Collect Security Command Center Error logs

This document explains how to export and ingest Security Command Center Error logs into Google Security Operations using Cloud Storage. The parser transforms raw JSON formatted logs into a unified data model (UDM). It extracts relevant fields from the raw log, performs data cleaning and normalization, and structures the output according to the UDM schema for consistent security analysis.

Before you begin

Ensure that you have the following prerequisites:

  • Security Command Center is enabled and configured in your Google Cloud environment.
  • Google SecOps instance.
  • Privileged access to Security Command Center and Cloud Logging.

Create a Cloud Storage bucket

  1. Sign in to the Google Cloud console.
  2. Go to the Cloud Storage Buckets page.

    Go to Buckets

  3. Click Create.

  4. On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:

    1. In the Get started section, do the following:

      1. Enter a unique name that meets the bucket name requirements; for example, gcp-scc-error-logs.
      2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.

      3. To add a bucket label, click the expander arrow to expand the Labels section.

      4. Click Add label, and specify a key and a value for your label.

    2. In the Choose where to store your data section, do the following:

      1. Select a Location type.
      2. Use the location type menu to select a Location where object data within your bucket will be permanently stored.

      3. To set up cross-bucket replication, expand the Set up cross-bucket replication section.

    3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.

    4. In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.

    5. In the Choose how to protect object data section, do the following:

      1. Select any of the options under Data protection that you want to set for your bucket.
      2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
  5. Click Create.

Configure Security Command Center logging

  1. Sign in to the Google Cloud console.
  2. Go to the Security Command Center page.

    Go to Security Command Center

  3. Select your organization.

  4. Click Settings.

  5. Click the Continuous Exports tab.

  6. Under Export name, click Logging Export.

  7. Under Sinks, turn on Log Findings to Logging.

  8. Under Logging project, enter or search for the project where you want to log findings.

  9. Click Save.

Configure Security Command Center Error logs export

  1. Sign in to the Google Cloud console.
  2. Go to Logging > Log Router.
  3. Click Create Sink.
  4. Provide the following configuration parameters:

    • Sink Name: enter a meaningful name; for example, scc-error-logs-sink.
    • Sink Destination: select Cloud Storage and enter the URI for your bucket; for example, gs://gcp-scc-error-logs.
    • Log Filter (the two lines are combined with an implicit AND; replace <your-project-id> with the project you chose as the Logging project):

        logName = "projects/<your-project-id>/logs/cloudsecurityscanner.googleapis.com%2Ferror_logs"
        resource.type = "security_command_center_error"

    • Set Export Options: include all log entries.

  5. Click Create.

Configure permissions for Cloud Storage

  1. Go to IAM & Admin > IAM.
  2. Locate the Cloud Logging service account.
  3. Grant the roles/storage.admin role on the bucket.

Set up feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Security Command Center Error Logs.
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select Security Command Center Error as the Log type.
  7. Click Get Service Account next to the Chronicle Service Account field.
  8. Click Next.
  9. Specify values for the following input parameters:
    • Storage Bucket URI: Cloud Storage bucket URL; for example, gs://gcp-scc-error-logs.
    • Source deletion options: select the deletion option according to your preference. Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
    • Maximum File Age: Includes files modified in the last number of days. Default is 180 days.
  10. Click Next.
  11. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
| --- | --- | --- |
| access.principalEmail | about.user.email_addresses | Value taken from the access.principalEmail field. |
| category | metadata.product_event_type | Value taken from the category or findings.category field depending on the log format. |
| contacts.security.contacts.email | security_result.about.user.email_addresses | Value taken from the contacts.security.contacts.email field. The role is set to Security. |
| contacts.technical.contacts.email | security_result.about.user.email_addresses | Value taken from the contacts.technical.contacts.email field. The role is set to Technical. |
| createTime | security_result.detection_fields.value | Value taken from the createTime or findings.createTime field depending on the log format. The key is set to createTime. |
| description | security_result.description | Value taken from the description or findings.description field depending on the log format. |
| eventTime | metadata.event_timestamp | Value taken from the eventTime or findings.eventTime field depending on the log format and converted to a timestamp. |
| externalUri | about.url | Value taken from the externalUri or findings.externalUri field depending on the log format. |
| findingClass | security_result.category_details | Value taken from the findingClass or findings.findingClass field depending on the log format. |
| findingProviderId | target.resource.attribute.labels.value | Value taken from the findingProviderId or findings.findingProviderId field depending on the log format. The key is set to finding_provider_id. |
| mute | security_result.detection_fields.value | Value taken from the mute or findings.mute field depending on the log format. The key is set to mute. |
| nextSteps | security_result.outcomes.value | Value taken from the nextSteps or findings.nextSteps field depending on the log format. The key is set to nextSteps. |
| resourceName | target.resource.name | Value taken from the resourceName, findings.resourceName, resource_name or findings.resource_name field depending on the log format. |
| securityMarks.name | security_result.detection_fields.value | Value taken from the securityMarks.name or findings.securityMarks.name field depending on the log format. The key is set to securityMarks_name. |
| severity | security_result.severity | Value taken from the severity or findings.severity field depending on the log format and mapped to the corresponding UDM severity level. |
| sourceDisplayName | target.resource.attribute.labels.value | Value taken from the sourceDisplayName or findings.sourceDisplayName field depending on the log format. The key is set to source_display_name. |
| sourceProperties.ReactivationCount | target.resource.attribute.labels.value | Value taken from the sourceProperties.ReactivationCount or findings.sourceProperties.ReactivationCount field depending on the log format. The key is set to sourceProperties_ReactivationCount. |
| state | security_result.detection_fields.value | Value taken from the state or findings.state field depending on the log format. The key is set to state. |
| | metadata.event_type | Set to GENERIC_EVENT as a default value. |
| | metadata.log_type | Hardcoded value GCP_SECURITYCENTER_ERROR. |
| | metadata.description | Hardcoded value Security Command Center. |
| | metadata.product_name | Hardcoded value Security Command Center. |
| | metadata.vendor_name | Hardcoded value Google. |
| | target.resource.attribute.labels.key | Hardcoded value finding_id. |
| | target.resource.attribute.labels.value | Extracted from the name or findings.name field, capturing the last part after the last / character. |
| | target.resource.product_object_id | Extracted from the parent or findings.parent field, capturing the value after the last / character. |
| | target.resource.ancestors.name | Value taken from the parent or findings.parent field depending on the log format. |
| | target.resource_ancestors.name | Extracted from the resourceName or findings.resourceName field, capturing the value after the //cloudresourcemanager.googleapis.com/projects/ prefix. |
| | target.resource_ancestors.resource_type | Hardcoded value CLOUD_PROJECT. |
| | target.resource.attribute.labels.key | Hardcoded value source_id. |
| | target.resource.attribute.labels.value | Extracted from the parent or findings.parent field, capturing the value after the second / character. |
| | security_result.alert_state | Mapped based on the state or findings.state field. If the state is ACTIVE, the alert_state is set to ALERTING, otherwise NOT_ALERTING. |
| | about.user.email_addresses | Value taken from the iamBindings.member field. |
| | about.user.attribute.roles.name | Hardcoded value Security. |
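The following Python is an added example, not the Google SecOps parser itself, that applies the mapping logic listed in the table to a Security Command Center Error entry. It handles both formats the table refers to (fields at the top level and fields nested under findings), performs the string extractions the table describes (last path segment for finding_id and product_object_id, the project name after the //cloudresourcemanager.googleapis.com/projects/ prefix, the ACTIVE to ALERTING rule), and returns a UDM-shaped dict. The sample entries, the SEVERITY_MAP table and the exact dict layout are assumptions made for this illustration; the UDM field names come from the table.

```python
# Added illustration, not the Google SecOps parser: applies the mapping logic from the
# table above to constructed SCC Error entries in both formats the table mentions.
import json
from datetime import datetime

# Assumption: severities map one-to-one onto UDM severity names; the page only
# says "mapped to the corresponding UDM severity level".
SEVERITY_MAP = {"CRITICAL": "CRITICAL", "HIGH": "HIGH", "MEDIUM": "MEDIUM", "LOW": "LOW"}
PROJECT_PREFIX = "//cloudresourcemanager.googleapis.com/projects/"

def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def _field(raw, *names):
    """First present value among <name> and findings.<name>, for each name given."""
    for name in names:
        for path in (name, "findings." + name):
            if (value := _get(raw, path)) is not None:
                return value
    return None

def scc_error_to_udm(raw):
    """Return a UDM-shaped dict for one raw SCC Error log entry (a dict)."""
    labels, detection = [], []
    udm = {
        "metadata": {"event_type": "GENERIC_EVENT", "log_type": "GCP_SECURITYCENTER_ERROR",
                     "description": "Security Command Center",
                     "product_name": "Security Command Center", "vendor_name": "Google"},
        "security_result": {"detection_fields": detection,
                            "about": {"user": {"email_addresses": [], "attribute": {"roles": []}}}},
        "target": {"resource": {"attribute": {"labels": labels}}},
        "about": {"user": {"email_addresses": [], "attribute": {"roles": [{"name": "Security"}]}}},
    }
    md, sr, tr = udm["metadata"], udm["security_result"], udm["target"]["resource"]
    if (cat := _field(raw, "category")) is not None:
        md["product_event_type"] = cat
    if (ts := _field(raw, "eventTime")) is not None:
        # fromisoformat() rejects the RFC 3339 "Z" suffix before Python 3.11
        md["event_timestamp"] = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    for src, dst in (("description", "description"), ("findingClass", "category_details")):
        if (v := _field(raw, src)) is not None:
            sr[dst] = v
    if (sev := _field(raw, "severity")) is not None:
        sr["severity"] = SEVERITY_MAP.get(sev, "UNKNOWN_SEVERITY")
    if (uri := _field(raw, "externalUri")) is not None:
        udm["about"]["url"] = uri
    if (steps := _field(raw, "nextSteps")) is not None:
        sr["outcomes"] = [{"key": "nextSteps", "value": steps}]
    # Key/value pairs, keyed exactly as the table lists them.
    for src, key in (("createTime", "createTime"), ("mute", "mute"),
                     ("securityMarks.name", "securityMarks_name"), ("state", "state")):
        if (v := _field(raw, src)) is not None:
            detection.append({"key": key, "value": str(v)})
    for src, key in (("findingProviderId", "finding_provider_id"),
                     ("sourceDisplayName", "source_display_name"),
                     ("sourceProperties.ReactivationCount", "sourceProperties_ReactivationCount")):
        if (v := _field(raw, src)) is not None:
            labels.append({"key": key, "value": str(v)})
    if (name := _field(raw, "name")) is not None:
        labels.append({"key": "finding_id", "value": name.rsplit("/", 1)[-1]})
    if (parent := _field(raw, "parent")) is not None:
        tr["product_object_id"] = parent.rsplit("/", 1)[-1]
        tr["ancestors"] = [{"name": parent}]
        # The table says "the value after the second / character"; taken literally here.
        labels.append({"key": "source_id", "value": parent.split("/", 2)[-1]})
    if (res := _field(raw, "resourceName", "resource_name")) is not None:
        tr["name"] = res
        if res.startswith(PROJECT_PREFIX):
            udm["target"]["resource_ancestors"] = [
                {"name": res[len(PROJECT_PREFIX):], "resource_type": "CLOUD_PROJECT"}]
    sr["alert_state"] = "ALERTING" if _field(raw, "state") == "ACTIVE" else "NOT_ALERTING"
    sr_user = sr["about"]["user"]  # contact addresses carry the role the table assigns
    for path, role in (("contacts.security.contacts", "Security"),
                       ("contacts.technical.contacts", "Technical")):
        for contact in _field(raw, path) or []:
            if "email" in contact:
                sr_user["email_addresses"].append(contact["email"])
                sr_user["attribute"]["roles"].append({"name": role})
    for path in ("access.principalEmail", "iamBindings.member"):
        if (v := _field(raw, path)) is not None:
            udm["about"]["user"]["email_addresses"].append(v)
    return udm

SAMPLE_FLAT = {  # constructed entry in the top-level format; values are not real findings
    "name": "organizations/123/sources/456/findings/789", "parent": "organizations/123/sources/456",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/my-project",
    "category": "SCC_ERROR", "state": "ACTIVE", "severity": "HIGH", "mute": "UNMUTED",
    "eventTime": "2024-05-01T12:00:00Z", "createTime": "2024-05-01T11:59:00Z",
    "nextSteps": "Constructed next step", "securityMarks": {"name": "constructed/securityMarks"},
    "sourceProperties": {"ReactivationCount": 2}, "access": {"principalEmail": "user@example.com"},
    "contacts": {"security": {"contacts": [{"email": "sec@example.com"}]},
                 "technical": {"contacts": [{"email": "tech@example.com"}]}},
}
SAMPLE_NESTED = {"findings": {**SAMPLE_FLAT, "state": "INACTIVE"}}  # constructed nested format

if __name__ == "__main__":
    print(json.dumps(scc_error_to_udm(SAMPLE_FLAT), indent=2))
```

Running the module prints the UDM record for the top-level sample; passing SAMPLE_NESTED instead exercises the findings.* lookup path and, because its state is INACTIVE, yields alert_state NOT_ALERTING. The source_id extraction follows the table's wording literally, so for the constructed parent it yields sources/456; check that against real entries before relying on it in a detection rule.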
