip_address\" to the asset with a value of \"true\" to prevent this finding from being activated again.",
"Explanation": "To reduce the attack surface, avoid assigning public IP addresses to your VMs. Stopped instances may still be flagged with a Public IP finding, e.g. if the network interfaces are configured to assign an ephemeral public IP on start. Ensure the network configurations for stopped instances do not include external access.",
"ScannerName": "COMPUTE_INSTANCE_SCANNER",
"ResourcePath": ["project", "org"],
"compliance_standards": {
"pci": [{
"ids": ["1.2.1"]
}],
"cis": [{
"version": "1.1",
"ids": ["4.9"]
}],
"nist": [{
"ids": ["CA-3", "SC-7"]
}]
},
"VulnerableNetworkInterfaceNames": ["nic0"]
},
"securityMarks": {
"name": "orgname"
},
"eventTime": "2021-09-24T21:11:28.466558Z",
"createTime": "2021-09-24T21:11:28.982Z",
"severity": "HIGH",
"canonicalName": "projectname",
"findingClass": "MISCONFIGURATION"
},
"resource": {
"name": "googleproject",
"project": "projectname",
"projectDisplayName": "projdispname",
"parent": "projectname",
"parentDisplayName": "projdispname",
"type": "google.compute.Instance"
}
}
Sample Parsing¶
metadata.event_timestamp = "2021-09-24T21:11:28.466558Z"
metadata.event_type = "SCAN_UNCATEGORIZED"
metadata.vendor_name = "Google"
metadata.product_name = "Security Command Center"
metadata.ingested_timestamp = "2021-09-24T21:11:34.228837Z"
principal.hostname = "hostname1`="
principal.resource.type = "SCANNER_NAME"
principal.resource.name = "COMPUTE_INSTANCE_SCANNER"
principal.asset.hostname = "hostname1"
target.file.full_path = "orgname"
target.resource.name = "googleproject"
security_result.summary = "PUBLIC_IP_ADDRESS"
security_result.action = "ALLOW"
security_result.severity = "HIGH"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.url_back_to_product = "uri"
security_result.alert_state = "ALERTING"
extensions.vulns.vulnerabilities.about.hostname = "hostname1"
extensions.vulns.vulnerabilities.about.platform = "GCP"
extensions.vulns.vulnerabilities.name = "PUBLIC_IP_ADDRESS"
extensions.vulns.vulnerabilities.description = "To reduce the attack surface, avoid assigning public IP addresses to your VMs. Stopped instances may still be flagged with a Public IP finding, e.g. if the network interfaces are configured to assign an ephemeral public IP on start. Ensure the network configurations for stopped instances do not include external access."
extensions.vulns.vulnerabilities.severity = "HIGH"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon