Sending Security Command Center data to Cortex XSOAR


This page explains how to automatically send Security Command Center findings, assets, and security sources to Cortex XSOAR. It also describes how to manage the exported data. The third-party security automation platform lets you view, update, and analyze enriched Security Command Center data in real time.

In this guide, you ensure that the required Security Command Center and Google Cloud services are properly configured, and enable Cortex XSOAR to access findings and assets in your Security Command Center environment. Some of the instructions on this page are compiled from Cortex XSOAR's integrations guide on GitHub.

Before you begin

This guide assumes you have a working version of Cortex XSOAR. To get started with Cortex XSOAR, sign up.

Before connecting Security Command Center to Cortex XSOAR, do the following:

  1. Create a service account with the following Identity and Access Management (IAM) roles:

    • Security Center Admin (roles/securitycenter.admin)
    • Organization Viewer (roles/resourcemanager.organizationViewer)
    • Cloud Asset Owner (roles/cloudasset.owner)
    • Pub/Sub Admin (roles/pubsub.admin)

    For instructions on granting roles, see Granting, changing, and revoking access to resources.

  2. Complete one of the following:

    1. If you are hosting Cortex XSOAR in Google Cloud, add the service account to the project that hosts Cortex XSOAR.

    2. If you are hosting Cortex XSOAR in your on-premises environment, create a service account key. You will need the service account JSON from this task to complete this guide.

    3. If you are hosting Cortex XSOAR in Microsoft Azure or Amazon Web Services, configure workload identity federation and download the credentials configuration file.

  3. Set up finding notifications as follows:

    1. Enable the Security Command Center API.
    2. Create a filter to export findings.
    3. Create a Pub/Sub topic for findings. The notificationConfig must use the Pub/Sub topic you create for findings.
  4. Enable the Cloud Asset API for your project.

You will need your organization ID, project ID, and the Pub/Sub subscription ID from this task to configure Cortex XSOAR. To retrieve your organization ID and project ID, see Retrieving your organization ID and Identifying projects, respectively.
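As an added example (not from this page, from Google, or from Palo Alto Networks), the following Python script turns steps 1 to 4 above into the equivalent gcloud CLI commands. It assumes the gcloud CLI is installed and authenticated as a principal that can grant roles on the organization, grants the four roles at the organization level, and uses constructed placeholder IDs and resource names (organization 123456789012, project my-xsoar-project, topic scc-findings, subscription scc-findings-xsoar, and so on). By default it only builds the commands so they can be reviewed; call execute() to run them.

```python
"""Script the Google Cloud setup that "Before you begin" walks through in the console.

Added example, not Google's or Palo Alto Networks' code. Assumes the gcloud CLI is
installed and authenticated as a principal allowed to grant roles on the organization,
and that roles are granted at the organization level. All IDs and resource names used
here are constructed placeholders. Nothing is executed unless execute() is called.
"""
import shlex
import subprocess
from typing import List

# The four IAM roles the page requires on the integration's service account.
REQUIRED_ROLES = (
    "roles/securitycenter.admin",
    "roles/resourcemanager.organizationViewer",
    "roles/cloudasset.owner",
    "roles/pubsub.admin",
)


def service_account_email(sa_name: str, project_id: str) -> str:
    """Email of a user-managed service account created in project_id."""
    return f"{sa_name}@{project_id}.iam.gserviceaccount.com"


def build_setup_commands(org_id: str, project_id: str, on_prem_xsoar: bool,
                         sa_name: str = "scc-xsoar",
                         topic: str = "scc-findings",
                         subscription: str = "scc-findings-xsoar",
                         notification_id: str = "xsoar-findings",
                         finding_filter: str = 'state="ACTIVE"',
                         key_file: str = "scc-xsoar-key.json") -> List[List[str]]:
    """Return the gcloud commands, in order, for steps 1 to 4 of "Before you begin"."""
    sa_email = service_account_email(sa_name, project_id)
    cmds: List[List[str]] = []
    # Steps 3.1 and 4: enable the Security Command Center and Cloud Asset APIs
    # (Pub/Sub is enabled too because the topic and subscription live in this project).
    cmds.append(["gcloud", "services", "enable",
                 "securitycenter.googleapis.com", "cloudasset.googleapis.com",
                 "pubsub.googleapis.com", f"--project={project_id}"])
    # Step 1: the service account and its four organization-level role bindings.
    cmds.append(["gcloud", "iam", "service-accounts", "create", sa_name,
                 "--display-name=Cortex XSOAR integration", f"--project={project_id}"])
    for role in REQUIRED_ROLES:
        cmds.append(["gcloud", "organizations", "add-iam-policy-binding", org_id,
                     f"--member=serviceAccount:{sa_email}", f"--role={role}"])
    # Step 3.3: the Pub/Sub topic for findings and the subscription XSOAR pulls from
    # (the subscription ID is the "Subscription ID" integration parameter).
    cmds.append(["gcloud", "pubsub", "topics", "create", topic,
                 f"--project={project_id}"])
    cmds.append(["gcloud", "pubsub", "subscriptions", "create", subscription,
                 f"--topic={topic}", f"--project={project_id}"])
    # Steps 3.2 and 3.3: the notificationConfig that exports findings matching the
    # filter to that topic.
    cmds.append(["gcloud", "scc", "notifications", "create", notification_id,
                 f"--organization={org_id}",
                 f"--pubsub-topic=projects/{project_id}/topics/{topic}",
                 f"--filter={finding_filter}"])
    # Step 2.2 only: an on-premises XSOAR needs a service account key (the JSON goes
    # into the "Service Account Configuration" field). A Google Cloud-hosted XSOAR uses
    # the account directly; Azure/AWS hosts use workload identity federation instead.
    if on_prem_xsoar:
        cmds.append(["gcloud", "iam", "service-accounts", "keys", "create", key_file,
                     f"--iam-account={sa_email}"])
    return cmds


def render(cmds: List[List[str]]) -> List[str]:
    """Shell-quoted one-liners, for review before anything is run."""
    return [shlex.join(c) for c in cmds]


def execute(cmds: List[List[str]]) -> None:
    """Run the commands in order, stopping at the first failure."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Constructed placeholder IDs; replace them with your own before calling execute().
    for line in render(build_setup_commands("123456789012", "my-xsoar-project",
                                            on_prem_xsoar=True)):
        print(line)
```

The printed key file, subscription ID, organization ID and project ID are exactly the values the integration instance asks for in Configure Cortex XSOAR; the key is only generated when on_prem_xsoar is true, since the other hosting options do not use one.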

Configure Cortex XSOAR

Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform that ingests security data from one or more sources and lets security teams manage responses to incidents. You can use Cortex XSOAR to view your Security Command Center findings and assets, and to update findings when issues are resolved.

When granted access, Cortex XSOAR receives finding and asset updates in real time.

To use Security Command Center with Cortex XSOAR, perform the following steps:

  1. Install the Google Cloud SCC content pack from the Cortex XSOAR Marketplace.

    The content pack is a module maintained by Security Command Center that automates the process of scheduling Security Command Center API calls and regularly retrieves Security Command Center data for use in Cortex XSOAR.

  2. In the Cortex XSOAR application menu, navigate to Settings, and then click Integrations.

  3. Under Integrations, select Servers & Services.

  4. Search for and select GoogleCloudSCC.

  5. To create and configure a new integration instance, click Add instance.

  6. Enter information into the following fields as needed:

    Each parameter is listed with its description and whether it is required:

    • Service Account Configuration (required). One of the following, as described in Before you begin:
      • The contents of the service account JSON file, if you created a service account key
      • The contents of the credential configuration file, if you are using workload identity federation
    • Organization ID (required). The ID for your organization.
    • Fetch incidents (optional). Enables fetching incidents.
    • Project ID (optional). The ID of the project to use for fetching incidents; if empty, the project ID contained in the provided service account JSON is used.
    • Subscription ID (required). The ID of your Pub/Sub subscription.
    • Max Incidents (optional). The maximum number of incidents to fetch during each retrieval.
    • Incident type (optional). The type of incident.
    • Trust any certificate (not secure) (optional). Trusts any server certificate.
    • Use system proxy settings (optional). Uses the system proxy settings.

  7. To validate your configuration, click Test.

    If the configuration is valid, you see a "success" message. If invalid, you get an error message.

Cortex XSOAR automatically maps fields from Security Command Center findings to appropriate Cortex XSOAR fields. To override selections or learn more about Cortex XSOAR, read product documentation.

The configuration of Cortex XSOAR is complete. The following sections explain how to view and manage Security Command Center data in the service.

Upgrade the Google Cloud SCC content pack

This section describes how to upgrade from a previous version.

  1. Access the latest version of Google Cloud SCC content pack from the Cortex XSOAR Marketplace.

  2. Click Download with Dependencies.

  3. Click Install.

  4. Click Refresh content.

The upgrade maintains your previous configuration information. To use workload identity federation, add the configuration file, as described in Configure Cortex XSOAR.

Manage findings and assets

You can view and update assets and findings using Cortex XSOAR's command line interface (CLI). You can run commands as part of automated triaging and remediation, or in a playbook.

For names and descriptions of all supported methods and arguments for Cortex XSOAR's CLI, and output examples, see Commands.

Findings are compiled from Security Command Center's built-in services—Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection—and any integrated services you enable.

List assets

To list your organization's assets, use Cortex XSOAR's google-cloud-scc-asset-list method. For example, the following command lists assets where lifecycleState is Active and limits the response to three assets:

!google-cloud-scc-asset-list pageSize="3" activeAssetsOnly=TRUE

The exclamation symbol (!) in code samples is a required symbol to start commands in Cortex XSOAR. It doesn't represent negation or NOT.

View asset resources

To list assets contained in parent resources, such as projects, use Cortex XSOAR's google-cloud-scc-asset-resource-list command. For example, the following command lists assets with an assetType of compute.googleapis.com/Disk and limits the response to two assets:

!google-cloud-scc-asset-resource-list assetType="compute.googleapis.com/Disk" pageSize=2

Wildcards and regular expressions are supported. For example, assetType=".*Instance" lists assets where the asset type ends with "instance."

View findings

To list findings for your organization or a security source, use Cortex XSOAR's google-cloud-scc-finding-list command. For example, the following command lists active findings with critical severity for all sources and limits the response to three findings:

!google-cloud-scc-finding-list severity="CRITICAL" sourceTypeId="-" pageSize="3" state="ACTIVE"

You can filter your findings as well. The following command lists any findings that are classified as threats:

!google-cloud-scc-finding-list filter="findingClass=\"THREAT\""

Update findings

You can update a finding by using Cortex XSOAR's google-cloud-scc-finding-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.

For example, the following command updates the severity of a finding:

!google-cloud-scc-finding-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" severity="CRITICAL"

Replace the following:

  • ORGANIZATION_ID with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
  • SOURCE_ID with the ID of the security source. To find a source ID, see Getting the source ID.
  • FINDING_ID with the finding ID that is included in finding details.

Update finding status

You can update the status of a finding by using Cortex XSOAR's google-cloud-scc-finding-status-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.

For example, the following command sets the finding status to active:

!google-cloud-scc-finding-status-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" state="ACTIVE"

Replace the following:

  • ORGANIZATION_ID with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
  • SOURCE_ID with the ID of the security source. To find a source ID, see Getting the source ID.
  • FINDING_ID with the finding ID that is included in finding details.
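Both update commands above take the same finding name, and a malformed one (for example the singular finding/ in place of findings/, or a source ID that is not numeric) is not accepted. The following Python helper, an added example rather than code from this page or from the Google Cloud SCC content pack, validates the name, splits it into its three IDs, builds the two XSOAR command lines, and extracts the name together with the state and severity from a finding notification delivered through the Pub/Sub subscription. The notification payload is constructed to match the shape of a Security Command Center NotificationMessage (notificationConfigName plus finding); every ID in it is a placeholder.

```python
"""Check a finding's relative resource name before it goes into an XSOAR update
command, and lift that name (plus state and severity) out of a Pub/Sub notification.

Added example, not Google's or the Google Cloud SCC content pack's code. The
notification payload below is constructed to match the shape of an SCC
NotificationMessage (notificationConfigName plus finding); all IDs are placeholders.
"""
import json
import re
from typing import Dict

# organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID, exactly as the
# google-cloud-scc-finding-update and -status-update commands expect it. Note the
# plural "findings": the singular form is rejected.
_FINDING_NAME = re.compile(
    r"^organizations/(?P<organization_id>\d+)"
    r"/sources/(?P<source_id>\d+)"
    r"/findings/(?P<finding_id>[^/]+)$"
)

# The finding states the status-update command can set.
VALID_STATES = ("ACTIVE", "INACTIVE")


def is_finding_name(name: str) -> bool:
    """True if name has the organizations/.../sources/.../findings/... form."""
    return _FINDING_NAME.match(name) is not None


def parse_finding_name(name: str) -> Dict[str, str]:
    """Split a finding name into its three IDs, or raise ValueError if malformed."""
    match = _FINDING_NAME.match(name)
    if match is None:
        raise ValueError(f"not a finding resource name: {name!r}")
    return match.groupdict()


def build_finding_name(organization_id: str, source_id: str, finding_id: str) -> str:
    """Assemble a finding name and verify it round-trips through the parser."""
    name = f"organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
    parse_finding_name(name)  # rejects empty IDs, non-numeric org/source IDs, stray slashes
    return name


def finding_update_command(name: str, **fields: str) -> str:
    """The XSOAR CLI line that updates the given fields (e.g. severity) on a finding."""
    parse_finding_name(name)
    args = "".join(f' {key}="{value}"' for key, value in fields.items())
    return f'!google-cloud-scc-finding-update name="{name}"{args}'


def finding_status_command(name: str, state: str) -> str:
    """The XSOAR CLI line that sets a finding's state."""
    parse_finding_name(name)
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {VALID_STATES}, got {state!r}")
    return f'!google-cloud-scc-finding-status-update name="{name}" state="{state}"'


def finding_from_notification(payload: str) -> Dict[str, str]:
    """Decode one notification message and return the finding's IDs and triage fields."""
    message = json.loads(payload)
    finding = message["finding"]
    summary = parse_finding_name(finding["name"])
    summary["name"] = finding["name"]
    for key in ("state", "severity", "category", "findingClass", "resourceName"):
        summary[key] = finding.get(key, "")
    summary["notificationConfigName"] = message.get("notificationConfigName", "")
    return summary


# Constructed sample of the decoded message data the Pub/Sub subscription delivers.
SAMPLE_NOTIFICATION = json.dumps({
    "notificationConfigName": "organizations/123456789012/notificationConfigs/xsoar-findings",
    "finding": {
        "name": "organizations/123456789012/sources/5678901234567890123"
                "/findings/0123456789abcdef0123456789abcdef",
        "parent": "organizations/123456789012/sources/5678901234567890123",
        "resourceName": "//storage.googleapis.com/example-bucket",
        "state": "ACTIVE",
        "category": "PUBLIC_BUCKET_ACL",
        "severity": "HIGH",
        "findingClass": "MISCONFIGURATION",
        "eventTime": "2024-01-01T00:00:00Z",
    },
})


if __name__ == "__main__":
    info = finding_from_notification(SAMPLE_NOTIFICATION)
    print(f"{info['category']} ({info['severity']}) in organization {info['organization_id']}")
    # The command a playbook would issue once the misconfiguration has been fixed.
    print(finding_status_command(info["name"], "INACTIVE"))
```

Validating the name before building the command line means a playbook fails at the point where the bad input is visible, rather than with an API error after the command has already been sent.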

Get asset owners

To list the owners of an asset, use Cortex XSOAR's google-cloud-scc-asset-owner-get command. You must provide the project name in the form of projects/PROJECT_NUMBER. For example, the following command lists the owner of the provided project.

!google-cloud-scc-asset-owner-get projectName="projects/PROJECT_NUMBER"

To add multiple projects to the command, use a comma separator, for example, projectName="projects/123456789, projects/987654321".

What's next