This page explains how to automatically send Security Command Center findings, assets, audit logs, and security sources to Google Security Operations SOAR. It also describes how to manage the exported data.
Before you begin, ensure that the required Security Command Center and Google Cloud services are properly configured and enable Google SecOps SOAR to access findings, audit logs, and assets in your Security Command Center environment. For more information on the Security Command Center integration for Google SecOps SOAR, see Security Command Center in the Google Security Operations documentation.
Configure authentication and authorization
Before connecting to Google SecOps SOAR, you need to create an Identity and Access Management (IAM) service account and grant it IAM roles at both the organization and project levels.
Create a service account and grant IAM roles
In this document, this service account is also called the user service account. The following steps use the Google Cloud console. For other methods, see the links at the end of this section.
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
- In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.
Grant the service account the following role:
- Pub/Sub Editor (roles/pubsub.editor)
Copy the name of the service account that you just created.
Use the project selector in the Google Cloud console to switch to the organization level.
Open the IAM page for the organization:
On the IAM page, click Grant access. The grant access panel opens.
In the Grant access panel, complete the following steps:
- In the Add principals section in the New principals field, paste the name of the service account.
In the Assign roles section, use the Role field to grant the following IAM roles to the service account:
- Security Center Admin Viewer (roles/securitycenter.adminViewer)
- Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
- Organization Viewer (roles/resourcemanager.organizationViewer)
- Cloud Asset Viewer (roles/cloudasset.viewer)
Click Save. The service account appears on the Permissions tab of the IAM page under View by principals.
By inheritance, the service account also becomes a principal in all child projects of the organization. The roles that are applicable at the project level are listed as inherited roles.
For more information about creating service accounts and granting roles, see the following topics:
Create a service account for impersonation
In this document, this service account is also called the SOAR service account. Create a service account to impersonate the user service account and its permissions.
In the Google SecOps SOAR console, navigate to Response, and then click Integrations setup.
In the Integrations setup page, click Create a new instance. The Add instance dialog opens.
In the Integrations list, select Google Security Command Center and click Save. The Google Security Command Center - Configure Instance dialog opens.
In the Workload Identity Email field, specify the service account email ID.
Click Save.
Provide the credentials to Google SecOps SOAR
Depending on where you are hosting Google SecOps SOAR, how you provide the IAM credentials to Google SecOps SOAR differs.
- If you are hosting Google SecOps SOAR in Google Cloud, the user service account that you created and the organization level roles that you granted to it are available automatically by inheritance from the parent organization.
- If you are hosting Google SecOps SOAR in your on-premises environment, create a key for the user service account that you created. You need the service account key JSON file to complete this task. To learn about best practices for storing your service account keys securely, see Best practices for managing service account keys.
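The console steps above, expressed as gcloud commands. This is an added example, not code from the page or from Google: the project ID, organization ID, service account names and the SOAR service account email are placeholders, and the script defaults to a dry run (DRY_RUN=1) that prints each command so the grants can be reviewed before they are applied with DRY_RUN=0. The Service Account Token Creator binding is the one the Workload Identity Email parameter later requires, and the key-file function is only for the on-premises case.

```shell
#!/bin/sh
# Added example (not from the page or Google): gcloud equivalent of the
# "Create a service account and grant IAM roles" and impersonation steps.
# All identifiers below are placeholders; override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-pubsub-project}"     # project that holds the Pub/Sub topics
ORG_ID="${ORG_ID:-123456789012}"                  # numeric organization ID
USER_SA_NAME="${USER_SA_NAME:-scc-soar-user}"     # the "user service account"
SOAR_SA_EMAIL="${SOAR_SA_EMAIL:-soar-runtime@my-soar-project.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

user_sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$USER_SA_NAME" "$PROJECT_ID"; }

# Roles exactly as the page lists them: one at project level, four at organization level.
project_roles() { printf '%s\n' roles/pubsub.editor; }
org_roles() {
  printf '%s\n' roles/securitycenter.adminViewer \
    roles/securitycenter.notificationConfigEditor \
    roles/resourcemanager.organizationViewer \
    roles/cloudasset.viewer
}

create_user_service_account() {
  run gcloud iam service-accounts create "$USER_SA_NAME" \
    --project="$PROJECT_ID" --display-name="SCC export to Google SecOps SOAR"
}

grant_project_roles() {
  for role in $(project_roles); do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$(user_sa_email)" --role="$role"
  done
}

grant_org_roles() {
  for role in $(org_roles); do
    run gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:$(user_sa_email)" --role="$role"
  done
}

# Impersonation: the SOAR service account needs Service Account Token Creator
# on the user service account (a binding on the service account resource itself,
# not on the project or organization).
allow_impersonation() {
  run gcloud iam service-accounts add-iam-policy-binding "$(user_sa_email)" \
    --member="serviceAccount:$SOAR_SA_EMAIL" --role=roles/iam.serviceAccountTokenCreator
}

# On-premises SOAR only: export a key file. Cloud-hosted SOAR needs no key.
create_onprem_key() {
  run gcloud iam service-accounts keys create "$1" --iam-account="$(user_sa_email)"
}

main() {
  create_user_service_account
  grant_project_roles
  grant_org_roles
  allow_impersonation
}

main
```

Run it once with the default DRY_RUN=1 to review the bindings, then again with DRY_RUN=0. Every role granted is a viewer or editor role scoped to what the integration reads or writes, so the user service account never needs organization-wide admin rights.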
Configure notifications
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
Set up finding notifications as follows:
- Enable the Security Command Center API.
- Create a Pub/Sub topic for findings.
- Create a NotificationConfig object that contains the filter for findings that you want to export. The NotificationConfig must use the Pub/Sub topic you created for findings.
Enable the Cloud Asset API for your project.
You need your organization ID, project ID, and the Pub/Sub subscription ID from this task to configure Google SecOps SOAR. To retrieve your organization ID and project ID, see Retrieving your organization ID and Identifying projects, respectively.
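The notification steps above as one gcloud script. This is an added example, not code from the page or from Google: the project, organization, topic, subscription and NotificationConfig names are placeholders, the findings filter shown is only one reasonable choice, and the script prints its commands by default (DRY_RUN=1). It ends by printing the three values (organization ID, project ID, subscription ID) that the SOAR configuration asks for.

```shell
#!/bin/sh
# Added example (not from the page or Google): gcloud equivalent of
# "Configure notifications". Identifiers are placeholders.
PROJECT_ID="${PROJECT_ID:-my-pubsub-project}"
ORG_ID="${ORG_ID:-123456789012}"
TOPIC="${TOPIC:-scc-findings}"
SUBSCRIPTION="${SUBSCRIPTION:-scc-findings-soar}"
NOTIFICATION_CONFIG="${NOTIFICATION_CONFIG:-scc-findings-to-soar}"
DRY_RUN="${DRY_RUN:-1}"
# Findings filter for the NotificationConfig (assumption: export only active
# HIGH and CRITICAL findings; adjust to what SOAR should receive).
if [ -z "${FINDINGS_FILTER:-}" ]; then
  FINDINGS_FILTER='state="ACTIVE" AND (severity="HIGH" OR severity="CRITICAL")'
fi

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

topic_path() { printf 'projects/%s/topics/%s' "$PROJECT_ID" "$TOPIC"; }

# Step 1 (and the Cloud Asset API from the same section): enable the APIs.
enable_apis() {
  run gcloud services enable securitycenter.googleapis.com \
    cloudasset.googleapis.com pubsub.googleapis.com --project="$PROJECT_ID"
}

# Step 2: the topic findings are published to, plus the subscription SOAR reads.
create_topic() { run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"; }
create_subscription() {
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" --topic="$TOPIC" --project="$PROJECT_ID"
}

# Step 3: the NotificationConfig, bound to that topic, with the findings filter.
create_notification_config() {
  run gcloud scc notifications create "$NOTIFICATION_CONFIG" \
    --organization="$ORG_ID" --pubsub-topic="$(topic_path)" --filter="$FINDINGS_FILTER"
}

# The values the SOAR configuration needs from this task.
soar_inputs() {
  printf 'organization_id=%s\nproject_id=%s\nsubscription_id=%s\n' \
    "$ORG_ID" "$PROJECT_ID" "$SUBSCRIPTION"
}

main() {
  enable_apis
  create_topic
  create_subscription
  create_notification_config
  soar_inputs
}

main
```

Keep the filter as narrow as the SOAR use case allows: everything the NotificationConfig matches lands in the subscription, so a broad filter turns into ingestion volume and noise on the SOAR side.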
Configure Google SecOps SOAR
Google SecOps SOAR enables enterprises and managed security service providers (MSSPs) to gather data and security alerts from different sources by combining orchestration and automation, threat intelligence, and incident response.
To use Security Command Center with Google SecOps SOAR, complete the following steps:
In the Google SecOps SOAR console, navigate to Marketplace, and then click Integrations.
Search for Google Security Command Center, and install the Security Command Center integration that appears in the search results.
On the Google Security Command Center integration, click Configure. The Google Security Command Center - Configure Instance dialog opens.
Optional: To create a new environment or to edit the environment configuration, click Settings screen. The Environments page opens in a new tab.
On the Environments page, select the environment for which you want to configure the integration instance.
In the selected environment, click Create a new instance. The Add instance dialog opens.
In the Integrations list, select Google Security Command Center and click Save. The Google Security Command Center - Configure Instance dialog opens.
Specify the configuration parameters and click Save.
Parameter | Description | Required |
---|---|---|
API Root | API root of the Security Command Center instance. For example, securitycenter.googleapis.com. | Yes |
Organization ID | ID of the organization whose findings you want to export. | No |
Project ID | ID of the project to be used in the Security Command Center integration. | No |
Quota Project ID | ID of your Google Cloud project for Google Cloud API usage and billing. | No |
Location ID | ID of the location to be used in the Security Command Center integration. Default location ID is global. | No |
User's Service Account | Service account that you created in Create a service account and grant IAM roles. If you are hosting Google SecOps SOAR in your on-premises environment, then provide the service account key ID and all the content of the service account JSON file. | Yes |
Workload Identity Email | Email that you created in Create a service account for impersonation. It is the client email of a service account that is used for impersonation in place of the user service account. The SOAR service account must be granted the Service Account Token Creator IAM role on the user service account. | Yes |
Verify SSL | Enable to verify that the SSL certificate used for the connection to the Security Command Center server is valid. | Yes |
To verify that the integration is configured correctly, click Test.
After successful verification, click Save.
Upgrade the Google Security Command Center integration
To upgrade the Google Security Command Center integration, complete the following steps:
In the Google SecOps SOAR console, navigate to Marketplace, and then click Integrations.
Search for the Google Security Command Center integration and click Upgrade to VERSION_NUMBER.
Work with findings and assets
Google SecOps SOAR uses connectors to ingest alerts from a variety of data sources into the platform.
Fetch Security Command Center alerts for analysis in Google SecOps SOAR
You need to configure a connector to pull information about findings from Security Command Center. To configure the connector, see Ingest your data (connectors).
Set the following parameters in Google SecOps SOAR to configure the Google Security Command Center - Findings connector.
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Source field name to retrieve the product field name. |
Event Field Name | String | type | Yes | Source field name to retrieve the event field name. |
Environment Field Name | String | Empty | No | Name of the field where the environment name is stored. If the environment field name isn't specified, the default environment is selected. |
Environment Regex Pattern | String | .* | No | A regular expression pattern to run on the value found in the Environment Field Name field. The default .* matches everything and returns the value unchanged. This parameter lets you manipulate the environment field through regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the default environment is selected. |
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the Python process running the current script. |
API Root | String | | Yes | API root of the Security Command Center instance. For example, securitycenter.googleapis.com. |
Organization ID | String | | No | ID of the organization that should be used in the Google Security Command Center integration. |
User's Service Account | Password | | Yes | Service account that you created in Create a service account and grant IAM roles. If you are hosting Google SecOps SOAR in your on-premises environment, then provide the service account key ID and all the content of the service account JSON file. |
Finding Class Filter | CSV | Threat, Vulnerability, Misconfiguration, SCC_Error, Observation | No | Finding classes that should be ingested. Possible values are: |
Lowest Severity To Fetch | String | High | No | The lowest severity that is used to fetch findings. Possible values are: |
Max Hours Backwards | Integer | 1 | No | Number of hours back from which to fetch findings. Maximum limit is 24. |
Max Findings To Fetch | Integer | 100 | No | Number of findings to process per connector iteration. Maximum limit is 1000. |
Use dynamic list as an exclude list | Checkbox | Disabled | Yes | Enable the dynamic list as an exclude list. |
Verify SSL | Checkbox | Disabled | Yes | Enable to verify that the SSL certificate for the connection to the Security Command Center server is valid. |
Proxy Server Address | String | | No | The address of the proxy server to use. |
Proxy Username | String | | No | The proxy username to authenticate with. |
Proxy Password | Password | | No | The proxy password to authenticate with. |
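To make the connector parameters concrete, here is an added shell example (not the connector's own code, which is not shown on this page) that models how four of them shape what gets fetched: Lowest Severity To Fetch becomes a set of severities at or above the threshold, Finding Class Filter becomes a set of finding classes, Max Hours Backwards is capped at the documented limit of 24, and Environment Regex Pattern is applied to the environment field with the documented fallback to the default environment when the pattern or value is empty. The clauses use Security Command Center's findings filter syntax (severity, finding_class, event_time in epoch milliseconds); which exact filter the connector sends is an assumption, as is the state="ACTIVE" clause.

```shell
#!/bin/sh
# Added example, not connector code: models the documented semantics of the
# Google Security Command Center - Findings connector parameters.

# severity_clause LOWEST: every Security Command Center severity at or above LOWEST.
severity_clause() {
  lowest=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  include=0; out=""
  for s in LOW MEDIUM HIGH CRITICAL; do          # ladder from lowest to highest
    if [ "$s" = "$lowest" ]; then include=1; fi
    if [ "$include" -eq 1 ]; then
      if [ -z "$out" ]; then out="severity=\"$s\""; else out="$out OR severity=\"$s\""; fi
    fi
  done
  if [ -z "$out" ]; then echo "unknown severity: $1" >&2; return 1; fi
  printf '(%s)' "$out"
}

# finding_class_clause CSV: "Threat, SCC_Error" -> (finding_class="THREAT" OR ...).
finding_class_clause() {
  out=""
  for c in $(printf '%s' "$1" | tr ',' ' '); do
    c=$(printf '%s' "$c" | tr '[:lower:]' '[:upper:]')
    if [ -z "$out" ]; then out="finding_class=\"$c\""; else out="$out OR finding_class=\"$c\""; fi
  done
  printf '(%s)' "$out"
}

# clamp_max VALUE MAX: enforce the documented limits (24 hours, 1000 findings).
clamp_max() {
  if [ "$1" -gt "$2" ]; then printf '%s' "$2"; else printf '%s' "$1"; fi
}

# resolve_environment VALUE PATTERN DEFAULT: first regex match of VALUE, else DEFAULT.
# Empty pattern or empty value selects the default environment, as documented.
resolve_environment() {
  if [ -z "$1" ] || [ -z "$2" ]; then printf '%s' "$3"; return 0; fi
  match=$(printf '%s\n' "$1" | grep -oE "$2" | head -n 1)
  if [ -n "$match" ]; then printf '%s' "$match"; else printf '%s' "$3"; fi
}

# build_findings_filter LOWEST_SEVERITY CLASSES_CSV MAX_HOURS [NOW_EPOCH_SECONDS]
# Assumption: the connector filters active findings; event_time is epoch milliseconds.
build_findings_filter() {
  hours=$(clamp_max "$3" 24)
  now=${4:-$(date +%s)}
  since_ms=$(( (now - hours * 3600) * 1000 ))
  printf 'state="ACTIVE" AND %s AND %s AND event_time >= %s' \
    "$(severity_clause "$1")" "$(finding_class_clause "$2")" "$since_ms"
}

# Demo with the table's defaults plus an over-limit lookback (48 is capped to 24).
build_findings_filter High "Threat, Vulnerability, Misconfiguration, SCC_Error, Observation" 48
echo
echo "page size: $(clamp_max 5000 1000)"
echo "environment: $(resolve_environment prod-eu-west '^[a-z]+' Default)"
```

The two limits matter operationally: a lookback above 24 hours or a page size above 1000 is silently reduced, so a connector that appears to miss older findings is usually running into these caps rather than a permissions problem.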
Enrich assets
To enable a security investigation, Google Security Operations ingests contextual data from different sources, performs analysis on the data, and provides additional context about artifacts in a customer environment.
To enrich assets using information from Security Command Center, add the enrich assets action to a playbook in Google SecOps SOAR and run the playbook. For more information, see Adding an action.
To configure this action, set the following parameters:
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Enter the source field name to retrieve the product field name. |
List alert vulnerabilities
To list vulnerabilities related to the entities in Security Command Center, add the list asset vulnerabilities action to a playbook in Google Security Operations SOAR and run the playbook. For more information, see Adding an action.
To configure this action, set the following parameters:
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Asset Resource Names | CSV | | Yes | Specify a comma-separated list of resource names of the assets for which you want to return data. |
Timeframe | DDL | All Time | No | Specify the timeframe for the vulnerabilities or misconfiguration search. Possible values are: |
Record Types | DDL | Vulnerabilities + Misconfigurations | No | Specify the type of record that should be returned. Possible values are: |
Output Type | DDL | Statistics | No | Specify the type of output that should be returned in the JSON result for the asset. Possible values are: |
Max Records To Return | String | 100 | No | Specify the number of records to return per record type per asset. |
Update findings
To update findings in Security Command Center, add the update findings action to a playbook in Google SecOps SOAR and run the playbook. For more information, see Adding an action.
To configure this action, set the following parameters:
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Finding Name | CSV | organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID | Yes | Specify a comma-separated list of finding names that you want to update. |
Mute Status | DDL | | No | Specify the mute status for the finding. Possible values are: |
State Status | DDL | | No | Specify the state status for the finding. Possible values are: |