Google Cloud SCC Notifications to Slack

This repository provides example code that creates a Finding Notification configuration for Security Command Center and sends the matching findings to Slack via an API call.

The infrastructure is written in Terraform, which will create the following components:

The Cloud Function is written in Python; it parses the Pub/Sub event and sends the finding details to the Slack API, authenticating with the Slack App Bot Token.
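As an added example (not the repository's own function, which comes from the Google Cloud docs snippet cited at the end), here is a minimal Python 3.8, 1st-gen Cloud Function of the kind described above: it decodes the base64 Pub/Sub payload, keeps the finding fields worth alerting on, and posts them with chat.postMessage using the Bot Token. The SLACK_BOT_TOKEN and SLACK_CHANNEL environment variables (expected to be populated from Secret Manager and the tfvars by Terraform), the EXAMPLE_ORG placeholder and the constructed sample finding are assumptions.

```python
import base64
import json
import os
import urllib.request

SLACK_API = "https://slack.com/api/chat.postMessage"

# Constructed sample Pub/Sub event (base64 of an SCC NotificationMessage) for local runs.
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps({"finding": {
    "name": "organizations/EXAMPLE_ORG/sources/1/findings/abc123",
    "category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE",
    "resourceName": "//compute.googleapis.com/projects/p/global/firewalls/allow-all",
    "eventTime": "2023-05-01T12:00:00Z"}}).encode()).decode()}

def parse_finding(event):
    """Decode the base64 Pub/Sub payload and keep only the fields worth posting."""
    finding = json.loads(base64.b64decode(event["data"]).decode("utf-8"))["finding"]
    return {"category": finding.get("category", "UNKNOWN"),
            "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
            "state": finding.get("state", "STATE_UNSPECIFIED"),
            "resource": finding.get("resourceName", ""),
            "name": finding.get("name", ""),
            "event_time": finding.get("eventTime", "")}

def build_slack_message(finding, channel):
    """Build the chat.postMessage body; 'text' is the plain fallback shown in Slack alerts."""
    text = f"[{finding['severity']}] {finding['category']} is {finding['state']} on {finding['resource']}"
    details = "\n".join(f"*{k.replace('_', ' ').title()}:* {v}" for k, v in finding.items() if v)
    return {"channel": channel, "text": text,
            "blocks": [{"type": "section", "text": {"type": "mrkdwn", "text": text}},
                       {"type": "section", "text": {"type": "mrkdwn", "text": details}}]}

def post_to_slack(message, token):
    """POST to Slack; the bot token goes in the Authorization header, never in the URL or body."""
    req = urllib.request.Request(
        SLACK_API, data=json.dumps(message).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.loads(resp.read().decode("utf-8"))
    if not result.get("ok"):  # Slack answers HTTP 200 with ok=false on API errors
        raise RuntimeError(f"Slack API error: {result.get('error')}")
    return result

def main(event, context):
    """Cloud Function entry point (Pub/Sub trigger); env vars assumed to be set by Terraform."""
    message = build_slack_message(parse_finding(event), os.environ["SLACK_CHANNEL"])
    return post_to_slack(message, os.environ["SLACK_BOT_TOKEN"])
```

Because Slack reports API failures (wrong channel, revoked token) with HTTP 200 and ok=false, the explicit check makes the function fail visibly in Cloud Functions logs instead of silently dropping findings.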

Prerequisites

  1. Tested on Terraform v1.4.6 with Google Cloud Provider v4.64.0
  2. Google Cloud SDK
  3. Enable Cloud Functions, Cloud Build, Pub/Sub and Secrets Manager APIs.
    • gcloud services enable cloudfunctions.googleapis.com
    • gcloud services enable cloudbuild.googleapis.com
    • gcloud services enable pubsub.googleapis.com
    • gcloud services enable secretmanager.googleapis.com
  4. Enable Security Command Center (UI)
  5. Python runtime = 3.8
  6. Create a Slack Channel
  7. Create a Slack API App - info can be found here in the Slack section.

Usage

  • Update the terraform.tfvars file with your ORG, Project and Slack values, then deploy using Terraform.
  • You will be prompted to enter the Slack Bot Token from step #7 during TF Apply and Deploy.
  • This value will be stored in Secrets Manager.

```hcl
bucket_name                     = "scc_slack_notification_code"
state_bucket_name               = "scc_gchat_notification_state"
bucket_location                 = "US"
function_name                   = "scc-notification-slack"
function_description            = "SCC Notifications to Slack"
function_runtime                = "python38"
function_location               = "us-central1"
topic_name                      = "scc-notifications-topic-slack"
topic_iam_role                  = "roles/pubsub.publisher"
scc_notification_name           = "all-active-alerts-slack"
scc_notification_description    = "My Custom Cloud Security Command Center Finding Notification Configuration"
notification_filter             = "(severity=\"HIGH\" OR severity=\"CRITICAL\") AND state=\"ACTIVE\""
secret_id                       = "scc-slack"
org_id                          = "CHANGE_ME"
project_id                      = "CHANGE_ME"
slack_channel                   = "CHANGE_ME"
```

Moving state to a GCS bucket

  • Uncomment and update the backend.tf file with the state bucket name given in the output of the Terraform run (you can also get the value by running terraform output).
  • terraform init -migrate-state

Moving state back to local

  • Comment out all of the content of the backend.tf file.
  • terraform init -migrate-state

Output Example

[image: output example]

The Python code is taken from the code snippet at https://cloud.google.com/security-command-center/docs/how-to-enable-real-time-notifications#slack.