Explore the security graph using queries

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Premium and Enterprise service tiers (requires organization-level activation)

Security graph in Security Command Center is a relationship-aware database that maps cloud resources, their configurations, and associated risk indicators such as vulnerabilities, access permissions, data sensitivity, and network exposure. The graph provides a comprehensive view of your cloud assets and their relationships.

In this document, you learn about Graph Search, a feature that lets you explore the security graph by creating custom queries to help pinpoint potential security concerns in your environment.

Query components

Security graph queries consist of three main component types:

  • Node: a security finding or a cloud resource.
  • Where clause (filter): a filter that's applied to a node to refine the query based on the specific properties of the node.
  • Connection: a directional relationship between two nodes.

The following is an example of a query as seen in the Google Cloud console, using these components.

Security Command Center Graph query example using a variety of components

This example query structure identifies a relationship between security entities to help pinpoint risk. First, the query establishes the key subjects, or nodes, of the investigation: the CVE Vulnerability and the Virtual Machine (GCE). The connection, identified by the phrase "that affects", explicitly links these two nodes. Finally, the query is finely tuned using multiple attributes, known as where clauses or filters, on each node. The filters that are used here include the vulnerability's severity and the VM's network reachability. Together, these components help identify potential risks in an environment.

Node

A node represents a security finding or a cloud resource.

Some examples of a node in the Google Cloud console include the following:

Nodes are grouped by categories such as Compute, Kubernetes, Identity, and Databases. You can browse or search all available node types in the Google Cloud console when constructing your query.

Where clause (filter)

A where clause is a filter that's applied to a node to refine the query based on the specific properties associated with the node.

The following are some examples of filters:

  • Severity = Critical: an item of critical severity, for example, a CVE.
  • Has Full API Access = True: indicates that a node is configured with full access to all Google Cloud APIs.
  • Exploitation Activity = Confirmed: indicates known, reported, or anticipated instances of a vulnerability being exploited in the wild.

Filters shown in the Google Cloud console are context-aware and depend on the type of node that you have selected.

Connection

A connection is a directional relationship between two nodes.

The following are examples of connections:

  • that affects: defines the relationship between two selected nodes—for example, a CVE Vulnerability in relation to a Virtual Machine (GCE).
  • that uses: defines the relationship between two selected nodes—for example, a Virtual Machine (GCE) in relation to an IAM Service Account.

Connections are context-aware, and only valid relationships are shown for the selected node type.

Build a query

You can query the security graph to explore your cloud environment based on criteria that are important to you. Performing and refining queries on the graph can help you identify specific security weaknesses that you want to monitor.

Premium

  1. To open the security graph query page, go to the Security Command Center Graph Search page.

  2. Use the query editor to build your query.

    1. Create your own custom query.

    2. Choose an option:

  3. Run your query.

  4. Review the query results in the table. You can customize the results view by selecting what columns to display. You can also sort each column in ascending or descending order.

  5. Export query results as a CSV file using the Download CSV option.

    Note: Exports are limited to 1,000 rows.

Enterprise

  1. To open the security graph query page, go to the Security Command Center Risk Overview > Graph Search page.

  2. Use the query editor to build your query.

    1. Create your own custom query.

    2. Choose an option:

  3. Run your query.

  4. Review the query results in the table. You can customize the results view by selecting what columns to display. You can also sort each column in ascending or descending order.

  5. Export query results as a CSV file using the Download CSV option.

    Note: Exports are limited to 1,000 rows.

Create custom queries

You can define custom queries to identify security vulnerabilities specific to your environment.

To create a custom query, either start a new query or customize an existing search suggestion using the following steps:

Premium

  1. In the Google Cloud console, go to the Security Command Center Graph Search page.

  2. In the Show field, click and select a resource or finding as the primary node for your query, and then click Continue.

  3. To refine your query, click the toggle for any filter or connection to enable it for the selected node. Define the value for each filter you enable.

    Note: All customizations are context-aware. You only see the filters and connections that are valid for the selected node type.
    Query builder widget showing Cloud Storage Bucket filter options
  4. To make additional changes, click the plus icon that's associated with a node or connection to make updates. Click to remove a component from your query.

  5. Select Run query.

    As the graph schema evolves, the available nodes, filters, and connections are updated in the Google Cloud console.

Enterprise

  1. In the Google Cloud console, go to the Security Command Center Graph Search page.

  2. In the Show field, click and select a resource or finding as the primary node for your query, and then click Continue.

  3. To refine your query, click the toggle for any filter or connection to enable it for the selected node. Define the value for each filter you enable.

    Note: The query editor shows only the filters and connections that are valid for the selected node type.
    Query builder widget showing Cloud Storage Bucket filter options
  4. To modify your query even more, click the plus icon that's associated with a node or connection to make updates. Click to remove a component from your query.

  5. Select Run query.

    As the graph schema evolves, the available nodes, filters, and connections are updated in the Google Cloud console.

Use or customize a search suggestion

Several search suggestions are provided as starting points. You can use these suggestions as-is or customize them to fit your specific requirements.

Premium

  1. In the Google Cloud console, go to the Security Command Center Graph Search page.

  2. Select a Search suggestion to see more detailed information about the query.

  3. Click Use suggestion.

  4. Optional: Modify the query details in the editor to suit your needs. For more information, see Create custom queries.

  5. Click Run query.

Enterprise

  1. In the Google Cloud console, go to the Security Command Center Risk Overview > Graph Search page.

  2. Select a Search suggestion to see more detailed information about the query.

  3. Click Use suggestion.

  4. Optional: Modify the query details in the editor to suit your needs. For more information, see Create custom queries.

  5. Click Run query.

Troubleshoot queries that return no results

If your query returns no results, try the following steps to troubleshoot and adjust.

Use a predefined search suggestion

The predefined search suggestions provided are examples designed to return results relevant to a variety of environments. You can modify search suggestions to suit your specific needs.

Simplify or adjust your query

  • Remove or reduce filters to broaden the scope of your query.

  • Try querying a single asset type or property to validate that data is being returned.

  • Avoid combining too many constraints. Doing so could unintentionally exclude results.
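
To make the query components and the simplification steps above concrete, the following Python sketch is an added example, not Security Command Center code or its API. It models nodes, filters, and directional connections over a small constructed graph, then reports which single filter, once removed, makes an empty query return results. The `Network Reachable` property name and the placeholder CVE labels are assumptions.

```python
# Added illustration: a toy in-memory model, not the Security Command Center API.
from dataclasses import dataclass, field

@dataclass
class Node:
    type: str
    props: dict
    edges: list = field(default_factory=list)  # outgoing (connection, Node) pairs

def matches(node, node_type, filters):
    """A node matches when its type and every filter (where clause) agree."""
    return node.type == node_type and all(node.props.get(k) == v for k, v in filters.items())

def run_query(graph, src_type, src_filters, connection, dst_type, dst_filters):
    """Return (source, target) pairs joined by a directional connection."""
    return [(s, t) for s in graph if matches(s, src_type, src_filters)
            for conn, t in s.edges
            if conn == connection and matches(t, dst_type, dst_filters)]

def relax_one_filter(graph, src_type, src_filters, connection, dst_type, dst_filters):
    """For an empty result: which single filter, if removed, yields results?"""
    hits = {}
    for side, filters in (("source", src_filters), ("target", dst_filters)):
        for key in filters:
            reduced = {k: v for k, v in filters.items() if k != key}
            sf = reduced if side == "source" else src_filters
            df = reduced if side == "target" else dst_filters
            count = len(run_query(graph, src_type, sf, connection, dst_type, df))
            if count:
                hits[(side, key)] = count
    return hits

def sample_graph():
    # Constructed sample data. "Network Reachable" is an assumed property name.
    vm_pub = Node("Virtual Machine (GCE)", {"name": "vm-public", "Network Reachable": True})
    vm_int = Node("Virtual Machine (GCE)", {"name": "vm-internal", "Network Reachable": False})
    cve_a = Node("CVE Vulnerability", {"id": "CVE-PLACEHOLDER-A", "Severity": "Critical",
                 "Exploitation Activity": "Confirmed"}, [("that affects", vm_int)])
    cve_b = Node("CVE Vulnerability", {"id": "CVE-PLACEHOLDER-B", "Severity": "High",
                 "Exploitation Activity": "Confirmed"}, [("that affects", vm_pub)])
    return [vm_pub, vm_int, cve_a, cve_b]

# Over-constrained query: critical, exploited CVEs that affect reachable VMs.
QUERY = ("CVE Vulnerability", {"Severity": "Critical", "Exploitation Activity": "Confirmed"},
         "that affects", "Virtual Machine (GCE)", {"Network Reachable": True})

if __name__ == "__main__":
    graph = sample_graph()
    print("results:", run_query(graph, *QUERY))
    print("filters whose removal returns rows:", relax_one_filter(graph, *QUERY))
```

In this sample, each filter matches something on its own, but no single CVE-to-VM pair satisfies all three at once, which is the "too many constraints" case.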

Verify access permissions

Make sure that you have the necessary permissions to view the data you're querying. Without the correct access, some assets or relationships might be hidden or excluded from results.

Allow time for data sync

Recently created or updated resources might take a few minutes or hours to appear in the graph. For example, delays can occur if you've just added a resource or updated IAM policies. If you've just made changes to your cloud environment, try running the query again after some time.

Graph coverage

Some data types or relationships might not be available in the security graph, depending on your environment and the supported data types. If you're not seeing expected data, it might not be available in the graph.

Additional help

If you've tried the preceding steps and still aren't seeing the expected results, contact your project administrator or see Getting support for assistance reviewing your query configuration and permissions.

Last updated 2026-02-20 UTC.