Update Enterprise use case, June 2024

Updates are available for the security operations features of the Enterprise tier of Security Command Center. To apply the updates, you need to follow the procedures on this page.

The update procedure includes the following high-level steps:

  1. Prepare the system for update by disabling a connector and deleting certain existing playbooks.
  2. Install the latest version of the SCC Enterprise – Cloud Orchestration and Remediation use case.
  3. Validate the installation and run the updated playbooks.

Confirm that you have the required roles

To complete this procedure, you must be granted one of the following SOC roles in the Security Operations console:

  • Administrator
  • Vulnerability Manager
  • Threat Manager

For more details about SOC roles in the Security Operations console and permissions required for users, see Control access to features in the Security Operations console.

Prepare the system for the update

Before updating the use case, you need to disable the SCC Enterprise – Urgent Posture Findings Connector and delete the playbooks provided by the current use case version.

Disable the connector

To avoid having alerts with no playbooks attached, disable the SCC Enterprise – Urgent Posture Findings Connector before deleting playbooks. Findings collected while the connector is disabled are ingested by Security Command Center after you update and enable the connector.

To disable the connector, complete the following steps:

  1. In the Security Operations console, go to Settings > SOAR Settings > Ingestion > Connectors.
  2. Under SCCEnterprise, select SCC Enterprise – Urgent Posture Findings Connector.
  3. Switch the toggle to disable the connector.
  4. Click Save.

Delete playbooks

To avoid playbook duplication, delete default playbooks that you use in the current version of your use case. Deleting playbooks before upgrading the use case has no impact on the case management.

To delete default playbooks, complete the following steps:

  1. In the Security Operations console, go to Response > Playbooks.
  2. To show only playbooks and hide blocks on the Playbooks page, change the drop-down filter from Show All to Playbooks.
  3. Select Siemplify Use Cases. The folder contains the following default playbooks:
    • AWS Threat Response Playbook
    • GCP Threat Response Playbook
    • IAM Recommender Response
    • Posture Findings – Generic
    • Posture Findings With Jira
    • Posture Findings With ServiceNow
  4. In the Playbooks page navigation, click Edit to select multiple items.
  5. Next to Siemplify Use Cases, click Select all to select all playbooks in the folder.
  6. In the Playbooks page navigation, click Menu > Delete. A window appears that requires you to confirm or cancel the deletion of the selected playbooks.
  7. Click Confirm.

    Now you can update your use case version.

Install the Security Command Center Enterprise use case

Install the latest version of the SCC Enterprise use case and check that all integrations provided in the use case are up to date.

Install the latest use case

To install the latest version of the SCC Enterprise – Cloud Orchestration and Remediation use case, complete the following steps:

  1. In the Security Operations console, go to Marketplace > Use Cases.
  2. Open the Filter by categories dialog by clicking the filter icon.
  3. In the Filter by categories dialog, type SCC Enterprise. The use case appears in the Use Cases section.
  4. In the description of the SCC Enterprise – Cloud Orchestration and Remediation use case, check for a date.

    • If the date is earlier than the date of the latest use case or there is no date in the description, delete the use case. The latest use case appears in place of the deleted use case automatically.
    • If the date in the SCC Enterprise – Cloud Orchestration and Remediation use case is the expected date of the latest use case, confirm that the playbooks in the latest use case are installed by completing the following steps:

      1. Click the use case to open the installation wizard.
      2. Expand the playbooks category and take note of any new or updated playbooks.
      3. On the Response > Playbooks page in the Security Operations console, search for the new or updated playbook. If you find the new or updated playbook, the use case installation is already complete.
  5. To complete the installation of the use case, click the SCC Enterprise – Cloud Orchestration and Remediation use case and follow the instructions in the installation wizard.

Apply and validate configurations from the new use case

You need to validate that the various features included in the latest use case are updated correctly. For certain features, you need to apply the updates from the new use case manually.

Validate integration versions in the use case

To ensure that the integrations in the use case are up to date, complete the following steps:

  1. In the Security Operations console, go to Marketplace > Integrations.
  2. In the Type field, select All Integrations.
  3. In the Status field, select Available Upgrade. All of the integrations that require an upgrade are displayed.
  4. To upgrade an integration, click the circular upgrade icon in the integration card and complete the upgrade wizard. Upgrading the Security Command Center Enterprise integration is required.

Validate the synchronization job

After installing the latest use case version and validating the integration versions, check that the Sync SCC Data job contains updated parameters.

To validate the synchronization job, complete the following steps:

  1. In the Security Operations console, go to Response > Job Scheduler.
  2. Under GoogleSecurityCommandCenter, select Sync SCC Data.
  3. In the Parameters section, check that the Project ID and Quota Project ID parameter values are the same.

    If the values are the same, the job is up to date. You can proceed to updating the case view widgets.

    If the values differ, proceed to the following section.

Update the synchronization job parameters

If the synchronization job failed to update automatically during the use case update, you need to manually enter the values for the Project ID and Quota Project ID parameters.

To specify the correct parameter values, complete the following steps:

  1. Go to Settings > SOAR Settings > Ingestion > Connectors.
  2. Under SCCEnterprise, select SCC Enterprise – Urgent Posture Findings Connector.
  3. In the Parameters section, copy the value of the Quota Project ID parameter.
  4. Go to Response > Job Scheduler.
  5. Under GoogleSecurityCommandCenter, select Sync SCC Data.
  6. In the Parameters section of the Sync SCC Data job, enter the copied value in the Project ID and Quota Project ID fields.
  7. Click Save.

Update case view widgets

  1. In the Security Operations console, go to Settings > SOAR Settings > Case Data > Views.
  2. Select Default Case View.
  3. Select the Predefined tab.
  4. From the Default Case View panel, delete the following widgets:
    • Finding Summary (Misconfiguration)
    • Finding Summary (Vulnerability)
    • SCC - Finding State
    • SCC Next Steps
    • Ticket Information
  5. Drag the widgets from the Predefined tab into the Default Case View in the following recommended order:

    1. Case Summary
    2. Toxic combination attack path
    3. Findings
    4. AI Investigation/Gemini Summary
    5. Finding Summary
    6. SCC - Finding State
    7. Impacted Assets
    8. Impacted AWS Assets
    9. Ticket Information
    10. Pending Actions
    11. Alerts
    12. Entities Graph
    13. Entities Highlights
    14. Latest Case Wall Activity
    15. Recommendations
    16. Statistics
  6. Click Save View.

Validate widgets

To ensure that you get the correct information, validate that the following widgets contain the correct condition:

  • Toxic combination attack path
  • Finding
  • Entities Graph
  • AI Investigation/Gemini Summary

To validate the widgets, complete the following steps:

  1. In the Security Operations console, go to Settings > SOAR Settings > Case Data > Views.
  2. Select Default Case View.
  3. For both the Toxic combination attack path and Finding widgets, click Configuration.
  4. Under Advanced Settings, in the Conditions section, the condition should be as follows: [Case.Tags] () Toxic Combination. If not, update the condition and click Save.
  5. For both the Entities Graph and AI Investigation/Gemini Summary widgets, click Configuration.
  6. Under Advanced Settings, in the Conditions section, the condition should be as follows: [Case.Tags] !() Toxic Combination. If not, update the condition and click Save.

Create an alert grouping rule

To support updates for the latest use case version, create a new alert grouping rule.

To create an alert rule, complete the following steps:

  1. In the Security Operations console, go to Settings > SOAR Settings > Advanced > Alerts Grouping.
  2. In the Rules section, click Add. The Add grouping rule window opens.
  3. In the Category field, select Data Source.
  4. In the Data Source field, select SCCEnterprise.
  5. In the Group By field, select Source Grouping Identifier.
  6. Click Create.
  7. In the Alerts Grouping page, click Save.

Enable playbooks

To enable a playbook for processing vulnerabilities and misconfigurations, complete the following steps:

  1. In the Security Operations console, go to Response > Playbooks.
  2. Select the Siemplify Use Cases folder.

    If you didn't integrate with ticketing systems, ensure that the Posture Findings – Generic playbook is enabled.

    If you integrated with ticketing systems, complete the following steps:

    1. Select the Posture Findings – Generic playbook.
    2. Switch the toggle to disable it.
    3. Click Save.
    4. If you integrated with Jira, select the Posture Findings With Jira playbook.
      1. Switch the toggle to enable the playbook.
      2. Click Save.
    5. If you integrated with ServiceNow, select the Posture Findings With ServiceNow playbook.
      1. Switch the toggle to enable the playbook.
      2. Click Save.

Rerun playbooks

To apply the new playbooks to existing alerts, rerun the playbooks. Rerunning a playbook doesn't create new tickets for existing alerts.

To rerun a playbook, complete the following steps:

  1. In the Security Operations console, go to Cases.
  2. Select an open case.
  3. In the Case View, select an alert to rerun a playbook on.
  4. In the Playbooks tab, next to the playbook name, click Rerun Playbook.

Update the connector

Updating the use case doesn't update the connector automatically. To ensure that data ingestion works as expected after the use case update, update the connector.

To update the connector, complete the following steps:

  1. In the Security Operations console, go to Settings > SOAR Settings > Ingestion > Connectors.
  2. Under SCCEnterprise, select SCC Enterprise – Urgent Posture Findings Connector.
  3. Click Update.
  4. Switch the toggle to enable the connector.
  5. Click Save.

Verify the update configuration

To ensure that all use case components are updated successfully, test the connector and job.

Test the connector

  1. In the Security Operations console, go to Settings > SOAR Settings > Ingestion > Connectors.
  2. Under SCCEnterprise, select SCC Enterprise – Urgent Posture Findings Connector.
  3. Go to the Testing tab.
  4. Click Run connector once. If the connector configuration is correct, a checkmark appears.

Test the job

  1. In the Security Operations console, go to Response > Job Scheduler.
  2. Under GoogleSecurityCommandCenter, select Sync SCC Data.
  3. Click Run Now. If the job works as expected, the job status is Success.

Troubleshooting

  • In the Finding Summary widget, if the Next Steps section of a finding alert is formatted incorrectly or is missing, rerun the playbook on one alert from the affected case.

  • The Sync SCC Data job displays the following error:

    TIPCommon.exceptions.JobSetupError: Resource already exists in the project (resource={identifier}_topic)

    Wait for ten minutes and click Run Now. If the error persists, complete the following steps:

    1. In the job Parameters section, delete the Organization ID parameter value.
    2. Enter the Organization ID parameter value.
    3. Click Save.
    4. Click Run Now.