diff --git a/blog-service/2025-07-14-apps.md b/blog-service/2025-07-14-apps.md
new file mode 100644
index 0000000000..285d2581da
--- /dev/null
+++ b/blog-service/2025-07-14-apps.md
@@ -0,0 +1,12 @@
+---
+title: Google Cloud Security Command Center (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+ - apps
+ - cloud-security-command-center
+hide_table_of_contents: true
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Google Cloud Security Command Center app for Sumo Logic. This app enables you to analyze, monitor, and respond effectively to security issues, helping you to improve cloud security, reduce risk, and maintain compliance. [Learn more](/docs/integrations/google/cloud-security-command-center/).
diff --git a/cid-redirects.json b/cid-redirects.json
index 53db74be50..f367fb2ec1 100644
--- a/cid-redirects.json
+++ b/cid-redirects.json
@@ -2901,6 +2901,7 @@
 "/cid/21036": "/docs/integrations/google/cloud-vertex-ai",
 "/cid/21037": "/docs/integrations/google/cloud-vpn",
 "/cid/21039": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source",
+ "/cid/21041": "/docs/integrations/google/cloud-security-command-center",
 "/cid/21097": "/docs/integrations/saas-cloud/confluent-cloud",
 "/cid/21040": "/docs/manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-service-providers",
 "/cid/21038": "/docs/integrations/containers-orchestration/vmware-tanzu-application-service",
diff --git a/docs/integrations/google/cloud-security-command-center.md b/docs/integrations/google/cloud-security-command-center.md
new file mode 100644
index 0000000000..a405e9a5fc
--- /dev/null
+++ b/docs/integrations/google/cloud-security-command-center.md
@@ -0,0 +1,537 @@ +--- +id: cloud-security-command-center +title: Google Cloud Security Command Center +sidebar_label: Google Cloud Security Command Center +description: The Sumo Logic app for Google Cloud Security Command Center helps you to monitor, investigate, and respond effectively to security issues, helping you to improve cloud security, reduce risk, and maintain compliance. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +thumbnail icon + +The Sumo Logic app for Google Cloud Security Command Center (SCC) provides real-time visibility into cloud risks, including misconfigurations, threats, and vulnerabilities in Google Cloud environments. It features pre-configured dashboards that highlight high-priority security findings, such as privileged account issues, API misuse, software vulnerabilities, severity breakdowns, resource and project-level filtering, and detailed summaries to streamline triage and remediation workflows. This enables you to monitor, investigate, and respond effectively to improve cloud security, reduce risk, and maintain compliance. + +:::info +This app includes [built-in monitors](#google-cloud-security-command-center-alerts). For details on creating custom monitors, refer to the [Create monitors for Google Cloud Security Command Center app](#create-monitors-for-google-cloud-security-command-center-app). +::: + +## Log types + +This app uses the [Findings](https://cloud.google.com/security-command-center/docs/finding-classes) generated by [Security Command Center](https://cloud.google.com/security-command-center/docs/security-command-center-overview) (SCC). + +### Sample log message + +
+Misconfigurations + +```json +{ + "message": { + "data": { + "notificationConfigName": "projects/175089404040/locations/global/notificationConfigs/Sumo-export", + "finding": { + "name": "organizations/175089404094/sources/1750894040375988750/locations/global/findings/1750894040375598723", + "canonicalName": "projects/175089404040/sources/1750894040375988750/locations/global/findings/1750894040375598723", + "parent": "organizations/175089404094/sources/1750894040375988750/locations/global", + "resourceName": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west3-a/clusters/k8sng-79-gke1-32-otc-dev-v4-a2a460d400a0", + "state": "ACTIVE", + "category": "GKE_PRIVILEGE_ESCALATION", + "externalUri": "https://provides-homeland.gl.at.ply.gg/kubernetes/security/dashboard?project=prod-backend-infra", + "securityMarks": { + "name": "organizations/175089404094/sources/1750894040375988750/locations/global/findings/1750894040375598723/securityMarks" + }, + "eventTime": "2025-06-25T16:27:20-070003055Z", + "createTime": "2025-06-25T16:27:20.375Z", + "severity": "MEDIUM", + "mute": "UNDEFINED", + "findingClass": "MISCONFIGURATION", + "muteUpdateTime": "2025-06-25T16:27:20Z", + "parentDisplayName": "GKE Security Posture", + "description": "A container can be explicitly configured to allow privilege escalation on execution. This permits a process created within the container by executing a set-user-id, set-group-id, or file capability executable to gain the privileges specified by the executable. The lack of preventive security control increases the risk of container escape.", + "nextSteps": "**Apply the following steps to your affected workloads:**\n1. Open the manifest for each affected workload.\n2. 
Set the following restricted fields to one of the allowed values:\n\n**Restricted Fields**\n- spec.containers[*].securityContext.allowPrivilegeEscalation\n- spec.initContainers[*].securityContext.allowPrivilegeEscalation\n- spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation\n\n**Allowed Values**\n- false\n", + "kubernetes": { + "objects": [ + { + "kind": "StatefulSet", + "ns": "demo-nginx-docker", + "name": "nginx" + } + ] + }, + "muteInfo": { + "staticMute": { + "state": "UNDEFINED", + "applyTime": "2025-06-25T16:27:20Z" + } + } + }, + "resource": { + "name": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west3-a/clusters/k8sng-79-gke1-32-otc-dev-v4-a2a460d400a0", + "displayName": "k8sng-79-gke1-32-otc-dev-v4-a2a460d400a0", + "type": "google.container.Cluster", + "cloudProvider": "GOOGLE_CLOUD_PLATFORM", + "service": "container.googleapis.com", + "location": "europe-west3-a", + "gcpMetadata": { + "project": "//cloudresourcemanager.googleapis.com/projects/175089404040", + "projectDisplayName": "prod-backend-infra", + "parent": "//cloudresourcemanager.googleapis.com/projects/175089404040", + "parentDisplayName": "prod-backend-infra", + "folders": [ + { + "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/175089404055", + "resourceFolderDisplayName": "Product Team" + } + ], + "organization": "organizations/175089404094" + }, + "resourcePath": { + "nodes": [ + { + "nodeType": "GCP_PROJECT", + "id": "projects/175089404040", + "displayName": "prod-backend-infra" + }, + { + "nodeType": "GCP_FOLDER", + "id": "folders/175089404055", + "displayName": "Product Team" + }, + { + "nodeType": "GCP_ORGANIZATION", + "id": "organizations/175089404094" + } + ] + }, + "resourcePathString": "organizations/175089404094/folders/175089404055/projects/175089404040" + } + }, + "messageId": "17508940403752739", + "message_id": "17508940403752739", + "publishTime": "2025-06-25T16:27:20.375Z", + "publish_time": 
"2025-06-25T16:27:20.375Z" + }, + "subscription": "projects/prod-backend-infra/subscriptions/scc" +} +``` +
+ +
+Threat + +```json +{ + "message": { + "data": { + "notificationConfigName": "projects/175089404040/locations/global/notificationConfigs/Sumo-export", + "finding": { + "name": "organizations/175089404094/sources/1750894040330370653/locations/global/findings/bb7f1949a4044d38a5b1dd7e47676113", + "canonicalName": "projects/175089404040/sources/1750894040330370653/locations/global/findings/bb7f1949a4044d38a5b1dd7e47676113", + "parent": "organizations/175089404094/sources/1750894040330370653/locations/global", + "resourceName": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west2-a/clusters/devclust-gke-otc-rel-v4-ac141583d8a4", + "state": "ACTIVE", + "category": "Persistence: New API Method", + "sourceProperties": { + "sourceId": { + "projectNumber": "175089404040", + "customerOrganizationNumber": "175089404094" + }, + "detectionCategory": { + "technique": "persistence", + "indicator": "audit_log", + "ruleName": "anomalous_behavior", + "subRuleName": "new_api_method" + }, + "detectionPriority": "LOW", + "affectedResources": [ + { + "gcpResourceName": "//k8s.io/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/container-watcher-status-reporter" + }, + { + "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/175089404040" + } + ], + "evidence": [ + { + "sourceLogId": { + "projectId": "prod-backend-infra", + "resourceContainer": "projects/prod-backend-infra", + "timestamp": { + "seconds": 1750894040, + "nanos": 5.33346E8 + }, + "insertId": "c4bc72fe-2e35-4c1d-a188-fcc812ab3822", + "logId": "cloudaudit.googleapis.com/activity" + } + } + ], + "properties": { + "newApiMethod": { + "newApiMethod": { + "serviceName": "k8s.io", + "methodName": "io.k8s.authorization.rbac.v1.roles.delete" + }, + "principalEmail": "service-project-175089404040@gcp-sa-ktd-hpsa.iam.gserviceaccount.com", + "callerIp": "147.45.44.104", + "callerUserAgent": "Google-KTD-Control", + "resourceContainer": "projects/175089404040" + } + }, + "findingId": 
"bb7f1949a4044d38a5b1dd7e47676113", + "contextUris": { + "mitreUri": { + "displayName": "MITRE Link", + "url": "https://rofl13.no-ip.biz/tactics/TA0003/" + }, + "cloudLoggingQueryUri": [ + { + "displayName": "Cloud Logging Query Link", + "url": "https://rofl13.no-ip.biz/logs/query;query=timestamp%3D%222025-06-25T16:27:20-070046Z%22%0AinsertId%3D%22c4bc72fe-2e35-4c1d-a188-fcc812ab3822%22?project=prod-backend-infra" + } + ], + "relatedFindingUri": { + + } + } + }, + "securityMarks": { + "name": "organizations/175089404094/sources/1750894040330370653/locations/global/findings/bb7f1949a4044d38a5b1dd7e47676113/securityMarks" + }, + "eventTime": "2025-06-25T16:27:20-070057Z", + "createTime": "2025-06-25T16:27:20.329Z", + "severity": "CRITICAL", + "mute": "UNDEFINED", + "findingClass": "THREAT", + "muteUpdateTime": "2025-06-25T16:27:20Z", + "mitreAttack": { + "primaryTactic": "PERSISTENCE" + }, + "access": { + "principalEmail": "service-project-175089404040@gcp-sa-ktd-hpsa.iam.gserviceaccount.com", + "callerIp": "147.45.44.104", + "callerIpGeo": { + + }, + "userAgent": "Google-KTD-Control", + "serviceName": "k8s.io", + "methodName": "io.k8s.authorization.rbac.v1.roles.delete" + }, + "parentDisplayName": "Event Threat Detection", + "logEntries": [ + { + "cloudLoggingEntry": { + "insertId": "c4bc72fe-2e35-4c1d-a188-fcc812ab3822", + "logId": "cloudaudit.googleapis.com/activity", + "resourceContainer": "projects/prod-backend-infra", + "timestamp": "2025-06-25T16:27:20-070046Z" + } + } + ], + "muteInfo": { + "staticMute": { + "state": "UNDEFINED", + "applyTime": "2025-06-25T16:27:20Z" + } + } + }, + "resource": { + "name": "//container.googleapis.com/projects/prod-backend-infra/locations/europe-west2-a/clusters/devclust-gke-otc-rel-v4-ac141583d8a4", + "displayName": "devclust-gke-otc-rel-v4-ac141583d8a4", + "type": "google.container.Cluster", + "cloudProvider": "GOOGLE_CLOUD_PLATFORM", + "service": "container.googleapis.com", + "location": "europe-west2-a", + "gcpMetadata": { 
+ "project": "//cloudresourcemanager.googleapis.com/projects/175089404040", + "projectDisplayName": "prod-backend-infra", + "parent": "//cloudresourcemanager.googleapis.com/projects/175089404040", + "parentDisplayName": "prod-backend-infra", + "folders": [ + { + "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/175089404055", + "resourceFolderDisplayName": "Product Team" + } + ], + "organization": "organizations/175089404094" + }, + "resourcePath": { + "nodes": [ + { + "nodeType": "GCP_PROJECT", + "id": "projects/175089404040", + "displayName": "prod-backend-infra" + }, + { + "nodeType": "GCP_FOLDER", + "id": "folders/175089404055", + "displayName": "Product Team" + }, + { + "nodeType": "GCP_ORGANIZATION", + "id": "organizations/175089404094" + } + ] + }, + "resourcePathString": "organizations/175089404094/folders/175089404055/projects/175089404040" + } + }, + "messageId": "17508940403301574", + "message_id": "17508940403301574", + "publishTime": "2025-06-25T16:27:20.329Z", + "publish_time": "2025-06-25T16:27:20.329Z" + }, + "subscription": "projects/prod-backend-infra/subscriptions/scc" +} +``` +
+ +
+Vulnerability + +```json +{ + "message": { + "data": { + "notificationConfigName": "projects/175089404040/locations/global/notificationConfigs/Sumo-export", + "finding": { + "name": "organizations/175089404094/sources/1750894040384815997/locations/global/findings/20ffcd76a0dd9628d7fe8d27c1b55c19", + "canonicalName": "projects/175089404040/sources/1750894040384815997/locations/global/findings/20ffcd76a0dd9628d7fe8d27c1b55c19", + "parent": "organizations/175089404094/sources/1750894040384815997/locations/global", + "resourceName": "//compute.googleapis.com/projects/prod-backend-infra/zones/us-central1-a/instances/dgarbacz-linux", + "state": "ACTIVE", + "category": "SOFTWARE_VULNERABILITY", + "securityMarks": { + "name": "organizations/175089404094/sources/1750894040384815997/locations/global/findings/20ffcd76a0dd9628d7fe8d27c1b55c19/securityMarks" + }, + "eventTime": "2025-06-25T16:27:20-070077141Z", + "createTime": "2025-06-25T16:27:20.384Z", + "severity": "HIGH", + "mute": "UNDEFINED", + "findingClass": "VULNERABILITY", + "vulnerability": { + "cve": { + "id": "CVE-2023-33953", + "references": [ + { + "source": "More Info", + "uri": "https://world-training.gl.at.ply.gg/tracker/CVE-2023-33953" + }, + { + "source": "More Info", + "uri": "https://world-training.gl.at.ply.gg/vuln/detail/CVE-2023-33953" + }, + { + "source": "More Info", + "uri": "https://world-training.gl.at.ply.gg/security/cve/CVE-2023-33953" + } + ], + "cvssv3": { + "baseScore": 7.5, + "attackVector": "ATTACK_VECTOR_NETWORK", + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "userInteraction": "USER_INTERACTION_NONE", + "scope": "SCOPE_UNCHANGED", + "confidentialityImpact": "IMPACT_NONE", + "integrityImpact": "IMPACT_NONE", + "availabilityImpact": "IMPACT_HIGH" + }, + "upstreamFixAvailable": true, + "impact": "MEDIUM", + "exploitationActivity": "NO_KNOWN", + "exploitReleaseDate": "2025-06-25T16:27:20Z", + "firstExploitationDate": 
"2025-06-25T16:27:20Z" + }, + "offendingPackage": { + "packageName": "grpcio", + "cpeUri": "cpe:/a:ghsa:pip", + "packageType": "PYPI", + "packageVersion": "1.54.0" + }, + "fixedPackage": { + "packageName": "grpcio", + "cpeUri": "cpe:/a:ghsa:pip", + "packageType": "PYPI", + "packageVersion": "1.54.3" + }, + "securityBulletin": { + "submissionTime": "2025-06-25T16:27:20Z" + } + }, + "muteUpdateTime": "2025-06-25T16:27:20Z", + "parentDisplayName": "Vulnerability Assessment", + "description": "gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:\n\n- Unbounded memory buffering in the HPACK parser\n- Unbounded CPU consumption in the HPACK parser\n\nThe unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.\n\nThe unbounded memory buffering bugs:\n\n- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4-gigabyte string before rejecting it as longer than 8 or 16kb.\n- HPACK varints have an encoding quirk whereby an infinite number of 0\u2019s can be added at the start of an integer. 
gRPC\u2019s hpack parser needed to read all of them before concluding a parse.\n- gRPC\u2019s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc\u2026", + "files": [ + { + "diskPath": { + "partitionUuid": "72d18f0c-ddaf-4b73-b512-56102153f78f", + "relativePath": "usr/lib/google-cloud-sdk/platform/bundledpythonunix/lib/python3.9/site-packages/grpcio-1.54.0.dist-info/METADATA" + } + } + ], + "muteInfo": { + "staticMute": { + "state": "UNDEFINED", + "applyTime": "2025-06-25T16:27:20Z" + } + } + }, + "resource": { + "name": "//compute.googleapis.com/projects/prod-backend-infra/zones/us-central1-a/instances/dgarbacz-linux", + "displayName": "dgarbacz-linux", + "type": "google.compute.Instance", + "cloudProvider": "GOOGLE_CLOUD_PLATFORM", + "service": "compute.googleapis.com", + "location": "us-central1-a", + "gcpMetadata": { + "project": "//cloudresourcemanager.googleapis.com/projects/175089404040", + "projectDisplayName": "prod-backend-infra", + "parent": "//cloudresourcemanager.googleapis.com/projects/175089404040", + "parentDisplayName": "prod-backend-infra", + "folders": [ + { + "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/175089404055", + "resourceFolderDisplayName": "Product Team" + } + ], + "organization": "organizations/175089404094" + }, + "resourcePath": { + "nodes": [ + { + "nodeType": "GCP_PROJECT", + "id": "projects/175089404040", + "displayName": "prod-backend-infra" + }, + { + "nodeType": "GCP_FOLDER", + "id": "folders/175089404055", + "displayName": "Product Team" + }, + { + "nodeType": "GCP_ORGANIZATION", + "id": "organizations/175089404094" + } + ] + }, + "resourcePathString": "organizations/175089404094/folders/175089404055/projects/175089404040" + } + }, + "messageId": "17508940403846729", + "message_id": "17508940403846729", + "publishTime": "2025-06-25T16:27:20.384Z", + 
"publish_time": "2025-06-25T16:27:20.384Z" + }, + "subscription": "projects/prod-backend-infra/subscriptions/scc" +} +``` +
+ +### Sample log queries + +```sql title="Misconfiguration" +_sourceCategory=Labs/googleCloudSCC MISCONFIGURATION +| json field=_raw "message.data.finding.name", "message.data.resource", "message.data.finding.resourceName", "message.data.finding.parentDisplayName", "message.data.finding.sourceProperties.Explanation", "message.data.finding.sourceProperties.ExceptionInstructions", "message.data.finding.sourceProperties.Recommendation", "message.data.resource.displayName", "message.data.resource.type", "message.data.finding.description", "message.data.finding.findingClass", "message.data.finding.mute", "message.data.finding.severity", "message.data.finding.state", "message.data.finding.category" as findingName, resource,resourceName, ParentDisplayName, explanation, ExceptionInstructions, Recommendation, displayName, type, description, findingClass, mute, severity, state, category nodrop +| parse regex field = findingName "organizations\/(?\d+)\/sources\/\d+\/locations\/global\/findings\/(?[a-f0-9]+)" +| dedup 1 by finding_id +| json field=resource "service", "displayName", "location", "type", "gcpMetadata.projectDisplayName", "gcpMetadata.folders[0].resourceFolderDisplayName" as service, resource_name, location, type, project_name, folder_name +| where findingClass = "MISCONFIGURATION" +| count by finding_id,description, category, severity,findingClass, resource_name, location, folder_name, project_name, state +``` + +```sql title="Threat" +sourceCategory=Labs/googleCloudSCC THREAT +| json field=_raw "message.data.finding.name", "message.data.resource", "message.data.finding.resourceName", "message.data.finding.parentDisplayName", "message.data.finding.sourceProperties.Explanation", "message.data.finding.sourceProperties.ExceptionInstructions", "message.data.finding.sourceProperties.Recommendation", "message.data.resource.displayName", "message.data.resource.type", "message.data.finding.description", "message.data.finding.findingClass", "message.data.finding.mute", 
"message.data.finding.severity", "message.data.finding.state", "message.data.finding.category" as findingName, resource,resourceName, ParentDisplayName, explanation, ExceptionInstructions, Recommendation, displayName, type, description, findingClass, mute, severity, state, category nodrop +| parse regex field = findingName "organizations\/(?\d+)\/sources\/\d+\/locations\/global\/findings\/(?[a-f0-9]+)" +| dedup 1 by finding_id +| json field=resource "service", "displayName", "location", "type", "gcpMetadata.projectDisplayName", "gcpMetadata.folders[0].resourceFolderDisplayName" as service, resource_name, location, type, project_name, folder_name +| where findingClass = "THREAT" +| count by finding_id, category, severity,findingClass, resource_name, location, folder_name, project_name, state +``` + +```sql title="Vulnerability" +_sourceCategory=Labs/googleCloudSCC VULNERABILITY +| json field=_raw "message.data.finding.name", "message.data.resource", "message.data.finding.resourceName", "message.data.finding.parentDisplayName", "message.data.finding.sourceProperties.Explanation", "message.data.finding.sourceProperties.ExceptionInstructions", "message.data.finding.sourceProperties.Recommendation", "message.data.resource.displayName", "message.data.resource.type", "message.data.finding.description", "message.data.finding.findingClass", "message.data.finding.mute", "message.data.finding.severity", "message.data.finding.state", "message.data.finding.category" as findingName, resource,resourceName, ParentDisplayName, explanation, ExceptionInstructions, Recommendation, displayName, type, description, findingClass, mute, severity, state, category nodrop +| parse regex field = findingName "organizations\/(?\d+)\/sources\/\d+\/locations\/global\/findings\/(?[a-f0-9]+)" +| dedup 1 by finding_id +| json field=resource "service", "displayName", "location", "type", "gcpMetadata.projectDisplayName", "gcpMetadata.folders[0].resourceFolderDisplayName" as service, resource_name, 
location, type, project_name, folder_name +| where findingClass = "VULNERABILITY" +| count by finding_id,description, category, severity,findingClass, resource_name, location, folder_name, project_name, state +``` + +## Configure the data collection from Google Cloud Security Command Center + +This section describes the Sumo Logic pipeline for collecting the data from Google Cloud Security Command Center (SCC). + +### Integrating the Google Cloud Security Command Center app + +Follow the steps below to integrate the Google Cloud Security Command Center (SCC) app: + +1. Enable the [Security Command Center (SCC)](https://cloud.google.com/security-command-center/docs/activate-scc-overview) at the GCP console. +1. In Sumo Logic, [configure the Google Cloud Platform source](https://help.sumologic.com/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/#configure-agoogle-cloud-platform-source). +1. In the GCP console, configure a Pub/Sub Topic for [GCP](https://help.sumologic.com/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/#configure-a-pubsub-topicfor-gcp). This topic will be used to send SCC findings from GCP to Sumo Logic. +1. In the SCC blade of the GCP console, click **Continuous Exports**.
Google Cloud Storage dashboards +1. In the GCP console, export the findings from SCC to the [Pub/Sub Topic](https://cloud.google.com/security-command-center/docs/how-to-export-data?_gl=1*1dt4zsw*_ga*ODU1MTc4OTQ1LjE3Mzg3ODM5NzI.*_ga_WH2QY8WWF5*czE3NDY2Mzc3MzQkbzMkZzEkdDE3NDY2MzgxNDUkajYwJGwwJGgw#configure-pubsub-exports) created above. + +### Testing the integration + +1. Refer to this [link](https://cloud.google.com/security-command-center/docs/how-to-export-data?_gl=1*1nrezew*_ga*ODU1MTc4OTQ1LjE3Mzg3ODM5NzI.*_ga_WH2QY8WWF5*czE3NDY3MjYwNjEkbzUkZzEkdDE3NDY3MjY2OTQkajMzJGwwJGgw#test_continuous_exports) to test the continuous exports created above.
Google Cloud Storage dashboards +1. *Live Tail* at Sumo Logic to see the findings from SCC. + +## Installing the Google Cloud Security Command Center app + +Now that you have set up the collection for Google Cloud Security Command Center (SCC), install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. + +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; + + + +## Viewing Google Cloud Security Command Center dashboards + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Misconfigurations + +The **Google Cloud - Security Command Center - Misconfigurations** dashboard provides you with a comprehensive view of misconfigurations across Google Cloud. It shows the total number of misconfigurations by severity, category, project, and resource type, helping identify high-risk issues like over-privileged accounts or insecure Kubernetes settings. You can quickly identify high-risk issues like over-privileged accounts or insecure Kubernetes settings and pinpoint the most affected resources. The dashboard supports rapid investigation and proactive remediation, enhancing overall cloud security posture. + +*Google Cloud - Security Command Center - Misconfigurations dashboard + +### Threats + +The **Google Cloud - Security Command Center - Threats** dashboard provides you with real-time visibility into threats in the Google Cloud environments. It displays threat counts by severity and type, identifies affected projects and resources, and offers detailed findings for incident investigation. The dashboard aids in prioritizing responses, detecting suspicious activity early, and improving overall cloud threat detection and response. 
+ +Google Cloud - Security Command Center - Threats dashboard + +### Vulnerabilities + +The **Google Cloud - Security Command Center - Vulnerabilities** dashboard provides you with insights into known vulnerabilities across cloud resources for effective risk assessment and remediation. The dashboard displays the total count of vulnerabilities detected, categorized by severity and type (for example, GKE Security Bulletin, Software, OS), helping prioritize critical and high-severity issues. Analysts can drill into project-specific data and detailed findings like CVEs or SQL injection risks, making this dashboard key to reducing exposure and maintaining a secure cloud environment. + +Google Cloud - Security Command Center - Vulnerabilities dashboard + +## Create monitors for Google Cloud Security Command Center app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Google Cloud Security Command Center alerts + +| Name | Description | Alert Condition | Trigger Type | +|:--|:--|:--|:--| +| `Critical Misconfigurations` | This alert is triggered when critical misconfiguration findings, such as insecure default settings or overly permissive roles, are detected, indicating security vulnerabilities or compliance violations. It helps security analysts quickly identify and address high-risk configuration issues. | Count > 0 | Critical | +| `Critical Threats` | This alert is triggered when critical threat detections are logged in the environment, indicating potential active attacks or malicious behavior. It serves as an early warning system for high-severity incidents requiring immediate investigation and response. | Count > 0 | Critical | +| `Critical Vulnerabilities` | This alert is triggered when critical vulnerabilities, such as unpatched software or exposed components, are detected that pose a significant risk to cloud infrastructure. It allows analysts to prioritize remediation efforts on the most impactful security weaknesses. 
| Count > 0 | Critical | + +## Upgrade/Downgrade the Google Cloud Security Command Center app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Google Cloud Security Command Center app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/google/index.md b/docs/integrations/google/index.md index 3153f8ae5e..7b9f65fc45 100644 --- a/docs/integrations/google/index.md +++ b/docs/integrations/google/index.md @@ -208,6 +208,12 @@ This guide has documentation for all of the apps that Sumo Logic provides for Go
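Review bot: The Threat sample query under `### Sample log queries` starts with `sourceCategory=Labs/googleCloudSCC THREAT`, whereas the Misconfiguration and Vulnerability queries start with `_sourceCategory=...`; without the leading underscore the term is a free-text keyword match rather than a source-category scope, so the line should read `_sourceCategory=Labs/googleCloudSCC THREAT`. In all three queries the `parse regex` line renders here as `(?\d+)` and `(?[a-f0-9]+)`, which looks like the `<name>` part of each named capture group was stripped; if the committed file really lacks them, the following `dedup 1 by finding_id` references a field that is never extracted, so please confirm the source carries `(?<finding_id>[a-f0-9]+)` for the second group and a name for the first. Separately, the sample messages' link fields (`externalUri`, `contextUris.mitreUri.url`, `cloudLoggingQueryUri[].url` and the CVE `references[].uri`) appear to point at dynamic-DNS and tunnel hostnames rather than the console, MITRE or advisory domains such fields normally reference, and `eventTime` values like `2025-06-25T16:27:20-070003055Z` are not valid RFC 3339 timestamps; readers who copy the samples get dead or untrusted links, so consider substituting `example.com`-style placeholder hosts and well-formed timestamps.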

A guide to the Sumo Logic app for Google Cloud Run.

+
+
+ Thumbnail icon

Google Cloud Security Command Center

+

A guide to the Sumo Logic app for Google Cloud Security Command Center.

+
+
Thumbnail icon

Google Cloud Spanner

diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index e88c97f79f..3951cac71d 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -252,7 +252,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [GitHub](https://github.com/) | App: [GitHub](/docs/integrations/app-development/github/)
Automation integration: [GitHub](/docs/platform-services/automation-service/app-central/integrations/github/)
Cloud SIEM integration: [Github](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/193c791a-bb10-4742-a429-1256535f888b.md#vendors-github)
Community app: [Sumo Logic for GitHub Actions](https://github.com/SumoLogic/sumologic-content/tree/master/GitHub/GitHub_Actions) | | Thumbnail icon | [GitLab](https://about.gitlab.com/) | App: [GitLab](/docs/integrations/app-development/gitlab/)
Automation integration: [GitLab](/docs/platform-services/automation-service/app-central/integrations/gitlab/) | | Thumbnail icon | [Gmail](https://www.google.com/gmail/about/) | App: [Gmail Trace Logs](/docs/integrations/saas-cloud/gmail-tracelogs)
Automation integrations:
- [Gmail](/docs/platform-services/automation-service/app-central/integrations/gmail/)
- [Gmail Multiple Mailbox](/docs/platform-services/automation-service/app-central/integrations/gmail-multiple-mailbox/)
Collector: [Gmail Trace Logs Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/gmail-tracelogs-source) | -| Thumbnail icon | [Google](https://about.google/) | Apps:
- [Google App Engine](/docs/integrations/google/app-engine/)
- [Google BigQuery](/docs/integrations/google/bigquery/)
- [Google Cloud AlloyDB for PostgreSQL](/docs/integrations/google/cloud-alloydb-for-postgresql/)
- [Google Cloud API Gateway](/docs/integrations/google/cloud-api-gateway/)
- [Google Cloud APIs](/docs/integrations/google/cloud-apis/)
- [Google Cloud Armor](/docs/integrations/google/cloud-armor/)
- [Google Cloud Audit](/docs/integrations/google/cloud-audit)
- [Google Cloud Auto Scaler](/docs/integrations/google/cloud-auto-scaler)
- [Google Cloud Backup for GKE](/docs/integrations/google/cloud-backup-for-gke/)
- [Google Cloud BigQuery BI Engine](/docs/integrations/google/cloud-bigquery-bi-engine/)
- [Google Cloud Bigtable](/docs/integrations/google/cloud-bigtable/)
- [Google Cloud Certificate Authority Service](/docs/integrations/google/cloud-certificate-authority-service/)
- [Google Cloud Certificate Manager](/docs/integrations/google/cloud-certificate-manager/)
- [Google Cloud Composer](/docs/integrations/google/cloud-composer/)
- [Google Compute Engine](/docs/integrations/google/compute-engine/)
- [Google Cloud Dataflow](/docs/integrations/google/cloud-dataflow/)
- [Google Cloud Dataproc](/docs/integrations/google/cloud-dataproc/)
- [Google Cloud Dataproc Metastore](/docs/integrations/google/cloud-dataproc-metastore/)
- [Google Cloud Datastore](/docs/integrations/google/cloud-datastore/)
- [Google Cloud Datastream](/docs/integrations/google/cloud-datastream/)
- [Google Cloud Deploy](/docs/integrations/google/cloud-deploy/)
- [Google Cloud Filestore](/docs/integrations/google/cloud-filestore/)
- [Google Cloud Firebase](/docs/integrations/google/cloud-firebase/)
- [Google Cloud Firestore](/docs/integrations/google/cloud-firestore/)
- [Google Cloud Firewall](/docs/integrations/google/cloud-firewall/)
- [Google Cloud Fleet Engine](/docs/integrations/google/cloud-fleet-engine/)
- [Google Cloud Functions](/docs/integrations/google/cloud-functions/)
- [Google Cloud Interconnect](/docs/integrations/google/cloud-interconnect/)
- [Google Cloud Load Balancing](/docs/integrations/google/cloud-load-balancing/)
- [Google Cloud Logging](/docs/integrations/google/cloud-logging/)
- [Google Cloud Memorystore for Redis](/docs/integrations/google/cloud-memorystore-for-redis/)
- [Google Cloud Net App Cloud Volumes Service](/docs/integrations/google/cloud-net-app-cloud-volumes-service/)
- [Google Cloud Network Topology](/docs/integrations/google/cloud-network-topology/)
- [Google Cloud Pub Sub](/docs/integrations/google/cloud-pub-sub/)
- [Google Cloud Router](/docs/integrations/google/cloud-router/)
- [Google Cloud Run](/docs/integrations/google/cloud-run/)
- [Google Cloud Spanner](/docs/integrations/google/cloud-spanner/)
- [Google Cloud SQL](/docs/integrations/google/cloud-sql/)
- [Google Cloud Storage](/docs/integrations/google/cloud-storage/)
- [Google Cloud Tasks](/docs/integrations/google/cloud-tasks/)
- [Google Cloud TPU](/docs/integrations/google/cloud-tpu/)
- [Google Cloud Trace](/docs/integrations/google/cloud-trace/)
- [Google Cloud Traffic Director](/docs/integrations/google/cloud-traffic-director/)
- [Google Cloud Vertex AI](/docs/integrations/google/cloud-vertex-ai/)
- [Google Cloud VPC](/docs/integrations/google/cloud-vpc/)
- [Google Cloud VPN](/docs/integrations/google/cloud-vpn/)
- [Google Kubernetes Engine (GKE)](/docs/integrations/google/kubernetes-engine/)
Automation integrations:
- [Chronicle](/docs/platform-services/automation-service/app-central/integrations/chronicle/)
- [Google Chat](/docs/platform-services/automation-service/app-central/integrations/google-chat/)
- [Google Safe Browsing](/docs/platform-services/automation-service/app-central/integrations/google-safe-browsing/)
- [Mandiant Advantage Threat intelligence](/docs/platform-services/automation-service/app-central/integrations/mandiant-advantage-threat-intelligence/)
Cloud SIEM integration: [Google](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/45601247-66a5-4c9c-b3af-c422f5b4cbeb.md)
Collectors:
- [Google BigQuery Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-bigquery-source/)
- [GCP Metrics Source](/docs/send-data/hosted-collectors/google-source/gcp-metrics-source/)
- [Google Cloud Platform (GCP) Source](/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/)
- [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source/)
Community app: [Sumo Logic for GCP Balancer Metrics](https://github.com/SumoLogic/sumologic-content/tree/master/GCP/Load_Balancer_Metrics) |
+| Thumbnail icon | [Google](https://about.google/) | Apps:
- [Google App Engine](/docs/integrations/google/app-engine/)
- [Google BigQuery](/docs/integrations/google/bigquery/)
- [Google Cloud AlloyDB for PostgreSQL](/docs/integrations/google/cloud-alloydb-for-postgresql/)
- [Google Cloud API Gateway](/docs/integrations/google/cloud-api-gateway/)
- [Google Cloud APIs](/docs/integrations/google/cloud-apis/)
- [Google Cloud Armor](/docs/integrations/google/cloud-armor/)
- [Google Cloud Audit](/docs/integrations/google/cloud-audit)
- [Google Cloud Auto Scaler](/docs/integrations/google/cloud-auto-scaler)
- [Google Cloud Backup for GKE](/docs/integrations/google/cloud-backup-for-gke/)
- [Google Cloud BigQuery BI Engine](/docs/integrations/google/cloud-bigquery-bi-engine/)
- [Google Cloud Bigtable](/docs/integrations/google/cloud-bigtable/)
- [Google Cloud Certificate Authority Service](/docs/integrations/google/cloud-certificate-authority-service/)
- [Google Cloud Certificate Manager](/docs/integrations/google/cloud-certificate-manager/)
- [Google Cloud Composer](/docs/integrations/google/cloud-composer/)
- [Google Compute Engine](/docs/integrations/google/compute-engine/)
- [Google Cloud Dataflow](/docs/integrations/google/cloud-dataflow/)
- [Google Cloud Dataproc](/docs/integrations/google/cloud-dataproc/)
- [Google Cloud Dataproc Metastore](/docs/integrations/google/cloud-dataproc-metastore/)
- [Google Cloud Datastore](/docs/integrations/google/cloud-datastore/)
- [Google Cloud Datastream](/docs/integrations/google/cloud-datastream/)
- [Google Cloud Deploy](/docs/integrations/google/cloud-deploy/)
- [Google Cloud Filestore](/docs/integrations/google/cloud-filestore/)
- [Google Cloud Firebase](/docs/integrations/google/cloud-firebase/)
- [Google Cloud Firestore](/docs/integrations/google/cloud-firestore/)
- [Google Cloud Firewall](/docs/integrations/google/cloud-firewall/)
- [Google Cloud Fleet Engine](/docs/integrations/google/cloud-fleet-engine/)
- [Google Cloud Functions](/docs/integrations/google/cloud-functions/)
- [Google Cloud Interconnect](/docs/integrations/google/cloud-interconnect/)
- [Google Cloud Load Balancing](/docs/integrations/google/cloud-load-balancing/)
- [Google Cloud Logging](/docs/integrations/google/cloud-logging/)
- [Google Cloud Memorystore for Redis](/docs/integrations/google/cloud-memorystore-for-redis/)
- [Google Cloud Net App Cloud Volumes Service](/docs/integrations/google/cloud-net-app-cloud-volumes-service/)
- [Google Cloud Network Topology](/docs/integrations/google/cloud-network-topology/)
- [Google Cloud Pub Sub](/docs/integrations/google/cloud-pub-sub/)
- [Google Cloud Router](/docs/integrations/google/cloud-router/)
- [Google Cloud Run](/docs/integrations/google/cloud-run/)
- [Google Cloud Security Command Center](/docs/integrations/google/cloud-security-command-center/)
- [Google Cloud Spanner](/docs/integrations/google/cloud-spanner/)
- [Google Cloud SQL](/docs/integrations/google/cloud-sql/)
- [Google Cloud Storage](/docs/integrations/google/cloud-storage/)
- [Google Cloud Tasks](/docs/integrations/google/cloud-tasks/)
- [Google Cloud TPU](/docs/integrations/google/cloud-tpu/)
- [Google Cloud Trace](/docs/integrations/google/cloud-trace/)
- [Google Cloud Traffic Director](/docs/integrations/google/cloud-traffic-director/)
- [Google Cloud Vertex AI](/docs/integrations/google/cloud-vertex-ai/)
- [Google Cloud VPC](/docs/integrations/google/cloud-vpc/)
- [Google Cloud VPN](/docs/integrations/google/cloud-vpn/)
- [Google Kubernetes Engine (GKE)](/docs/integrations/google/kubernetes-engine/)
Automation integrations:
- [Chronicle](/docs/platform-services/automation-service/app-central/integrations/chronicle/)
- [Google Chat](/docs/platform-services/automation-service/app-central/integrations/google-chat/)
- [Google Safe Browsing](/docs/platform-services/automation-service/app-central/integrations/google-safe-browsing/)
- [Mandiant Advantage Threat intelligence](/docs/platform-services/automation-service/app-central/integrations/mandiant-advantage-threat-intelligence/)
Cloud SIEM integration: [Google](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/45601247-66a5-4c9c-b3af-c422f5b4cbeb.md)
Collectors:
- [Google BigQuery Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-bigquery-source/)
- [GCP Metrics Source](/docs/send-data/hosted-collectors/google-source/gcp-metrics-source/)
- [Google Cloud Platform (GCP) Source](/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/)
- [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source/)
Community app: [Sumo Logic for GCP Balancer Metrics](https://github.com/SumoLogic/sumologic-content/tree/master/GCP/Load_Balancer_Metrics) |
 | Thumbnail icon | [Google Workspace](https://workspace.google.com/) | App: [Google Workspace](/docs/integrations/google/workspace/install-app-dashboards/)
Automation integrations:
- [Google Alert Center](/docs/platform-services/automation-service/app-central/integrations/google-alert-center/)
- [Google Admin](/docs/platform-services/automation-service/app-central/integrations/google-admin/)
- [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/)
- [Google Workspace IDP](/docs/platform-services/automation-service/app-central/integrations/google-workspace-idp/)
Collector: [Google Workspace AlertCenter Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-alertcenter/)
- [Google Workspace Apps Audit Source](/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source/)
- [Google Workspace User Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-source/) |
 | Thumbnail icon | [Grafana](https://grafana.com/) | Webhook: [Grafana OnCall](/docs/integrations/webhooks/grafana-oncall/) |
 | Thumbnail icon | [Gremlin](https://www.gremlin.com/) | Webhook: [Gremlin](/docs/integrations/webhooks/gremlin/) |
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zimperium-mtd-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zimperium-mtd-source.md
index a7c131d2f2..a62e8cc747 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zimperium-mtd-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zimperium-mtd-source.md
@@ -10,7 +10,7 @@ description: Learn how to collect the device logs from the Zimperium API and sen
 import useBaseUrl from '@docusaurus/useBaseUrl';
-logo
+logo
 Zimperium is a cybersecurity company specializing in mobile threat defense. It uses machine learning and on-device detection to deliver real-time protection against mobile device, network, phishing, and app threats. Designed for enterprises, its solutions safeguard sensitive data and ensure mobile security and integrity without compromising user experience or privacy in an increasingly mobile-first world.
diff --git a/sidebars.ts b/sidebars.ts
index d77b3a256c..c01cf5b0fd 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -2286,6 +2286,7 @@ integrations: [
 'integrations/google/cloud-pub-sub',
 'integrations/google/cloud-router',
 'integrations/google/cloud-run',
+ 'integrations/google/cloud-security-command-center',
 'integrations/google/cloud-spanner',
 'integrations/google/cloud-tasks',
 'integrations/google/cloud-tpu',
diff --git a/static/img/integrations/google/google-cloud-security-command-center.png b/static/img/integrations/google/google-cloud-security-command-center.png
new file mode 100644
index 0000000000..4a50ef45ac
Binary files /dev/null and b/static/img/integrations/google/google-cloud-security-command-center.png differ