Integrate Security Command Center with Google SecOps
Integration version: 14.0
This document explains how to integrate Security Command Center with Google Security Operations.
Before you begin
To integrate Security Command Center, you must complete the following steps:
-
Create a custom Identity and Access Management (IAM) role with the necessary permissions.
-
Configure authentication using one of the following options:
-
Workload Identity (Recommended)
Create and configure an IAM role
To create and configure a custom IAM role for the integration, complete the following steps:
-
In the Google Cloud console, go to the IAM Rolespage.
-
Click Create roleto create a custom role with permissions required for the integration.
-
Enter a Title, Description, and unique ID.
-
Set the Role Launch Stageto
General Availability. -
Add the following permissions to the created role:
-
securitycenter.assets.list -
securitycenter.findings.list -
securitycenter.findings.setMute -
securitycenter.findings.setState
-
-
Click Create.
Configure authentication
To authenticate the integration, use a service account with a JSON key, or with a Workload Identity.
Authentication with a JSON key
This method uses a static JSON key file to authenticate the service account.
Create a service account
To authenticate using a JSON key, you must first create a service account:
-
In the Google Cloud console, navigate to IAM & Admin > Service accounts.
-
Select the project where you want to create the service account.
-
Click Create Service Account.
If you prefer to use an existing service account, select the service account you want to use and generate a JSON key .
-
Provide a name and description and click Create and Continue.
-
In the Grant this service account access to projectstep, add the custom role you created.
-
Click Doneto finish creating the account.
Generate a JSON Key
Complete the following steps to generate the required JSON key file:
-
In the service accounts list, select the email address of the service account you created (or selected) to open its details.
-
Click the Keystab.
-
Click Add Key > Create new key.
-
Select JSONas the key type and click Create.
-
The JSON key file downloads to your computer. Store this file securely and paste the entire contents of this file into
User's Service Accountwhen configuring the integration parameters.
Authentication with a Workload Identity (Recommended)
This method allows the integration to impersonate a service account without the need to handle long-lived secrets.
To configure a Workload Identity, complete the following steps:
-
In the Google Cloud console, go to IAM & Admin > Service accounts.
-
Select an existing service account or create a new one.
-
Grant the custom role you created to the service account.
-
Grant the Service Usage Consumerrole to the service account. This permission is required to associate API usage with the project defined in the
Quota Project ID. -
Grant the Service Account Token Creatorrole to the service account.
This permission allows the integration to generate the short-lived credentials needed for authentication.
-
Note the Client Emailof the service account and use this value in Workload Identity Emailwhen configuring the integration parameters.
Integration parameters
The Security Command Centerintegration requires the following parameters:
| Parameter | Description |
|---|---|
API Root
|
Required. The API root of the Security Command Center instance. |
Organization ID
|
Optional. The ID of the Google Cloud organization to use for scoping the Security Command Center integration queries. |
Project ID
|
Optional. The Google Cloud project ID used to scope the Security Command Center instance queries. |
Quota Project ID
|
Optional. The Google Cloud project ID used for API usage and billing purposes. |
User's Service Account
|
Optional. The full content of the service account key JSON file. Only use this parameter if you are authenticating using a JSON key. |
Workload Identity Email
|
Optional. The client email address of your service account. Only use this parameter if you are authenticating using a Workload Identity. If you configure this parameter, you must also configure |
Verify SSL
|
Required. If selected, the integration validates the SSL certificate when connecting to the Security Command Center server. Enabled by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations .
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances .
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action .
Get Finding Details
Use the Get Finding Detailsaction to retrieve details about a finding in Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Finding Detailsaction requires the following parameters:
| Parameter | Description |
|---|---|
Finding Name
|
Required. The full resource names of the findings to return details, in the format This parameter accepts multiple values as a comma-separated list. |
Action outputs
The Get Finding Detailsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
The Get Finding Detailsaction can return the following table:
Table title: Finding Details
Table columns:
- Category
- State
- Severity
- Type
JSON result
The following example shows the JSON result output received when using the Get Finding Detailsaction:
{
{
"finding_name"
:
"organizations/ ORGANIZATION_ID
/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m"
,
"finding"
:
{
"name"
:
"organizations/ ORGANIZATION_ID
/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m"
,
"parent"
:
"organizations/ ORGANIZATION_ID
/sources/2678067631293752869"
,
"resourceName"
:
"//cloudresourcemanager.googleapis.com/projects/ PROJECT_ID
"
,
"state"
:
"ACTIVE"
,
"category"
:
"Discovery: Service Account Self-Investigation"
,
"sourceProperties"
:
{
"sourceId"
:
{
"projectNumber"
:
" PROJECT_ID
"
,
"customerOrganizationNumber"
:
" ORGANIZATION_ID
"
},
"detectionCategory"
:
{
"technique"
:
"discovery"
,
"indicator"
:
"audit_log"
,
"ruleName"
:
"iam_anomalous_behavior"
,
"subRuleName"
:
"service_account_gets_own_iam_policy"
},
"detectionPriority"
:
"LOW"
,
"affectedResources"
:
[
{
"gcpResourceName"
:
"//cloudresourcemanager.googleapis.com/projects/ PROJECT_ID
"
}
],
"evidence"
:
[
{
"sourceLogId"
:
{
"projectId"
:
" PROJECT_ID
"
,
"resourceContainer"
:
"projects/ PROJECT_ID
"
,
"timestamp"
:
{
"seconds"
:
"1622678907"
,
"nanos"
:
448368000
},
"insertId"
:
" ID
"
}
}
],
"properties"
:
{
"serviceAccountGetsOwnIamPolicy"
:
{
"principalEmail"
:
"prisma-cloud-serv@ PROJECT_ID
.iam.gserviceaccount.com"
,
"projectId"
:
" PROJECT_ID
"
,
"callerIp"
:
"192.0.2.41"
,
"callerUserAgent"
:
"Redlock/GC-MDC/resource-manager/ PROJECT_ID
Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)"
,
"rawUserAgent"
:
"Redlock/GC-MDC/resource-manager/ PROJECT_ID
Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)"
}
},
"contextUris"
:
{
"mitreUri"
:
{
"displayName"
:
"Permission Groups Discovery: Cloud Groups"
,
"url"
:
"https://attack.mitre.org/techniques/ ID
/003/"
},
"cloudLoggingQueryUri"
:
[
{
"displayName"
:
"Cloud Logging Query Link"
,
"url"
:
"https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-06-03T00:08:27.448368Z%22%0AinsertId%3D%22 ID
%22%0Aresource.labels.project_id%3D%22 PROJECT_ID
%22?project= PROJECT_ID
"
}
]
}
},
"securityMarks"
:
{
"name"
:
"organizations/ ORGANIZATION_ID
/sources/ SOURCE_ID
/findings/ FINDING_ID
/securityMarks"
},
"eventTime"
:
"2021-06-03T00:08:27.448Z"
,
"createTime"
:
"2021-06-03T00:08:31.074Z"
,
"severity"
:
"LOW"
,
"canonicalName"
:
"projects/ PROJECT_ID
/sources/ SOURCE_ID
/findings/ FINDING_ID
"
,
"mute"
:
"UNDEFINED"
,
"findingClass"
:
"THREAT"
,
"mitreAttack"
:
{
"primaryTactic"
:
"DISCOVERY"
,
"primaryTechniques"
:
[
"PERMISSION_GROUPS_DISCOVERY"
,
"CLOUD_GROUPS"
]
}
},
"resource"
:
{
"name"
:
"//cloudresourcemanager.googleapis.com/projects/ PROJECT_ID
"
,
"projectName"
:
"//cloudresourcemanager.googleapis.com/projects/ PROJECT_ID
"
,
"projectDisplayName"
:
" PROJECT_ID
"
,
"parentName"
:
"//cloudresourcemanager.googleapis.com/organizations/ ORGANIZATION_ID
"
,
"parentDisplayName"
:
"example.net"
,
"type"
:
"google.cloud.resourcemanager.Project"
,
"displayName"
:
" PROJECT_ID
"
}
}
}
Output messages
The Get Finding Detailsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Finding Details". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Finding Detailsaction:
| Script result name | Value |
|---|---|
is_success
|
true
or false
|
List Asset Vulnerabilities
Use the List Asset Vulnerabilitiesaction to list vulnerabilities related to entities in Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
The List Asset Vulnerabilitiesaction requires the following parameters:
Asset Resource Names
Required.
A comma-separated list of the unique identifiers (full resource names) for the assets to retrieve data about.
Timeframe
Optional.
The timeframe to search for the vulnerabilities or misconfigurations.
The possible values are as follows:
-
Last Week -
Last Month -
Last Year -
All Time
The default value is All Time
.
Record Types
Optional.
The type of record to return.
The possible values are as follows:
-
Vulnerabilities + Misconfigurations -
Vulnerabilities -
Misconfigurations
The default value is Vulnerabilities + Misconfigurations
.
Output Type
Optional.
The type of output to return in the JSON result for every asset.
The possible values are as follows:
-
Statistics -
Data -
Statistics + Data
The default value is Statistics
.
Max Records To Return
Optional.
The maximum number of records to return for every record type.
The default value is 100
.
Action outputs
The List Asset Vulnerabilitiesaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
The List Asset Vulnerabilitiesaction can return the following tables:
Table title: ASSET_ID Vulnerabilities
Table columns:
- Category
- Description
- Severity
- Event Time
- CVE
Table title: ASSET_ID Misconfigurations
Table columns:
- Category
- Description
- Severity
- Event Time
- Recommendation
JSON result
The following example shows the JSON result output received when using the List Asset Vulnerabilitiesaction:
{
.
"siemplify_asset_display_name"
:[
1
]
[
2
]
""
"vulnerabilities"
:
{
"statistics"
:
{
"critical"
:
1
,
"high"
:
1
,
"medium"
:
1
,
"low"
:
1
,
"undefined"
:
1
},
"data"
:
[
{
"category"
:
" CATEGORY
"
"description"
:
" DESCRIPTION
"
"cve_id"
:
" CVE_ID
"
"event_time"
:
" EVENT_TIME
"
"related_references"
:
" RELATED_REFERENCES
"
"severity"
:
" SEVERITY
"
}
]
},
"misconfigurations"
:
{
"statistics"
:
{
"critical"
:
1
,
"high"
:
1
,
"medium"
:
1
,
"low"
:
1
,
"undefined"
:
1
},
"data"
:
[
{
"category"
:
" CATEGORY
"
"description"
:
" DESCRIPTION
"
"recommendation"
:
" RECOMMENDATION
"
"event_time"
:
" EVENT_TIME
"
"severity"
:
" SEVERITY
"
}
]
},
}
Output messages
The List Asset Vulnerabilitiesaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "List Asset Vulnerabilities". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Asset Vulnerabilitiesaction:
| Script result name | Value |
|---|---|
is_success
|
true
or false
|
Ping
Use the Pingaction to test the connectivity to Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Pingaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Pingaction can return the following output messages:
| Output message | Message description |
|---|---|
Successfully connected to the Security Command Center server
with the provided connection parameters!
|
The action succeeded. |
Failed to connect to the Security Command Center server! Error
is ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Pingaction:
| Script result name | Value |
|---|---|
is_success
|
true
or false
|
Update Finding
Use the Update Findingaction to update an existing finding in Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
The Update Findingaction requires the following parameters:
Finding Name
Required.
The full resource names of the findings to return details, in the format organizations/ ORGANIZATION_ID
/sources/ SOURCE_ID
/findings/ FINDING_ID
.
This parameter accepts multiple values as a comma-separated list.
Mute Status
Optional.
The mute status of the finding.
The possible values are as follows:
-
Mute -
Unmute
State Status
Optional.
The state of the finding.
The possible values are as follows:
-
Active -
Inactive
Action outputs
The Update Findingaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Update Findingaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Update Finding". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update Findingaction:
| Script result name | Value |
|---|---|
is_success
|
true
or false
|
Connectors
To learn more about configuring connectors in Google SecOps, see Ingest your data (connectors) .
For example, a single raw alert containing three different email addresses is ingested as three separate events, each containing one distinct email address.
This process ensures that every entity is correctly indexed as a unique asset, making it fully searchable and actionable in playbooks.
Security Command Center - Findings Connector
Use the Security Command Center - Findings Connectorto retrieve information about findings from Security Command Center.
This connector supports filtering findings by category using the dynamic list.
Connector inputs
The Security Command Center - Findings Connectorrequires the following parameters:
Product Field Name
Required.
The name of the field where the product name is stored.
The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.
The default value is Product Name
.
Event Field Name
Required.
The name of the field that determines the event name (subtype).
Environment Field Name
Optional.
The name of the field where the environment name is stored.
If the environment field is missing, the connector uses the default value.
The default value is ""
.
Environment Regex Pattern
Optional.
A regular expression pattern to run on the value found in the Environment Field Name
field. This parameter lets you manipulate
the environment field using the regular expression logic.
Use the default value .*
to retrieve the required raw Environment Field Name
value.
If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
PythonProcessTime
Required.
The timeout limit, in seconds, for the Python process that runs the current script.
The default value is 180
.
API Root
Required.
The API root of the Security Command Center instance.
Organization ID
Optional.
The ID of the Google Cloud organization to use
Project ID
Optional.
The Google Cloud project ID to use.
Quota Project ID
Optional.
The Google Cloud project ID to use.
User's Service Account
Required.
The full content of the service account key JSON file.
Only use this parameter if you are authenticating using a JSON key.
Workload Identity Email
Optional.
The client email address of your service account.
Only use this parameter if you are authenticating using a Workload Identity.
If you configure this parameter, you must also configure Quota Project ID
.
Finding Class Filter
Optional.
A comma-separated list of the types of security findings to include when ingesting data from the source.
The possible values are as follows:
-
Threat -
Vulnerability -
Misconfiguration -
SCC_Error -
Observation -
Toxic Combination -
Chokepoint
If no value is provided, findings from all classes are ingested.
Lowest Severity To Fetch
Optional.
The lowest severity of the alerts to retrieve.
If you don't configure this parameter, the connector ingests alerts with all severity levels.
The possible values are as follows:
-
Low -
Medium -
High -
Critical
If a finding with an undefined severity is assigned the Fallback Severity
level, that finding is exempt from filtering
by this parameter.
If no value is provided, all severity types are ingested.
Fallback Severity
Optional.
The severity level to assign to any ingested security finding without a defined or recognizable severity rating from the source.
The possible values are as follows:
-
Low -
Medium -
High -
Critical
The default value is Medium
.
Max Hours Backwards
Optional.
The number of hours prior to now to retrieve findings.
This parameter can apply to the initial connector iteration after you enable the connector for the first time, or the fallback value for an expired connector timestamp.
The maximum value is 24
.
The default value is 1
.
Max Findings To Fetch
Optional.
The number of findings to process in every connector iteration.
The maximum value is 1000
.
The default value is 100
.
Use dynamic list as a blacklist
Required.
If selected, the connector uses the dynamic list as a blocklist.
Disabled by default.
Verify SSL
Required.
If selected, the integration validates the SSL certificate when connecting to the Security Command Center server.
Disabled by default.
Proxy Server Address
Optional.
The address of the proxy server to use.
Proxy Username
Optional.
The proxy username to authenticate with.
Proxy Password
Optional.
The proxy password to authenticate with.
Need more help? Get answers from Community members and Google SecOps professionals.
