Enabling real-time chat notifications

Overview

Security Command Center provides real-time notifications of findings in the Google Cloud console. This guide describes how to use Google Cloud services and third-party APIs to extend that functionality and receive near real-time notifications in Slack. When you complete the guide, you get alerts about new findings in configured third-party services without logging into the Google Cloud console, allowing for faster triaging of vulnerabilities and threats. Learn more about the different types of vulnerabilities and threats in Security Command Center.

Topology

In this guide, you create the configuration that is illustrated in the following diagram.

Near real-time notifications workflow for Security Command Center (diagram)

Objectives

In this guide, you do the following:

  1. Set up a Pub/Sub topic.
  2. Set up Slack.
  3. Write code in Cloud Run functions.
  4. Configure Pub/Sub and Cloud Run functions to send notifications to Slack whenever a new high or critical severity finding is written to Security Command Center.
  5. Troubleshoot notification problems.

Costs

This tutorial uses billable components of Google Cloud, including:

  • Pub/Sub
  • Cloud Run functions
  • Cloud Build

Use the pricing calculator to generate a cost estimate based on your projected usage.

Before you begin

To complete this guide, you must have the following Identity and Access Management (IAM) roles:

  • Organization Admin (roles/resourcemanager.organizationAdmin)
  • Security Center Admin (roles/securitycenter.admin)
  • Security Admin (roles/iam.securityAdmin)
  • A role with the serviceusage.services.use permission, such as Owner (roles/owner), Editor (roles/editor), or a custom role
  • Create Service Accounts (roles/iam.serviceAccountCreator)
  • Pub/Sub Editor (roles/pubsub.editor)
  • Billing Account Administrator (roles/billing.admin)

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Setting up a project

Complete the following steps to create or select a project.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Build API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  5. Install the Google Cloud CLI.

  6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  7. To initialize the gcloud CLI, run the following command:

    gcloud init

Estimated time: it takes approximately one hour to set up and test notifications for a single service.

Setting up a Pub/Sub topic

Pub/Sub is a real-time messaging service that enables messages to be sent and received between independent applications. Learn more about Pub/Sub .

In this section, you configure Security Command Center to publish findings to a Pub/Sub topic.

To set up and subscribe to a Pub/Sub topic:

  1. Specify your Google Cloud project in an environment variable.

    export PROJECT_ID=PROJECT_ID

    Replace PROJECT_ID with your project ID.

  2. Specify your Google Cloud organization in an environment variable.

    export ORG_ID=ORG_ID

    Replace ORG_ID with your organization ID.

  3. Set the project ID for gcloud commands.

    gcloud config set project $PROJECT_ID

  4. Create the Pub/Sub topic where notifications are published.

    gcloud pubsub topics create scc-critical-and-high-severity-findings-topic

  5. Specify the topic in an environment variable.

    export TOPIC=projects/$PROJECT_ID/topics/scc-critical-and-high-severity-findings-topic

  6. Create the subscription that notifies Cloud Run functions to send a chat message when messages are published to the topic.

    gcloud pubsub subscriptions create scc-critical-and-high-severity-findings-sub \
      --topic scc-critical-and-high-severity-findings-topic

  7. Configure Security Command Center to publish notifications to the topic. Any filter compatible with the ListFindings API can be used.

    The following filter publishes notifications for active high and critical severity findings in the global location. Learn more about filtering findings.

    gcloud scc notifications create scc-critical-high-severity \
      --pubsub-topic=$TOPIC \
      --organization=$ORG_ID \
      --location=global \
      --filter '(severity="HIGH" OR severity="CRITICAL") AND state="ACTIVE"'

Next, you create or configure your chat app to receive notifications from Pub/Sub.

Setting up a messaging app

This section describes how to use Pub/Sub and Cloud Run functions or Cloud Run functions (1st gen) to enable near real-time notifications for Slack.

To send notifications to a Slack channel, you do the following:

  • Create a new Slack app with sufficient privileges to post messages to a public Slack channel.
  • Create and deploy a Cloud Run function that posts chat messages to Slack when notifications are received from Pub/Sub.

Create a new Slack app

In this section, you create a new Slack app to receive notifications.

  1. Navigate to Slack API apps. The page opens in a new tab.
  2. Sign in or create an account.

  3. Select Create an App.

  4. Set App Name to "SCC Finding Notifier".

  5. Select the Development Slack Workspace where you'd like the Slack Bot to post messages, and then click Create App.

  6. In the navigation panel, select OAuth & Permissions.

  7. Navigate to the Scopes section. Scopes fall into two categories:

    • Bot Token Scopes
    • User Token Scopes
  8. For this exercise, you don't need to add a User Token Scope. Under Bot Token Scopes, click Add an OAuth Scope and enter:

    • chat:write
    • chat:write.public
  9. Go to the top of the OAuth & Permissions page and click Install App to Workspace.

  10. In the confirmation dialog, click Allow.

  11. Copy the Bot User OAuth Access Token for use in the Cloud Run function.

Next, you deploy a Cloud Run function to send notifications to a Slack group.

Create the Slack Cloud Run function

In this section, you deploy a function to send notifications to your Slack account. The code sample in this section is written in Python, but you can use any language that is supported by Cloud Run functions.

  1. In the Google Cloud console, go to the Cloud Run functions Services page.

  2. Select the ID of the project that contains the Pub/Sub topic.

  3. Click Write a function, and fill in the fields:

    1. For Service name, enter slack-chat-high-and-critical-findings.
    2. For Region, select the region where you want to store the service.
    3. For Runtime, select the Python version to use to run your function.
  4. Click Add trigger and select Pub/Sub trigger.

  5. Enter the details of the Pub/Sub topic that you created in Setting up a Pub/Sub topic, and click Save trigger.

  6. Click Create. The service details are displayed.

  7. In the Source pane of the Source tab, click requirements.txt.

  8. In the code editor, add requests and functions-framework==3.*:

     requests
     functions-framework==3.*

  9. In the Source pane, click main.py.

  10. In the code editor, replace the code with the following:

     import base64
     import json
     import requests
     import functions_framework

     # Bot User OAuth Access Token of the Slack app.
     TOKEN = "BOT_ACCESS_TOKEN"

     @functions_framework.cloud_event
     def send_slack_chat_notification(cloud_event):
         # The Pub/Sub message body is base64-encoded JSON published by Security Command Center.
         pubsub_message = base64.b64decode(cloud_event.data["message"]["data"]).decode('utf-8').strip()
         message_json = json.loads(pubsub_message)
         finding = message_json['finding']
         # Post one chat message per finding to the configured channel.
         requests.post("https://slack.com/api/chat.postMessage", data={
             "token": TOKEN,
             "channel": "#SLACK_CHANNEL_NAME",
             "text": f"A high severity finding {finding['category']} was detected."
         })

    Replace the following:

    • BOT_ACCESS_TOKEN: the Bot User OAuth Access Token that you created with the Slack app.
    • SLACK_CHANNEL_NAME: the Slack channel where you want to send the notifications.
  11. In the Function entry point field, enter the name of the function in the code sample: send_slack_chat_notification.

  12. Click Save and redeploy. If a green check mark appears next to the function name, your function has been successfully deployed. This process can take a few minutes.
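The following is an added, hardened variant of the function above; it is example code, not the page's or Google's own. It reads the bot token from an assumed SLACK_BOT_TOKEN environment variable instead of embedding it in main.py, sends it in the Authorization header, reports the finding's actual severity rather than a fixed "high", and logs and skips a message that is not a finding instead of crashing on a KeyError (which is the "function is crashing" case in the Troubleshooting section). SLACK_CHANNEL, the sample notification and the Slack message wording are assumptions.

```python
import base64
import json
import os
import urllib.request

try:
    import functions_framework  # provided by the Cloud Run functions runtime
except ImportError:  # stand-in so the module also imports locally for tests
    class functions_framework:
        cloud_event = staticmethod(lambda fn: fn)

# Assumed deployment settings (not from the page): the bot token comes from an
# environment variable rather than being hard-coded in main.py.
SLACK_TOKEN = os.environ.get("SLACK_BOT_TOKEN", "")
SLACK_CHANNEL = os.environ.get("SLACK_CHANNEL", "#scc-findings")

# Constructed sample of what Security Command Center publishes (only the fields used here).
SAMPLE_NOTIFICATION = {"finding": {
    "category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE",
    "resourceName": "//compute.googleapis.com/projects/example/global/firewalls/allow-all"}}
SAMPLE_DATA_B64 = base64.b64encode(json.dumps(SAMPLE_NOTIFICATION).encode()).decode()

def parse_finding(data_b64):
    """Decode the base64 Pub/Sub payload; raise ValueError if it is not a finding."""
    message = json.loads(base64.b64decode(data_b64).decode("utf-8").strip())
    if not isinstance(message, dict) or "finding" not in message:
        raise ValueError("message has no 'finding' key")
    return message["finding"]

def build_slack_text(finding):
    """Render one finding as the line posted to Slack, with its real severity."""
    return (f"{finding.get('severity', 'UNKNOWN')} finding "
            f"{finding.get('category', 'unknown')} detected on "
            f"{finding.get('resourceName', 'unknown resource')}")

@functions_framework.cloud_event
def send_slack_chat_notification(cloud_event):
    """Entry point: Pub/Sub CloudEvent -> Slack chat.postMessage."""
    try:
        finding = parse_finding(cloud_event.data["message"]["data"])
    except (KeyError, ValueError) as exc:
        print(f"skipping message: {exc}")  # visible in the function's logs
        return
    body = json.dumps({"channel": SLACK_CHANNEL, "text": build_slack_text(finding)})
    req = urllib.request.Request(
        "https://slack.com/api/chat.postMessage", data=body.encode(),
        headers={"Authorization": f"Bearer {SLACK_TOKEN}",
                 "Content-Type": "application/json; charset=utf-8"})
    with urllib.request.urlopen(req) as resp:
        result = json.load(resp)
    if not result.get("ok"):
        print(f"Slack API error: {result.get('error')}")  # e.g. invalid_auth
```

Because the Slack call is unchanged from the page's flow (one chat.postMessage per finding), the Pub/Sub trigger, entry point name and requirements.txt from the steps above still apply; only the requests dependency is no longer needed.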

If the preceding steps completed without errors, the setup is complete and you start receiving notifications. Keep in mind:

  • You receive a separate chat message for each individual critical or high severity finding. The frequency or number of notifications depends on the resources within your organization.
  • Notifications are published and sent in near real time. However, the immediacy of messages is not guaranteed and multiple factors can cause delays, including issues with Slack.

To change the notifications workflow, you can do the following:

  • Change recipients by updating your Cloud Run function.
  • Change which findings trigger notifications by updating the filter for the Pub/Sub topic.

Testing notifications

To test whether notifications are properly configured, follow these instructions to toggle high severity findings between active and inactive states.

  1. Go to the Security Command Center Findings page.
  2. Select your organization, if prompted.
  3. In the Quick filters panel, scroll down to the Severity section and select either High or Critical. The Findings query results panel updates to show findings of only the selected severity.
  4. In the Findings query results panel, select a finding by checking the box next to its name.
  5. From the Change active state menu in the Findings query results action bar, select Inactive. If the current findings query shows only active findings, the finding is removed from the query results.
  6. In the Quick filters panel, scroll down to the State section and change the selections so that only Inactive is selected. The Findings query results panel updates to show only inactive findings.
  7. In the Findings query results panel, select the finding that you marked inactive.
  8. From the Change active state menu in the Findings query results action bar, select Active.
  9. Check your Slack messages. A message similar to the following image is displayed:

Slack notification

Troubleshooting

If chat messages are not being sent or received, follow these steps to identify and resolve potential issues.

  1. Check the Stackdriver logs (https://console.cloud.google.com/projectselector2/logs/viewer) for your Cloud Run function to determine whether the function is being invoked. If it is not being invoked, ensure that notifications are set up correctly.
  2. If the Cloud Run function is being invoked, then it might be crashing. Check for errors in Cloud Run functions using Google Cloud console Error Reporting (https://console.developers.google.com/errors).

Cleaning up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Deleting the project

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Deleting individual resources

  1. Delete your notification configuration:

    gcloud scc notifications delete scc-critical-high-severity \
      --organization=ORG_ID \
      --location=global

    Replace ORG_ID with your organization ID.

    To maintain your configuration and temporarily pause notifications, comment out the send or post calls in your Cloud Run function.

  2. Delete your Cloud Run function:

    1. Go to Cloud Run functions.
    2. Click the checkbox next to the function you want to delete.
    3. Click Delete.
  3. Delete the service account:

    1. Go to the Service accounts page.
    2. Select a project.
    3. Select the service account you want to delete, and then click Delete.

What's next
