Security Command Center Premium: Step 3 - Cloud Logging

Table of Contents

Below you'll find a table of contents for the Cloud Logging journey.

[Image: scc-cloud-logging.png]

Cloud Logging is a fully managed service that allows you to store, search, analyze, monitor, and alert on logging data and events from Google Cloud and Amazon Web Services. Security Command Center Premium utilizes Cloud Logging to centralize your Google Cloud and Amazon Web Services log data, enabling your teams to analyze and respond to incidents across your entire cloud landscape.

Prerequisites

  • Admin access in Google Cloud.
  • Security Command Center activated at the Organization level.

Actions

Select Log Types to Enable

If you use Event Threat Detection, you might need to turn on certain logs that Event Threat Detection scans. Although some logs are always on, such as Cloud Logging Admin Activity audit logs, other logs, such as most Data Access audit logs, are off by default and need to be enabled before Event Threat Detection can scan them.

 
Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Admin access in Google Cloud.

Steps
  1. Follow the linked steps below to find a table of specific log types and their corresponding links to turn on, activate, and share these logs with Event Threat Detection.
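
An added example, not part of the original page or Google's documentation: a Python check over the `auditConfigs` block of an IAM policy that reports where Data Access audit logs are still off, or on but with exempted principals, before you rely on Event Threat Detection to scan them. The sample policy and the service names are constructed, and which services matter is an assumption left to the caller.

```python
DATA_ACCESS_TYPES = ("DATA_READ", "DATA_WRITE")

# Constructed sample: the auditConfigs part of an IAM policy, in the shape
# `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
SAMPLE_POLICY = {
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "DATA_WRITE"}]},
        {"service": "bigquery.googleapis.com", "auditLogConfigs": [
            {"logType": "DATA_READ",
             "exemptedMembers": ["user:analyst@example.com"]}]},
    ]
}
# Assumption: sample service names chosen by the caller, not from the page.
SERVICES = ["bigquery.googleapis.com", "storage.googleapis.com"]


def effective_data_access(policy, service):
    """Return {log_type: set of exempted members} for one service.
    The allServices entry and the service's own entry are combined: a log
    type enabled in either is on, and exemptions from both apply.
    """
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            if log_cfg.get("logType") in DATA_ACCESS_TYPES:
                exempt = enabled.setdefault(log_cfg["logType"], set())
                exempt.update(log_cfg.get("exemptedMembers", []))
    return enabled


def audit_gaps(policy, services):
    """List (service, log_type, problem) for every Data Access logging gap."""
    gaps = []
    for service in services:
        enabled = effective_data_access(policy, service)
        for log_type in DATA_ACCESS_TYPES:
            if log_type not in enabled:
                gaps.append((service, log_type, "not enabled"))
            elif enabled[log_type]:
                who = ", ".join(sorted(enabled[log_type]))
                gaps.append((service, log_type, "exempted: " + who))
    return gaps


if __name__ == "__main__":
    for gap in audit_gaps(SAMPLE_POLICY, SERVICES):
        print(*gap, sep="\t")
```

An empty result means every listed service has both Data Access log types on with no exemptions in this policy; policies set on parent folders or the organization need the same check.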

Relevant Links


Define High-Value Assets

Use resource value configurations to create your high-value resource set. Your high-value resource set determines which of your resource instances (referred to as resources) the attack path simulations consider high-value resources.

 
Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • To get the permissions that you need to view and work with resource value configurations, you need the following IAM roles on your organization:
    • Resource value config editor (roles/securitycenter.resourceValueConfigEditor)
    • Resource value config viewer (roles/securitycenter.resourceValueConfigsViewer)
    • Security Center Settings Editor (roles/securitycenter.settingsEditor)

Steps
  1. Go to the Attack path simulation page in Security Command Center Settings.

  2. Select your organization. The Attack path simulation page opens.

  3. Click Create new configuration. The Create resource value configuration panel opens.

  4. In the Name field, specify a name for this resource value configuration.

  5. (Optional) Enter a description of the configuration.

  6. Under Cloud provider, select Google Cloud.

  7. In the Select scope field, click Select and use the project browser to select a project, folder, or the organization. This configuration applies only to resource instances in the specified scope.

  8. In the Select resource type field, click in the field to display the drop-down menu and select a resource type or Any. The configuration applies to instances of the specified resource type or, if you select Any, to instances of all supported resource types. Any is the default.

  9. (Optional) In the Label section, click Add label to specify one or more labels. When a label is specified, the configuration only applies to resources that include the label in their metadata. If you apply a new label to any resources, it can take several hours before the label is available for matching by a configuration.

  10. (Optional) In the Tag section, click Add tag to specify one or more tags. When a tag is specified, the configuration only applies to resources that include the tag in their metadata. If you define a new tag for any resources, it can take several hours before the tag is available for matching by a configuration.

  11. Set the priority value for the matching resources by specifying one of the following options:

    1. (Optional) If you use the Sensitive Data Protection discovery service, enable Security Command Center to automatically set the priority value of supported data resources based on data-sensitivity classifications from Sensitive Data Protection by following these steps:
      1. Click the slider next to Include discovery insights from Sensitive Data Protection.
      2. In the first Assign resource value field, select the priority value to assign to matching resources that contain high-sensitivity data.
      3. In the second Assign resource value field, select the priority value to assign to matching resources that contain medium-sensitivity data.

    2. In the Select resource value field, select a value to assign to the resource instances. This value is relative to the other resource instances in your high-value resource set. The value is used during the calculation of attack exposure scores.
  12. Click Save.

Relevant Links

Next Step: Security Command Center Premium: Step 4 - Outbound Integrations

Previous Step: Security Command Center Premium: Step 2 - Integrated Services

Version history
Last update: 09-11-2024 01:10 PM