scc-findings-to-pubsub

Category: Cloud computing
Development tool: Shell
File size: 1915KB
Downloads: 0
Upload date: 2021-04-08 16:54:31
Uploader: sh-1993
Description: Google Cloud Platform (GCP) Security Command Center Alerts enablement scripts

File list:
.gcloudignore (534, 2021-04-09)
LICENSE (1064, 2021-04-09)
faq.md (434, 2021-04-09)
functions (0, 2021-04-09)
functions\deploy_logger_func.sh (506, 2021-04-09)
functions\logger (0, 2021-04-09)
functions\logger\main.py (1244, 2021-04-09)
functions\logger\requirements.txt (27, 2021-04-09)
img (0, 2021-04-09)
img\alert1b.png (4836, 2021-04-09)
img\banner_light.png (75591, 2021-04-09)
img\scc_notifications.png (1914518, 2021-04-09)
scripts (0, 2021-04-09)
scripts\args.bash (418, 2021-04-09)
scripts\functions.bash (1562, 2021-04-09)
scripts\main.bash (1618, 2021-04-09)
scripts\utils.bash (2010, 2021-04-09)
setup.sh (1636, 2021-04-09)

# SCC Alerts

SCC Notifications to Alerts

Setup Alerts for Google Cloud Security Command Center Findings

## Features

This Security Command Center (SCC) Alerts project extends the default behavior of SCC Findings to add the ability to set up Alerts using Cloud Monitoring. A shortcoming of SCC is the lack of metrics and alerting via Cloud Monitoring, since Findings are only visible at the Organization level. By [exporting findings into PubSub](https://cloud.google.com/security-command-center/docs/how-to-notifications) [1], along with this project's scripts, you can make notifications available in Cloud Monitoring.

With this project's scripts, you can

- Automate the setup and removal of SCC Notifications to PubSub into your project
- Log the Findings into your project, making the data available to Cloud Logging & Cloud Monitoring
- Remove or reduce any custom scripts to be created and use standard GCP features where available

![diagram](img/scc_notifications.png)

## Requirements

To run the scripts you will need the following.

- **Organization ID**
- **Project ID** - where the resources will be installed
- **Service Account** - a service account for SCC Notifications to run. Roles will be assigned via setup.sh
- The APIs below must be enabled for the project
  - Security Command Center API for the Organization
  - Cloud Build API
  - Cloud Functions API
- You will need IAM security roles of
  - Security Center Admin - to set up notifications
  - Organization Admin - to set up the service account with needed roles

## Installation

### Clone the repository

[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fgschaeffer%2Fscc_alerts&cloudshell_git_branch=main)

Clone the repo to Cloud Shell. Optionally, clone to a VM or your local machine if you prefer.

```bash
git clone https://github.com/gschaeffer/scc_alerts
```

#### Enable services

Enable the services as needed.
```bash
# Security Command Center API
gcloud services enable securitycenter.googleapis.com
# Below is likely already enabled
# cloudfunctions.googleapis.com
```

#### Edit variables

Edit the script variables in the setup.sh file. You must edit the organization ID, project ID, and service account values. The remaining variables are optional.

```bash
ORG="YOUR_GCP_ORGANIZATION_ID"
PROJECT_ID="YOUR_PROJECT_ID"
SA_ACCOUNT="YOUR_SERVICE_ACCOUNT"
```

#### Run setup

First, we install the SCC Notifications to PubSub as described by Google [1 above]. Use the setup.sh command, which automates this process. Be sure that your gcloud config is set to your project ID.

```bash
gcloud config set core/project YOUR_PROJECT_ID
# optionally, confirm the project is set correctly
# gcloud config list
./setup.sh apply
# if prompted with 'API [securitycenter.googleapis.com] not enabled
# on project. Would you like to enable and retry?', select 'y'.
```

This creates only the resources described in the SCC Notifications doc [1]. At this point you should begin seeing notifications sent to the PubSub topic as Findings are identified in SCC.

#### Add a Cloud Function

Second, to make Findings events available in Cloud Monitoring, install the provided Cloud Function. This will begin sending Findings from PubSub to Cloud Logging & Cloud Monitoring. The install script is in the functions directory.

```bash
cd functions/
./deploy_logger_func.sh
```

This installs a very simple Python function that is triggered by Findings being added to the PubSub Topic. After installing you should begin seeing log entries in Cloud Logging. These entries are logged into a log named *scc_notifications_log* for easy search. With the Findings in Cloud Logging, all the normal Google Cloud tools & services are available to set up Metrics and Alerts: https://cloud.google.com/monitoring/alerts.
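The function deployed by `deploy_logger_func.sh` is not reproduced on this page, so the following is an added example (not the project's own `functions/logger/main.py`) of what a Pub/Sub-triggered handler for SCC notifications has to do: decode the base64 message body, pull out the `finding` object, map SCC severity onto a Cloud Logging severity, and emit one structured entry per finding. It assumes the standard SCC notification message shape and the background-function `(event, context)` signature; the sample event is constructed with placeholder ids.

```python
import base64
import json

# Name of the log the project's function writes to (taken from the README).
LOG_NAME = "scc_notifications_log"

# SCC finding severity -> Cloud Logging severity, so log-based metrics and
# alerting policies can filter on the standard `severity` field directly.
SEVERITY_MAP = {"CRITICAL": "CRITICAL", "HIGH": "ERROR",
                "MEDIUM": "WARNING", "LOW": "NOTICE"}


def parse_finding(event):
    """Decode a Pub/Sub event whose base64 `data` is the JSON SCC publishes:
    {"notificationConfigName": ..., "finding": {...}}. Returns the fields
    worth turning into metrics and alerts, with severity already mapped."""
    payload = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    finding = payload.get("finding", payload)  # tolerate a bare finding object
    return {
        "name": finding.get("name", ""),
        "category": finding.get("category", "UNKNOWN"),
        "state": finding.get("state", "UNKNOWN"),
        "resource": finding.get("resourceName", ""),
        "scc_severity": finding.get("severity", "UNSPECIFIED"),
        "severity": SEVERITY_MAP.get(finding.get("severity", ""), "DEFAULT"),
        "event_time": finding.get("eventTime", ""),
    }


def handle_notification(event, context=None):
    """Cloud Function entry point for the Pub/Sub trigger. Emits one JSON line on
    stdout; Cloud Logging ingests it as a structured entry using `severity` and
    `message`. Returns the entry so callers (and tests) can inspect it."""
    entry = parse_finding(event)
    entry["message"] = f"SCC finding {entry['category']} ({entry['state']}) on {entry['resource']}"
    entry["log_name"] = LOG_NAME  # label for filtering; not the Cloud Logging logName
    print(json.dumps(entry))
    return entry


# Constructed sample event in the shape SCC publishes (placeholder ids, not real).
SAMPLE_FINDING = {
    "name": "organizations/EXAMPLE_ORG/sources/EXAMPLE_SRC/findings/EXAMPLE_ID",
    "category": "OPEN_FIREWALL", "state": "ACTIVE", "severity": "HIGH",
    "resourceName": "//compute.googleapis.com/projects/example-prj/global/firewalls/allow-all",
    "eventTime": "2021-04-08T16:54:31Z",
}
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps(
    {"notificationConfigName": "organizations/EXAMPLE_ORG/notificationConfigs/scc-notif",
     "finding": SAMPLE_FINDING}).encode()).decode()}
```

A log-based metric on `jsonPayload.severity` or `jsonPayload.category` is then enough to drive a Cloud Monitoring alerting policy.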
If you'd like to work with this data in BigQuery, Cloud Storage, or even another PubSub Topic, you can use Logging Exports (https://cloud.google.com/logging/docs/export) to push the data to your preferred destination.

##### Slack Message Integration

Optionally, a Slack Message integration is available at https://github.com/gschaeffer/scc-slack-messages.

#### Cleanup

To remove the installed resources, use the same setup command with the `delete` argument and `gcloud` to remove the Cloud Function. Change the function name and region variables as needed.

```bash
./setup.sh delete
FUNCTION="scc_notification_handler"
REGION="us-central1"
gcloud functions delete $FUNCTION --region $REGION
```
