Google Cloud Recommender
This document provides guidelines to help you configure Google Cloud Recommender and integrate it with Google Security Operations.
Prerequisites
Be sure to complete all prerequisite steps before you configure the integration.
Create and configure an IAM role
In the Google Cloud console, go to the IAM Roles page.
Click Create Role to create a custom role with the permissions the integration requires.
For the new custom role, provide a title, a description, and a unique ID.
Set the role launch stage to General Availability.
Add the following permissions to the created role:
- iam.roles.create
- iam.roles.delete
- iam.roles.get
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccounts.create
- iam.serviceAccounts.delete
- iam.serviceAccounts.disable
- iam.serviceAccounts.enable
- iam.serviceAccounts.get
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.list
- iam.serviceAccounts.setIamPolicy
- iam.serviceAccounts.undelete
- iam.serviceAccounts.update
- recommender.iamPolicyInsights.get
- recommender.iamPolicyInsights.list
- recommender.iamPolicyLateralMovementInsights.get
- recommender.iamPolicyLateralMovementInsights.list
- recommender.iamPolicyRecommendations.get
- recommender.iamPolicyRecommendations.list
- recommender.iamPolicyRecommendations.update
- recommender.iamServiceAccountInsights.get
- recommender.iamServiceAccountInsights.list
- recommender.locations.get
- recommender.locations.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy
- securitycenter.assets.list
- securitycenter.findings.group
- securitycenter.findings.list
- securitycenter.findings.listFindingPropertyNames
- securitycenter.findings.setMute
- securitycenter.findings.setState
- securitycenter.sources.get
- securitycenter.sources.list
- securitycenter.userinterfacemetadata.get
Click Create.
Create a service account
To create a service account, follow the procedure in Creating a service account.
After you create the service account, download it as a JSON file. You need to provide the contents of the downloaded JSON file when you configure the integration parameters.
Integrate Google Cloud Recommender with Google SecOps
For detailed instructions on how to configure an integration in Google SecOps SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
| Parameter | Description |
|---|---|
| API Root | Required. The API root of the Google Cloud Recommender service. The default value is |
| Organization ID | Optional. The organization ID to use with the Google Cloud Recommender integration. |
| User's Service Account | Required. The contents of the Google Cloud service account. Provide the full contents of the service account JSON file that you downloaded when you created the service account. |
| Verify SSL | Optional. When selected, the integration verifies that the SSL certificate used to connect to the Google Cloud Recommender server is valid. Selected by default. |
Actions
Apply IAM Recommendations
Apply IAM recommendations based on the provided input.
This action works only with google.iam.policy.Recommender recommendations.
Entities
This action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Description |
|---|---|
| IAM Recommendations JSON | Required. The JSON result of the recommendation. The JSON result can be provided as a placeholder from the List Recommendations or Get Recommendation actions. |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"applied_recommendations": [
{
"name": "projects/PROJECT_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations/217d3019-bae5-4a52-9968-787fdd546a53",
"description": "Replace the current role with a smaller role to cover the permissions needed.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 610
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "add",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/-",
"value": "USER_ID@example.com",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/role": "roles/compute.instanceAdmin"
}
},
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "USER_ID@example.com",
"/iamPolicy/bindings/*/role": "roles/compute.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "user:USER_ID@example.com",
"removedRole": "roles/compute.admin",
"addedRoles": [
"roles/compute.instanceAdmin"
],
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "SUCCEEDED",
"stateMetadata": {
"applied_by": "bulk_apply_by_automated_script-2023-08-11"
}
},
"etag": "\"892d57ee41baa03e\"",
"recommenderSubtype": "REPLACE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/INSIGHT_ID"
}
],
"priority": "P4"
},
{
"name": "projects/PROJECT_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations/RECOMMENDATION_ID",
"description": "Replace the current role with a smaller role to cover the permissions needed.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 19
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "add",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/-",
"value": "user:USER_ID@example.com",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/role": "roles/storage.objectAdmin"
}
},
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "user:USER_ID@example.com",
"/iamPolicy/bindings/*/role": "roles/storage.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "user:USER_ID@example.com",
"removedRole": "roles/storage.admin",
"addedRoles": [
"roles/storage.objectAdmin"
],
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "SUCCEEDED",
"stateMetadata": {
"applied_by": "bulk_apply_by_automated_script-2023-08-11"
}
},
"etag": "\"af7635ffeb512998\"",
"recommenderSubtype": "REPLACE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/INSIGHT_ID"
}
],
"priority": "P4"
}
],
"failed_recommendations": []
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully applied provided IAM recommendations. | The action succeeded. |
| Successfully applied provided IAM recommendation, but some of the recommendations were not applied. | The action succeeded. |
| No provided IAM recommendations were applied. | The recommendations failed. |
| Error executing action ACTION_NAME. | The action returned an error. |
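As an added example, not part of the integration's own code, the following Python checks the recommendation JSON returned by List Recommendations or Get Recommendation before a playbook passes it to Apply IAM Recommendations: it rejects anything not issued by google.iam.policy.Recommender (the only recommender this action supports), summarizes the role change each recommendation proposes, and maps the applied_recommendations and failed_recommendations lists of the action's JSON result to the case wall messages in the table above. The sample recommendations are constructed from the JSON shape shown in this document; OTHER_RECOMMENDER, SA_ID and the r1/r2/r3 IDs are placeholders.

```python
# Added example; assumes the recommendation JSON shape shown above (samples are constructed).
IAM_RECOMMENDER = "google.iam.policy.Recommender"

def summarize(rec):
    """Summarize the IAM change a recommendation proposes; None if Apply IAM
    Recommendations cannot handle it (only google.iam.policy.Recommender)."""
    if f"/recommenders/{IAM_RECOMMENDER}/" not in rec.get("name", ""):
        return None
    overview = rec["content"]["overview"]
    added = overview.get("addedRoles", [])
    # A REPLACE_ROLE with no replacement role would silently become a pure
    # removal; refuse it rather than widen the effect of an automated apply.
    if rec.get("recommenderSubtype") == "REPLACE_ROLE" and not added:
        return None
    details = rec["primaryImpact"]["securityProjection"]["details"]
    return {"member": overview["member"], "removed_role": overview.get("removedRole"),
            "added_roles": added, "subtype": rec.get("recommenderSubtype"),
            "revoked_permissions": details["revokedIamPermissionsCount"]}

def plan_apply(recs):
    """Split recommendations into summaries safe to apply and names to skip."""
    applicable, skipped = [], []
    for rec in recs:
        summary = summarize(rec)
        (applicable if summary else skipped).append(summary or rec.get("name"))
    return applicable, skipped

def apply_outcome(applied, failed):
    """Map applied_/failed_recommendations from the Apply action's JSON result
    to (is_success, case wall message), following the output-message table."""
    if applied and not failed:
        return True, "Successfully applied provided IAM recommendations."
    if applied:
        return True, ("Successfully applied provided IAM recommendation, but some "
                      "of the recommendations were not applied.")
    return False, "No provided IAM recommendations were applied."

def _rec(name, subtype, member, removed, added, count):
    """Constructed minimal recommendation carrying only the fields read above."""
    return {"name": name, "recommenderSubtype": subtype,
            "primaryImpact": {"securityProjection": {"details": {"revokedIamPermissionsCount": count}}},
            "content": {"overview": {"member": member, "removedRole": removed, "addedRoles": added}}}

IAM_PREFIX = f"projects/PROJECT_ID/locations/global/recommenders/{IAM_RECOMMENDER}/recommendations/"
SAMPLE = [  # constructed; OTHER_RECOMMENDER is a placeholder, not a real recommender ID
    _rec(IAM_PREFIX + "r1", "REPLACE_ROLE", "user:USER_ID@example.com", "roles/compute.admin", ["roles/compute.instanceAdmin"], 610),
    _rec(IAM_PREFIX + "r2", "REMOVE_ROLE", "serviceAccount:SA_ID.iam.gserviceaccount.com", "roles/monitoring.admin", [], 68),
    _rec("projects/PROJECT_ID/locations/global/recommenders/OTHER_RECOMMENDER/recommendations/r3", "OTHER_SUBTYPE", "user:USER_ID@example.com", None, [], 0),
]
```

Only the summaries in the first list returned by plan_apply should be forwarded to the action; the skipped names belong in the case wall so an analyst can see what was held back.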
Get Recommendation
Get specific recommendations from the Google Cloud Recommender service.
Entities
This action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Description |
|---|---|
| Recommendation name | Required. Specify the names of the recommendations to return. The action accepts multiple values provided as a comma-separated string. Example of expected input: projects/projectname/locations/global/recommenders/google.iam.policy.Recommender/recommendations/0f262740-bf4a-4c3d-9573-0da3345cf3f7 |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 68
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"/iamPolicy/bindings/*/role": "roles/monitoring.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"removedRole": "roles/monitoring.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/"
}
],
"priority": "P4"
}
]
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully found recommendation in the Google Cloud Recommender service. | The action succeeded. |
| No recommendations were found in the Google Cloud Recommender service. | Data is not yet available. |
| Error executing action ACTION_NAME. | The action returned an error. |
List Recommendations
List the available recommendations in the Google Cloud Recommender service.
Entities
This action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Description |
|---|---|
| Recommendation Filter | Optional. Specify the filter used to fetch recommendations. The parameter should be a string in one of the following formats: If no value is provided, the action fetches the project ID from the configured service account. |
| Recommendation Location | Required. Specify the Google Cloud location used to fetch recommendations. The default value is |
| Recommendation State | Optional. Specify the state of the recommendations to return. The default value is Possible values include: |
| Recommendation Priority | Optional. Specify the priority of the recommendations to return. Multiple values can be specified as a comma-separated string. |
| Recommender Subtype | Optional. Specify the recommender subtype to return. The default value is Possible values include: |
| Max Records To Return | Optional. Specify the number of records to return. If no value is provided, the action returns 50 records by default. |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-27T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 68
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "serviceAccount:SERVICE_ACCOUNT_ID",
"/iamPolicy/bindings/*/role": "roles/monitoring.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/",
"member": "serviceAccount:SERVICE_ACCOUNT_ID",
"removedRole": "roles/monitoring.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects/i/locations/global/insightTypes/"
}
],
"priority": "P4"
},
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-27T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 5
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "user:USER_ID@example.com",
"/iamPolicy/bindings/*/role": "roles/chroniclesm.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects",
"member": "user:USER_ID@example.com",
"removedRole": "roles/chroniclesm.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects"
}
],
"priority": "P4"
}
]
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully found recommendations for the provided criteria in the Google Cloud Recommender service. | The action succeeded. |
| No recommendations were found for the provided criteria in the Google Cloud Recommender service. | No data is available. |
| Error executing action ACTION_NAME. | The action returned an error. |
The action provides the following case wall table:
| Actionable Recommendations | |
|---|---|
| Columns | |
Ping
Test connectivity to the Google Cloud Recommender service with the parameters provided on the integration configuration page in the Google SecOps Marketplace tab.
Entities
This action does not run on entities.
Action inputs
N/A
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Not available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully connected to the Google Cloud Recommender service with the provided connection parameters! | The action succeeded. |
| Failed to connect to the Google Cloud Recommender service! | The action returned an error. |
Update Recommendation
Update a recommendation in the Google Cloud Recommender service.
Entities
This action does not run on entities.
Action inputs
Configure the action with the following parameters:
| Parameter | Description |
|---|---|
| Recommendation name | Required. Specify the names of the recommendations to update. The action accepts multiple values provided as a comma-separated string. Example of expected input: |
| Recommendation State | Optional. Specify the state to change the recommendation to. The default value is Possible values include: |
| Recommendation Result | Optional. Specify the result to change the recommendation to. The default value is Possible values include: |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 68
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"/iamPolicy/bindings/*/role": "roles/monitoring.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"removedRole": "roles/monitoring.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/"
}
],
"priority": "P4"
}
]
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully updated recommendation in the Google Cloud Recommender service. | The action succeeded. |
| No recommendations were found in the Google Cloud Recommender service. | Data is not yet available. |
| Error executing action ACTION_NAME. | The action returned an error. |