GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.

Managed LZ: Provide diff of alerts/logs/metrics on GKE autopilot vs standard CC deployments - with triaged priority for Tier1-4 ticket generation use cases #433

Open fmichaelobrien opened 1 year ago

fmichaelobrien commented 1 year ago

Raised by the SSC team and @lucstjean-ssc today. Managed LZ: Provide alerts/logs/metrics on GKE autopilot vs standard CC deployments - with triaged priority for Tier1-4 ticket generation use cases. Also discussed was the perspective of current GCP users of GKE autopilot clusters - thinking consumers of GKE threat analysis - Mandiant team?

Deliverables are both a diff list of metrics/alerts/logs on GKE autopilot/standard and a prioritized list of alerts based on temporary/critical levels - to drive Tier1-4 ticket support.

cartyc commented 1 year ago

@lucstjean-ssc would GKE Security Posture help with this at all? Happy to sync offline to get more details of what you need.

There is also our hardening guide: https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster

lucstjean-ssc commented 1 year ago

@cartyc Thanks, I'm not sure I ever came across this. I will have a look. Our main concern is what alerts we should create and fire off via notification channels.

cartyc commented 1 year ago

It's pretty handy but doesn't cover alerting like you're looking for. I'll look into whether we have any recommendations for what alerts should be enabled for GKE (std/ap) clusters.

KingBain commented 1 year ago

Not sure if this has moved further in terms of alerting, but this is what we were looking to implement:

https://github.com/gschaeffer/scc-findings-to-pubsub

I assume from Cloud Monitoring it could be easier to trigger alerts for things like SIEM or SRE bots?

cartyc commented 1 year ago

Alerts from Cloud Monitoring would likely be easier; lots of integrations are available in the notification channels that alerts use.


cartyc commented 1 year ago

@KingBain are there specific metrics you are looking to extract from Security Command Center?

KingBain commented 1 year ago

"Just the good ones"

Honestly unsure right now, we're just at the phase now to start investigating org level alerts and project level alerts.

lucstjean-ssc commented 1 year ago

@KingBain We should start looking deeper into alerting during our next sprint. I did find this link to be a good point of reference: https://cloud.google.com/monitoring/api/metrics_gcp

fmichaelobrien commented 1 year ago

Good discussion guys, I am also looking at alerts - starting with routers and bgp sessions up/down via VPNs or interconnects we are deploying. Will sync

448

Around https://cloud.google.com/network-connectivity/docs/interconnect/how-to/monitoring
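As an added illustration (not code from this issue or from the toolkit), here is what a declarative Cloud Monitoring alert for the "BGP session down" case mentioned above could look like as a Config Connector MonitoringAlertPolicy, wired to a notification channel as discussed earlier in the thread. The resource names, the namespace, the `noc-email` channel and the `bgp_peer_name` group-by label are assumptions; check the label names against the metrics reference linked above before applying.

```yaml
# Added example: alert when a Cloud Router BGP session is not established.
# router.googleapis.com/bgp/session_up reports 1 while the session is up, 0 otherwise.
apiVersion: monitoring.cnrm.cloud.google.com/v1beta1
kind: MonitoringAlertPolicy
metadata:
  name: cloud-router-bgp-session-down   # hypothetical name
  namespace: config-control             # assumed Config Controller namespace
spec:
  displayName: "Cloud Router BGP session down"
  combiner: OR
  enabled: true
  conditions:
  - displayName: "BGP session not established for 5 minutes"
    conditionThreshold:
      filter: 'resource.type = "gce_router" AND metric.type = "router.googleapis.com/bgp/session_up"'
      # Fire when the minimum over the window drops below 1 (i.e. any sample shows the session down).
      comparison: COMPARISON_LT
      thresholdValue: 1
      duration: "300s"
      aggregations:
      - alignmentPeriod: "60s"
        perSeriesAligner: ALIGN_MIN
        crossSeriesReducer: REDUCE_MIN
        groupByFields:
        - resource.label.router_id
        - metric.label.bgp_peer_name   # assumed label; one incident per router/peer pair
  notificationChannels:
  - name: noc-email   # assumed MonitoringNotificationChannel resource in the same namespace
  documentation:
    content: "A Cloud Router BGP session (VPN or Interconnect) has been down for 5 minutes. Check the peer, tunnel or VLAN attachment status."
    mimeType: text/markdown
```

The same shape applies to the other metrics in that list (for example VPN tunnel or Interconnect attachment status); the severity used for Tier1-4 routing would be carried on the policy's labels or in the channel choice rather than in the condition itself.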