Setting up security alerts for Google Security Command Center

Security alerts notify users about potential threats in a project, based on the findings reported by Google Security Command Center.

What is Google Security Command Center?

Security Command Center is the canonical security and data risk database for Google Cloud Platform. It helps you understand your security and data attack surface by providing asset inventory, discovery, search, and management.

Why do we need security alerts?

  • To reduce human intervention
  • To ensure that the application is not prone to zero day security attacks
  • To be updated with known security threats

How do security alerts work?

  • The application listens for notifications sent from Security Command Center for the configured GCP projects.
  • Each notification received is stored in BigQuery.
  • The notification contains the severity and category of the finding.
  • An email containing the details, with the notification attached, is sent to the configured recipients.

Setting up Security Command Center to receive notifications

Run the following command in the Google Cloud Shell.

Your organisation ID is unique; you can find it by running the following command in Google Cloud Shell:

gcloud organizations list

The filter restricts notifications to a specific project, selected by the project number you provide.

Navigate to Settings and utilities (top right corner) >> Project Settings; the project number is shown on that page.

Create a new Pub/Sub topic and use its name in the command. Notifications will then be published to the Pub/Sub topic you specified.

The variables needed to run the command are now ready.

Make sure you have organisation-level permission, otherwise the above command will not succeed.

Steps to set up the security alert

Extract payload

Handle the request from Security Command Center and extract the payload (the alert) from the base64-encoded Pub/Sub message body.

import base64, json  # both are needed for the decode below
alert = json.loads(base64.b64decode(event['data']).decode('utf-8'))

Store in BigQuery (optional)

The extracted payload (alert) is stored in a BigQuery table for future reference. This step is optional.

from google.cloud import bigquery

client = bigquery.Client()
table_reference = client.get_table(f"{dataset_id}.{table_id}")
# insert_rows expects a list of row dicts, not a JSON string; errors is an empty list on success
errors = client.insert_rows(table_reference, [alert])

Validate and send the alert

The alert has to be validated before a notification is sent.

After storing the alert in the BigQuery table, check whether its severity is high. You can choose the severity level depending on your needs.

The alert is also checked against specific categories. In my case, I have 5 custom categories against which the alert is validated. If the alert doesn't belong to those categories, no notification is sent.

Once both validations pass, the notification is sent.

SendGrid is a cloud-based SMTP provider that lets you send email without maintaining your own mail servers. You can get the sendgrid_api_key from your SendGrid account.
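The extract and validate steps above, as an added example that is not the post's own code. It assumes the Security Command Center notification message layout (a top-level "finding" object carrying "severity" and "category"); the alert categories and the sample finding are constructed, and the SendGrid call itself is left out so the block runs offline.

```python
import base64
import json

# Severity levels as Security Command Center reports them, ranked for comparison.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Categories worth paging on (constructed sample; the post uses five of its own).
ALERT_CATEGORIES = {"OPEN_FIREWALL", "PUBLIC_BUCKET_ACL", "SQL_NO_ROOT_PASSWORD"}


def extract_payload(event):
    """Decode the base64 Pub/Sub message body into the SCC notification dict."""
    return json.loads(base64.b64decode(event["data"]).decode("utf-8"))


def should_notify(notification, min_severity="HIGH", categories=ALERT_CATEGORIES):
    """True only when the finding is at least min_severity AND in an allowed
    category. Missing or unknown severities are rejected, not alerted on."""
    finding = notification.get("finding", {})
    severity = str(finding.get("severity", "")).upper()
    if severity not in SEVERITY_RANK:
        return False
    if SEVERITY_RANK[severity] < SEVERITY_RANK[min_severity]:
        return False
    return finding.get("category") in categories


def email_subject(notification):
    """Subject line for the email step: severity and category up front."""
    finding = notification["finding"]
    return f"[SCC {finding['severity']}] {finding['category']} on {finding.get('resourceName', '?')}"


def make_event(notification):
    """Wrap a notification the way Pub/Sub hands it to the function (base64 in 'data')."""
    raw = json.dumps(notification).encode("utf-8")
    return {"data": base64.b64encode(raw).decode("ascii")}


# Constructed sample message in the SCC notification shape; not a real finding.
SAMPLE_EVENT = make_event({
    "notificationConfigName": "organizations/ORG_ID/notificationConfigs/scc-alerts",
    "finding": {
        "category": "OPEN_FIREWALL",
        "severity": "HIGH",
        "state": "ACTIVE",
        "resourceName": "//compute.googleapis.com/projects/demo/global/firewalls/allow-all",
    },
})
```

Call extract_payload(SAMPLE_EVENT), pass the result to should_notify, and only then build the SendGrid message with email_subject as its subject.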

Thanks for reading this blog :)
