LinkedIn
Twitter
Let's face it, Security Command Center (SCC) is a goldmine of security data. But sometimes, those shiny nuggets of insight need a bit of refining before they reveal their true value. That's where BigQuery comes in, transforming your SCC data into a powerful data lake for supercharged security analytics.
Why SCC + BigQuery = A Security Analyst's Dream
- Long-term Retention: Exporting findings to BigQuery provides a comprehensive repository for investigating security events over time.
- Custom Queries with a Vengeance: Go beyond SCC's built-in searches. BigQuery lets you unleash your inner SQL ninja to hunt down threats like a true cyber-warrior.
- Trend Analysis and Visualization: Identify patterns, anomalies, and recurring incidents by analyzing large volumes of SCC data within BigQuery. Easily visualize these insights for better decision-making.
Let's Get Practical!
SCC Data Export: We are not going into too much details on the initial configuration itself as this is already documented at the following link with an easy to follow step by step instructions
https://cloud.google.com/security-command-center/docs/how-to-analyze-findings-in-big-query
Next have a look at a few examples of common and useful BigQuery Queries:
1, Get all findings for a specific findings class and severity:
SELECT * FROM `<YOURDATASET>` WHERE finding.severity = 'HIGH' AND finding.finding_class = 'MISCONFIGURATION'
2, Get all findings for a specific resource type, severity, and category:
SELECT * FROM `<YOURDATASET>` WHERE resource.type = 'google.compute.Instance' AND finding.severity = 'MEDIUM' AND finding.finding_class = 'MISCONFIGURATION'
3, Get All Findings for a specific project
SELECT * FROM `<YOURDATASET>` WHERE resource.project_display_name = '<YOURPROJECT>'
Wait, thereโs more?
Yes, while getting lost in the amazing world of datasets and SQL queries can be fun, we have to remember that itโs always better to visualize our data wherever possible. Hands up anyone who does not like a nice and shiny pie chart!
With BigQuery you have a range of options on how you can visualize your datasets and results.
1, Explore your datasets with Sheets!
You can explore your data using Google Sheets with a simple click of a button
Here you have the full power of Sheets to work and visualize your data as needed
2, Explore your dataset with Looker!
You also have the option to explore your dataset with Looker with the same ease of integration as Sheets.
Here you have the full power of Looker to create any dashboards needed to visualize your data, just the way you want it!
We are not going into too much detail on Looker and Sheets here as both of those subjects could be an individual topic of their own and we can revisit a few different cool Looker dashboards at another post in the near future.
To sum it up, think of BigQuery as the trusty sidekick to your SCC superhero. It won't stop threats on its own, but it'll give you the X-ray vision to see patterns, anomalies, and the long-term trends that can make all the difference in protecting your digital assets.
- Refine threat detection rules: Identify patterns suggesting new or evolving attack techniques.
- Proactively mitigate risk: Address recurring vulnerabilities exposed through trend analysis.
- Improve incident response: Leverage historical data for faster and more informed responses to security events.
Ready to level up your security analytics game?
Start exploring SCC's BigQuery integration today!
Have an awesome custom query or dashboard you would like to share?
Share them in the comments below!
Useful links and resources
Setup SCC stream to BigQuery
https://cloud.google.com/security-command-center/docs/how-to-analyze-findings-in-big-query
Running queries in BigQuery
https://cloud.google.com/bigquery/docs/running-queries
BigQuery and Looker
