Sending Security Command Center data to Cortex XSOAR

This page explains how to automatically send Security Command Center findings, assets, and security sources to Cortex XSOAR. It also describes how to manage the exported data. Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform that ingests security data from one or more sources and lets security teams manage responses to incidents. You can use Cortex XSOAR to view your Security Command Center findings and assets, and to update findings when issues are resolved.

In this guide, you ensure that the required Security Command Center and Google Cloud services are properly configured, and enable Cortex XSOAR to access findings and assets in your Security Command Center environment. Some of the instructions on this page are compiled from Cortex XSOAR's integrations guide on GitHub.

Before you begin

This guide assumes you have a working version of Cortex XSOAR. To get started with Cortex XSOAR, sign up.

Configure authentication and authorization

Before connecting Security Command Center to Cortex XSOAR, you need to create an Identity and Access Management (IAM) service account in each Google Cloud organization and grant that account both the organization-level and project-level IAM roles that Cortex XSOAR needs.

Create a service account and grant IAM roles

The following steps use the Google Cloud console. For other methods, see the links at the end of this section.

Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.

  1. In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.
  2. Grant the service account the following role:

    • Pub/Sub Editor (roles/pubsub.editor)
  3. Copy the name of the service account that you just created.

  4. Use the project selector in the Google Cloud console to switch to the organization level.

  5. Open the IAM page for the organization:

    Go to IAM

  6. On the IAM page, click Grant access. The Grant access panel opens.

  7. In the Grant access panel, complete the following steps:

    1. In the Add principals section in the New principals field, paste the name of the service account.
    2. In the Assign roles section, use the Role field to grant the following IAM roles to the service account:

      • Security Center Admin Editor (roles/securitycenter.adminEditor)
      • Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
      • Organization Viewer (roles/resourcemanager.organizationViewer)
      • Cloud Asset Viewer (roles/cloudasset.viewer)
    3. Click Save. The service account appears on the Permissions tab of the IAM page under View by principals.

      By inheritance, the service account also becomes a principal in all child projects of the organization and the roles that are applicable at the project level are listed as inherited roles.

For more information about creating service accounts and granting roles, see the following topics:

Provide the credentials to Cortex XSOAR

Depending on where you are hosting Cortex XSOAR, how you provide the IAM credentials to Cortex XSOAR differs.

Configure notifications

Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.

  1. Set up finding notifications as follows:

    1. Enable the Security Command Center API.
    2. Create a filter to export findings.
    3. Create a Pub/Sub topic for findings. The NotificationConfig must use the Pub/Sub topic you create for findings.
  2. Enable the Cloud Asset API for your project.

You will need your organization ID, project ID, and the Pub/Sub subscription ID from this task to configure Cortex XSOAR. To retrieve your organization ID and project ID, see Retrieving your organization ID and Identifying projects, respectively.
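The service account, IAM role and notification steps above can be scripted with gcloud so that they are applied identically to every organization. The following script is an added example and is not part of the Google Cloud or Cortex XSOAR documentation: the roles are the ones listed above, but the service account name, topic, subscription and notification IDs, the display name, and the finding filter are assumptions you should adjust. Setting GCLOUD=echo prints the gcloud commands instead of running them, which is a convenient way to review the exact bindings before applying them.

```shell
#!/bin/sh
# Added example: scripts the service-account, IAM-role and notification setup
# from the steps above. Names other than the IAM roles are assumptions.
# Set GCLOUD=echo to print the commands instead of executing them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Project-level role granted in the project that holds the Pub/Sub topic.
PROJECT_ROLES="roles/pubsub.editor"

# Organization-level roles the integration needs.
ORG_ROLES="roles/securitycenter.adminEditor
roles/securitycenter.notificationConfigEditor
roles/resourcemanager.organizationViewer
roles/cloudasset.viewer"

# E-mail address that a service account gets from its name and project.
sa_email() {
  project="$1"; sa_name="$2"
  echo "${sa_name}@${project}.iam.gserviceaccount.com"
}

# Step 1: create the service account in the Pub/Sub project.
create_service_account() {
  project="$1"; sa_name="$2"
  "$GCLOUD" iam service-accounts create "$sa_name" \
    --project="$project" --display-name="Cortex XSOAR SCC integration"
}

# Step 2: grant the project-level role(s).
grant_project_roles() {
  project="$1"; sa_email="$2"
  for role in $PROJECT_ROLES; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${sa_email}" --role="$role"
  done
}

# Steps 4 to 7: grant the organization-level roles.
grant_org_roles() {
  org_id="$1"; sa_email="$2"
  for role in $ORG_ROLES; do
    "$GCLOUD" organizations add-iam-policy-binding "$org_id" \
      --member="serviceAccount:${sa_email}" --role="$role"
  done
}

# "Configure notifications": enable the APIs, create the topic and the
# subscription XSOAR will read, and create a NotificationConfig that
# publishes findings to that topic.
configure_notifications() {
  org_id="$1"; project="$2"; topic="$3"; subscription="$4"; notification_id="$5"
  "$GCLOUD" services enable securitycenter.googleapis.com cloudasset.googleapis.com \
    --project="$project"
  "$GCLOUD" pubsub topics create "$topic" --project="$project"
  "$GCLOUD" pubsub subscriptions create "$subscription" \
    --topic="$topic" --project="$project"
  # The filter is an example: export only active findings.
  "$GCLOUD" scc notifications create "$notification_id" \
    --organization="$org_id" \
    --pubsub-topic="projects/${project}/topics/${topic}" \
    --filter='state="ACTIVE"'
}

# Run all steps for one organization; call once per organization.
setup_organization() {
  org_id="$1"; project="$2"; sa_name="$3"
  email=$(sa_email "$project" "$sa_name")
  create_service_account "$project" "$sa_name"
  grant_project_roles "$project" "$email"
  grant_org_roles "$org_id" "$email"
  configure_notifications "$org_id" "$project" \
    "scc-findings" "scc-findings-xsoar" "xsoar-findings"
}

# usage: SCC_RUN=1 ./setup.sh ORGANIZATION_ID PROJECT_ID SERVICE_ACCOUNT_NAME
if [ -n "${SCC_RUN:-}" ]; then
  setup_organization "$1" "$2" "$3"
fi
```

The subscription ID passed to configure_notifications (scc-findings-xsoar in the example) is the value you later enter as Subscription ID in the Cortex XSOAR instance, together with the organization ID and project ID.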

Configure Cortex XSOAR

When granted access, Cortex XSOAR receives finding and asset updates in real time.

To use Security Command Center with Cortex XSOAR, perform the following steps:

  1. Install the Google Cloud SCC content pack from the Cortex XSOAR Marketplace.

    The content pack is a module maintained by Security Command Center that automates the process of scheduling Security Command Center API calls and regularly retrieves Security Command Center data for use in Cortex XSOAR.

  2. In the Cortex XSOAR application menu, navigate to Settings, and then click Integrations.

  3. Under Integrations, select Servers & Services.

  4. Search for and select GoogleCloudSCC.

  5. To create and configure a new integration instance, click Add instance.

  6. Enter information into the following fields as needed:

    Parameter | Description | Required
    Service Account Configuration | One of the following, as described in Before you begin: the contents of the service account JSON file, if you created a service account key; or the contents of the credential configuration file, if you are using workload identity federation | True
    Organization ID | The ID for your organization | True
    Fetch incidents | Enables fetching incidents | False
    Project ID | The ID of the project to use for fetching incidents; if empty, the ID of the project contained in the provided JSON file is used | False
    Subscription ID | The ID of your Pub/Sub subscription | True
    Max Incidents | The maximum number of incidents to fetch during each retrieval | False
    Incident type | The type of incident | False
    Trust any certificate (not secure) | Trusts any server certificate (skips certificate verification) | False
    Use system proxy settings | Uses the system proxy settings | False
    Incidents Fetch Interval | Time between retrievals for updated incident information | False
    Log Level | The log level for the content pack | False

  7. Click Test.

    If the configuration is valid, you see a "success" message. If invalid, you get an error message.

  8. Click Save and exit.

  9. Repeat steps 5 to 8 for each organization.

Cortex XSOAR automatically maps fields from Security Command Center findings to appropriate Cortex XSOAR fields. To override selections or learn more about Cortex XSOAR, read product documentation.

The configuration of Cortex XSOAR is complete. The Manage findings and assets section explains how to view and manage Security Command Center data in the service.

Upgrade the Google Cloud SCC content pack

This section describes how to upgrade from a previous version.

  1. Access the latest version of Google Cloud SCC content pack from the Cortex XSOAR Marketplace.

  2. Click Download with Dependencies.

  3. Click Install.

  4. Click Refresh content.

The upgrade maintains your previous configuration information. To use workload identity federation, add the configuration file, as described in Configure Cortex XSOAR.

Manage findings and assets

You can view and update assets and findings using Cortex XSOAR's command line interface (CLI). You can run commands as part of automated triaging and remediation, or in a playbook.

For names and descriptions of all supported methods and arguments for Cortex XSOAR's CLI, and output examples, see Commands.

Findings are compiled from Security Command Center's built-in services—Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection—and any integrated services you enable.

List assets

To list your organization's assets, use Cortex XSOAR's google-cloud-scc-asset-list method. For example, the following command lists assets where lifecycleState is Active and limits the response to three assets:

!google-cloud-scc-asset-list pageSize="3" activeAssetsOnly=TRUE

The exclamation symbol (!) in code samples is a required symbol to start commands in Cortex XSOAR. It doesn't represent negation or NOT.

View asset resources

To list assets contained in parent resources, such as projects, use Cortex XSOAR's google-cloud-scc-asset-resource-list command. For example, the following command lists assets with an assetType of compute.googleapis.com/Disk and limits the response to two assets:

!google-cloud-scc-asset-resource-list assetType="compute.googleapis.com/Disk" pageSize=2

Wildcards and regular expressions are supported. For example, assetType=".*Instance" lists assets where the asset type ends with "instance."

View findings

To list findings for your organization or a security source, use Cortex XSOAR's google-cloud-scc-finding-list command. For example, the following command lists active findings with critical severity for all sources and limits the response to three findings:

!google-cloud-scc-finding-list severity="CRITICAL" sourceTypeId="-" pageSize="3" state="ACTIVE"

You can filter your findings as well. The following command lists any findings that are classified as threats:

!google-cloud-scc-finding-list filter="findingClass=\"THREAT\""

Update findings

You can update a finding by using Cortex XSOAR's google-cloud-scc-finding-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.

For example, the following command updates the severity of a finding:

!google-cloud-scc-finding-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" severity="CRITICAL"

Replace the following:

  • ORGANIZATION_ID with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
  • SOURCE_ID with the ID of the security source. To find a source ID, see Getting the source ID.
  • FINDING_ID with the finding ID that is included in finding details.

Update finding status

You can update the status of a finding by using Cortex XSOAR's google-cloud-scc-finding-status-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.

For example, the following command sets the finding status to active:

!google-cloud-scc-finding-status-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" state="ACTIVE"

Replace the following:

  • ORGANIZATION_ID with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
  • SOURCE_ID with the ID of the security source. To find a source ID, see Getting the source ID.
  • FINDING_ID with the finding ID that is included in finding details.

Get asset owners

To list the owners of an asset, use Cortex XSOAR's google-cloud-scc-asset-owner-get command. You must provide the project name in the form of projects/PROJECT_NUMBER. For example, the following command lists the owner of the provided project.

!google-cloud-scc-asset-owner-get projectName="projects/PROJECT_NUMBER"

To query multiple projects in one command, separate the project names with commas, for example, projectName="projects/123456789, projects/987654321".

What's next