Collect Nucleus Security - Nucleus Unified Vulnerability Management logs

This document explains how to ingest Nucleus Security - Nucleus Unified Vulnerability Management logs to Google Security Operations using Amazon S3.

Nucleus Security provides a unified vulnerability management platform that aggregates and enriches vulnerability data from 150+ security tools, asset inventories, and threat intelligence sources. The platform enables organizations to prioritize and remediate critical exposures at scale through automated workflows, risk-based prioritization, and comprehensive reporting.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Nucleus Security console with connector configuration permissions
  • Privileged access to AWS (S3, IAM)

Configure Nucleus Security

To configure Nucleus Security to export vulnerability and asset data to S3, you must first set up the AWS connector in your Nucleus project.

  1. Sign in to your Nucleus Security console.
  2. Go to Integration Hub > Connector Setup.
  3. Select Amazon Web Services.
  4. In the Name field, enter a name for the connector (for example, Chronicle S3 Export).
  5. In the Description field, enter a description for this connector (for example, Export to Chronicle via S3).
  6. In the Authentication section, note the AWS External ID and AWS Account values displayed. You will use these values when creating the cross-account role in AWS.
  7. Leave this page open. You will return to complete the configuration after setting up AWS resources.

Configure AWS S3 bucket and IAM for Google SecOps

Create the S3 bucket and an IAM user whose access keys are entered both in Nucleus (to write exports to the bucket) and in the Google SecOps feed (to read them):

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for future reference (for example, nucleus-chronicle-export).
  3. Create a User following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: Add a description tag.
  10. Click Create access key.
  11. Click Download .csv file to save the Access Key and Secret Access Key for future reference.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for the AmazonS3FullAccess policy.
  18. Select the policy.
  19. Click Next.
  20. Click Add permissions.

AmazonS3FullAccess gives this user full control of every S3 bucket in the account, and the same long-lived key is shared with two external services. For production use, attach a customer-managed policy that allows only the required actions on the export bucket and its objects, and consider a separate user (or at least a separate access key) for Nucleus and for Google SecOps so that each can be rotated or revoked independently.
Create the cross-account IAM role that the Nucleus connector assumes:

  1. In the AWS console, go to IAM > Roles > Create role.
  2. Select AWS account as the trusted entity type.
  3. Select Another AWS account.
  4. In the Account ID field, enter the AWS Account value you noted from the Nucleus connector setup page.
  5. Select Require external ID.
  6. In the External ID field, enter the AWS External ID value you noted from the Nucleus connector setup page. The external ID is the confused-deputy protection for this role: Nucleus must present it on every AssumeRole call, so another Nucleus tenant who learns your role ARN cannot make Nucleus assume the role on their behalf.
  7. Click Next.
  8. Search for and select the AmazonS3FullAccess policy.
  9. Click Next.
  10. In the Role name field, enter NucleusAWSConnectorRole.
  11. Click Create role.
  12. Select the newly created NucleusAWSConnectorRole role.
  13. Copy the ARN value (for example, arn:aws:iam::123456789012:role/NucleusAWSConnectorRole). You will use this in the next section.

AmazonS3FullAccess is broader than the connector needs; where possible, replace it on the role with a policy scoped to the export bucket.
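The two policy documents behind NucleusAWSConnectorRole, with the checks a reviewer would run before attaching them, as an added example that is not code from Nucleus Security or Google. The trust policy is what the console builds from the "Another AWS account" and "Require external ID" choices above; bucket_scoped_policy() is a least-privilege alternative proposed here to the AmazonS3FullAccess managed policy the steps attach. The account ID, external ID and bucket name are placeholders.

```python
"""
Trust and permissions policies for the Nucleus cross-account role, plus two
review checks: the trust policy must name a specific account and require the
external ID, and the permissions policy must stay inside the export bucket.
Added example; account ID, external ID and bucket name are placeholders.
"""
import json


def trust_policy(nucleus_account_id: str, external_id: str) -> dict:
    """Only the Nucleus AWS account may call sts:AssumeRole on the role, and
    only when it presents the external ID shown on the connector setup page
    (the confused-deputy guard AWS recommends for third-party access)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{nucleus_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def bucket_scoped_policy(bucket: str) -> dict:
    """Least-privilege replacement for AmazonS3FullAccess: list the export
    bucket and read/write/delete objects inside it, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def trust_policy_problems(policy: dict) -> list:
    """Return the reasons a trust policy is unsafe for a third-party connector."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("principal is '*': any AWS account could assume the role")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            problems.append("no sts:ExternalId condition: confused-deputy risk")
    return problems


def permissions_policy_problems(policy: dict, bucket: str) -> list:
    """Flag Allow statements whose resources reach beyond the export bucket."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res not in in_scope:
                problems.append(f"resource {res} is outside bucket {bucket}")
    return problems


# Shape of the AWS-managed AmazonS3FullAccess policy, for comparison.
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "s3-object-lambda:*"],
                   "Resource": "*"}],
}


if __name__ == "__main__":
    bucket = "nucleus-chronicle-export"
    tp = trust_policy("111122223333", "example-external-id")   # placeholders
    print(json.dumps(tp, indent=2))
    print("trust policy problems:", trust_policy_problems(tp))
    print("scoped policy problems:", permissions_policy_problems(bucket_scoped_policy(bucket), bucket))
    print("AmazonS3FullAccess problems:", permissions_policy_problems(AMAZON_S3_FULL_ACCESS, bucket))
```

Paste the trust policy into the role's trust relationship and the scoped policy into a customer-managed policy attached to the role; the checks are the conditions you would expect a policy linter or a pull-request review of the Terraform to enforce.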

Configure Nucleus Security Amazon S3 connection

  1. Return to the Nucleus Security console where you left the AWS connector configuration page open.
  2. In the Authentication section, click the green plus button to add a new AWS role.
  3. In the Label field, enter a label for the role (for example, Chronicle Export Role).
  4. In the Role ARN field, enter the Amazon Resource Name (ARN) for the role you created in the previous section.
  5. Click Verify Credentials.
  6. Wait for the message confirming a successful connection to appear.
  7. In the S3 Data Upload section, select the checkbox to enable uploading asset and finding data to S3 buckets.
  8. In the S3 Bucket Name field, enter the name of the S3 bucket you created (for example, nucleus-chronicle-export).
  9. In the S3 Bucket Region dropdown, select the region matching your S3 bucket.
  10. In the AWS Access Key ID field, enter the access key you saved in step 11 of the AWS configuration.
  11. In the AWS Secret Access Key field, enter the secret key you saved in step 11 of the AWS configuration.
  12. Click Save & Finish.

Configure a feed in Google SecOps to ingest Nucleus Security logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. Enter a unique name for the Feed name.
  5. Select Amazon S3 V2 as the Source type.
  6. Select Nucleus Security - Nucleus Unified Vulnerability Management as the Log type.
  7. Click Next.
  8. Specify values for the following fields:

    • S3 URI: s3://nucleus-chronicle-export/
    • Source deletion option: Select the deletion option according to your preference
    • Maximum File Age: Include files modified in the last number of days (default is 180 days)
    • Access Key ID: User access key with access to the S3 bucket
    • Secret Access Key: User secret key with access to the S3 bucket
    • Asset namespace: The asset namespace
    • Ingestion labels: The label to be applied to the events from this feed
  9. Click Next and then click Submit.

UDM mapping table

Log field | UDM mapping | Logic
host_score | entity.asset.attribute.labels | Custom labels or attributes associated with the asset
risk_score | entity.asset.attribute.labels | Custom labels or attributes associated with the asset
scan_type | entity.asset.attribute.labels | Custom labels or attributes associated with the asset
status | entity.asset.deployment_status | Deployment status of the asset
asset_name | entity.asset.hostname | Hostname of the asset
ip_address | entity.asset.ip | IP address associated with the asset
asset_id | entity.asset.product_object_id | Product-specific identifier for the object
finding_name | entity.asset.vulnerabilities.description | Description of the vulnerability
finding_name | entity.asset.vulnerabilities.name | Name of the vulnerability
finding_severity | entity.asset.vulnerabilities.severity | Severity level of the vulnerability
nucleus_url | entity.url | URL of the entity
metadata.entity_type | metadata.entity_type | Type of entity
metadata.product_name | metadata.product_name | Name of the product that generated the event
metadata.vendor_name | metadata.vendor_name | Name of the vendor that produced the product
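What the mapping table produces in practice, as an added example that is not the Google SecOps parser or any Nucleus code. The input records are constructed; their keys follow the table's "Log field" column rather than a documented Nucleus export schema, and the metadata values (entity_type ASSET, the product and vendor names) are assumed from the log type name. It goes one step beyond the table by folding several finding rows for the same asset into one entity, since entity.asset.vulnerabilities is a repeated field.

```python
"""
Map Nucleus asset/finding records to UDM entities per the mapping table.
Added example: record keys and metadata values are assumptions, and the
sample records are constructed.
"""
from typing import Optional

LABEL_FIELDS = ("host_score", "risk_score", "scan_type")  # -> entity.asset.attribute.labels

METADATA = {  # assumed; the table names these UDM fields but not their values
    "entity_type": "ASSET",
    "product_name": "Nucleus Unified Vulnerability Management",
    "vendor_name": "Nucleus Security",
}


def finding_to_vulnerability(record: dict) -> Optional[dict]:
    """finding_name feeds both vulnerabilities.name and .description;
    finding_severity feeds vulnerabilities.severity."""
    vuln = {}
    if record.get("finding_name"):
        vuln["name"] = record["finding_name"]
        vuln["description"] = record["finding_name"]
    if record.get("finding_severity"):
        vuln["severity"] = record["finding_severity"]
    return vuln or None


def record_to_entity(record: dict) -> dict:
    """Map one record (one asset, zero or one finding) to a UDM entity dict."""
    asset = {}
    labels = [{"key": k, "value": str(record[k])}
              for k in LABEL_FIELDS if record.get(k) is not None]
    if labels:
        asset["attribute"] = {"labels": labels}
    if record.get("status"):
        asset["deployment_status"] = record["status"]
    if record.get("asset_name"):
        asset["hostname"] = record["asset_name"]
    if record.get("ip_address"):
        asset["ip"] = [record["ip_address"]]          # entity.asset.ip is repeated
    if record.get("asset_id") is not None:
        asset["product_object_id"] = str(record["asset_id"])
    vuln = finding_to_vulnerability(record)
    if vuln:
        asset["vulnerabilities"] = [vuln]             # repeated; one finding per record
    entity = {"asset": asset}
    if record.get("nucleus_url"):
        entity["url"] = record["nucleus_url"]
    return {"metadata": dict(METADATA), "entity": entity}


def records_to_entities(records: list) -> list:
    """Merge records that share an asset_id into one entity carrying every
    distinct finding, so an asset with N findings yields one entity, not N.
    Assumes the export carries one row per finding."""
    by_asset = {}  # insertion-ordered
    for rec in records:
        key = str(rec.get("asset_id") if rec.get("asset_id") is not None else rec.get("asset_name"))
        ent = record_to_entity(rec)
        if key not in by_asset:
            by_asset[key] = ent
            continue
        existing = by_asset[key]["entity"]["asset"]
        for v in ent["entity"]["asset"].get("vulnerabilities", []):
            if v not in existing.setdefault("vulnerabilities", []):
                existing["vulnerabilities"].append(v)
    return list(by_asset.values())


# Constructed sample: two findings on one host, plus a host with no finding.
SAMPLE_RECORDS = [
    {"asset_id": 1001, "asset_name": "web-01.example.internal", "ip_address": "10.0.4.17",
     "status": "Active", "host_score": 87, "risk_score": 9.1, "scan_type": "Tenable",
     "finding_name": "Outdated OpenSSH version", "finding_severity": "Critical",
     "nucleus_url": "https://nucleus.example.internal/projects/1/assets/1001"},
    {"asset_id": 1001, "asset_name": "web-01.example.internal", "ip_address": "10.0.4.17",
     "status": "Active", "host_score": 87, "risk_score": 9.1, "scan_type": "Tenable",
     "finding_name": "TLS 1.0 enabled", "finding_severity": "Medium",
     "nucleus_url": "https://nucleus.example.internal/projects/1/assets/1001"},
    {"asset_id": 1002, "asset_name": "db-01.example.internal", "ip_address": "10.0.4.40",
     "status": "Decommissioned", "host_score": 0, "scan_type": "Qualys"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(records_to_entities(SAMPLE_RECORDS), indent=2))
```

Running it against a sample of your own export before enabling the feed is a quick way to confirm that the field names Nucleus writes line up with the table; any key the mapping does not know simply does not appear in the entity.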
