Google Security Command Center

Integration version: 12.0

Prerequisites

The minimal set of required permissions to integrate Security Command Center with Google Security Operations SOAR is as follows:

  1. securitycenter.assets.list
  2. securitycenter.findings.list
  3. securitycenter.findings.setMute
  4. securitycenter.findings.setState

Integrate Security Command Center with Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String N/A Yes API root of the Security Command Center instance.
Organization ID String N/A No ID of the organization that should be used in the Security Command Center integration.
User's Service Account Password N/A Yes Service account of the Security Command Center instance. A full content of the service account JSON file should be provided.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Security Command Center server is valid.

Actions

Enrich Assets

Description

Enrich assets using information from Security Command Center.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Asset Resource Names CSV N/A Yes Specify a comma-separated list of resource names of the assets for which you want to return data.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
"siemplify_asset_display_name":[4] [5]  ""
"asset": {
        "name": "organizations/236378329325/assets/4140124989808983197",
        "securityCenterProperties": {
          "resourceName": "//compute.googleapis.com/projects/orbital-signal-243013/zones/europe-west1-b/instances/8494023830802519914",
          "resourceType": "google.compute.Instance",
          "resourceParent": "//cloudresourcemanager.googleapis.com/projects/469755381865",
          "resourceProject": "//cloudresourcemanager.googleapis.com/projects/469755381865",
          "resourceOwners": {
            "serviceAccount": [
              "469755381865@cloudbuild.gserviceaccount.com",
              "alpha-svc-acct@orbital-signal-243013.iam.gserviceaccount.com"
            ],
            "user": [
              "dana@example.com",
              "alex@example.com",
              "test-scc@brinstar.net"
            ]
          },
          "resourceDisplayName": "vm-wordpress",
          "resourceParentDisplayName": "orbital-signal-243013",
          "resourceProjectDisplayName": "orbital-signal-243013"
        },
        "resourceProperties": {
          "shieldedInstanceConfig": "{\"enableIntegrityMonitoring\":true,\"enableSecureBoot\":false,\"enableVtpm\":true}",
          "scheduling": "{\"automaticRestart\":true,\"onHostMaintenance\":\"MIGRATE\",\"preemptible\":false,\"provisioningModel\":\"STANDARD\"}",
          "labelFingerprint": "rs_6ubxpsZU=",
          "creationTimestamp": "2022-02-08T05:00:54.691-08:00",
          "networkInterfaces": "[{\"fingerprint\":\"DLL4fFQQkFU\\u003d\",\"name\":\"nic0\",\"network\":\"https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/global/networks/scc-demo\",\"networkIP\":\"10.1.0.40\",\"stackType\":\"IPV4_ONLY\",\"subnetwork\":\"https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/regions/europe-west1/subnetworks/vm-net1\"}]",
          "name": "vm-wordpress",
          "machineType": "https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/zones/europe-west1-b/machineTypes/e2-standard-2",
          "serviceAccounts": "[{\"email\":\"469755381865-compute@developer.gserviceaccount.com\",\"scopes\":[\"https://www.googleapis.com/auth/devstorage.read_only\",\"https://www.googleapis.com/auth/logging.write\",\"https://www.googleapis.com/auth/monitoring.write\",\"https://www.googleapis.com/auth/pubsub\",\"https://www.googleapis.com/auth/service.management.readonly\",\"https://www.googleapis.com/auth/servicecontrol\",\"https://www.googleapis.com/auth/trace.append\"]}]",
          "tags": "{\"fingerprint\":\"AG-OvsszYew\\u003d\",\"items\":[\"wordpress\"]}",
          "fingerprint": "pJ1DSfT2-oM=",
          "labels": "{\"env\":\"scctest\"}",
          "canIpForward": false,
          "zone": "https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/zones/europe-west1-b",
          "cpuPlatform": "Intel Broadwell",
          "disks": "[",
          "shieldedInstanceIntegrityPolicy": "{\"updateAutoLearnPolicy\":true}",
          "deletionProtection": false,
          "selfLink": "https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/zones/europe-west1-b/instances/vm-wordpress",
          "startRestricted": false,
          "lastStartTimestamp": "2022-02-08T05:01:05.259-08:00",
          "status": "RUNNING",
          "id": "8494023830802519914"
        },
        "securityMarks": {
          "name": "organizations/236378329325/assets/4140124989808983197/securityMarks"
        },
        "createTime": "2022-02-08T13:00:55.518Z",
        "updateTime": "2022-04-27T20:12:50.687Z",
        "iamPolicy": {},
        "canonicalName": "projects/469755381865/assets/4140124989808983197"
      }
}
Entity Enrichment
Enrichment Table for google.compute.Instance - Prefix GSCC_
Enrichment Field Name Source (JSON Key) Logic - When to apply
resourceOwners_{key} Csv of resourceOwners_{key} When available in JSON
type resourceType When available in JSON
create_time createTime When available in JSON
update_time updateTime When available in JSON
related_service_accounts csv of resourceProperties/serviceAccounts/email When available in JSON
tags csv resourceProperties/tags/items When available in JSON
self_link resourceProperties/selfLink When available in JSON
status resourceProperties/status When available in JSON
ip_addresses csv of resourcePropertie/networkInterfaces When available in JSON
Enrichment Table for google.compute.Address - Prefix GSCC_
Enrichment Field Name Source (JSON Key) Logic - When to apply
resourceOwners_{key} Csv of resourceOwners_{key} When available in JSON
name asset/resourceDisplayName When available in JSON
type resourceType When available in JSON
create_time createTime When available in JSON
update_time updateTime When available in JSON
compute_create_time resourceProperties/creationTimestamp When available in JSON
compute_start_time resourceProperties/lastStartTimestamp When available in JSON
self_link resourceProperties/selfLink When available in JSON
start_restricted resourceProperties/startRestricted When available in JSON
purpose resourceProperties/purpose When available in JSON
description resourceProperties/description When available in JSON
address_type resourceProperties/addressType When available in JSON
network_tier resourceProperties/networkTier When available in JSON
status resourceProperties/status When available in JSON
address resourceProperties/address When available in JSON
Enrichment Table for google.iam.ServiceAccount - Prefix GSCC_
Enrichment Field Name Source (JSON Key) Logic - When to apply
resourceOwners_{key} Csv of resourceOwners_{key} When available in JSON
name asset/resourceDisplayName When available in JSON
type resourceType When available in JSON
create_time createTime When available in JSON
update_time updateTime When available in JSON
display_name resourceProperties/displayName When available in JSON
disabled disabled When available in JSON
Enrichment Table for google.cloud.storage.Bucket - Prefix GSCC_
Enrichment Field Name Source (JSON Key) Logic - When to apply
resourceOwners_{key} Csv of resourceOwners_{key} When available in JSON
type resourceType When available in JSON
create_time createTime When available in JSON
update_time updateTime When available in JSON
iam_roles csv of iamPolicy/policyBlob/binding/role When available in JSO
Insights

N/A

Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one asset (is_success=true): "Successfully enriched the following assets using information from Security Command Center: {asset.identifier}."

If data is not available for one asset (is_success=true): "Action wasn't able to enrich the following assets using information from Security Command Center: {asset.identifier}."

If data is not available for all assets (is_success=false): "None of the provided assets were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Assets". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Title: {entity.identifier}

Table Columns:

  • Key
  • Value
Entity

Get Finding Details

Description

Get details about a finding in Security Command Center.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Finding Name CSV organizations/{organization_id}/sources/{source_id}/findings/{finding_id} Yes

Specify a comma-separated list of finding names for which you want to return details.

Note: Finding name has the following structure:
organizations/{organization_id}/sources/{source_id}/findings/{finding_id}

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
      "finding_name": "organizations/236378329325/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
      "finding": {
        "name": "organizations/236378329325/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
        "parent": "organizations/236378329325/sources/2678067631293752869",
        "resourceName": "//cloudresourcemanager.googleapis.com/projects/469755381865",
        "state": "ACTIVE",
        "category": "Discovery: Service Account Self-Investigation",
        "sourceProperties": {
          "sourceId": {
            "projectNumber": "469755381865",
            "customerOrganizationNumber": "236378329325"
          },
          "detectionCategory": {
            "technique": "discovery",
            "indicator": "audit_log",
            "ruleName": "iam_anomalous_behavior",
            "subRuleName": "service_account_gets_own_iam_policy"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/469755381865"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "projectId": "orbital-signal-243013",
                "resourceContainer": "projects/orbital-signal-243013",
                "timestamp": {
                  "seconds": "1622678907",
                  "nanos": 448368000
                },
                "insertId": "v2rzg4d9u9q"
              }
            }
          ],
          "properties": {
            "serviceAccountGetsOwnIamPolicy": {
              "principalEmail": "prisma-cloud-serv-zlbni@orbital-signal-243013.iam.gserviceaccount.com",
              "projectId": "orbital-signal-243013",
              "callerIp": "52.39.60.41",
              "callerUserAgent": "Redlock/GC-MDC/resource-manager/orbital-signal-243013 Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)",
              "rawUserAgent": "Redlock/GC-MDC/resource-manager/orbital-signal-243013 Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)"
            }
          },
          "contextUris": {
            "mitreUri": {
              "displayName": "Permission Groups Discovery: Cloud Groups",
              "url": "https://attack.mitre.org/techniques/T1069/003/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-06-03T00:08:27.448368Z%22%0AinsertId%3D%22v2rzg4d9u9q%22%0Aresource.labels.project_id%3D%22orbital-signal-243013%22?project=orbital-signal-243013"
              }
            ]
          }
        },
        "securityMarks": {
          "name": "organizations/236378329325/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m/securityMarks"
        },
        "eventTime": "2021-06-03T00:08:27.448Z",
        "createTime": "2021-06-03T00:08:31.074Z",
        "severity": "LOW",
        "canonicalName": "projects/469755381865/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
        "mute": "UNDEFINED",
        "findingClass": "THREAT",
        "mitreAttack": {
          "primaryTactic": "DISCOVERY",
          "primaryTechniques": [
            "PERMISSION_GROUPS_DISCOVERY",
            "CLOUD_GROUPS"
          ]
        }
      },
      "resource": {
        "name": "//cloudresourcemanager.googleapis.com/projects/469755381865",
        "projectName": "//cloudresourcemanager.googleapis.com/projects/469755381865",
        "projectDisplayName": "orbital-signal-243013",
        "parentName": "//cloudresourcemanager.googleapis.com/organizations/236378329325",
        "parentDisplayName": "brinstar.net",
        "type": "google.cloud.resourcemanager.Project",
        "displayName": "orbital-signal-243013"
      }
    }
}
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for findings (is_success=true): "Successfully returned details about the following findings in Security Command Center: {name of the findings that returned data}."

If data is not available for one finding (is_success=true): "Action wasn't able to find the following findings in Security Command Center: {name of the findings that returned data}."

If no data is available for findings (is_success=false): "None of the provided findings were found in Security Command Center."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Security Command Center". Reason: {0}''.format(error.Stacktrace)

If an error is reported in the response: "Error executing action "Security Command Center". Reason: {0}''.format(error/message)

General
Case Wall Table

Table Name: Finding Details

Table Columns:

  • Category - category
  • State - state
  • Severity - severity
  • Type - findingClass
General

List Asset Vulnerabilities

Description

List vulnerabilities related to the entities in Security Command Center.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Asset Resource Names CSV N/A Yes Specify a comma-separated list of resource names of the assets for which you want to return data.
Timeframe DDL

All Time

Possible Value:

  • Last Week
  • Last Month
  • Last Year
  • All Time
No Specify the time frame for the vulnerabilities or misconfiguration search.
Record Types DDL

Vulnerabilities + Misconfigurations

Possible Values:

  • Vulnerabilities Misconfigurations
  • Vulnerabilities + Misconfigurations
No Specify the type of record that should be returned.
Output Type DDL

Statistics

Possible Values:

  • Statistics
  • Data
  • Statistics + Data
No Specify the type of output that should be returned in the JSON result for the asset.
Max Records To Return String 100 No Specify the number of records to return per record type per assets.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
   ."siemplify_asset_display_name":[1] [2]  ""
"vulnerabilities": {
        "statistics": {
            "critical": 1,
            "high": 1,
            "medium": 1,
            "low": 1,
            "undefined": 1
        },
        "data": [
            {
                "category": {category}
                "description": {description}
                "cve_id": {vulnerability/cve/id}
                "event_time": {eventTime}
                "related_references": [{vulnerability/cve/references/uri}]
                "severity": {severity}
            }
        ]
    },
    "misconfigurations": {
        "statistics": {
            "critical": 1,
            "high": 1,
            "medium": 1,
            "low": 1,
            "undefined": 1
        },
        "data": [
            {
                "category": {category}
                "description": {description}
                "recommendation": {sourceProperties/Recommendation}
                "event_time": {eventTime}
                "severity": {severity}
            }
        ]
    },
}

Should either take from "resourceDisplayName" or "Asset Name" that was provided.
if securityCenterProperties.resourceType" == "google.iam.ServiceAccount", then action needs to use  "resourceProperties.email" as display_name.

if securityCenterProperties.resourceType" == "google.compute.Address", then action needs to use "resourceProperties.address" as display_name.
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully returned related vulnerabilities and misconfigurations to the following entities in Security Command Center: {assets}."

If data is not available for one vulnerability or misconfiguration (is_success=true): "No vulnerabilities and misconfigurations were found to the following entities in Security Command Center: {assets}".

If no data is available (is_success = true): "No vulnerabilities and misconfigurations were found for the provided assets in Security Command Center"

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Security Command Center". Reason: {0}''.format(error.Stacktrace)

If an error is reported in the response: "Error executing action "Security Command Center". Reason: {0}''.format(error/message)

General
Case Wall Table

Table Name: {asset} Vulnerabilities

Table Columns:

  • Category - category
  • Description - description
  • Severity - severity
  • Event Time - event_time
  • CVE - cve_id
Per asset
Case Wall Table

Table Name: {asset} Misconfigurations

Table Columns:

  • Category - category
  • Description - description
  • Severity - severity
  • Event Time - event_time
  • Recommendation - cve_id
Per asset

Ping

Description

Test connectivity to Security Command Center with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Security Command Center server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Security Command Center server! Error is {0}".format(exception.stacktrace)"

General

Update Finding

Description

Update finding in Security Command Center.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Finding Name CSV organizations/{organization_id}/sources/{source_id}/findings/{finding_id} Yes

Specify a comma-separated list of finding names which you want to update.

Note: Finding name has the following structure:
organizations/{organization_id}/sources/{source_id}/findings/{finding_id}

Mute Status DDL

Select One

Possible Values:

  • Select One
  • Mute
  • Unmute
No Specify the mute status for the finding.
State Status DDL

Select One

Possible Values:

  • Select One
  • Active
  • Inactive
No Specify the state status for the finding.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully updated the following findings in Security Command Center: {name of the findings that returned data}."

If data is not available for one finding (is_success=true): "Action wasn't able to find the following findings in Security Command Center: {name of the findings that returned data}."

If no data is available (is_success=false): "None of the provided findings were found in Security Command Center"

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Finding". Reason: {0}''.format(error.Stacktrace)

If an error is reported in the response: "Error executing action "Update Finding". Reason: {0}''.format(error/message)

If the "Mute Status" or "State Status" parameter is set to "Select One": "Error executing action "Update Finding". Reason: at least one of "Mute Status" or "State Status" should have a value.''.format(error/message)

General

Connectors

Google Security Command Center - Findings Connector

Description

Pull information about findings from Security Command Center.

Configure Google Security Command Center - Findings Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field through regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API Root String N/A Yes API root of the Security Command Center instance.
Organization ID String N/A No ID of the organization that should be used in the Security Command Center integration.
User's Service Account Password N/A Yes

Service account of the Security Command Center instance.

A full content of the service account JSON file should be provided.

Finding Class Filter CSV Threat,Vulnerability,Misconfiguration,SCC_Error,Observation No

Finding classes that should be ingested.

Possible values: Threat, Vulnerability, Misconfiguration, SCC_Error, Observation.

If nothing is provided, findings from all classes are ingested.

Lowest Severity To Fetch String High No

The lowest severity that is used to fetch findings.

Possible values:

  • Low
  • Medium
  • High
  • Critical

Note: If finding with undefined severity is ingested, it has the Medium severity.

If nothing is provided, findings with all severities are ingested.

Max Hours Backwards Integer 1 No

Number of hours from where to fetch findings.

Maximum: 24

Max Findings To Fetch Integer 100 No

Number of findings to process per one connector iteration.

Maximum: 1000

Use dynamic list as a blacklist Checkbox Unchecked Yes If enabled, the dynamic lists is used as a blocklist.
Verify SSL Checkbox Unchecked Yes If enabled, verifies that the SSL certificate for the connection to the Sumo Logic Cloud SIEM server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports proxy.