This page explains how to automatically send Security Command Center findings, assets, audit logs, and security sources to Google Security Operations SOAR. It also describes how to manage the exported data.
Before you begin, ensure that the required Security Command Center and Google Cloud services are properly configured and enable Google SecOps SOAR to access findings, audit logs, and assets in your Security Command Center environment. For more information on the Security Command Center integration for Google SecOps SOAR, see Security Command Center in the Google Security Operations documentation.
Configure authentication and authorization
Before connecting to Google SecOps SOAR, you need to create an Identity and Access Management (IAM) service account and grant it IAM roles at both the organization and project levels.
Create a service account and grant IAM roles
In this document, this service account is also called the user service account. The following steps use the Google Cloud console. For other methods, see the links at the end of this section.
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
- In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.
- Grant the service account the following role:
  - Pub/Sub Editor (roles/pubsub.editor)
- Copy the name of the service account that you just created.
- Use the project selector in the Google Cloud console to switch to the organization level.
- Open the IAM page for the organization.
- On the IAM page, click Grant access. The Grant access panel opens.
- In the Grant access panel, complete the following steps:
  - In the Add principals section, in the New principals field, paste the name of the service account.
  - In the Assign roles section, use the Role field to grant the following IAM roles to the service account:
    - Security Center Admin Viewer (roles/securitycenter.adminViewer)
    - Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
    - Organization Viewer (roles/resourcemanager.organizationViewer)
    - Cloud Asset Viewer (roles/cloudasset.viewer)
- Click Save. The service account appears on the Permissions tab of the IAM page under View by principals.
By inheritance, the service account also becomes a principal in all child projects of the organization. The roles that are applicable at the project level are listed as inherited roles.
For more information about creating service accounts and granting roles, see the following topics:
Create a service account for impersonation
In this document, this service account is also called the SOAR service account. Create a service account to impersonate the user service account and its permissions.
- In the Google SecOps SOAR console, navigate to Response, and then click Integrations setup.
- On the Integrations setup page, click Create a new instance. The Add instance dialog opens.
- In the Integrations list, select Google Security Command Center and click Save. The Google Security Command Center - Configure Instance dialog opens.
- In the Workload Identity Email field, specify the service account email ID.
- Click Save.
Provide the credentials to Google SecOps SOAR
Depending on where you are hosting Google SecOps SOAR, how you provide the IAM credentials to Google SecOps SOAR differs.
- If you are hosting Google SecOps SOAR in Google Cloud, the user service account that you created and the organization level roles that you granted to it are available automatically by inheritance from the parent organization.
- If you are hosting Google SecOps SOAR in your on-premises environment, create a key for the user service account that you created. You need the service account key JSON file to complete this task. To learn about best practices for storing your service account keys securely, see Best practices for managing service account keys.
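The same service account setup as a gcloud script, added here as an example and not taken from the page: it creates the user service account, grants the project-level and organization-level roles listed above, and grants the SOAR service account the Service Account Token Creator role on the user service account, which the Workload Identity Email parameter requires. The project, organization and service account names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: gcloud equivalent of the console
# steps above. All IDs are placeholders passed as arguments; set GCLOUD=echo
# to print the commands instead of running them.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Usage: grant_scc_soar_access PROJECT_ID ORG_ID USER_SA_NAME SOAR_SA_EMAIL
# Prints the email of the user service account it created.
grant_scc_soar_access() {
  project="$1"; org="$2"; sa_name="$3"; soar_sa="$4"
  user_sa="${sa_name}@${project}.iam.gserviceaccount.com"

  # 1. Create the user service account in the project that holds the Pub/Sub topics.
  "$GCLOUD" iam service-accounts create "$sa_name" \
    --project="$project" --display-name="SCC export to Google SecOps SOAR"

  # 2. Project-level role: Pub/Sub Editor.
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${user_sa}" --role="roles/pubsub.editor"

  # 3. Organization-level roles granted on the IAM page above.
  for role in roles/securitycenter.adminViewer \
              roles/securitycenter.notificationConfigEditor \
              roles/resourcemanager.organizationViewer \
              roles/cloudasset.viewer; do
    "$GCLOUD" organizations add-iam-policy-binding "$org" \
      --member="serviceAccount:${user_sa}" --role="$role"
  done

  # 4. Let the SOAR service account impersonate the user service account:
  #    Service Account Token Creator granted on the user SA itself, not org-wide.
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$user_sa" \
    --member="serviceAccount:${soar_sa}" --role="roles/iam.serviceAccountTokenCreator"

  printf '%s\n' "$user_sa"
}

# On-premises SOAR only: create a key file for the user service account.
# Usage: create_user_sa_key USER_SA_EMAIL OUTPUT_FILE
create_user_sa_key() {
  "$GCLOUD" iam service-accounts keys create "$2" --iam-account="$1"
}

# Example invocation with placeholder IDs; runs only when RUN_SETUP=1.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  grant_scc_soar_access demo-project 123456789012 scc-soar-reader \
    soar-runtime@soar-project.iam.gserviceaccount.com
fi
```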
Configure notifications
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
- Set up finding notifications as follows:
  - Enable the Security Command Center API.
  - Create a Pub/Sub topic for findings.
  - Create a NotificationConfig object that contains the filter for findings that you want to export. The NotificationConfig must use the Pub/Sub topic you created for findings.
- Enable the Cloud Asset API for your project.
You need your organization ID, project ID, and the Pub/Sub subscription ID from this task to configure Google SecOps SOAR. To retrieve your organization ID and project ID, see Retrieving your organization ID and Identifying projects, respectively.
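The notification setup as a gcloud script, added here as an example rather than taken from the page: it enables both APIs, creates the findings topic and a subscription for SOAR to pull from, and creates the NotificationConfig bound to that topic. The IDs and the finding filter are assumed example values.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: gcloud equivalent of the
# "Configure notifications" steps. All IDs are placeholders passed as
# arguments; set GCLOUD=echo to print the commands instead of running them.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Usage: configure_scc_notifications PROJECT_ID ORG_ID TOPIC_ID SUBSCRIPTION_ID CONFIG_ID
# Prints the three values SOAR needs afterwards: ORG_ID PROJECT_ID SUBSCRIPTION_ID.
configure_scc_notifications() {
  project="$1"; org="$2"; topic="$3"; sub="$4"; config="$5"
  topic_path="projects/${project}/topics/${topic}"

  # 1. Enable the Security Command Center API and the Cloud Asset API.
  "$GCLOUD" services enable securitycenter.googleapis.com cloudasset.googleapis.com \
    --project="$project"

  # 2. Create the findings topic and a pull subscription for SOAR.
  "$GCLOUD" pubsub topics create "$topic" --project="$project"
  "$GCLOUD" pubsub subscriptions create "$sub" --topic="$topic" --project="$project"

  # 3. Create the NotificationConfig bound to that topic. The filter is an
  #    assumed example: only active findings of high or critical severity.
  "$GCLOUD" scc notifications create "$config" \
    --organization="$org" \
    --description="Active high and critical findings for Google SecOps SOAR" \
    --pubsub-topic="$topic_path" \
    --filter='state="ACTIVE" AND (severity="HIGH" OR severity="CRITICAL")'

  printf '%s %s %s\n' "$org" "$project" "$sub"
}

# Example invocation with placeholder IDs; runs only when RUN_SETUP=1.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  configure_scc_notifications demo-project 123456789012 scc-findings scc-findings-sub scc-to-soar
fi
```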
Configure Google SecOps SOAR
Google SecOps SOAR enables enterprises and managed security service providers (MSSPs) to gather data and security alerts from different sources by combining orchestration and automation, threat intelligence, and incident response.
To use Security Command Center with Google SecOps SOAR, complete the following steps:
- In the Google SecOps SOAR console, navigate to Marketplace, and then click Integrations.
- Search for Google Security Command Center, and install the Security Command Center integration that appears in the search results.
- On the Google Security Command Center integration, click Configure. The Google Security Command Center - Configure Instance dialog opens.
- Optional: To create a new environment or to edit the environment configuration, click Settings. The Environments page opens in a new tab.
- On the Environments page, select the environment for which you want to configure the integration instance.
- In the selected environment, click Create a new instance. The Add instance dialog opens.
- In the Integrations list, select Google Security Command Center and click Save. The Google Security Command Center - Configure Instance dialog opens.
- Specify the configuration parameters and click Save.
Parameter | Description | Required |
---|---|---|
API Root | API root of the Security Command Center instance. For example, securitycenter.googleapis.com. | Yes |
Organization ID | ID of the organization whose findings you want to export. | No |
Project ID | ID of the project to be used in the Security Command Center integration. | No |
Quota Project ID | ID of your Google Cloud project for Google Cloud API usage and billing. | No |
Location ID | ID of the location to be used in the Security Command Center integration. The default location ID is global. | No |
User's Service Account | Service account that you created in Create a service account and grant IAM roles. If you are hosting Google SecOps SOAR in your on-premises environment, then provide the service account key ID and all the content of the service account JSON file. | Yes |
Workload Identity Email | Email that you created in Create a service account for impersonation. It is a service account client email that replaces the use of the user service account and can be used for impersonation. The SOAR service account must be granted the Service Account Token Creator IAM role on the user service account. | Yes |
Verify SSL | Enable to verify that the SSL certificate used for the connection to the Security Command Center server is valid. | Yes |
- To verify that the integration is configured correctly, click Test.
- After successful verification, click Save.
Upgrade the Google Security Command Center integration
To upgrade the Google Security Command Center integration, complete the following steps:
- In the Google SecOps SOAR console, navigate to Marketplace, and then click Integrations.
- Search for the Google Security Command Center integration and click Upgrade to VERSION_NUMBER.
Work with findings and assets
Google SecOps SOAR uses connectors to ingest alerts from a variety of data sources into the platform.
Fetch Security Command Center alerts for analysis in Google SecOps SOAR
You need to configure a connector to pull information about findings from Security Command Center. To configure the connector, see Ingest your data (connectors).
Set the following parameters in Google SecOps SOAR to configure the Google Security Command Center - Findings connector:
- API Root: the API root of the Security Command Center instance, for example securitycenter.googleapis.com.
- Finding classes to ingest:
  - Threat
  - Vulnerability
  - Misconfiguration
  - SCC_Error
  - Observation
- Severities to ingest:
  - Low
  - Medium
  - High
  - Critical
Enrich assets
To enable a security investigation, Google Security Operations ingests contextual data from different sources, performs analysis on the data, and provides additional context about artifacts in a customer environment.
To enrich assets using information from Security Command Center, add the enrich assets action to a playbook in Google SecOps SOAR and run the playbook. For more information, see Adding an action.
To configure this action, set the following parameters:
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Enter the source field name to retrieve the product field name. |
List alert vulnerabilities
To list vulnerabilities related to the entities in Security Command Center, add the list asset vulnerabilities action to a playbook in Google Security Operations SOAR and run the playbook. For more information, see Adding an action.
To configure this action, set the following parameters:
- Time frame:
  - Last Week
  - Last Month
  - Last Year
  - All Time
- Finding types to list:
  - Vulnerabilities
  - Misconfigurations
  - Vulnerabilities + Misconfigurations
- Output to return:
  - Statistics
  - Data
  - Statistics + Data
Update findings
To update findings in Security Command Center, add the update findings action to a playbook in Google SecOps SOAR and run the playbook. For more information, see Adding an action.
To configure this action, set the following parameters:
- Finding name, in the format organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.
- Mute state:
  - Mute
  - Unmute
- Finding state:
  - Active
  - Inactive