Integrate Security Command Center with Google SecOps
This document explains how to integrate Security Command Center with Google Security Operations (Google SecOps).
Integration version: 13.0
Before you begin
To use the integration, you need a custom Identity and Access Management (IAM) role and a Google Cloud service account. You can use an existing service account or create a new one.
Create and configure an IAM role
To create and configure a custom IAM role for the integration, complete the following steps:
1. In the Google Cloud console, go to the IAM Roles page.
2. Click Create role to create a custom role with the permissions required for the integration.
3. For a new custom role, enter a Title, Description, and unique ID.
4. Set the Role Launch Stage to General Availability.
5. Add the following permissions to the created role:
   - securitycenter.assets.list
   - securitycenter.findings.list
   - securitycenter.findings.setMute
   - securitycenter.findings.setState
Create and configure an API key
To create the API key, complete the following steps:
1. In the Google Cloud console, go to APIs & Services > Credentials > Create Credentials.
2. Select API key. A dialog appears with a generated API key. Copy the API key and store it securely.
To configure the API restriction for the API key, complete the following steps:
1. Click Restrict key > API restrictions > Restrict key.
2. Select Security Command Center API from the API list, configure the applicable restrictions, and click Save.
Grant access to the API key
To grant Security Command Center access to your API key, complete the following steps:
1. In the Google Cloud console, go to IAM & Admin > Service accounts.
2. Select the service account that you use in the Security Command Center integration.
3. Click the service account's email address.
4. Select Grant access.
5. In the New members field, enter the service account's email address.
6. Under Security Center, select the Security Center Findings Editor role and click Save.
Integration parameters
The Security Command Center integration requires the following parameters:
Parameter | Description |
---|---|
API Root | Required. The API root of the Security Command Center instance. |
Organization ID | Optional. The organization ID to use in the Security Command Center integration. |
Project ID | Optional. The project ID of the Security Command Center instance. |
Quota Project ID | Optional. The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the Service Usage Consumer role to your service account. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
User's Service Account | Required. The content of the service account key JSON file. You can configure this parameter or the Workload Identity Email parameter. To configure this parameter, provide the full content of the service account key JSON file that you downloaded when you created a service account. |
Workload Identity Email | Optional. The client email address of your service account. You can configure this parameter or the User's Service Account parameter. If you set this parameter, configure the Quota Project ID parameter. To impersonate service accounts with the Workload Identity Federation, grant the Service Account Token Creator role to your service account. |
Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Security Command Center server. Selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Get Finding Details
Use the Get Finding Details action to retrieve details about a finding in Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Finding Details action requires the following parameters:
Parameter | Description |
---|---|
Finding Name | Required. The names of the findings to return details for. This parameter accepts multiple values as a comma-separated list. Finding names have the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID |
Action outputs
The Get Finding Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The Get Finding Details action can return the following table:
Table title: Finding Details
Table columns:
- Category
- State
- Severity
- Type
JSON result
The following example shows the JSON result output received when using the Get Finding Details action:
{
  "finding_name": "organizations/ORGANIZATION_ID/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
    "parent": "organizations/ORGANIZATION_ID/sources/2678067631293752869",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "state": "ACTIVE",
    "category": "Discovery: Service Account Self-Investigation",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_ID",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "discovery",
        "indicator": "audit_log",
        "ruleName": "iam_anomalous_behavior",
        "subRuleName": "service_account_gets_own_iam_policy"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1622678907",
              "nanos": 448368000
            },
            "insertId": "ID"
          }
        }
      ],
      "properties": {
        "serviceAccountGetsOwnIamPolicy": {
          "principalEmail": "prisma-cloud-serv@PROJECT_ID.iam.gserviceaccount.com",
          "projectId": "PROJECT_ID",
          "callerIp": "192.0.2.41",
          "callerUserAgent": "Redlock/GC-MDC/resource-manager/PROJECT_ID Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)",
          "rawUserAgent": "Redlock/GC-MDC/resource-manager/PROJECT_ID Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)"
        }
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "Permission Groups Discovery: Cloud Groups",
          "url": "https://attack.mitre.org/techniques/ID/003/"
        },
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-06-03T00:08:27.448368Z%22%0AinsertId%3D%22ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
          }
        ]
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-06-03T00:08:27.448Z",
    "createTime": "2021-06-03T00:08:31.074Z",
    "severity": "LOW",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "mitreAttack": {
      "primaryTactic": "DISCOVERY",
      "primaryTechniques": [
        "PERMISSION_GROUPS_DISCOVERY",
        "CLOUD_GROUPS"
      ]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "example.net",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
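The Finding Name parameter and the case wall table above describe an input format and an output shape but not how a playbook step consumes them. The following Python is an added example, not code from the integration itself: it validates a comma-separated Finding Name value against the documented resource-name format (the regular expression, and its acceptance of the projects/... form that appears as canonicalName in the JSON result, are assumptions of this example), builds the Finding Details case wall row, and pulls the actor, caller IP and MITRE ATT&CK fields an analyst reads first. SAMPLE_RESULT is a constructed, condensed copy of the page's JSON result with placeholder IDs.

```python
import re

# Resource-name shape documented for the Finding Name parameter:
# organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID
# The page's JSON result also shows a projects/... canonicalName, so both
# parents are accepted here (an assumption of this example, not documented behaviour).
FINDING_NAME_RE = re.compile(
    r"^(organizations|projects)/[^/\s]+/sources/[^/\s]+/findings/[^/\s]+$"
)


def parse_finding_names(raw: str) -> list[str]:
    """Split the comma-separated Finding Name parameter and reject malformed entries.

    Rejecting bad names before any API call keeps the playbook from forwarding a
    mistyped or externally supplied resource path to Security Command Center.
    """
    names = [part.strip() for part in raw.split(",") if part.strip()]
    bad = [name for name in names if not FINDING_NAME_RE.match(name)]
    if bad:
        raise ValueError(f"malformed finding names: {bad}")
    return names


def finding_details_row(result: dict) -> dict:
    """Build one Finding Details case wall row (Category, State, Severity, Type)
    from a JSON result shaped like the page's example."""
    finding = result.get("finding", {})
    resource = result.get("resource", {})
    return {
        "Category": finding.get("category"),
        "State": finding.get("state"),
        "Severity": finding.get("severity"),
        "Type": resource.get("type"),
    }


def triage_summary(result: dict) -> dict:
    """Extract the actor, caller IP, mute status and MITRE ATT&CK context.

    In the page's example the actor details sit under sourceProperties.properties,
    keyed by the detector's sub-rule name, so the first value is taken.
    """
    finding = result.get("finding", {})
    props = finding.get("sourceProperties", {}).get("properties", {})
    actor = next(iter(props.values()), {}) if props else {}
    mitre = finding.get("mitreAttack", {})
    return {
        "principal": actor.get("principalEmail"),
        "caller_ip": actor.get("callerIp"),
        "tactic": mitre.get("primaryTactic"),
        "techniques": list(mitre.get("primaryTechniques", [])),
        "muted": finding.get("mute"),
    }


# Constructed sample: a condensed copy of the page's JSON result with placeholder IDs.
SAMPLE_RESULT = {
    "finding_name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "finding": {
        "state": "ACTIVE",
        "category": "Discovery: Service Account Self-Investigation",
        "severity": "LOW",
        "mute": "UNDEFINED",
        "findingClass": "THREAT",
        "sourceProperties": {
            "properties": {
                "serviceAccountGetsOwnIamPolicy": {
                    "principalEmail": "prisma-cloud-serv@PROJECT_ID.iam.gserviceaccount.com",
                    "callerIp": "192.0.2.41",
                }
            }
        },
        "mitreAttack": {
            "primaryTactic": "DISCOVERY",
            "primaryTechniques": ["PERMISSION_GROUPS_DISCOVERY", "CLOUD_GROUPS"],
        },
    },
    "resource": {"type": "google.cloud.resourcemanager.Project"},
}

if __name__ == "__main__":
    for name in parse_finding_names(SAMPLE_RESULT["finding_name"]):
        print("valid finding name:", name)
    print(finding_details_row(SAMPLE_RESULT))
    print(triage_summary(SAMPLE_RESULT))
```

The validation step matters because the action accepts a free-text, comma-separated list: a playbook that passes case data straight into the parameter should only ever send well-formed finding names to the API.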
Output messages
The Get Finding Details action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Get Finding Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Finding Details action:
Script result name | Value |
---|---|
is_success | True or False |
List Asset Vulnerabilities
Use the List Asset Vulnerabilities action to list vulnerabilities related to entities in Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
The List Asset Vulnerabilities action requires the following parameters:
Parameter | Description |
---|---|
Asset Resource Names | Required. The resource names of the assets to return data for. This parameter accepts multiple values as a comma-separated list. |
Timeframe | Optional. The period to search for vulnerabilities or misconfigurations. The possible values are Last Week, Last Month, Last Year, and All Time. The default value is All Time. |
Record Types | Optional. The type of record to return. The possible values are Vulnerabilities, Misconfigurations, and Vulnerabilities + Misconfigurations. The default value is Vulnerabilities + Misconfigurations. |
Output Type | Optional. The type of output to return in the JSON result for every asset. The possible values are Statistics, Data, and Statistics + Data. The default value is Statistics. |
Max Records To Return | Optional. The maximum number of records to return for every record type. The default value is 100. |
Action outputs
The List Asset Vulnerabilities action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The List Asset Vulnerabilities action can return the following tables:
Table title: ASSET_ID Vulnerabilities
Table columns:
- Category
- Description
- Severity
- Event Time
- CVE
Table title: ASSET_ID Misconfigurations
Table columns:
- Category
- Description
- Severity
- Event Time
- Recommendation
JSON result
The following example shows the JSON result output received when using the List Asset Vulnerabilities action:
{
  "siemplify_asset_display_name": "",
  "vulnerabilities": {
    "statistics": {
      "critical": 1,
      "high": 1,
      "medium": 1,
      "low": 1,
      "undefined": 1
    },
    "data": [
      {
        "category": "CATEGORY",
        "description": "DESCRIPTION",
        "cve_id": "CVE_ID",
        "event_time": "EVENT_TIME",
        "related_references": "RELATED_REFERENCES",
        "severity": "SEVERITY"
      }
    ]
  },
  "misconfigurations": {
    "statistics": {
      "critical": 1,
      "high": 1,
      "medium": 1,
      "low": 1,
      "undefined": 1
    },
    "data": [
      {
        "category": "CATEGORY",
        "description": "DESCRIPTION",
        "recommendation": "RECOMMENDATION",
        "event_time": "EVENT_TIME",
        "severity": "SEVERITY"
      }
    ]
  }
}
Output messages
The List Asset Vulnerabilities action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "List Asset Vulnerabilities". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Asset Vulnerabilities action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test connectivity to Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Security Command Center server with the provided connection parameters! | The action succeeded. |
Failed to connect to the Security Command Center server! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Update finding
Use the Update finding action to update a finding in Security Command Center.
This action doesn't run on Google SecOps entities.
Action inputs
The Update finding action requires the following parameters:
Parameter | Description |
---|---|
Finding Name | Required. The names of the findings to update. This parameter accepts multiple values as a comma-separated list. Finding names have the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID |
Mute Status | Optional. The mute status for the finding. The possible values are Select One, Mute, and Unmute. |
State Status | Optional. The finding state. The possible values are Select One, Active, and Inactive. |
Action outputs
The Update finding action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Update finding action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Update finding". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update finding action:
Script result name | Value |
---|---|
is_success | True or False |
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).
Google Security Command Center - Findings Connector
Use the Google Security Command Center - Findings Connector to retrieve information about findings from Security Command Center.
The dynamic list filter works with categories.
Connector inputs
The Google Security Command Center - Findings Connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. The name of the field where the product name is stored. The default value is Product Name. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. |
Event Field Name | Required. The name of the field that determines the event name (subtype). The default value is category. |
Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic. Use the default value .* to retrieve the required raw Environment Field Name value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Required. The timeout limit, in seconds, for the Python process that runs the current script. The default value is 180. |
API Root | Required. The API root of the Security Command Center instance. The default value is https://securitycenter.googleapis.com. |
Organization ID | Optional. The ID of an organization to use in the Security Command Center integration. |
Project ID | Optional. The project ID of the Security Command Center instance. |
Quota Project ID | Optional. The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the Service Usage Consumer role to your service account. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
User's Service Account | Required. The content of the service account key JSON file. You can configure this parameter or the Workload Identity Email parameter. To configure this parameter, provide the full content of the service account key JSON file that you downloaded when you created a service account. |
Workload Identity Email | Optional. The client email address of your service account. You can configure this parameter or the User's Service Account parameter. If you set this parameter, configure the Quota Project ID parameter. To impersonate service accounts with the Workload Identity Federation, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads. |
Finding Class Filter | Optional. The finding classes for the connector to ingest. The possible values are Threat, Vulnerability, Misconfiguration, SCC_Error, and Observation. If you don't set a value, the connector ingests findings from all classes. The default value is Threat,Vulnerability,Misconfiguration,SCC_Error,Observation. |
Lowest Severity To Fetch | Optional. The lowest severity of the alerts to retrieve. If you don't configure this parameter, the connector ingests alerts with all severity levels. The connector treats alerts with undefined severity as those with Medium severity. The possible values are Low, Medium, High, and Critical. The default value is High. |
Max Hours Backwards | Optional. The number of hours prior to now to retrieve findings from. This parameter applies to the initial connector iteration after you enable the connector for the first time, or serves as the fallback value for an expired connector timestamp. The maximum value is 24. The default value is 1. |
Max Findings To Fetch | Optional. The number of findings to process in every connector iteration. The maximum value is 1000. The default value is 100. |
Use dynamic list as a blacklist | Required. If selected, the connector uses the dynamic list as a blocklist. Not selected by default. |
Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Security Command Center server. Not selected by default. |
Proxy Server Address | Optional. The address of the proxy server to use. |
Proxy Username | Optional. The proxy username to authenticate with. |
Proxy Password | Optional. The proxy password to authenticate with. |
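The connector parameters above define several filters that interact: Finding Class Filter, Lowest Severity To Fetch (with undefined severity counted as Medium), Max Hours Backwards (capped at 24), the dynamic list used as a category allowlist or, when Use dynamic list as a blacklist is selected, a blocklist, and Max Findings To Fetch (capped at 1000). The following Python is an added example, not the connector's own code: it models that selection over findings shaped like the page's JSON result so you can see which findings an iteration would ingest before tuning the parameters. The oldest-first ordering, the clamping of out-of-range values and the sample findings are assumptions of this example; SAMPLE_FINDINGS is constructed data.

```python
from datetime import datetime, timedelta, timezone

# Rank order for Lowest Severity To Fetch (assumed ordering Low < Medium < High < Critical).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
ALL_CLASSES = {"THREAT", "VULNERABILITY", "MISCONFIGURATION", "SCC_ERROR", "OBSERVATION"}
MAX_HOURS = 24       # documented maximum for Max Hours Backwards
MAX_FINDINGS = 1000  # documented maximum for Max Findings To Fetch


def severity_rank(severity):
    """Undefined or missing severity is treated as Medium, as the page states."""
    return SEVERITY_RANK.get((severity or "").upper(), SEVERITY_RANK["MEDIUM"])


def parse_event_time(value):
    """Parse the RFC 3339 eventTime from the JSON result into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_findings(findings, *, now, lowest_severity="High",
                    finding_class_filter="Threat,Vulnerability,Misconfiguration,SCC_Error,Observation",
                    max_hours_backwards=1, dynamic_list=(), use_as_blocklist=False,
                    max_findings=100):
    """Return the findings one connector iteration would ingest, oldest first.

    Keyword names mirror the connector inputs. lowest_severity=None models the
    parameter being left unset (all severities ingested).
    """
    cutoff = now - timedelta(hours=min(max_hours_backwards, MAX_HOURS))
    threshold = SEVERITY_RANK[lowest_severity.upper()] if lowest_severity else 0
    classes = {c.strip().upper() for c in finding_class_filter.split(",") if c.strip()} or ALL_CLASSES
    categories = set(dynamic_list)

    selected = []
    for finding in findings:
        if parse_event_time(finding["eventTime"]) < cutoff:
            continue  # older than Max Hours Backwards
        if finding.get("findingClass", "").upper() not in classes:
            continue  # excluded by Finding Class Filter
        if severity_rank(finding.get("severity")) < threshold:
            continue  # below Lowest Severity To Fetch
        if categories:
            listed = finding.get("category") in categories
            # Allowlist keeps only listed categories; blocklist drops them.
            if listed == use_as_blocklist:
                continue
        selected.append(finding)

    selected.sort(key=lambda f: parse_event_time(f["eventTime"]))
    return selected[:min(max_findings, MAX_FINDINGS)]


def categories_of(findings):
    """Convenience view of a selection result, used for checks below."""
    return [f["category"] for f in findings]


# Constructed sample: fixed "now" and five findings in the page's JSON shape.
NOW = datetime(2021, 6, 3, 1, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"category": "Discovery: Service Account Self-Investigation", "severity": "LOW",
     "findingClass": "THREAT", "eventTime": "2021-06-03T00:08:27.448Z"},
    {"category": "Constructed: IAM Anomalous Grant", "severity": "HIGH",
     "findingClass": "THREAT", "eventTime": "2021-06-03T00:40:00Z"},
    {"category": "Constructed: Open Firewall",  # no severity field at all
     "findingClass": "MISCONFIGURATION", "eventTime": "2021-06-03T00:50:00Z"},
    {"category": "Constructed: Bad IP", "severity": "CRITICAL",
     "findingClass": "THREAT", "eventTime": "2021-06-02T20:00:00Z"},  # five hours old
    {"category": "Constructed: Cryptomining", "severity": "CRITICAL",
     "findingClass": "THREAT", "eventTime": "2021-06-03T00:55:00Z"},
]

if __name__ == "__main__":
    print("defaults:", categories_of(select_findings(SAMPLE_FINDINGS, now=NOW)))
    print("Low, 24h:", categories_of(select_findings(
        SAMPLE_FINDINGS, now=NOW, lowest_severity="Low", max_hours_backwards=24)))
```

With the documented defaults only the HIGH and CRITICAL findings from the last hour survive; the finding with no severity field is treated as Medium and therefore dropped, which is worth remembering when a detector emits findings without a severity and the default High threshold is left in place.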
Connector rules
The Google Security Command Center - Findings Connector supports proxies.