Google Security Command Center
Integration version: 4.0
Prerequisites
The minimal set of required permissions to integrate Security Command Center with Google Security Operations SOAR is as follows:
securitycenter.assets.listsecuritycenter.findings.listsecuritycenter.findings.setMutesecuritycenter.findings.setState
Integrate Security Command Center with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | N/A | Yes | API root of the Security Command Center instance. |
| Organization ID | String | N/A | No | ID of the organization that should be used in the Security Command Center integration. |
| User's Service Account | Password | N/A | Yes | Service account of the Security Command Center instance. A full content of the service account JSON file should be provided. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Security Command Center server is valid. |
Actions
Enrich Assets
Description
Enrich assets using information from Security Command Center.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Asset Resource Names | CSV | N/A | Yes | Specify a comma-separated list of resource names of the assets for which you want to return data. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"siemplify_asset_display_name":[4] [5] ""
"asset": {
"name": "organizations/236378329325/assets/4140124989808983197",
"securityCenterProperties": {
"resourceName": "//compute.googleapis.com/projects/orbital-signal-243013/zones/europe-west1-b/instances/8494023830802519914",
"resourceType": "google.compute.Instance",
"resourceParent": "//cloudresourcemanager.googleapis.com/projects/469755381865",
"resourceProject": "//cloudresourcemanager.googleapis.com/projects/469755381865",
"resourceOwners": {
"serviceAccount": [
"469755381865@cloudbuild.gserviceaccount.com",
"alpha-svc-acct@orbital-signal-243013.iam.gserviceaccount.com"
],
"user": [
"dana@example.com",
"alex@example.com",
"test-scc@brinstar.net"
]
},
"resourceDisplayName": "vm-wordpress",
"resourceParentDisplayName": "orbital-signal-243013",
"resourceProjectDisplayName": "orbital-signal-243013"
},
"resourceProperties": {
"shieldedInstanceConfig": "{\"enableIntegrityMonitoring\":true,\"enableSecureBoot\":false,\"enableVtpm\":true}",
"scheduling": "{\"automaticRestart\":true,\"onHostMaintenance\":\"MIGRATE\",\"preemptible\":false,\"provisioningModel\":\"STANDARD\"}",
"labelFingerprint": "rs_6ubxpsZU=",
"creationTimestamp": "2022-02-08T05:00:54.691-08:00",
"networkInterfaces": "[{\"fingerprint\":\"DLL4fFQQkFU\\u003d\",\"name\":\"nic0\",\"network\":\"https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/global/networks/scc-demo\",\"networkIP\":\"10.1.0.40\",\"stackType\":\"IPV4_ONLY\",\"subnetwork\":\"https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/regions/europe-west1/subnetworks/vm-net1\"}]",
"name": "vm-wordpress",
"machineType": "https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/zones/europe-west1-b/machineTypes/e2-standard-2",
"serviceAccounts": "[{\"email\":\"469755381865-compute@developer.gserviceaccount.com\",\"scopes\":[\"https://www.googleapis.com/auth/devstorage.read_only\",\"https://www.googleapis.com/auth/logging.write\",\"https://www.googleapis.com/auth/monitoring.write\",\"https://www.googleapis.com/auth/pubsub\",\"https://www.googleapis.com/auth/service.management.readonly\",\"https://www.googleapis.com/auth/servicecontrol\",\"https://www.googleapis.com/auth/trace.append\"]}]",
"tags": "{\"fingerprint\":\"AG-OvsszYew\\u003d\",\"items\":[\"wordpress\"]}",
"fingerprint": "pJ1DSfT2-oM=",
"labels": "{\"env\":\"scctest\"}",
"canIpForward": false,
"zone": "https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/zones/europe-west1-b",
"cpuPlatform": "Intel Broadwell",
"disks": "[",
"shieldedInstanceIntegrityPolicy": "{\"updateAutoLearnPolicy\":true}",
"deletionProtection": false,
"selfLink": "https://www.googleapis.com/compute/v1/projects/orbital-signal-243013/zones/europe-west1-b/instances/vm-wordpress",
"startRestricted": false,
"lastStartTimestamp": "2022-02-08T05:01:05.259-08:00",
"status": "RUNNING",
"id": "8494023830802519914"
},
"securityMarks": {
"name": "organizations/236378329325/assets/4140124989808983197/securityMarks"
},
"createTime": "2022-02-08T13:00:55.518Z",
"updateTime": "2022-04-27T20:12:50.687Z",
"iamPolicy": {},
"canonicalName": "projects/469755381865/assets/4140124989808983197"
}
}
Entity Enrichment
Enrichment Table for google.compute.Instance - Prefix GSCC_
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| resourceOwners_{key} | Csv of resourceOwners_{key} | When available in JSON |
| type | resourceType | When available in JSON |
| create_time | createTime | When available in JSON |
| update_time | updateTime | When available in JSON |
| related_service_accounts | csv of resourceProperties/serviceAccounts/email | When available in JSON |
| tags | csv resourceProperties/tags/items | When available in JSON |
| self_link | resourceProperties/selfLink | When available in JSON |
| status | resourceProperties/status | When available in JSON |
| ip_addresses | csv of resourcePropertie/networkInterfaces | When available in JSON |
Enrichment Table for google.compute.Address - Prefix GSCC_
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| resourceOwners_{key} | Csv of resourceOwners_{key} | When available in JSON |
| name | asset/resourceDisplayName | When available in JSON |
| type | resourceType | When available in JSON |
| create_time | createTime | When available in JSON |
| update_time | updateTime | When available in JSON |
| compute_create_time | resourceProperties/creationTimestamp | When available in JSON |
| compute_start_time | resourceProperties/lastStartTimestamp | When available in JSON |
| self_link | resourceProperties/selfLink | When available in JSON |
| start_restricted | resourceProperties/startRestricted | When available in JSON |
| purpose | resourceProperties/purpose | When available in JSON |
| description | resourceProperties/description | When available in JSON |
| address_type | resourceProperties/addressType | When available in JSON |
| network_tier | resourceProperties/networkTier | When available in JSON |
| status | resourceProperties/status | When available in JSON |
| address | resourceProperties/address | When available in JSON |
Enrichment Table for google.iam.ServiceAccount - Prefix GSCC_
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| resourceOwners_{key} | Csv of resourceOwners_{key} | When available in JSON |
| name | asset/resourceDisplayName | When available in JSON |
| type | resourceType | When available in JSON |
| create_time | createTime | When available in JSON |
| update_time | updateTime | When available in JSON |
| display_name | resourceProperties/displayName | When available in JSON |
| disabled | disabled | When available in JSON |
Enrichment Table for google.cloud.storage.Bucket - Prefix GSCC_
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| resourceOwners_{key} | Csv of resourceOwners_{key} | When available in JSON |
| type | resourceType | When available in JSON |
| create_time | createTime | When available in JSON |
| update_time | updateTime | When available in JSON |
| iam_roles | csv of iamPolicy/policyBlob/binding/role | When available in JSO |
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for one asset (is_success=true): "Successfully enriched the following assets using information from Security Command Center: {asset.identifier}." If data is not available for one asset (is_success=true): "Action wasn't able to enrich the following assets using information from Security Command Center: {asset.identifier}." If data is not available for all assets (is_success=false): "None of the provided assets were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Assets". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Title: {entity.identifier} Table Columns:
|
Entity |
Get Finding Details
Description
Get details about a finding in Security Command Center.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Finding Name | CSV | organizations/{organization_id}/sources/{source_id}/findings/{finding_id} | Yes | Specify a comma-separated list of finding names for which you want to return details. Note: Finding name has the following structure: |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"finding_name": "organizations/236378329325/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
"finding": {
"name": "organizations/236378329325/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
"parent": "organizations/236378329325/sources/2678067631293752869",
"resourceName": "//cloudresourcemanager.googleapis.com/projects/469755381865",
"state": "ACTIVE",
"category": "Discovery: Service Account Self-Investigation",
"sourceProperties": {
"sourceId": {
"projectNumber": "469755381865",
"customerOrganizationNumber": "236378329325"
},
"detectionCategory": {
"technique": "discovery",
"indicator": "audit_log",
"ruleName": "iam_anomalous_behavior",
"subRuleName": "service_account_gets_own_iam_policy"
},
"detectionPriority": "LOW",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/469755381865"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "orbital-signal-243013",
"resourceContainer": "projects/orbital-signal-243013",
"timestamp": {
"seconds": "1622678907",
"nanos": 448368000
},
"insertId": "v2rzg4d9u9q"
}
}
],
"properties": {
"serviceAccountGetsOwnIamPolicy": {
"principalEmail": "prisma-cloud-serv-zlbni@orbital-signal-243013.iam.gserviceaccount.com",
"projectId": "orbital-signal-243013",
"callerIp": "52.39.60.41",
"callerUserAgent": "Redlock/GC-MDC/resource-manager/orbital-signal-243013 Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)",
"rawUserAgent": "Redlock/GC-MDC/resource-manager/orbital-signal-243013 Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)"
}
},
"contextUris": {
"mitreUri": {
"displayName": "Permission Groups Discovery: Cloud Groups",
"url": "https://attack.mitre.org/techniques/T1069/003/"
},
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-06-03T00:08:27.448368Z%22%0AinsertId%3D%22v2rzg4d9u9q%22%0Aresource.labels.project_id%3D%22orbital-signal-243013%22?project=orbital-signal-243013"
}
]
}
},
"securityMarks": {
"name": "organizations/236378329325/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m/securityMarks"
},
"eventTime": "2021-06-03T00:08:27.448Z",
"createTime": "2021-06-03T00:08:31.074Z",
"severity": "LOW",
"canonicalName": "projects/469755381865/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"mitreAttack": {
"primaryTactic": "DISCOVERY",
"primaryTechniques": [
"PERMISSION_GROUPS_DISCOVERY",
"CLOUD_GROUPS"
]
}
},
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/469755381865",
"projectName": "//cloudresourcemanager.googleapis.com/projects/469755381865",
"projectDisplayName": "orbital-signal-243013",
"parentName": "//cloudresourcemanager.googleapis.com/organizations/236378329325",
"parentDisplayName": "brinstar.net",
"type": "google.cloud.resourcemanager.Project",
"displayName": "orbital-signal-243013"
}
}
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for findings (is_success=true): "Successfully returned details about the following findings in Security Command Center: {name of the findings that returned data}." If data is not available for one finding (is_success=true): "Action wasn't able to find the following findings in Security Command Center: {name of the findings that returned data}." If no data is available for findings (is_success=false): "None of the provided findings were found in Security Command Center." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Security Command Center". Reason: {0}''.format(error.Stacktrace) If an error is reported in the response: "Error executing action "Security Command Center". Reason: {0}''.format(error/message) |
General |
| Case Wall Table | Table Name: Finding Details Table Columns:
|
General |
List Asset Vulnerabilities
Description
List vulnerabilities related to the entities in Security Command Center.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Asset Resource Names | CSV | N/A | Yes | Specify a comma-separated list of resource names of the assets for which you want to return data. |
| Timeframe | DDL | All Time Possible Value:
|
No | Specify the time frame for the vulnerabilities or misconfiguration search. |
| Record Types | DDL | Vulnerabilities + Misconfigurations Possible Values:
|
No | Specify the type of record that should be returned. |
| Output Type | DDL | Statistics Possible Values:
|
No | Specify the type of output that should be returned in the JSON result for the asset. |
| Max Records To Return | String | 100 | No | Specify the number of records to return per record type per assets. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
."siemplify_asset_display_name":[1] [2] ""
"vulnerabilities": {
"statistics": {
"critical": 1,
"high": 1,
"medium": 1,
"low": 1,
"undefined": 1
},
"data": [
{
"category": {category}
"description": {description}
"cve_id": {vulnerability/cve/id}
"event_time": {eventTime}
"related_references": [{vulnerability/cve/references/uri}]
"severity": {severity}
}
]
},
"misconfigurations": {
"statistics": {
"critical": 1,
"high": 1,
"medium": 1,
"low": 1,
"undefined": 1
},
"data": [
{
"category": {category}
"description": {description}
"recommendation": {sourceProperties/Recommendation}
"event_time": {eventTime}
"severity": {severity}
}
]
},
}
Should either take from "resourceDisplayName" or "Asset Name" that was provided.
if securityCenterProperties.resourceType" == "google.iam.ServiceAccount", then action needs to use "resourceProperties.email" as display_name.
if securityCenterProperties.resourceType" == "google.compute.Address", then action needs to use "resourceProperties.address" as display_name.
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available (is_success=true): "Successfully returned related vulnerabilities and misconfigurations to the following entities in Security Command Center: {assets}." If data is not available for one vulnerability or misconfiguration (is_success=true): "No vulnerabilities and misconfigurations were found to the following entities in Security Command Center: {assets}". If no data is available (is_success = true): "No vulnerabilities and misconfigurations were found for the provided assets in Security Command Center" The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Security Command Center". Reason: {0}''.format(error.Stacktrace) If an error is reported in the response: "Error executing action "Security Command Center". Reason: {0}''.format(error/message) |
General |
| Case Wall Table | Table Name: {asset} Vulnerabilities Table Columns:
|
Per asset |
| Case Wall Table | Table Name: {asset} Misconfigurations Table Columns:
|
Per asset |
Ping
Description
Test connectivity to Security Command Center with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
The action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Security Command Center server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Security Command Center server! Error is {0}".format(exception.stacktrace)" |
General |
Update Finding
Description
Update finding in Security Command Center.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Finding Name | CSV | organizations/{organization_id}/sources/{source_id}/findings/{finding_id} | Yes | Specify a comma-separated list of finding names which you want to update. Note: Finding name has the following structure: |
| Mute Status | DDL | Select One Possible Values:
|
No | Specify the mute status for the finding. |
| State Status | DDL | Select One Possible Values:
|
No | Specify the state status for the finding. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available (is_success=true): "Successfully updated the following findings in Security Command Center: {name of the findings that returned data}." If data is not available for one finding (is_success=true): "Action wasn't able to find the following findings in Security Command Center: {name of the findings that returned data}." If no data is available (is_success=false): "None of the provided findings were found in Security Command Center" The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Finding". Reason: {0}''.format(error.Stacktrace) If an error is reported in the response: "Error executing action "Update Finding". Reason: {0}''.format(error/message) If the "Mute Status" or "State Status" parameter is set to "Select One": "Error executing action "Update Finding". Reason: at least one of "Mute Status" or "State Status" should have a value.''.format(error/message) |
General |
Connectors
Google Security Command Center - Findings Connector
Description
Pull information about findings from Security Command Center.
Configure Google Security Command Center - Findings Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field through regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | N/A | Yes | API root of the Security Command Center instance. |
| Organization ID | String | N/A | No | ID of the organization that should be used in the Security Command Center integration. |
| User's Service Account | Password | N/A | Yes | Service account of the Security Command Center instance. A full content of the service account JSON file should be provided. |
| Finding Class Filter | CSV | Threat,Vulnerability,Misconfiguration,SCC_Error,Observation | No | Finding classes that should be ingested. Possible values: Threat, Vulnerability, Misconfiguration, SCC_Error, Observation. If nothing is provided, findings from all classes are ingested. |
| Lowest Severity To Fetch | String | High | No | The lowest severity that is used to fetch findings. Possible values:
Note: If finding with undefined severity is ingested, it has the Medium severity. If nothing is provided, findings with all severities are ingested. |
| Max Hours Backwards | Integer | 1 | No | Number of hours from where to fetch findings. Maximum: 24 |
| Max Findings To Fetch | Integer | 100 | No | Number of findings to process per one connector iteration. Maximum: 1000 |
| Use dynamic list as a blacklist | Checkbox | Unchecked | Yes | If enabled, the dynamic lists is used as a blocklist. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the Sumo Logic Cloud SIEM server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports proxy.