Google Security Command Center

With the ilert Google Security Command Center integration, you can create alerts in ilert based on Google Security Command Center findings.

In ilert: Create a Google Security Command Center alert source

Go to Alert sources --> Alert sources and click on Create new alert source
Search for Google Security Command Center in the search field, click on the Google Security Command Center tile and click on Next.
Give your alert source a name, optionally assign teams and click Next.
Select an escalation policy by creating a new one or assigning an existing one.
Select you Alert grouping preference and click Continue setup. You may click Do not group alerts for now and change it later.
The next page show additional settings such as customer alert templates or notification prioritiy. Click on Finish setup for now.
On the final page, an API key and / or webhook URL will be generated that you will need later in this guide.

In Google Security Command Center: Sending notifications via Google Cloud Functions

Enable finding notifications for Pub/Sub with the following guide: https://cloud.google.com/security-command-center/docs/how-to-notifications#create-notification-config
Create following function example in Google Cloud Functions. Make sure to replace [WEBHOOK_URL]with the Url generated in this step.

import (
	"context"
	"log"
	"net/http"
	"github.com/go-resty/resty/v2"
)

type PubSubMessage struct {
	Data []byte `json:"data"`
}

func WebhookPubSub(ctx context.Context, m PubSubMessage) {

	// Send the webhook request with the Pub/Sub message as the content
	webhookURL := "[WEBHOOK_URL]"

	client := resty.New()
	resp, err := client.R().
		SetHeader("Content-Type", "application/json").
		SetBody(m.Data).
		Post(webhookURL)
	if err != nil {
		log.Printf("Error creating webhook request: %v", err)
		return
	}

	// Check the webhook response
	if resp.StatusCode() != http.StatusAccepted {
		log.Printf("Webhook request failed with status code: %d", resp.StatusCode())
		return
	}
}

Deploy the Google Cloud Function by running the following command in the terminal: gcloud functions deploy WebhookPubSub --runtime go116 --trigger-topic YOUR_PUBSUB_TOPIC Replace YOUR_PUBSUB_TOPIC with the actual Pub/Sub topic name that you want the Cloud Function to be triggered by.

FAQ

Will alerts in ilert be resolved automatically?

Yes, as soon as the state of an alert in Google Security Command Center is RESOLVED, the associated alert in ilert is resolved.

PreviousGoogle Cloud Monitoring (formerly Stackdriver) Integration NextGrafana Integration

Last updated 10 months ago

In ilert: Create a Google Security Command Center alert source

Go to Alert sources --> Alert sources and click on Create new alert source

Search for Google Security Command Center in the search field, click on the Google Security Command Center tile and click on Next.

Give your alert source a name, optionally assign teams and click Next.

Select an escalation policy by creating a new one or assigning an existing one.

Select you Alert grouping preference and click Continue setup. You may click Do not group alerts for now and change it later.

The next page show additional settings such as customer alert templates or notification prioritiy. Click on Finish setup for now.

On the final page, an API key and / or webhook URL will be generated that you will need later in this guide.

In Google Security Command Center: Sending notifications via Google Cloud Functions

Enable finding notifications for Pub/Sub with the following guide: https://cloud.google.com/security-command-center/docs/how-to-notifications#create-notification-config

Create following function example in Google Cloud Functions. Make sure to replace [WEBHOOK_URL]with the Url generated in this step.

import (
	"context"
	"log"
	"net/http"
	"github.com/go-resty/resty/v2"
)

type PubSubMessage struct {
	Data []byte `json:"data"`
}

func WebhookPubSub(ctx context.Context, m PubSubMessage) {

	// Send the webhook request with the Pub/Sub message as the content
	webhookURL := "[WEBHOOK_URL]"

	client := resty.New()
	resp, err := client.R().
		SetHeader("Content-Type", "application/json").
		SetBody(m.Data).
		Post(webhookURL)
	if err != nil {
		log.Printf("Error creating webhook request: %v", err)
		return
	}

	// Check the webhook response
	if resp.StatusCode() != http.StatusAccepted {
		log.Printf("Webhook request failed with status code: %d", resp.StatusCode())
		return
	}
}

Deploy the Google Cloud Function by running the following command in the terminal: gcloud functions deploy WebhookPubSub --runtime go116 --trigger-topic YOUR_PUBSUB_TOPIC Replace YOUR_PUBSUB_TOPIC with the actual Pub/Sub topic name that you want the Cloud Function to be triggered by.