forked from GoogleCloudPlatform/pubsub2inbox
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathscc-cloud-ids.yaml
63 lines (58 loc) · 2.95 KB
/
scc-cloud-ids.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Creates findings from Cloud IDS in Cloud Security Command Center. You'll have to use the API
# to create a source first (its identifier looks like organizations/123/sources/456),
# see here for an example: https://cloud.google.com/security-command-center/docs/how-to-api-create-manage-security-sources#creating_a_source
#
# You'll also need the scc_writer permission (if deploying via Terraform). This includes the
# compute.networkViewer role, which is required to turn the network names into IDs for SCC.
#
# Create a Pub/Sub topic and use a log sink with a filter like:
# logName:"ids.googleapis.com%2Fthreat"
#
retryPeriod: 3 day ago
processors:
- genericjson
outputs:
- type: scc
source: organizations/382949788687/sources/5355536199717451283
finding_id: "{{ data.insertId|hash_string('md5') }}"
finding: #
resourceName: |
//compute.googleapis.com/{{ (data.jsonPayload.network|get_gcp_resource("compute", "compute")).selfLinkWithId|replace("https://www.googleapis.com/compute/v1/", "") }}
state: "ACTIVE"
description: |
{{ data.jsonPayload.name }}
{{ data.jsonPayload.details }}
category: "{{ data.jsonPayload.category|replace('-', '_')|upper }}"
externalUri: "https://console.cloud.google.com/logs/query;cursorTimestamp={{ data.timestamp }};query=timestamp%3D%22{{ data.timestamp }}%22%0AinsertId%3D%22{{ data.insertId }}%22"
indicator:
ipAddresses:
- "{{ data.jsonPayload.source_ip_address }}"
- "{{ data.jsonPayload.destination_ip_address }}"
sourceProperties:
application: "{{ data.jsonPayload.application }}"
direction: "{{ data.jsonPayload.direction }}"
ipProtocol: "{{ data.jsonPayload.ip_protocol }}"
destinationIpAddress: "{{ data.jsonPayload.destination_ip_address }}"
destinationPort: "{{ data.jsonPayload.destination_port }}"
sourceIpAddress: "{{ data.jsonPayload.source_ip_address }}"
sourcePort: "{{ data.jsonPayload.source_port }}"
vulnerability: |
{% if data.jsonPayload.cves is iterable %}{% set cve = {"id":data.jsonPayload.cves[0]} %}{{ {"cve":cve}|json_encode }}{% endif %}
eventTime: "{{ data.jsonPayload.alert_time }}"
createTime: "{{ ''|utc_strftime('%Y-%m-%dT%H:%M:%SZ') }}"
severity: "{{ data.jsonPayload.alert_severity }}"
findingClass: "{{ data.jsonPayload.type|upper }}"