Integrate Security Command Center Enterprise with ticketing systems

This document explains how to integrate the Enterprise tier of Security Command Center with ticketing systems after configuring security orchestration, automation, and response (SOAR).

Integrating with ticketing systems is optional and requires manual configuration. If you use the default Security Command Center Enterprise configuration, you don't need to perform this procedure. You can integrate with a ticketing system later at any time.

Overview

You can track findings using the console and APIs with the default Security Command Center Enterprise configuration. If your organization uses ticketing systems to track issues, integrate with Jira or ServiceNow after you have configured your Google Security Operations instance.

Upon receiving findings for resources, the SCC Enterprise – Urgent Posture Findings Connector analyzes and groups them into new or existing cases, depending on the finding type.

If you integrate with a ticketing system, Security Command Center creates a new ticket every time it creates a new case for findings. Security Command Center automatically updates the related ticket whenever a case is updated.

A single case can contain multiple findings. Security Command Center creates one ticket for each case and synchronizes the case content and information with the corresponding ticket to let ticket assignees know what to remediate.

The synchronization between a case and its ticket works both ways:

  • Changes within a case, such as a status update or new comment, are automatically reflected in the associated ticket.

  • Similarly, ticket details synchronize back to the case, enriching it with information from the ticketing system.

Before you begin

Before configuring Jira or ServiceNow, provide a valid email address for the Fallback Owner parameter in the SCC Enterprise – Urgent Posture Findings Connector, and make sure that this email is assignable in your ticketing system.

Integrate with Jira

Make sure to complete all integration steps to synchronize the case updates with Jira issues and ensure the correct playbook flow.

A case priority is reflected in the Jira issue severity.

Create a new project in Jira

To create a new project in Jira for the Security Command Center Enterprise issues called SCC Enterprise Project (SCCE), run a manual action in the case. You can use any existing case or simulate one. For more information about simulating cases, refer to the Simulate cases page in the Google SecOps documentation.

Creating a new Jira project requires Jira admin-level credentials.

To create a new Jira project, complete the following steps:

  1. In the Google Cloud console, go to Risk > Cases.
  2. Select an existing case or the one that you've simulated.
  3. In the Case Overview tab, click Manual Action.
  4. In the manual action Search field, enter Create SCC Enterprise.
  5. In the search results under the SCC Enterprise integration, select the Create SCC Enterprise Cloud Posture Ticket Type Jira action. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your Jira instance, such as https://YOUR_DOMAIN_NAME.atlassian.net

  7. To configure the Username parameter, enter the username that you use to sign in to Jira as an administrator.

  8. To configure the Password parameter, enter the password that you use to sign in to Jira as an administrator.

  9. To configure the API Token parameter, enter the API token of your Atlassian admin account that was generated in the Jira console.

  10. Click Execute. Wait until the action is completed.

Optional: Configure custom Jira issue layout

  1. Sign in to Jira as an administrator.
  2. Go to Projects > SCC Enterprise Project (SCCE).
  3. Adjust and reorder issue fields. For more details about managing issue fields, see Configuring issue field layout in the Jira documentation.

Configure Jira integration

  1. In the Google Cloud console, go to Response > Playbooks to open the Security Operations console navigation.
  2. In the Security Operations console navigation, go to Response > Integrations Setup.
  3. Select the Default Environment.
  4. In the integration Search field, enter Jira. The Jira integration returns as a search result.
  5. Click Configure Instance. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your Jira instance, such as https://YOUR_DOMAIN_NAME.atlassian.net

  7. To configure the Username parameter, enter the username that you use to sign in to Jira. Don't use your admin credentials.

  8. To configure the API Token parameter, enter the API token of your non-admin Atlassian account that was generated in the Jira console.

  9. Click Save.

  10. To test your configuration, click Test.

Enable the Posture Findings With Jira playbook

  1. In the Google Cloud console, go to Response > Playbooks to open the Security Operations console Playbooks page.
  2. In the Playbook Search bar, enter Generic.
  3. Select the Posture Findings - Generic playbook. This playbook is enabled by default.
  4. Switch the toggle to disable the playbook.
  5. Click Save.
  6. In the Playbook Search bar, enter Jira.
  7. Select the Posture Findings With Jira playbook. This playbook is disabled by default.
  8. Switch the toggle to enable the playbook.
  9. Click Save.

Integrate with ServiceNow

Make sure to complete all integration steps to synchronize the updates of Google SecOps cases with ServiceNow tickets and ensure the correct playbook flow.

Create and configure ServiceNow custom ticket type

Make sure to create and configure the ServiceNow custom ticket type in order to enable the Activities tab in the ServiceNow UI and to avoid an incorrect ticket layout.

Create ServiceNow custom ticket type

Creating a custom ServiceNow ticket type requires ServiceNow admin-level credentials.

To create a custom ticket type, complete the following steps:

  1. In the Google Cloud console, go to Risk > Cases.
  2. Select an existing case or the one you've simulated.
  3. In the Case Overview tab, click Manual Action.
  4. In the manual action Search field, enter Create SCC Enterprise.
  5. In the search results under the SCC Enterprise integration, select the Create SCC Enterprise Cloud Posture Ticket Type SNOW action. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your ServiceNow instance, such as https://INSTANCE_NAME.service-now.com/api/now/v1/

  7. To configure the Username parameter, enter the username that you use to sign in to ServiceNow as an administrator.

  8. To configure the Password parameter, enter the password that you use to sign in to ServiceNow as an administrator.

  9. To configure the Table Role parameter, leave the field empty or provide a value if you have one. This parameter accepts only one role value.

    By default, the Table Role field is empty. You must create a new custom role in ServiceNow to specifically manage the Security Command Center Enterprise tickets. Only ServiceNow users granted this new custom role have access to the Security Command Center Enterprise tickets.

    If you already have a dedicated role for users who manage incidents in ServiceNow and you'd like to use this role for managing the Security Command Center Enterprise findings, enter the existing ServiceNow role name in the Table Role field. For example, if you provide the existing incident_handler_role value, all of the users who are granted the incident_handler_role role in ServiceNow can access the Security Command Center Enterprise tickets.

  10. Click Execute. Wait until the action is completed.

Configure ServiceNow custom ticket layout

To ensure that the ServiceNow web interface accurately displays the updates related to cases and case comments, complete the following steps:

  1. In your ServiceNow administrator account, go to the All tab.
  2. In the Search field, enter SCC Enterprise.
  3. In the drop-down list, select the SCC Enterprise Cloud Posture Ticket and run a search.
  4. Select the Posture Test Ticket. The ServiceNow ticket layout page opens.
  5. On the ServiceNow ticket layout page, go to Additional actions > Configure > Form Layout.
  6. Go to the Form view and section section.
  7. In the Section field, select u_scc_enterprise_cloud_posture_ticket.
  8. Click Save. After the page updates, the ticket template has fields that are distributed into two columns.
  9. Go to Additional actions > Configure > Form Layout.
  10. Go to the Form view and section section.
  11. In the Section field, select Summary.
  12. Click Save. After the page updates, the ticket template displays the new Summary structure.

Configure ServiceNow integration

  1. In the Google Cloud console, go to Response > Playbooks to open the Security Operations console navigation.
  2. In the Security Operations console navigation, go to Response > Integrations Setup.
  3. Select the Default Environment.
  4. In the integration Search field, enter ServiceNow. The ServiceNow integration returns as a search result.
  5. Click Configure Instance. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your ServiceNow instance, such as https://INSTANCE_NAME.service-now.com/api/now/v1/

  7. To configure the Username parameter, enter the username that you use to sign in to ServiceNow. Don't use your admin credentials.

  8. To configure the Password parameter, enter the password that you use to sign in to ServiceNow. Don't use your admin credentials.

  9. Click Save.

  10. To test your configuration, click Test.
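
The following Python script is an added example, not Google's code and not part of the Jira or ServiceNow integration, that checks the integration parameters offline before you click Test. It serves both the Jira instance configured under "Configure Jira integration" and the ServiceNow instance configured above: it flags an API Root that still contains the YOUR_DOMAIN_NAME or INSTANCE_NAME placeholder or stray spaces, a ServiceNow root whose path is not /api/now/v1/, an integration account that is the same admin account used for the one-time ticket-type creation action (the page says not to use admin credentials for the persistent instance), and a Fallback Owner value that is not an email address. The Jira host check assumes Jira Cloud (an .atlassian.net domain), the dataclass field names are this example's own, and no network calls are made.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Placeholders from this page's example URLs; they must be replaced with real values.
_PLACEHOLDERS = ("YOUR_DOMAIN_NAME", "INSTANCE_NAME")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class IntegrationConfig:
    """Parameters of one integration instance (field names are this example's own)."""
    system: str            # "jira" or "servicenow"
    api_root: str          # the API Root parameter
    username: str          # account used by the persistent integration instance
    setup_admin_user: str  # admin account used for the one-time creation action
    fallback_owner: str    # Fallback Owner parameter of the connector
    secret: str = field(default="", repr=False)  # API token (Jira) or password


def check_api_root(system: str, api_root: str) -> list[str]:
    """Validate the API Root string against the URL shapes this page gives as examples."""
    problems = []
    if any(ch.isspace() for ch in api_root):
        problems.append("API Root contains whitespace (copy-paste residue?)")
    if any(p in api_root for p in _PLACEHOLDERS):
        problems.append("API Root still contains a documentation placeholder")
    url = urlparse(api_root.replace(" ", ""))
    if url.scheme != "https":
        problems.append("API Root must use https")
    host = url.hostname or ""
    if system == "jira":
        # Assumption: Jira Cloud, i.e. https://<domain>.atlassian.net with no path.
        if not host.endswith(".atlassian.net"):
            problems.append("Jira API Root host is not an .atlassian.net domain")
        if url.path not in ("", "/"):
            problems.append("Jira API Root should be the site root, not an API path")
    elif system == "servicenow":
        if not host.endswith(".service-now.com"):
            problems.append("ServiceNow API Root host is not a .service-now.com domain")
        if url.path != "/api/now/v1/":
            problems.append("ServiceNow API Root path must be /api/now/v1/")
    else:
        problems.append(f"unknown ticketing system {system!r}")
    return problems


def check_config(cfg: IntegrationConfig) -> list[str]:
    """Return a list of problems; an empty list means the configuration passes."""
    problems = check_api_root(cfg.system, cfg.api_root)
    if not cfg.username:
        problems.append("integration username is empty")
    elif cfg.username.lower() == cfg.setup_admin_user.lower():
        # Least privilege: the persistent instance must not run as the setup admin.
        problems.append("integration instance reuses the admin account used for setup; "
                        "use a non-admin account")
    if not cfg.secret:
        problems.append("API token / password for the integration account is empty")
    if not _EMAIL_RE.match(cfg.fallback_owner):
        problems.append("Fallback Owner is not an email address")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real instances or accounts.
    sample = IntegrationConfig("servicenow", "https://acme.service-now.com/api/now/v1/",
                               "scc_integration", "snow_admin",
                               "secops-oncall@example.com", secret="***")
    for problem in check_config(sample) or ["configuration passes"]:
        print(problem)
```

Run it once per integration instance; fix every reported line before clicking Test, because Test only proves the credentials work, not that they are the least-privileged ones.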

Enable the Posture Findings With SNOW playbook

  1. In the Google Cloud console, go to Response > Playbooks.
  2. In the Playbook Search bar, enter Generic.
  3. Select the Posture Findings - Generic playbook. This playbook is enabled by default.
  4. Switch the toggle to disable the playbook.
  5. Click Save.
  6. In the Playbook Search bar, enter SNOW.
  7. Select the Posture Findings With SNOW playbook. This playbook is disabled by default.
  8. Switch the toggle to enable the playbook.
  9. Click Save.

Enable case data synchronization

Security Command Center automatically synchronizes the information between a case and its corresponding ticket, ensuring matching priority, status, comments, and other relevant data between a case and its ticket.

To synchronize case data, Security Command Center uses internal automatic processes called synchronization jobs. The Sync SCC-Jira Tickets and Sync SCC-ServiceNow Tickets jobs synchronize case data between Security Command Center and integrated ticketing systems. Both jobs are initially disabled and require you to enable them to initiate automatic case data synchronization.

Closing a case automatically resolves the corresponding ticket. Resolving a ticket in Jira or ServiceNow triggers the synchronization jobs to close the case too.
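
The following Python model is an added example, not the Sync SCC-Jira Tickets or Sync SCC-ServiceNow Tickets job itself, that shows what a two-way case-to-ticket reconciliation with the rules stated above has to guarantee: closing a case resolves the ticket, resolving the ticket closes the case, priority and severity stay aligned, comments are copied in both directions and never deleted, and a second pass after applying the changes finds nothing left to do. The priority-to-severity table, the "newer side wins" rule for priority, the dataclass fields, and the sample case and ticket are this example's assumptions; the page only states that the two are kept in step.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed case-priority to ticket-severity mapping; the page only states that a
# case priority is reflected in the Jira issue severity, not the exact table.
PRIORITY_TO_SEVERITY = {"Critical": "Highest", "High": "High", "Medium": "Medium", "Low": "Low"}
SEVERITY_TO_PRIORITY = {sev: pri for pri, sev in PRIORITY_TO_SEVERITY.items()}


@dataclass
class CaseState:
    case_id: str
    priority: str
    status: str                 # "Open" or "Closed"
    modified: datetime
    comments: list = field(default_factory=list)


@dataclass
class TicketState:
    key: str
    severity: str
    resolved: bool
    modified: datetime
    comments: list = field(default_factory=list)


def plan_sync(case: CaseState, ticket: TicketState) -> list:
    """Return (direction, field, value) actions that bring case and ticket in step."""
    actions = []
    # Closure propagates in both directions regardless of which side is newer.
    if case.status == "Closed" and not ticket.resolved:
        actions.append(("case->ticket", "resolved", True))
    elif ticket.resolved and case.status != "Closed":
        actions.append(("ticket->case", "status", "Closed"))
    # Priority/severity: assumed rule, the side modified more recently wins.
    wanted = PRIORITY_TO_SEVERITY[case.priority]
    if wanted != ticket.severity:
        if case.modified >= ticket.modified:
            actions.append(("case->ticket", "severity", wanted))
        else:
            actions.append(("ticket->case", "priority", SEVERITY_TO_PRIORITY[ticket.severity]))
    # Comments: append whatever the other side lacks; nothing is ever removed.
    for c in case.comments:
        if c not in ticket.comments:
            actions.append(("case->ticket", "comment", c))
    for c in ticket.comments:
        if c not in case.comments:
            actions.append(("ticket->case", "comment", c))
    return actions


def apply_sync(case: CaseState, ticket: TicketState, actions: list) -> None:
    """Apply planned actions in place; "comment" appends, other fields are overwritten."""
    for direction, fld, value in actions:
        target = ticket if direction == "case->ticket" else case
        if fld == "comment":
            target.comments.append(value)
        else:
            setattr(target, fld, value)


def sync_until_converged(case: CaseState, ticket: TicketState, max_rounds: int = 3) -> int:
    """Plan and apply until nothing is left; return the number of rounds that did work."""
    for n in range(1, max_rounds + 1):
        actions = plan_sync(case, ticket)
        if not actions:
            return n - 1
        apply_sync(case, ticket, actions)
    raise RuntimeError("sync did not converge")


def sample_pair():
    """Constructed sample: the ticket was resolved in the ticketing system after the case changed."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)
    case = CaseState("case-1", "High", "Open", modified=t0, comments=["Triaged: public bucket"])
    ticket = TicketState("SCCE-7", "Medium", resolved=True, modified=t1,
                         comments=["Bucket made private"])
    return case, ticket


if __name__ == "__main__":
    case, ticket = sample_pair()
    for action in plan_sync(case, ticket):
        print(action)
    print("rounds:", sync_until_converged(case, ticket), "case status:", case.status)
```

The convergence check at the end is the property worth testing in any real sync job: after one round, a second plan must be empty, otherwise the job will keep rewriting fields (and re-posting comments) on every schedule.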

Before you begin

To enable case synchronization, you must be granted any of the following SOC roles on the SOAR settings page:

  • Administrator
  • Vulnerability Manager
  • Threat Manager

For more details about SOC roles and permissions required for users, see Control access to features in Security Operations console pages.

Enable synchronization for ticketing systems

To ensure that the information in cases and tickets is automatically synchronized, enable the synchronization job that is relevant to the ticketing system that you integrated with.

To enable the synchronization job, complete the following steps:

  1. In the Google Cloud console, go to Security Command Center.

  2. In the navigation menu, click Response > Playbooks. The Playbooks page opens in the Security Operations console.

  3. Click Response > Job Scheduler.

  4. Choose the correct synchronization job:

    • If you integrated with Jira, select the Sync SCC-Jira Tickets job.

    • If you integrated with ServiceNow, select the Sync SCC-ServiceNow Tickets job.

  5. Switch the toggle to enable the selected job.

  6. Click Save to enable Security Command Center to synchronize case data with the ticketing system automatically.

Create tickets for existing cases

Security Command Center automatically creates tickets only for cases opened after you have integrated with a ticketing system and does not retroactively attach new playbooks to existing alerts. To create tickets for cases opened before integrating with a ticketing system, use one of the following approaches:

  • Close a case that has no ticket and wait until SCC reingests findings and assigns a new playbook to the case alerts.

  • Manually add a playbook to any alert in a case that was opened before you integrated with a ticketing system.

Close a case with no ticket

To close a case that has no ticket, complete the following steps:

  1. In the Google Cloud console, go to Security Command Center.

  2. In the navigation, click Risk > Cases. The Cases page opens in the Security Operations console.

  3. Click Open Filter. The Case queue filter panel opens.

  4. In the Case queue filter, specify the following:

    1. In the Time Frame field, specify the time period for open cases.
    2. Set Logical operator to AND.
    3. For the first value under Logical operator, select Tags.
    4. Set the condition to IS.
    5. For the second value, select Internal-SCC-Ticket-Info.
    6. Click Apply to update cases in the case queue and show only the cases that match the filter you specified.
  5. From the case queue, select the case.

  6. In the Case view, select Close Case. The Close Case window opens.

  7. In the Close Case window, specify the following:

    1. Select a value for the Reason field to state the reason for closing the case.

    2. Select a value for the Root Cause field to state the cause for closing the case.

    3. Optional: Add a comment.

    4. Click Close to close the case. Security Command Center then reingests findings into a new case and automatically attaches the correct playbook to them.

Manually add a playbook to an alert

To manually attach a playbook to an alert in an existing case, complete the following steps:

  1. In the Google Cloud console, go to Security Command Center.

  2. Click Risk > Cases. The Cases page opens in the Security Operations console.

  3. Click Open Filter. The Case queue filter panel opens.

  4. In the Case queue filter, specify the following:

    1. In the Time Frame field, specify the time period for open cases.
    2. Set Logical operator to AND.
    3. For the first value under Logical operator, select Tags.
    4. Set the condition to IS.
    5. For the second value, select Internal-SCC-Ticket-Info.
    6. Click Apply to update cases in the case queue and show only the cases that match the filter you specified.
  5. From the case queue, select the case.

  6. Select any alert contained in the case.

  7. In the alert view, go to the Playbooks tab.

  8. Click Add Playbook. The Add a Playbook window with a list of available playbooks appears.

  9. In the search field of the Add a Playbook window, enter Posture Findings.

    • If you integrated with Jira, select the Posture Findings With Jira playbook.
    • If you integrated with ServiceNow, select the Posture Findings With SNOW playbook.
  10. Click Add to add the playbook to the alert.

Upon completion, the playbook creates a ticket for a case and automatically populates the ticket with information from the case.

Adding a playbook to a single alert within a case is sufficient to create a ticket and trigger data synchronization.

What's next