Send Email using Microsoft Graph on High Severity Finding Notifications

This repository provides a GCP cloud function that will send an email notification using the Microsoft Graph API when a new high severity finding is published to GCP's Security Command Center.

Overview

  • Register a new app in Azure portal and grant it the appropriate permissions to send emails.
  • Configure Security Command Center to publish notifications to Cloud Pub/Sub when new high and critical severity findings are created.
  • Create and deploy a Cloud Function that subscribes to the Cloud Pub/Sub topic and sends an email message each time a notification is received.

Step-by-Step

Register a New App in Azure Portal

In this section, we will register a new App in Azure that has permission to send emails.

  1. Sign in to Azure portal.

  2. In the hamburger menu, click Azure Active Directory.

  3. Click App registrations, then click New registration.

  4. Under name, type SCC Finding Notifier, then click Register.

  5. Click API permissions, then click Add a permission.

  6. Click Microsoft Graph.

  7. Click Application permissions, then under Select permissions, filter for Mail.Send, check the box next to Mail.Send, then click Add permissions.

  8. Click Grant admin consent, and confirm by clicking Yes.

  9. Click Certificates & secrets, then click New client secret. Under description, type GCP Cloud Function Secret, then click Add.

  10. Copy the secret Value and save it for later.

Gather Client, Tenant, and User IDs

The cloud function that will be sending emails needs the secret and the client and tenant IDs in order to obtain a token. Additionally, the cloud function will also need a user ID that the emails will be sent on behalf of.

  1. Click Overview, then copy the Application (client) ID and Directory (tenant) ID and save them for later.

  2. Navigate back to Azure Active Directory by clicking the hamburger menu, and then Azure Active Directory.

  3. Click Users.

  4. Click the user you want the cloud function to send emails on behalf of.

  5. Under the Identity section, copy the Object ID and save it for later.

Open a Terminal

The rest of this tutorial will be performed in a terminal.

  1. Open a Cloud Shell Console, or a shell with the gcloud CLI installed.

  2. Clone this repository locally and make it the current working folder.

    git clone https://github.com/shadanan/gcp-scc-finding-notification-azure-email.git
    cd gcp-scc-finding-notification-azure-email

Configure the Pub/Sub Topic and Subscription

Cloud Pub/Sub is a real-time messaging service that enables messages to be sent and received between independent applications. A publisher creates a message and publishes it to a feed of messages called a topic. A subscriber receives these messages by way of a subscription. In our case, we'll have a Cloud Function that sends an email when High and Critical severity notifications are published to the topic.

  1. In the shell that we prepared at the beginning, set the org and project ID. The selected project is where the Cloud Function will run.

    export ORG_ID=<your org id>
    export PROJECT_ID=<your project id>
    gcloud config set project $PROJECT_ID
  2. Create the topic where all the findings will be published.

    gcloud pubsub topics create scc-critical-and-high-severity-findings-topic
    export TOPIC=projects/$PROJECT_ID/topics/scc-critical-and-high-severity-findings-topic
  3. Configure SCC to publish notifications to our topic.

    gcloud scc notifications create scc-critical-and-high-severity-findings-notify \
      --organization $ORG_ID --pubsub-topic $TOPIC \
      --filter '(severity="HIGH" OR severity="CRITICAL") AND state="ACTIVE"'

Create a Service Account for our Cloud Function

In this section, we'll provision a service account that will be used by our cloud function. These instructions are adapted from the public documentation.

  1. Create the service account.

    export SERVICE_ACCOUNT=email-cloud-function-sa
    gcloud iam service-accounts create $SERVICE_ACCOUNT \
      --display-name "SCC Finding Notifier Email Cloud Function" \
      --project $PROJECT_ID
  2. Grant the service account the securitycenter.admin role for the organization.

    gcloud organizations add-iam-policy-binding $ORG_ID \
      --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
      --role='roles/securitycenter.admin'

Save App Secret in Secrets Manager

  1. Export the App Secret into an environment variable.

    export APP_SECRET=<your-app-secret>
  2. Create the secret.

    gcloud secrets create azure-app-secret
  3. Set the value of the secret.

    echo -n "$APP_SECRET" | gcloud secrets versions add azure-app-secret --data-file=-
  4. Grant your service account access to the secret.

    gcloud secrets add-iam-policy-binding azure-app-secret \
      --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
      --role='roles/secretmanager.secretAccessor'

Publish the Cloud Function

  1. Set the Client, Tenant, and User IDs.

    export CLIENT_ID=<your-app-client-id>
    export TENANT_ID=<your-app-tenant-id>
    export USER_ID=<your-user-id>
  2. Set the recipient email address.

    export RECIPIENT=<destination-email-address>
  3. Deploy the email-azure-high-and-critical-findings cloud function. If you have not enabled Cloud Build API, then this command may fail. Follow the link in the error message to enable it and then try again.

    gcloud functions deploy email-azure-high-and-critical-findings \
      --entry-point=send_email_notification \
      --runtime=python39 \
      --service-account="$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
      --set-env-vars="PROJECT_ID=$PROJECT_ID,CLIENT_ID=$CLIENT_ID,TENANT_ID=$TENANT_ID,USER_ID=$USER_ID,RECIPIENT=$RECIPIENT" \
      --source=cf \
      --trigger-topic=scc-critical-and-high-severity-findings-topic
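As an added illustration of what the deployed entry point has to do, the handler below is example code written for this page, not the repository's own cf/ source. It assumes the environment variables set by the deploy command above, assumes the Azure app secret has already been read from Secret Manager into APP_SECRET, and embeds a constructed sample of the Pub/Sub event that Security Command Center notifications produce.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SENDMAIL_URL = "https://graph.microsoft.com/v1.0/users/{user}/sendMail"


def decode_finding(event):
    """Pub/Sub hands the SCC notification to the function as base64-encoded JSON."""
    notification = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    return notification["finding"]


def should_notify(finding):
    """Re-apply the notification filter so a misconfigured config cannot spam the mailbox."""
    return finding.get("state") == "ACTIVE" and finding.get("severity") in ("HIGH", "CRITICAL")


def build_mail(finding, recipient):
    """Microsoft Graph sendMail request body for one finding (plain text, not kept in Sent Items)."""
    lines = [f"{k}: {finding.get(k, 'unknown')}"
             for k in ("severity", "category", "resourceName", "eventTime", "name")]
    message = {"subject": f"[SCC {finding['severity']}] {finding['category']}",
               "body": {"contentType": "Text", "content": "\n".join(lines)},
               "toRecipients": [{"emailAddress": {"address": recipient}}]}
    return {"message": message, "saveToSentItems": False}


def token_form(tenant_id, client_id, client_secret):
    """Client-credentials grant for the v2 token endpoint; Mail.Send is an application permission."""
    return TOKEN_URL.format(tenant=tenant_id), {
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "scope": "https://graph.microsoft.com/.default"}


def send_email_notification(event, context):
    """Entry point named in the deploy command. APP_SECRET is assumed to hold the Secret Manager value."""
    finding = decode_finding(event)
    if not should_notify(finding):
        return
    url, form = token_form(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["APP_SECRET"])
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    token = json.load(urllib.request.urlopen(req))["access_token"]
    mail = json.dumps(build_mail(finding, os.environ["RECIPIENT"])).encode()
    req = urllib.request.Request(SENDMAIL_URL.format(user=os.environ["USER_ID"]), data=mail,
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    urllib.request.urlopen(req)  # Graph answers 202 Accepted on success


# Constructed sample of a Pub/Sub event carrying an SCC finding (not a real finding).
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps({"finding": {
    "name": "organizations/0/sources/0/findings/example", "category": "OPEN_FIREWALL",
    "severity": "HIGH", "state": "ACTIVE", "eventTime": "2023-01-01T00:00:00Z",
    "resourceName": "//compute.googleapis.com/projects/example/global/firewalls/allow-all"}}).encode()).decode()}
```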

Test It Out

  1. In Security Command Center, manually deactivate and reactivate a high severity finding in order to trigger the cloud function. Ensure Show Only Active Findings is off so that the findings don't disappear after you deactivate one.

  2. Check your mailbox!
