Overview of custom modules for Security Health Analytics

This page provides an overview of Security Health Analytics custom modules. For information about built-in modules, see Security Health Analytics built-in detectors.

With custom modules, you can extend Security Health Analytics's detection capabilities by creating custom detectors that scan the Google Cloud resources and policies that you specify using rules that you define to check for vulnerabilities, misconfigurations, or compliance violations.

The configuration or definition of a custom module, whether you create it in the Google Cloud console or code it yourself, determines the resources that the detector checks, the properties the detector evaluates, and the information that the detector returns when a vulnerability or misconfiguration is detected.

You can create custom modules for any resource or asset that Security Command Center supports.

If you code custom module definitions yourself, you use YAML and Common Expression Language (CEL) expressions. If you use the Google Cloud console to create your custom modules, most of the coding is done for you, although you do need to code the CEL expressions.

For an example of custom module definition in a YAML file, see Example custom module definition.

Custom modules run alongside Security Health Analytics's built-in detectors in both real-time and batch scans. In real-time mode, scans are triggered whenever an asset's configuration changes. Batch-mode scans run with all detectors for enrolled organizations or projects once a day.

During a scan, each custom detector is applied to all matching assets in each organization, folder, or project for which it is enabled.

Findings from custom detectors are written to Security Command Center.

For more information, see the following:

Comparing built-in detectors and custom modules

Custom modules offer broader detection capabilities than built-in Security Health Analytics detectors. However, custom modules lack support for some Security Command Center features that the built-in detectors provide.

Feature support

Security Health Analytics custom modules are not supported by attack path simulations. Findings that are produced by custom modules don't include attack exposure scores or attack paths.

Comparing detection logic

As an example of some of the things that you can do with a custom module, compare what the built-in detector PUBLIC_SQL_INSTANCE checks for with what you can do with a custom module.

The built-in detector PUBLIC_SQL_INSTANCE checks whether the authorizedNetworks property of Cloud SQL instances is set to 0.0.0.0/0. If it is, the detector generates a finding that states that the Cloud SQL instance is open to the public, because it accepts connections from all IP addresses.

With a custom module, you can implement more complex detection logic to check Cloud SQL instances for things like:

IP addresses with specific prefixes, by using wildcards.
The value of the state property, which you can use to ignore instances if the value is set to MAINTENANCE or trigger findings if the value is something else.
The value of the region property, which you can use to trigger findings only for instances with public IP addresses in specific regions.

Required IAM roles and permissions

IAM roles determine the actions that you can perform with Security Health Analytics custom modules.

The following table contains a list of Security Health Analytics custom module permissions that are required as well as the predefined IAM roles that include them.

You can use the Google Cloud console or Security Command Center API to apply these roles at the organization, folder, or project level.

Permissions required Roles

securitycentermanagement.securityHealthAnalyticsCustomModules.create securitycentermanagement.securityHealthAnalyticsCustomModules.update securitycentermanagement.securityHealthAnalyticsCustomModules.delete securitycentermanagement.securityHealthAnalyticsCustomModules.list securitycentermanagement.securityHealthAnalyticsCustomModules.get securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get securitycentermanagement.securityHealthAnalyticsCustomModules.simulate securitycentermanagement.securityHealthAnalyticsCustomModules.test roles/securitycentermanagement.shaCustomModulesEditor roles/securitycenter.settingsEditor roles/securitycenter.admin

securitycentermanagement.securityHealthAnalyticsCustomModules.list securitycentermanagement.securityHealthAnalyticsCustomModules.get securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get securitycentermanagement.securityHealthAnalyticsCustomModules.simulate securitycentermanagement.securityHealthAnalyticsCustomModules.test roles/securitycentermanagement.shaCustomModulesViewer roles/securitycenter.settingsViewer roles/securitycenter.adminViewer roles/securitycenter.admin

Permissions required	Roles
securitycentermanagement.securityHealthAnalyticsCustomModules.create securitycentermanagement.securityHealthAnalyticsCustomModules.update securitycentermanagement.securityHealthAnalyticsCustomModules.delete securitycentermanagement.securityHealthAnalyticsCustomModules.list securitycentermanagement.securityHealthAnalyticsCustomModules.get securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get securitycentermanagement.securityHealthAnalyticsCustomModules.simulate securitycentermanagement.securityHealthAnalyticsCustomModules.test	`roles/securitycentermanagement.shaCustomModulesEditor roles/securitycenter.settingsEditor roles/securitycenter.admin`
`securitycentermanagement.securityHealthAnalyticsCustomModules.list securitycentermanagement.securityHealthAnalyticsCustomModules.get securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get securitycentermanagement.securityHealthAnalyticsCustomModules.simulate securitycentermanagement.securityHealthAnalyticsCustomModules.test`	`roles/securitycentermanagement.shaCustomModulesViewer roles/securitycenter.settingsViewer roles/securitycenter.adminViewer roles/securitycenter.admin`

For more information about IAM permissions and roles and how to grant them, see Grant an IAM role by using the Google Cloud console.

Custom module quotas

Security Health Analytics custom modules are subject to quota limits.

The default quota limit for the creation of custom modules is 100, but you can request a quota increase, if necessary.

API calls to custom module methods are also subject to quota limits. The following table shows the default quota limits for custom module API calls.

API Call Type	Limit
CustomModules Read Requests (Get, List)	1,000 API calls per minute, per organization
CustomModules Write Requests (Create, Update, Delete)	60 API calls per minute, per organization
CustomModules Test Requests	12 API calls per minute, per organization

For quota increases, submit a request in the Google Cloud console on the Quotas page.

For more information about Security Command Center quotas, see Quotas and limits.

Supported resource types

This section summarizes the Google Cloud resource types supported with custom modules.

Service name	Resource name
Access Context Manager	`accesscontextmanager.googleapis.com/AccessLevelaccesscontextmanager.googleapis.com/AccessPolicy accesscontextmanager.googleapis.com/ServicePerimeter`
Gemini Enterprise Agent Platform	`aiplatform.googleapis.com/BatchPredictionJobaiplatform.googleapis.com/CustomJob aiplatform.googleapis.com/Dataset aiplatform.googleapis.com/Endpoint aiplatform.googleapis.com/Featurestore aiplatform.googleapis.com/HyperparameterTuningJob aiplatform.googleapis.com/Index aiplatform.googleapis.com/MetadataStore aiplatform.googleapis.com/Model aiplatform.googleapis.com/NotebookRuntimeTemplate aiplatform.googleapis.com/SpecialistPool aiplatform.googleapis.com/Tensorboard aiplatform.googleapis.com/TrainingPipeline`
AlloyDB	`alloydb.googleapis.com/Backupalloydb.googleapis.com/Cluster alloydb.googleapis.com/Instance`
API keys	`apikeys.googleapis.com/Key`
Artifact Registry Repository	`artifactregistry.googleapis.com/Repository`
BigQuery	`bigquery.googleapis.com/Datasetbigquery.googleapis.com/Model bigquery.googleapis.com/Table bigquerydatatransfer.googleapis.com/TransferConfig`
Cloud Billing Project Billing Info	`cloudbilling.googleapis.com/ProjectBillingInfo`
Cloud Run functions	`cloudfunctions.googleapis.com/CloudFunction`
Cloud KMS	`cloudkms.googleapis.com/CryptoKeycloudkms.googleapis.com/CryptoKeyVersion cloudkms.googleapis.com/ImportJob cloudkms.googleapis.com/KeyRing`
Resource Manager	`cloudresourcemanager.googleapis.com/Foldercloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Project cloudresourcemanager.googleapis.com/TagBinding`
Managed Service for Apache Airflow Environment	`composer.googleapis.com/Environment`
Compute Engine	`compute.googleapis.com/Address`compute.googleapis.com/Autoscaler compute.googleapis.com/BackendBucket compute.googleapis.com/BackendService compute.googleapis.com/Commitment compute.googleapis.com/Disk compute.googleapis.com/Firewall compute.googleapis.com/FirewallPolicy compute.googleapis.com/ForwardingRule compute.googleapis.com/GlobalForwardingRule compute.googleapis.com/HealthCheck compute.googleapis.com/Image compute.googleapis.com/Instance compute.googleapis.com/InstanceGroup compute.googleapis.com/InstanceGroupManagers compute.googleapis.com/InstanceTemplate compute.googleapis.com/InterconnectAttachment compute.googleapis.com/MachineImage compute.googleapis.com/Network compute.googleapis.com/NetworkEndpointGroup compute.googleapis.com/NodeGroup compute.googleapis.com/NodeTemplate compute.googleapis.com/PacketMirroring compute.googleapis.com/Project compute.googleapis.com/RegionBackendService compute.googleapis.com/RegionDisk compute.googleapis.com/Reservation compute.googleapis.com/ResourcePolicy compute.googleapis.com/Route compute.googleapis.com/Router compute.googleapis.com/SecurityPolicy compute.googleapis.com/Snapshot compute.googleapis.com/SslCertificate compute.googleapis.com/SslPolicy compute.googleapis.com/Subnetwork compute.googleapis.com/TargetHttpProxy compute.googleapis.com/TargetHttpsProxy compute.googleapis.com/TargetInstance compute.googleapis.com/TargetPool compute.googleapis.com/TargetSslProxy compute.googleapis.com/TargetVpnGateway compute.googleapis.com/UrlMap compute.googleapis.com/VpnGateway compute.googleapis.com/VpnTunnel
Google Kubernetes Engine	`container.googleapis.com/Clustercontainer.googleapis.com/NodePool`
Dataflow	`dataflow.googleapis.com/Job`
Cloud Data Fusion	`datafusion.googleapis.com/Instance`
Managed Service for Apache Spark	`dataproc.googleapis.com/AutoscalingPolicydataproc.googleapis.com/Batch dataproc.googleapis.com/Cluster dataproc.googleapis.com/Job`
Datastream	`datastream.googleapis.com/ConnectionProfiledatastream.googleapis.com/PrivateConnection datastream.googleapis.com/Stream`
Dialogflow CX	`dialogflow.googleapis.com/Agent`
Sensitive Data Protection	`dlp.googleapis.com/DeidentifyTemplatedlp.googleapis.com/DlpJob dlp.googleapis.com/InspectTemplate dlp.googleapis.com/JobTrigger dlp.googleapis.com/StoredInfoType`
Cloud DNS	`dns.googleapis.com/ManagedZonedns.googleapis.com/Policy`
Filestore	`file.googleapis.com/Instance`
Hub (also known as fleets)	`gkehub.googleapis.com/Featuregkehub.googleapis.com/Membership`
IAM	`iam.googleapis.com/Roleiam.googleapis.com/ServiceAccountKey`
`Kubernetes`	`k8s.io/Namespacek8s.io/Node k8s.io/Pod k8s.io/Service apps.k8s.io/DaemonSet apps.k8s.io/Deployment apps.k8s.io/ReplicaSet apps.k8s.io/StatefulSet batch.k8s.io/CronJob networking.k8s.io/Ingress networking.k8s.io/NetworkPolicy rbac.authorization.k8s.io/ClusterRole rbac.authorization.k8s.io/ClusterRoleBinding rbac.authorization.k8s.io/Role rbac.authorization.k8s.io/RoleBinding`
Cloud Logging	`logging.googleapis.com/LogBucketlogging.googleapis.com/LogMetric logging.googleapis.com/LogSink`
Cloud Monitoring	`monitoring.googleapis.com/AlertPolicymonitoring.googleapis.com/NotificationChannel`
NetApp Volumes
`netapp.googleapis.com/Snapshotnetapp.googleapis.com/Volume`
Gemini Enterprise Agent Platform Workbench	`notebooks.googleapis.com/Instance`
Organization Policy Service v2	`orgpolicy.googleapis.com/CustomConstraintorgpolicy.googleapis.com/Policy`
Certificate Authority Service	`privateca.googleapis.com/Certificateprivateca.googleapis.com/CertificateRevocationList`
Pub/Sub	`pubsub.googleapis.com/Snapshotpubsub.googleapis.com/Subscription pubsub.googleapis.com/Topic`
Memorystore for Redis	`redis.googleapis.com/Clusterredis.googleapis.com/Instance`
Cloud Run	`run.googleapis.com/DomainMappingrun.googleapis.com/Execution run.googleapis.com/Job run.googleapis.com/Revision run.googleapis.com/Service`
Secret Manager	`secretmanager.googleapis.com/Secretsecretmanager.googleapis.com/SecretVersion`
Service Usage	`serviceusage.googleapis.com/Service`
Spanner	`spanner.googleapis.com/Backupspanner.googleapis.com/Database spanner.googleapis.com/Instance`
Cloud SQL for MySQL	`sqladmin.googleapis.com/BackupRunsqladmin.googleapis.com/Instance`
Cloud Storage	`storage.googleapis.com/Bucket`
Google Cloud VMware Engine	`vmwareengine.googleapis.com/Clustervmwareengine.googleapis.com/ExternalAccessRule vmwareengine.googleapis.com/ExternalAddress vmwareengine.googleapis.com/NetworkPeering vmwareengine.googleapis.com/NetworkPolicy vmwareengine.googleapis.com/PrivateCloud vmwareengine.googleapis.com/PrivateConnection vmwareengine.googleapis.com/VmwareEngineNetwork`
VPC Connector	`vpcaccess.googleapis.com/Connector`
Cloud Workstations	`workstations.googleapis.com/Workstationworkstations.googleapis.com/WorkstationConfig`

What's next

To work with custom modules, see Using custom modules for Security Health Analytics.
To code custom module definitions yourself, see Code custom modules for Security Health Analytics.
To test your custom modules, see Test custom modules for Security Health Analytics.