Google Cloud Recommender
This document explains how to set up Google Cloud Recommender and integrate it with Google Security Operations (Google SecOps).
Prerequisites
Complete all of the prerequisite steps before you configure the integration.
Create and configure an IAM role
1. In the Google Cloud console, go to the IAM Roles page.
2. Click Create Role to create a custom role with the permissions the integration needs.
3. For the new custom role, provide a Title, a Description and a unique ID.
4. Set Role launch stage to General Availability.
5. Add the following permissions to the role:
   - iam.roles.create
   - iam.roles.delete
   - iam.roles.get
   - iam.roles.list
   - iam.roles.undelete
   - iam.roles.update
   - iam.serviceAccounts.create
   - iam.serviceAccounts.delete
   - iam.serviceAccounts.disable
   - iam.serviceAccounts.enable
   - iam.serviceAccounts.get
   - iam.serviceAccounts.getIamPolicy
   - iam.serviceAccounts.list
   - iam.serviceAccounts.setIamPolicy
   - iam.serviceAccounts.undelete
   - iam.serviceAccounts.update
   - recommender.iamPolicyInsights.get
   - recommender.iamPolicyInsights.list
   - recommender.iamPolicyLateralMovementInsights.get
   - recommender.iamPolicyLateralMovementInsights.list
   - recommender.iamPolicyRecommendations.get
   - recommender.iamPolicyRecommendations.list
   - recommender.iamPolicyRecommendations.update
   - recommender.iamServiceAccountInsights.get
   - recommender.iamServiceAccountInsights.list
   - recommender.locations.get
   - recommender.locations.list
   - resourcemanager.folders.get
   - resourcemanager.folders.getIamPolicy
   - resourcemanager.folders.setIamPolicy
   - resourcemanager.organizations.get
   - resourcemanager.organizations.getIamPolicy
   - resourcemanager.organizations.setIamPolicy
   - resourcemanager.projects.get
   - resourcemanager.projects.getIamPolicy
   - resourcemanager.projects.list
   - resourcemanager.projects.setIamPolicy
   - securitycenter.assets.list
   - securitycenter.findings.group
   - securitycenter.findings.list
   - securitycenter.findings.listFindingPropertyNames
   - securitycenter.findings.setMute
   - securitycenter.findings.setState
   - securitycenter.sources.get
   - securitycenter.sources.list
   - securitycenter.userinterfacemetadata.get
6. Click Create.
Note that this role includes setIamPolicy on organizations, folders and projects and the ability to create, update and delete roles and service accounts. Anything that holds it can rewrite access across the scope it is granted on, so grant it only to the integration's service account and only at the scope the integration needs.
Create a service account
To create a service account, follow the Create a service account procedure.
After you create the service account, download its key as a JSON file. You need the contents of that JSON file when you configure the integration parameters. The file contains the account's private key and, with the role above, grants the power to change IAM policy; store it only in the integration configuration, do not commit it to source control, and delete the key from the service account if it is ever exposed.
Integrate Google Cloud Recommender with Google SecOps
For detailed instructions on how to configure the integration in Google SecOps SOAR, see the referenced article.
Integration inputs
To configure the integration, use the following parameters:
| Parameter | Required | Description |
|---|---|---|
| API Root | Required | API root of the Google Cloud Recommender service. The default value is |
| Organization ID | Optional | ID of the organization to use with the Google Cloud Recommender integration. |
| User's Service Account | Required | Contents of the Google Cloud Recommender service account. Provide the complete contents of the service account JSON file that you downloaded when you created the service account. |
| Verify SSL | Optional | If selected, the integration verifies that the SSL certificate used to connect to the Google Cloud Recommender server is valid. Selected by default. Leave it selected: an unverified TLS connection would let an on-path party read the service account's bearer tokens. |
Actions
Apply IAM Recommendations
Apply IAM recommendations based on the provided input.
This action only supports google.iam.policy.Recommender recommendations.
Entities
This action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Required | Description |
|---|---|---|
| IAM Recommendations JSON | Required | The JSON result of the recommendations to apply. Pass the JSON result of the List Recommendations or Get Recommendation action as a placeholder. |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"applied_recommendations": [
{
"name": "projects/PROJECT_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations/217d3019-bae5-4a52-9968-787fdd546a53",
"description": "Replace the current role with a smaller role to cover the permissions needed.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 610
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "add",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/-",
"value": "USER_ID@example.com",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/role": "roles/compute.instanceAdmin"
}
},
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "USER_ID@example.com",
"/iamPolicy/bindings/*/role": "roles/compute.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "user:USER_ID@example.com",
"removedRole": "roles/compute.admin",
"addedRoles": [
"roles/compute.instanceAdmin"
],
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "SUCCEEDED",
"stateMetadata": {
"applied_by": "bulk_apply_by_automated_script-2023-08-11"
}
},
"etag": "\"892d57ee41baa03e\"",
"recommenderSubtype": "REPLACE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/INSIGHT_ID"
}
],
"priority": "P4"
},
{
"name": "projects/PROJECT_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations/RECOMMENDATION_ID",
"description": "Replace the current role with a smaller role to cover the permissions needed.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 19
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "add",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/-",
"value": "user:USER_ID@example.com",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/role": "roles/storage.objectAdmin"
}
},
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "user:USER_ID@example.com",
"/iamPolicy/bindings/*/role": "roles/storage.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "user:USER_ID@example.com",
"removedRole": "roles/storage.admin",
"addedRoles": [
"roles/storage.objectAdmin"
],
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "SUCCEEDED",
"stateMetadata": {
"applied_by": "bulk_apply_by_automated_script-2023-08-11"
}
},
"etag": "\"af7635ffeb512998\"",
"recommenderSubtype": "REPLACE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/INSIGHT_ID"
}
],
"priority": "P4"
}
],
"failed_recommendations": []
}
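To see exactly what the action changes before a playbook is allowed to run it, the following added example (not part of the integration and not the Recommender client library) replays the operationGroups of a google.iam.policy.Recommender recommendation, in the shape of the JSON result above, against a local copy of a project IAM policy. The policy, the recommendation, the member addresses and the function names are constructed for this example; the real action performs the equivalent change through the IAM API with the setIamPolicy permissions listed under Prerequisites. The "user:" prefix normalisation covers the sample above, where the add operation's value lacks the prefix that the overview's member carries.

```python
"""Preview what "Apply IAM Recommendations" changes in a project's IAM policy.

Added example, not code from the Google SecOps integration or the Recommender
API client. It replays the add/remove operations of a
google.iam.policy.Recommender recommendation against a local copy of an IAM
policy. SAMPLE_POLICY and SAMPLE_RECOMMENDATION are constructed sample data.
"""
import copy
import re

SUPPORTED_RECOMMENDER = "google.iam.policy.Recommender"  # the only kind the action applies
NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/recommenders/(?P<recommender>[^/]+)/recommendations/(?P<id>[^/]+)$"
)
# pathFilters keys used by IAM policy recommendations
ROLE = "/iamPolicy/bindings/*/role"
COND = "/iamPolicy/bindings/*/condition/expression"
MEMBER = "/iamPolicy/bindings/*/members/*"


def parse_recommendation_name(name):
    """Split a recommendation resource name into project, location, recommender and id."""
    match = NAME_RE.match(name)
    if not match:
        raise ValueError(f"not a recommendation name: {name!r}")
    return match.groupdict()


def check_applicable(rec):
    """Reject recommendations the Apply action would not handle."""
    parts = parse_recommendation_name(rec["name"])
    if parts["recommender"] != SUPPORTED_RECOMMENDER:
        raise ValueError(f"{parts['recommender']} recommendations cannot be applied")
    return parts


def _member(value):
    # The samples above show members both as "USER_ID@example.com" and
    # "user:USER_ID@example.com"; an IAM binding always carries the prefix.
    return value if ":" in value else f"user:{value}"


def _matches(binding, filters):
    """True if a binding satisfies the pathFilters of one operation."""
    if ROLE in filters and binding.get("role") != filters[ROLE]:
        return False
    if binding.get("condition", {}).get("expression", "") != filters.get(COND, ""):
        return False
    if MEMBER in filters and _member(filters[MEMBER]) not in binding.get("members", []):
        return False
    return True


def apply_recommendation(policy, rec):
    """Return (new_policy, changes); the input policy is left untouched."""
    check_applicable(rec)
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    changes = []
    for group in rec["content"]["operationGroups"]:
        for op in group["operations"]:
            filters = op.get("pathFilters", {})
            if op["action"] == "remove":
                member = _member(filters[MEMBER])
                for binding in bindings:
                    if _matches(binding, filters):
                        binding["members"].remove(member)
                        changes.append(("remove", binding["role"], member))
                bindings[:] = [b for b in bindings if b["members"]]  # drop emptied bindings
            elif op["action"] == "add":
                member = _member(op["value"])
                target = next((b for b in bindings if _matches(b, filters)), None)
                if target is None:
                    target = {"role": filters[ROLE], "members": []}
                    bindings.append(target)
                if member not in target["members"]:
                    target["members"].append(member)
                    changes.append(("add", target["role"], member))
            else:
                raise ValueError(f"unsupported operation {op['action']!r}")
    return new_policy, changes


SAMPLE_POLICY = {  # constructed: the project policy before the change
    "etag": "BwX0000000A=",
    "bindings": [
        {"role": "roles/compute.admin",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ],
}
SAMPLE_RECOMMENDATION = {  # constructed REPLACE_ROLE recommendation
    "name": "projects/PROJECT_ID/locations/global/recommenders/"
            "google.iam.policy.Recommender/recommendations/RECOMMENDATION_ID",
    "recommenderSubtype": "REPLACE_ROLE",
    "content": {"operationGroups": [{"operations": [
        {"action": "add", "value": "alice@example.com",
         "pathFilters": {COND: "", ROLE: "roles/compute.instanceAdmin"}},
        {"action": "remove",
         "pathFilters": {COND: "", MEMBER: "alice@example.com", ROLE: "roles/compute.admin"}},
    ]}]},
}

if __name__ == "__main__":
    policy, changes = apply_recommendation(SAMPLE_POLICY, SAMPLE_RECOMMENDATION)
    for action, role, member in changes:
        print(f"{action:6} {member} {'to' if action == 'add' else 'from'} {role}")
    print(policy["bindings"])
```

Running it prints the two binding changes (alice gains roles/compute.instanceAdmin and loses roles/compute.admin) while bob's binding is untouched. The input policy dict is not modified, and replaying the same recommendation against the new policy produces no changes, which is the behaviour to expect when a playbook retries the action.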
Case wall
This action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully applied provided IAM recommendations. | Action succeeded. |
| Successfully applied provided IAM recommendation, but some of the recommendations were not applied. | Action succeeded. |
| No provided IAM recommendations were applied. | Action failed. |
| Error executing action ACTION_NAME. | Action returned an error. |
Get Recommendation
Get a specific recommendation from the Google Cloud Recommender service.
Entities
This action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Required | Description |
|---|---|---|
| Recommendation name | Required | Specify the name of the recommendation to return. This action accepts multiple values as a comma-separated string. Example of the expected input: projects/projectname/locations/global/recommenders/google.iam.policy.Recommender/recommendations/0f262740-bf4a-4c3d-9573-0da3345cf3f7 |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 68
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"/iamPolicy/bindings/*/role": "roles/monitoring.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"removedRole": "roles/monitoring.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/"
}
],
"priority": "P4"
}
]
Case wall
This action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully found recommendation in the Google Cloud Recommender service. | Action succeeded. |
| No recommendations were found in the Google Cloud Recommender service. | No data. |
| Error executing action ACTION_NAME. | Action returned an error. |
List Recommendations
List the recommendations available in the Google Cloud Recommender service.
Entities
This action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Required | Description |
|---|---|---|
| Recommendation Filter | Optional | Specify the filter for retrieving recommendations. The parameter should be a string in the following format: If no value is provided, the action takes the project ID from the configured service account. |
| Recommendation Location | Required | Specify the Google Cloud location from which to retrieve recommendations. The default value is |
| Recommendation State | Optional | Specify the state of the recommendations to return. The default value is Possible values: |
| Recommendation Priority | Optional | Specify the priority of the recommendations to return. Multiple values can be specified as a comma-separated string. |
| Recommender Subtype | Optional | Specify the subtype of the recommendations to return. The default value is Possible values: |
| Max Records To Return | Optional | Specify the number of records to return. If no value is provided, the action returns 50 records by default. |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-27T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 68
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "serviceAccount:SERVICE_ACCOUNT_ID",
"/iamPolicy/bindings/*/role": "roles/monitoring.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/",
"member": "serviceAccount:SERVICE_ACCOUNT_ID",
"removedRole": "roles/monitoring.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects/i/locations/global/insightTypes/"
}
],
"priority": "P4"
},
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-27T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 5
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "user:USER_ID@example.com",
"/iamPolicy/bindings/*/role": "roles/chroniclesm.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects",
"member": "user:USER_ID@example.com",
"removedRole": "roles/chroniclesm.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects"
}
],
"priority": "P4"
}
]
Case wall
This action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully found recommendations for the provided criteria in the Google Cloud Recommender service. | Action succeeded. |
| No recommendations were found for the provided criteria in the Google Cloud Recommender service. | No data. |
| Error executing action ACTION_NAME. | Action returned an error. |
This action provides the following case wall table:
Table name: Available Recommendations
Columns:
Ping
Test connectivity to the Google Cloud Recommender service with the parameters provided on the integration configuration page in the Google SecOps Marketplace tab.
Entities
This action does not run on entities.
Action inputs
None.
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Not available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
This action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully connected to the Google Cloud Recommender service with the provided connection parameters! | Action succeeded. |
| Failed to connect to the Google Cloud Recommender service! | Action returned an error. |
Update Recommendation
Update a recommendation in the Google Cloud Recommender service.
Entities
This action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Required | Description |
|---|---|---|
| Recommendation name | Required | Specify the name of the recommendation to update. This action accepts multiple values as a comma-separated string. Example of the expected input: |
| Recommendation State | Optional | Specify the state to set on the recommendation. The default value is Possible values: |
| Recommendation Result | Optional | Specify the result to set on the recommendation. The default value is Possible values: |
Action outputs
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| Insight | Not available |
| JSON result | Available |
| OOTB widget | Not available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"name": "name",
"description": "This role has not been used during the observation window.",
"lastRefreshTime": "2023-07-28T07:00:00Z",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 68
}
}
},
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilters": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"/iamPolicy/bindings/*/role": "roles/monitoring.admin"
}
}
]
}
],
"overview": {
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"member": "serviceAccount:SERVICE_ACCOUNT_ID.iam.gserviceaccount.com",
"removedRole": "roles/monitoring.admin",
"minimumObservationPeriodInDays": "0"
}
},
"stateInfo": {
"state": "ACTIVE"
},
"etag": "",
"recommenderSubtype": "REMOVE_ROLE",
"associatedInsights": [
{
"insight": "projects/PROJECT_ID/locations/global/insightTypes/google.iam.policy.Insight/insights/"
}
],
"priority": "P4"
}
]
Case wall
This action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully updated recommendation in the Google Cloud Recommender service. | Action succeeded. |
| No recommendations were found in the Google Cloud Recommender service. | No data. |
| Error executing action ACTION_NAME. | Action returned an error. |