Collect Cloud Security Command Center Error logs

This document explains how to export and ingest Security Command Center Error logs into Google Security Operations using Cloud Storage. The parser transforms raw JSON formatted logs into a unified data model (UDM). It extracts relevant fields from the raw log, performs data cleaning and normalization, and structures the output according to the UDM schema for consistent security analysis.

Before you begin

  • Ensure that Google Cloud Security Command Center is enabled and configured in your Google Cloud environment.
  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Security Command Center and Cloud Logging.

Create a Cloud Storage bucket

  1. Sign in to the Google Cloud console.
  2. Go to the Cloud Storage Buckets page.

    Go to Buckets

  3. Click Create.

  4. On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:

    1. In the Get started section, do the following:

      1. Enter a unique name that meets the bucket name requirements; for example, gcp-scc-error-logs.
      2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.

      3. To add a bucket label, click the expander arrow to expand the Labels section.

      4. Click Add label, and specify a key and a value for your label.

    2. In the Choose where to store your data section, do the following:

      1. Select a Location type.
      2. Use the location type menu to select a Location where object data within your bucket will be permanently stored.

      3. To set up cross-bucket replication, expand the Set up cross-bucket replication section.

    3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.

    4. In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.

    5. In the Choose how to protect object data section, do the following:

      1. Select any of the options under Data protection that you want to set for your bucket.
      2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
  5. Click Create.

Configure Security Command Center logging

  1. Sign in to the Google Cloud console.
  2. Go to the Security Command Center page.

    Go to Security Command Center

  3. Select your organization.

  4. Click Settings.

  5. Click the Continuous Exports tab.

  6. Under Export name, click Logging Export.

  7. Under Sinks, turn on Log Findings to Logging.

  8. Under Logging project, enter or search for the project where you want to log findings.

  9. Click Save.

Configure Google Cloud Security Command Center Error logs export

  1. Sign in to the Google Cloud console.
  2. Go to Logging > Log Router.
  3. Click Create Sink.
  4. Provide the following configuration parameters:

    • Sink Name: enter a meaningful name; for example, scc-error-logs-sink.
    • Sink Destination: select Cloud Storage and enter the URI for your bucket; for example, gs://gcp-scc-error-logs.
    • Log Filter:

      logName="projects/<your-project-id>/logs/cloudsecurityscanner.googleapis.com%2Ferror_logs"
      resource.type="security_command_center_error"

    • Set Export Options: include all log entries.

  5. Click Create.

Configure permissions for Cloud Storage

  1. Go to IAM & Admin > IAM.
  2. Locate the Cloud Logging service account.
  3. Grant the roles/storage.admin role on the bucket.

Configure a feed in Google SecOps to ingest Google Cloud Security Command Center Error logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed; for example, Google Cloud Security Command Center Error Logs.
  4. Select Google Cloud Storage as the Source type.
  5. Select Security Command Center Error as the Log type.
  6. Click Get Service Account next to the Chronicle Service Account field.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Storage Bucket URI: Cloud Storage bucket URL; for example, gs://gcp-scc-error-logs.
    • URI Is A: select Directory which includes subdirectories.
    • Source deletion options: select the deletion option according to your preference.

    • Asset namespace: the asset namespace.

    • Ingestion labels: the label applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field | UDM Mapping | Logic
--- | --- | ---
access.principalEmail | about.user.email_addresses | Value taken from the access.principalEmail field.
category | metadata.product_event_type | Value taken from the category or findings.category field depending on the log format.
contacts.security.contacts.email | security_result.about.user.email_addresses | Value taken from the contacts.security.contacts.email field. The role is set to Security.
contacts.technical.contacts.email | security_result.about.user.email_addresses | Value taken from the contacts.technical.contacts.email field. The role is set to Technical.
createTime | security_result.detection_fields.value | Value taken from the createTime or findings.createTime field depending on the log format. The key is set to createTime.
description | security_result.description | Value taken from the description or findings.description field depending on the log format.
eventTime | metadata.event_timestamp | Value taken from the eventTime or findings.eventTime field depending on the log format and converted to a timestamp.
externalUri | about.url | Value taken from the externalUri or findings.externalUri field depending on the log format.
findingClass | security_result.category_details | Value taken from the findingClass or findings.findingClass field depending on the log format.
findingProviderId | target.resource.attribute.labels.value | Value taken from the findingProviderId or findings.findingProviderId field depending on the log format. The key is set to finding_provider_id.
mute | security_result.detection_fields.value | Value taken from the mute or findings.mute field depending on the log format. The key is set to mute.
nextSteps | security_result.outcomes.value | Value taken from the nextSteps or findings.nextSteps field depending on the log format. The key is set to nextSteps.
resourceName | target.resource.name | Value taken from the resourceName, findings.resourceName, resource_name or findings.resource_name field depending on the log format.
securityMarks.name | security_result.detection_fields.value | Value taken from the securityMarks.name or findings.securityMarks.name field depending on the log format. The key is set to securityMarks_name.
severity | security_result.severity | Value taken from the severity or findings.severity field depending on the log format and mapped to the corresponding UDM severity level.
sourceDisplayName | target.resource.attribute.labels.value | Value taken from the sourceDisplayName or findings.sourceDisplayName field depending on the log format. The key is set to source_display_name.
sourceProperties.ReactivationCount | target.resource.attribute.labels.value | Value taken from the sourceProperties.ReactivationCount or findings.sourceProperties.ReactivationCount field depending on the log format. The key is set to sourceProperties_ReactivationCount.
state | security_result.detection_fields.value | Value taken from the state or findings.state field depending on the log format. The key is set to state.
 | is_alert | Set to true if the parser logic determines that the event represents an active alert.
 | is_significant | Set to true if the parser logic determines that the event is significant.
 | metadata.event_type | Set to GENERIC_EVENT as a default value.
 | metadata.log_type | Hardcoded value GCP_SECURITYCENTER_ERROR.
 | metadata.description | Hardcoded value Security Command Center.
 | metadata.product_name | Hardcoded value Security Command Center.
 | metadata.vendor_name | Hardcoded value Google.
 | target.resource.attribute.labels.key | Hardcoded value finding_id.
 | target.resource.attribute.labels.value | Extracted from the name or findings.name field, capturing the last part after the last / character.
 | target.resource.product_object_id | Extracted from the parent or findings.parent field, capturing the value after the last / character.
 | target.resource.ancestors.name | Value taken from the parent or findings.parent field depending on the log format.
 | target.resource_ancestors.name | Extracted from the resourceName or findings.resourceName field, capturing the value after the //cloudresourcemanager.googleapis.com/projects/ prefix.
 | target.resource_ancestors.resource_type | Hardcoded value CLOUD_PROJECT.
 | target.resource.attribute.labels.key | Hardcoded value source_id.
 | target.resource.attribute.labels.value | Extracted from the parent or findings.parent field, capturing the value after the second / character.
 | security_result.alert_state | Mapped based on the state or findings.state field. If the state is ACTIVE, the alert_state is set to ALERTING, otherwise NOT_ALERTING.
 | about.user.email_addresses | Value taken from the iamBindings.member field.
 | about.user.attribute.roles.name | Hardcoded value Security.
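The derivations in the table above (finding_id, source_id, product_object_id, the project ancestor and alert_state) can be reproduced locally to check what the parser will emit for a given log line before the feed is live. The following is an added example, not the Google SecOps parser itself; the sample log line is constructed, the nested-under-findings handling follows the table's "depending on the log format" wording, and the SCC-to-UDM severity mapping is an assumption since the page does not spell it out.

```python
import json
from datetime import datetime, timezone

PROJECT_PREFIX = "//cloudresourcemanager.googleapis.com/projects/"
# Assumed SCC -> UDM severity mapping (the page only says "mapped to the
# corresponding UDM severity level"); anything else becomes UNKNOWN_SEVERITY.
SEVERITY = {"CRITICAL": "CRITICAL", "HIGH": "HIGH", "MEDIUM": "MEDIUM", "LOW": "LOW"}

# Constructed sample log line (all values are made up for illustration).
SAMPLE_LINE = json.dumps({"findings": {
    "name": "organizations/111111111111/sources/2222222222222222222/findings/f0e1d2c3",
    "parent": "organizations/111111111111/sources/2222222222222222222",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/333333333333",
    "state": "ACTIVE", "category": "SCC_ERROR", "severity": "HIGH",
    "eventTime": "2023-11-29T10:15:30Z",
}})


def to_udm(line: str) -> dict:
    """Apply the mapping table's derivations to one JSON log line."""
    raw = json.loads(line)
    f = raw.get("findings", raw)  # finding may be top-level or nested under "findings"
    name, parent = f.get("name", ""), f.get("parent", "")
    resource = f.get("resourceName") or f.get("resource_name") or ""
    event_time = f.get("eventTime", "")
    # eventTime is RFC 3339 with a trailing Z; fromisoformat needs an explicit offset
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00")) if event_time else None
    return {
        "metadata": {
            "event_type": "GENERIC_EVENT",
            "log_type": "GCP_SECURITYCENTER_ERROR",
            "vendor_name": "Google",
            "product_name": "Security Command Center",
            "product_event_type": f.get("category", ""),
            "event_timestamp": int(ts.astimezone(timezone.utc).timestamp()) if ts else None,
        },
        "security_result": {
            "severity": SEVERITY.get(f.get("severity", ""), "UNKNOWN_SEVERITY"),
            # Only an ACTIVE finding alerts; every other state is NOT_ALERTING
            "alert_state": "ALERTING" if f.get("state") == "ACTIVE" else "NOT_ALERTING",
        },
        "target": {
            "resource": {
                "name": resource,
                "product_object_id": parent.rsplit("/", 1)[-1],  # after the last "/" of parent
                "attribute": {"labels": [
                    {"key": "finding_id", "value": name.rsplit("/", 1)[-1]},  # last segment of name
                    {"key": "source_id", "value": parent.split("/", 2)[-1]},  # after the second "/"
                ]},
            },
            # Project number after the cloudresourcemanager prefix, typed as CLOUD_PROJECT
            "resource_ancestors": [{"name": resource[len(PROJECT_PREFIX):], "resource_type": "CLOUD_PROJECT"}]
            if resource.startswith(PROJECT_PREFIX) else [],
        },
    }
```

Feeding a line from the exported bucket through to_udm and comparing the result with the event shown in Google SecOps is a quick way to confirm the sink filter is capturing the format the parser expects.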

Changes

2023-11-29

  • Fixed an inconsistency between how principal/target.hostname and principal/target.asset.hostname were being handled.

2023-05-02

  • Ensured that the security_result.url_back_to_product field now contains a properly formatted web address.

2023-04-12
