Cloud Asset Inventory
This document provides guidance to help you configure and integrate Cloud Asset Inventory with Google Security Operations SOAR.
Prerequisites
Before you proceed to configuring the integration in Google Security Operations SOAR, make sure to complete the following prerequisite steps:
Create and configure the IAM role.
Create a service account.
Create and configure the IAM role
In the Google Cloud console, go to the IAM Roles page.
Click Create role to create a custom role with permissions required for the integration.
For a new custom role, provide the Title, Description, and a unique ID.
Set the Role Launch Stage to General Availability.
Add the following permission to the created role:
cloudasset.assets.searchAllResources
Click Create.
Create a service account
To create a service account, follow the procedure for creating a service account.
After you have created a service account, download it as a JSON file. You need to provide the downloaded JSON file when configuring the integration parameters.
Integrate Cloud Asset Inventory with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
Parameter | Required | Description |
---|---|---|
API Root | Required | API root of the Cloud Asset Inventory instance. Default value is |
Organization ID | Optional | Organization ID that should be used in the Cloud Asset Inventory integration. |
User's Service Account | Required | Service account of the Cloud Asset Inventory instance. Make sure to provide the full content of the service account JSON file that you have downloaded when creating a service account. |
Verify SSL | Required | When checked, the parameter verifies if the SSL certificate for connecting to the Cloud Asset Inventory server is valid. Checked by default. |
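The User's Service Account parameter takes the whole key file, and a truncated paste or a user credential file pasted by mistake only surfaces later as a connection failure in Ping. The following added check, which is not part of the integration or of Google's tooling, parses the pasted text and reports what is wrong before it reaches the configuration page. The field list reflects the standard service-account key file format; the sample key file is constructed with placeholder values.

```python
import json

# Fields a Google service-account key file carries; the integration needs the whole file.
REQUIRED_KEYS = ("type", "project_id", "private_key_id", "private_key",
                 "client_email", "client_id", "token_uri")

# Constructed sample with placeholder values; this is not a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "soar-cai-reader@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def validate_service_account_json(raw):
    """Return a list of problems with the pasted key-file text; an empty list means it looks usable."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        # A cut-off paste usually fails here, with the position pointing at the truncation.
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(data, dict):
        return ["top-level value is not a JSON object"]

    problems = [f"missing or empty field: {key}" for key in REQUIRED_KEYS if not data.get(key)]

    # A gcloud user credential file has type "authorized_user"; the integration needs a service account.
    kind = data.get("type")
    if kind and kind != "service_account":
        problems.append(f"type is {kind!r}, expected 'service_account'")

    pem = data.get("private_key", "")
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM private key block")

    email = data.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems


if __name__ == "__main__":
    print(validate_service_account_json(SAMPLE_KEY_FILE) or "key file looks usable")
```

The check only inspects structure; it does not verify that the key is valid or that the service account holds the custom role, which is what the Ping action confirms once the parameters are saved.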
Actions
Enrich resource
Enrich information about a Google Cloud resource using Cloud Asset Inventory.
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Required | Description |
---|---|---|
Resource Names | Required | A comma-separated list containing resource names of resources to fetch details for. |
Fields To Return | Optional | A comma-separated list of fields to return. Default value is Examples of values: There is also an option to provide more advanced filters. For example, to return a specific key from the |
Action outputs
Action output type | Availability |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
Entity insight | N/A |
Insight | N/A |
JSON result | Available |
OOTB widget | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
JSON result
```json
[
  {
    "Entity": "//iam.googleapis.com/projects/test-project/serviceAccounts/123456789/keys/1d0b9d0d4641b4a1c09ce1ccc8b070454f2gfrd843",
    "EntityResult": {
      "additionalAttributes": {
        "email": "test-2@test-project.iam.gserviceaccount.com",
        "uniqueId": 123456789
      },
      "name": "//iam.googleapis.com/projects/test-project/serviceAccounts/123456789/keys/1d0b9d0d4641b4a1c09ce1ccc8b070454f2gfrd843",
      "assetType": "iam.googleapis.com/ServiceAccountKey",
      "project": "projects/123456789",
      "displayName": "projects/test-project/serviceAccounts/test-service-account@test-project.iam.gserviceaccount.com/keys/1d0b9d0d4641b4a1c09ce1ccc8b070454f2gfrd843",
      "createTime": "2022-05-26T17:35:07Z",
      "versionedResources": [
        {
          "version": "v1",
          "resource": {
            "keyAlgorithm": "KEY_ALG_RSA_2048",
            "keyOrigin": "GOOGLE_PROVIDED",
            "keyType": "USER_MANAGED",
            "name": "projects/test-project/serviceAccounts/test-service-account@test-project.iam.gserviceaccount.com/keys/1d0b9d0d4641b4a1c09ce1ccc8b070454f2gfrd843",
            "validAfterTime": "2022-05-26T17:35:07Z",
            "validBeforeTime": "9999-12-31T23:59:59Z"
          }
        }
      ],
      "organization": "organizations/123456789",
      "parentFullResourceName": "//iam.googleapis.com/projects/test-project/serviceAccounts/test-service-account@test-project.iam.gserviceaccount.com",
      "parentAssetType": "iam.googleapis.com/ServiceAccount"
    }
  }
]
```
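The sample result above is a user-managed service account key with a validBeforeTime of 9999-12-31, which is what a key that never expires looks like in Cloud Asset Inventory. A playbook step that consumes this JSON usually wants those facts turned into findings. The following added example, which is not part of the integration, walks the versionedResources entry of each ServiceAccountKey entity and reports key type, age and expiry; the data is a copy of the page's sample result, and the reference time and 90-day age limit are constructed for the example.

```python
from datetime import datetime, timezone

# Copy of the page's sample Enrich resource result, trimmed to the fields used below.
SAMPLE_ENRICH_RESULT = [
    {
        "Entity": "//iam.googleapis.com/projects/test-project/serviceAccounts/123456789/keys/1d0b9d0d4641b4a1c09ce1ccc8b070454f2gfrd843",
        "EntityResult": {
            "assetType": "iam.googleapis.com/ServiceAccountKey",
            "versionedResources": [
                {
                    "version": "v1",
                    "resource": {
                        "keyAlgorithm": "KEY_ALG_RSA_2048",
                        "keyOrigin": "GOOGLE_PROVIDED",
                        "keyType": "USER_MANAGED",
                        "name": "projects/test-project/serviceAccounts/test-service-account@test-project.iam.gserviceaccount.com/keys/1d0b9d0d4641b4a1c09ce1ccc8b070454f2gfrd843",
                        "validAfterTime": "2022-05-26T17:35:07Z",
                        "validBeforeTime": "9999-12-31T23:59:59Z",
                    },
                }
            ],
            "parentFullResourceName": "//iam.googleapis.com/projects/test-project/serviceAccounts/test-service-account@test-project.iam.gserviceaccount.com",
            "parentAssetType": "iam.googleapis.com/ServiceAccount",
        },
    }
]

# Constructed reference time for the age calculation (the snapshot time used elsewhere on the page).
REFERENCE_TIME = datetime(2023, 8, 14, 19, 43, 41, tzinfo=timezone.utc)


def _parse_rfc3339(value):
    # API timestamps end in "Z"; fromisoformat needs an explicit offset on older Python versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_service_account_key(entity_result, now, max_age_days=90):
    """Summarise one ServiceAccountKey asset and list the findings a reviewer would act on."""
    resource = entity_result["versionedResources"][0]["resource"]
    created = _parse_rfc3339(resource["validAfterTime"])
    expires = _parse_rfc3339(resource["validBeforeTime"])
    age_days = (now - created).days

    findings = []
    if resource["keyType"] == "USER_MANAGED":
        findings.append("user-managed key: rotation is the key owner's responsibility")
    if expires.year >= 9999:
        findings.append("key never expires")
    if age_days > max_age_days:
        findings.append(f"key is {age_days} days old, older than the {max_age_days}-day limit")

    return {
        "service_account": entity_result["parentFullResourceName"].rsplit("/", 1)[-1],
        "key_id": resource["name"].rsplit("/", 1)[-1],
        "key_type": resource["keyType"],
        "age_days": age_days,
        "expires": resource["validBeforeTime"],
        "findings": findings,
    }


def assess_enrich_result(results, now, max_age_days=90):
    """Assess every ServiceAccountKey entity in an Enrich resource JSON result; other asset types are skipped."""
    return [
        assess_service_account_key(item["EntityResult"], now, max_age_days)
        for item in results
        if item["EntityResult"].get("assetType") == "iam.googleapis.com/ServiceAccountKey"
    ]


if __name__ == "__main__":
    for row in assess_enrich_result(SAMPLE_ENRICH_RESULT, REFERENCE_TIME):
        print(row["service_account"], row["key_id"], row["age_days"], row["findings"])
```

Keys created by Google for its own use (keyType SYSTEM_MANAGED) are rotated automatically and are skipped by the first check; only the age and expiry checks apply to them.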
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Enrich resources". Reason: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Get Resource Snapshot
Get information about the resource using Cloud Asset Inventory.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Required | Description |
---|---|---|
Resource Names | Required | Comma-separated list of resources to fetch details for. |
Fields To Return | Optional | Comma-separated list of fields to return. Input every field in the following format: assets.FIELD Example of values: Default value is |
Action outputs
Action output type | Availability |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | Available |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
JSON result
For this action, there are two types of JSON results: one is for Google Cloud and the other for AWS.
JSON result for Google Cloud:
```json
[
  {
    "Entity": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/example-instance",
    "EntityResult": {
      "window": {
        "startTime": "2023-08-14T19:43:41.805828Z",
        "endTime": "2262-04-11T23:47:16.854775807Z"
      },
      "asset": {
        "name": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/example-instance",
        "assetType": "compute.googleapis.com/Instance",
        "resource": {
          "version": "v1",
          "discoveryDocumentUri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
          "discoveryName": "Instance",
          "parent": "//cloudresourcemanager.googleapis.com/projects/example-project-id",
          "data": {
            "description": "",
            "serviceAccounts": [
              {
                "email": "user@example.com",
                "scopes": [
                  "https://www.googleapis.com/auth/devstorage.read_only",
                  "https://www.googleapis.com/auth/logging.write",
                  "https://www.googleapis.com/auth/monitoring.write",
                  "https://www.googleapis.com/auth/servicecontrol",
                  "https://www.googleapis.com/auth/service.management.readonly",
                  "https://www.googleapis.com/auth/trace.append"
                ]
              }
            ],
            "lastStartTimestamp": "2022-05-26T01:44:52.756-07:00",
            "deletionProtection": false,
            "name": "example-name",
            "keyRevocationActionType": "NONE_ON_KEY_REVOCATION",
            "canIpForward": false,
            "shieldedInstanceIntegrityPolicy": {
              "updateAutoLearnPolicy": true
            },
            "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
            "resourceStatus": {},
            "scheduling": {
              "onHostMaintenance": "MIGRATE",
              "preemptible": false,
              "provisioningModel": "STANDARD",
              "automaticRestart": true
            },
            "machineType": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a/machineTypes/e2-micro",
            "confidentialInstanceConfig": {
              "enableConfidentialCompute": false
            },
            "selfLink": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a/instances/example-instance",
            "id": "example-id",
            "fingerprint": "example-fingerprint",
            "startRestricted": false,
            "networkInterfaces": [
              {
                "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/example-network",
                "stackType": "IPV4_ONLY",
                "name": "example",
                "subnetwork": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1/subnetworks/example-network-subnet",
                "accessConfigs": [
                  {
                    "type": "ONE_TO_ONE_NAT",
                    "name": "External NAT",
                    "natIP": "192.0.2.1",
                    "networkTier": "PREMIUM"
                  }
                ],
                "fingerprint": "example-fingerprint",
                "networkIP": "203.0.113.2"
              }
            ],
            "allocationAffinity": {
              "consumeAllocationType": "ANY_ALLOCATION"
            },
            "labelFingerprint": "example-label",
            "shieldedInstanceConfig": {
              "enableSecureBoot": false,
              "enableVtpm": true,
              "enableIntegrityMonitoring": true
            },
            "cpuPlatform": "Intel Broadwell",
            "creationTimestamp": "2022-05-26T01:44:40.323-07:00",
            "status": "RUNNING",
            "disks": [
              {
                "guestOsFeatures": [
                  { "type": "VIRTIO_SCSI_MULTIQUEUE" },
                  { "type": "SEV_CAPABLE" },
                  { "type": "UEFI_COMPATIBLE" },
                  { "type": "GVNIC" }
                ],
                "interface": "SCSI",
                "shieldedInstanceInitialState": {
                  "dbxs": [
                    {
                      "content": "2gcDBhMRFQAAAAAAAAAAABENAAAAAvEOndK",
                      "fileType": "BIN"
                    }
                  ],
                  "dbx": [
                    {
                      "fileType": "BIN",
                      "content": "2gcDBhMRFQAAAAAAAAAAABENAAAAAvEOndK"
                    }
                  ]
                },
                "diskSizeGb": "10",
                "deviceName": "example-device-name",
                "type": "PERSISTENT",
                "source": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a/disks/example-instance",
                "boot": true,
                "licenses": [
                  "https://www.googleapis.com/compute/v1/projects/example-project/global/licenses"
                ],
                "index": 0,
                "autoDelete": true,
                "mode": "READ_WRITE"
              }
            ],
            "tags": {
              "items": [
                "http-server"
              ],
              "fingerprint": "example-fingerprint"
            },
            "displayDevice": {
              "enableDisplay": false
            },
            "reservationAffinity": {
              "consumeReservationType": "ANY_ALLOCATION"
            }
          },
          "location": "us-central1-a"
        },
        "ancestors": [
          "projects/example-project-id",
          "organizations/example-org-id"
        ],
        "updateTime": "2023-08-14T19:43:41.805828Z"
      }
    }
  },
  {
    "Entity": "//iam.googleapis.com/projects/example-project/serviceAccounts/example-account-id",
    "EntityResult": {
      "window": {
        "startTime": "2023-12-22T13:37:50Z",
        "endTime": "2262-04-11T23:47:16.854775807Z"
      },
      "asset": {
        "name": "//iam.googleapis.com/projects/example-project/serviceAccounts/example-account-id",
        "assetType": "iam.googleapis.com/ServiceAccount",
        "resource": {
          "version": "v1",
          "discoveryDocumentUri": "https://iam.googleapis.com/$discovery/rest",
          "discoveryName": "ServiceAccount",
          "parent": "//cloudresourcemanager.googleapis.com/projects/example-project-id",
          "data": {
            "name": "projects/example-project/serviceAccounts/cloud-asset-inventory-auto@example-project.iam.gserviceaccount.com",
            "projectId": "example-project",
            "email": "cloud-asset-inventory-auto@example-project.iam.gserviceaccount.com",
            "uniqueId": "example-account-id",
            "displayName": "Cloud Asset Inventory Automation",
            "oauth2ClientId": "example-account-id"
          }
        },
        "ancestors": [
          "projects/example-project-id",
          "organizations/example-org-id"
        ],
        "updateTime": "2023-12-22T13:37:50Z"
      }
    }
  }
]
```
JSON result for AWS:
```json
[
  {
    "Entity": "//cloudasset.googleapis.com/organizations/example-org-id/otherCloudConnections/aws/arn:aws:s3:::aps-max-test-bucket",
    "EntityResult": {
      "assets": [
        {
          "window": {
            "startTime": "2024-01-24T17:51:03.412233028Z",
            "endTime": "2262-04-11T23:47:16.854775807Z"
          },
          "asset": {
            "name": "//cloudasset.googleapis.com/organizations/example-org-id/otherCloudConnections/aws/arn:aws:s3:::aps-max-test-bucket",
            "assetType": "cloudasset.googleapis.com/AWS::S3::Bucket",
            "resource": {
              "version": "v1",
              "discoveryDocumentUri": "n/a",
              "discoveryName": "n/a",
              "data": {
                "dataSourceProvider": "AMAZON_WEB_SERVICES",
                "supplementaryConfigurations": {
                  "PublicAccessBlockConfiguration": {
                    "BlockPublicPolicy": true,
                    "RestrictPublicBuckets": true,
                    "BlockPublicAcls": true,
                    "IgnorePublicAcls": true
                  },
                  "TagSet": [
                    { "Key": "my-key2", "Value": "my-value2" },
                    { "Key": "my-key1", "Value": "my-value1" }
                  ],
                  "ServerSideEncryptionConfiguration": {
                    "Rules": [
                      {
                        "ApplyServerSideEncryptionByDefault": {
                          "SSEAlgorithm": "AES256"
                        },
                        "BucketKeyEnabled": true
                      }
                    ]
                  },
                  "AccessControlPolicy": {
                    "Grants": [
                      {
                        "Grantee": {
                          "DisplayName": "example",
                          "ID": "example-id",
                          "Type": "CanonicalUser"
                        },
                        "Permission": "FULL_CONTROL"
                      }
                    ],
                    "Owner": {
                      "DisplayName": "example",
                      "ID": "example-id"
                    }
                  }
                },
                "configuration": {
                  "Name": "aps-max-test-bucket",
                  "CreationDate": "2023-12-04T15:29:50+00:00"
                },
                "tags": {
                  "my-key2": "my-value2",
                  "my-key1": "my-value1"
                },
                "originalResourceName": "arn:aws:s3:::aps-max-test-bucket",
                "awsAccount": "arn:aws:organizations::example-id:account/example-account/example-account-id"
              },
              "location": "global"
            },
            "ancestors": [
              "organizations/example-org-id"
            ],
            "updateTime": "2024-01-24T17:51:03.412233028Z"
          }
        }
      ]
    }
  }
]
```
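The two result shapes differ in where the asset sits: Google Cloud entities carry it at EntityResult.asset, AWS entities wrap a list under EntityResult.assets, each element holding its own window and asset. A playbook that only handles one shape silently drops the other. The following added example, which is not part of the integration, normalises both shapes into (entity, asset) pairs and then runs a small posture check per asset type: external IP and Shielded VM settings for a Compute Engine instance, public access block, default encryption and public ACL grants for an S3 bucket. The sample data is trimmed from the page's two results; the checks and the "no check registered" fallback are this example's own.

```python
# Trimmed copies of the page's Get Resource Snapshot samples, keeping only the fields checked below.
SAMPLE_SNAPSHOT = [
    {   # Google Cloud shape: EntityResult.asset
        "Entity": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/example-instance",
        "EntityResult": {
            "window": {"startTime": "2023-08-14T19:43:41.805828Z", "endTime": "2262-04-11T23:47:16.854775807Z"},
            "asset": {
                "assetType": "compute.googleapis.com/Instance",
                "resource": {"data": {
                    "status": "RUNNING",
                    "networkInterfaces": [{"name": "example", "networkIP": "203.0.113.2",
                                           "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "192.0.2.1"}]}],
                    "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                                               "enableIntegrityMonitoring": True},
                }},
                "updateTime": "2023-08-14T19:43:41.805828Z",
            },
        },
    },
    {   # Google Cloud shape, an asset type with no check registered
        "Entity": "//iam.googleapis.com/projects/example-project/serviceAccounts/example-account-id",
        "EntityResult": {"asset": {"assetType": "iam.googleapis.com/ServiceAccount",
                                   "resource": {"data": {"projectId": "example-project"}},
                                   "updateTime": "2023-12-22T13:37:50Z"}},
    },
    {   # AWS shape: EntityResult.assets[] with a window and asset per element
        "Entity": "//cloudasset.googleapis.com/organizations/example-org-id/otherCloudConnections/aws/arn:aws:s3:::aps-max-test-bucket",
        "EntityResult": {"assets": [{
            "window": {"startTime": "2024-01-24T17:51:03.412233028Z", "endTime": "2262-04-11T23:47:16.854775807Z"},
            "asset": {
                "assetType": "cloudasset.googleapis.com/AWS::S3::Bucket",
                "resource": {"data": {"supplementaryConfigurations": {
                    "PublicAccessBlockConfiguration": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True,
                                                       "BlockPublicAcls": True, "IgnorePublicAcls": True},
                    "ServerSideEncryptionConfiguration": {"Rules": [
                        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}, "BucketKeyEnabled": True}]},
                    "AccessControlPolicy": {"Grants": [
                        {"Grantee": {"ID": "example-id", "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"}]},
                }}},
                "updateTime": "2024-01-24T17:51:03.412233028Z",
            },
        }]},
    },
]


def iter_snapshot_assets(results):
    """Flatten both result shapes into (entity, asset) pairs."""
    pairs = []
    for item in results:
        entity_result = item["EntityResult"]
        if "asset" in entity_result:                       # Google Cloud: one asset per entity
            pairs.append((item["Entity"], entity_result["asset"]))
        for wrapped in entity_result.get("assets", []):    # AWS: list of {window, asset}
            pairs.append((item["Entity"], wrapped["asset"]))
    return pairs


def check_compute_instance(data):
    findings = []
    for nic in data.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                findings.append(f"external IP {cfg['natIP']} on interface {nic.get('name', '?')}")
    shielded = data.get("shieldedInstanceConfig", {})
    for flag, label in (("enableSecureBoot", "Secure Boot"), ("enableVtpm", "vTPM"),
                        ("enableIntegrityMonitoring", "integrity monitoring")):
        if not shielded.get(flag):
            findings.append(f"{label} disabled")
    return findings


def check_s3_bucket(data):
    supp = data.get("supplementaryConfigurations", {})
    findings = []
    block = supp.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
               if not block.get(k)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    rules = supp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append("no default server-side encryption rule")
    for grant in supp.get("AccessControlPolicy", {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group":   # AllUsers / AuthenticatedUsers grants use the Group grantee type
            findings.append(f"ACL grants {grant.get('Permission')} to group {grantee.get('URI', '?')}")
    return findings


CHECKS = {
    "compute.googleapis.com/Instance": check_compute_instance,
    "cloudasset.googleapis.com/AWS::S3::Bucket": check_s3_bucket,
}


def review_snapshot(results):
    """Map each entity to its asset type, snapshot time and the findings of the registered check."""
    report = {}
    for entity, asset in iter_snapshot_assets(results):
        asset_type = asset["assetType"]
        check = CHECKS.get(asset_type)
        findings = check(asset["resource"]["data"]) if check else [f"no check registered for {asset_type}"]
        report[entity] = {"asset_type": asset_type, "updated": asset.get("updateTime"), "findings": findings}
    return report


if __name__ == "__main__":
    for entity, row in review_snapshot(SAMPLE_SNAPSHOT).items():
        print(entity, row["findings"])
```

The report keeps the asset's updateTime because a snapshot is only as current as the inventory's last update; a playbook should surface that timestamp next to any finding it raises.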
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
Successfully returned information about the following resources using Google Cloud Asset Inventory: ASSET_IDENTIFIER | Action succeeded. |
Error executing action "Get Resource Snapshot". Reason: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
List Service Account Roles
List roles related to the Google Cloud service account using Cloud Asset Inventory.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Required | Description |
---|---|---|
Service Accounts | Required | Comma-separated list of service accounts to fetch details for. |
Check Roles | Optional | Comma-separated list of roles to check in relation to the service account, such as |
Check Permissions | Optional | Comma-separated list of permissions to check in relation to the service account, such as |
Expand Permissions | Optional | If |
Max Roles To Return | Required | The number of roles related to the service account to return. Default value is 100. |
Max Permissions To Return | Required | The number of permissions related to the service account to return. |
Action outputs
Action output type | Availability |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | Available |
OOTB Widget | Available |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
JSON result
```json
{
  "roles": ["role1", "role2"],
  "unique_permissions": ["permission1", "permission2"]
}
```
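The action's inputs combine a listing (roles bound to the service account), an expansion (the union of permissions those roles grant), two lookups (Check Roles, Check Permissions) and two caps (Max Roles To Return, Max Permissions To Return). The following added example, which is not the integration's own code, reproduces that shape in plain Python so the interaction between the caps and the checks is visible. The role-to-permission map is a constructed, illustrative subset: real roles grant far more permissions and the integration resolves them through Google Cloud rather than a local table. Treating Expand Permissions as the switch that controls whether roles are expanded into permissions is this example's reading of a parameter whose description is incomplete on the page.

```python
# Constructed, illustrative subsets of what these predefined roles grant; not the complete permission lists.
ROLE_PERMISSIONS = {
    "roles/viewer": {"resourcemanager.projects.get", "storage.objects.get", "storage.objects.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/iam.serviceAccountKeyAdmin": {"iam.serviceAccountKeys.create", "iam.serviceAccountKeys.delete",
                                         "iam.serviceAccountKeys.list"},
}


def list_service_account_roles(granted_roles, role_permissions, check_roles=(), check_permissions=(),
                               expand_permissions=True, max_roles=100, max_permissions=100):
    """Build the action's JSON result shape plus per-item results for the requested checks.

    granted_roles: roles bound to the service account (duplicates across bindings are tolerated).
    role_permissions: mapping of role name to the permissions it grants (constructed above).
    """
    roles = sorted(set(granted_roles))

    expanded = set()
    if expand_permissions:
        for role in roles:
            expanded.update(role_permissions.get(role, ()))

    # Checks run against the full sets, so a low Max ... To Return cap never hides a hit.
    role_checks = {role: role in roles for role in check_roles}
    permission_checks = {perm: perm in expanded for perm in check_permissions}

    return {
        "roles": roles[:max_roles],
        "unique_permissions": sorted(expanded)[:max_permissions],
        "role_checks": role_checks,
        "permission_checks": permission_checks,
        "truncated": len(roles) > max_roles or len(expanded) > max_permissions,
    }


if __name__ == "__main__":
    # Constructed binding list: the same role appears twice, as it would across two resource-level bindings.
    result = list_service_account_roles(
        ["roles/viewer", "roles/storage.objectViewer", "roles/viewer"], ROLE_PERMISSIONS,
        check_roles=["roles/iam.serviceAccountKeyAdmin"],
        check_permissions=["storage.objects.get", "iam.serviceAccountKeys.create"],
    )
    print(result)
```

The truncated flag is worth carrying into a playbook: when it is set, the roles and unique_permissions lists are incomplete and a condition that scans them for a specific value should rely on the check results instead.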
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "List Service Account Roles". Reason: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Widget
This action uses a standard enrichment widget. An example of the widget:
Roles
- Role 1
- Role 2
Unique Permissions
- Role 1
- Role 2
- Role 3
Ping
Test connectivity to Cloud Asset Inventory with parameters provided at the integration configuration page in the Google Security Operations SOAR Marketplace tab.
Entities
The action does not run on entities.
Action inputs
N/A
Action outputs
Action output type | Availability |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
Entity insight | N/A |
Insight | N/A |
JSON result | N/A |
OOTB widget | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Google Cloud Asset Inventory server with the provided connection parameters! | Connection established successfully. |
Failed to connect to the Google Cloud Asset Inventory server! | Action failed. |