Send Security Command Center data to Cortex XSOAR

This page explains how to automatically send Security Command Center findings, assets, and security sources to Cortex XSOAR. It also describes how to manage the exported data. Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform that ingests security data from one or more sources and lets security teams manage responses to incidents. You can use Cortex XSOAR to view your Security Command Center findings and assets, and to update findings when issues are resolved.

In this guide, you ensure that the required Security Command Center and Google Cloud services are properly configured, and enable Cortex XSOAR to access findings and assets in your Security Command Center environment. Some of the instructions on this page are compiled from Cortex XSOAR's integrations guide on GitHub.

Before you begin

This guide assumes you have a working version of Cortex XSOAR. To get started with Cortex XSOAR, sign up.

Configure authentication and authorization

Before connecting to Security Command Center to Cortex XSOAR, you need to create an Identity and Access Management (IAM) service account in each Google Cloud organization and grant that account both the organization-level and project-level IAM roles that Cortex XSOAR needs.

Create a service account and grant IAM roles

The following steps use the Google Cloud console. For other methods, see the links at the end of this section.

Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.

  1. In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.
  2. Grant the service account the following role:

    • Pub/Sub Editor (roles/pubsub.editor)
  3. Copy the name of the service account that you just created.

  4. Use the project selector in the Google Cloud console to switch to the organization level.

  5. Open the IAM page for the organization:

    Go to IAM

  6. On the IAM page, click Grant access. The grant access panel opens.

  7. In the Grant access panel, complete the following steps:

    1. In the Add principals section in the New principals field, paste the name of the service account.
    2. In the Assign roles section, use the Role field to grant the following IAM roles to the service account:

    3. Security Center Admin Editor (roles/securitycenter.adminEditor)
    4. Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
    5. Organization Viewer (roles/resourcemanager.organizationViewer)
    6. Cloud Asset Viewer (roles/cloudasset.viewer)
    7. Click Save. The service account appears on the Permissions tab of the IAM page under View by principals.

      By inheritance, the service account also becomes a principal in all child projects of the organization. The roles that are applicable at the project level are listed as inherited roles.

For more information about creating service accounts and granting roles, see the following topics:

Provide the credentials to Cortex XSOAR

Depending on where you are hosting Cortex XSOAR, how you provide the IAM credentials to Cortex XSOAR differs.

Configure notifications

Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.

  1. Set up finding notifications as follows:

    1. Enable the Security Command Center API.
    2. Create a filter to export findings.
    3. Create a Pub/Sub topic for findings. The NotificationConfig must use the Pub/Sub topic you create for findings.
  2. Enable the Cloud Asset API for your project.

You will need your organization ID, project ID, and the Pub/Sub subscription ID from this task to configure Cortex XSOAR. To retrieve your organization ID and project ID, see Retrieving your organization ID and Identifying projects, respectively.

Configure Cortex XSOAR

When granted access, Cortex XSOAR will receive findings and assets updates in real time.

To use Security Command Center with Cortex XSOAR, perform the following steps:

  1. Install the Google Cloud SCC content pack from the Cortex XSOAR Marketplace.

    The content pack is a module maintained by Security Command Center that automates the process of scheduling Security Command Center API calls and regularly retrieves Security Command Center data for use in Cortext XSOAR.

  2. In the Cortex XSOAR application menu, navigate to Settings, and then click Integrations.

  3. Under Integrations, select Servers & Services.

  4. Search for and select GoogleCloudSCC.

  5. To create and configure a new integration instance, click Add instance.

  6. Enter information into the following fields as needed:

    Parameter Description Required
    Service Account Configuration One of the following, as described in Before you begin:
    • The contents of the Service Account JSON file, if you created a service account key
    • The contents of the credential configuration file, if you are using workload identity federation
    True
    Organization ID The ID for your organization True
    Fetch incidents Enables fetch incident False
    Project ID The ID of the project to use for fetching incidents; if empty, the ID of the project contained in the provided JSON file is used False
    Subscription ID The ID of your Pub/Sub subscription True
    Max Incidents The maximum number of incidents to fetch during each retrieval False
    Incident type The type of incident False
    Trust any certificate (not secure) Enables to trust on all certificates False
    Use system proxy settings Enables system proxy settings False
    Incidents Fetch Interval Time between retrievals for updated incident information False
    Log Level The log level for the content pack False

  7. Click Test.

    If the configuration is valid, you see a "success" message. If invalid, you get an error message.

  8. Click Save and exit.

  9. Repeat steps 5 to 8 for each organization.

Cortex XSOAR automatically maps fields from Security Command Center findings to appropriate Cortex XSOAR fields. To override selections or learn more about Cortex XSOAR, read product documentation.

The configuration of Cortex XSOAR is complete. The Manage findings and assets section explains how to view and manage Security Command Center data in the service.

Upgrade the Google Cloud SCC content pack

This section describes how to upgrade from a previous version.

  1. Access the latest version of Google Cloud SCC content pack from the Cortex XSOAR Marketplace.

  2. Click Download with Dependencies.

  3. Click Install.

  4. Click Refresh content.

The upgrade maintains your previous configuration information. To use workload identity federation, add the configuration file, as described in Configure Cortex XSOAR.

Manage findings and assets

You can view and update assets and findings using Cortex XSOAR's command line interface (CLI). You can run commands as part of automated triaging and remediation, or in a playbook.

For names and descriptions of all supported methods and arguments for Cortex XSOAR's CLI, and output examples, see Commands.

Findings are compiled from Security Command Center's built-in services—Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection—and any integrated services you enable.

List assets

To list your organization's assets, use Cortex XSOAR's google-cloud-scc-asset-list method. For example, the following command lists assets where lifecycleState is Active and limits the response to three assets:

!google-cloud-scc-asset-list pageSize="3" activeAssetsOnly=TRUE

The exclamation symbol (!) in code samples is a required symbol to start commands in Cortex XSOAR. It doesn't represent negation or NOT.

View asset resources

To list assets contained in parent resources, such as projects, use Cortex XSOAR's google-cloud-scc-asset-resource-list command. For example, the following command lists assets with an assetType of compute.googleapis.com/Disk and limits the response to two assets:

!google-cloud-scc-asset-resource-list assetType="compute.googleapis.com/Disk" pageSize=2

Wildcards and regular expressions are supported. For example, assetType=".*Instance" lists assets where the asset type ends with "instance."

View findings

To list findings for your organization or a security source, use Cortex XSOAR's google-cloud-scc-finding-list command. For example, the following command lists active findings with critical severity for all sources and limits the response to three findings:

!google-cloud-scc-finding-list severity="CRITICAL" sourceTypeId="-" pageSize="3" state="ACTIVE"

You can filter your findings as well. The following command lists any findings that are classified as threats:

!google-cloud-scc-finding-list filter="findingClass=\"THREAT\""

Update findings

You can update a finding by using Cortex XSOAR's google-cloud-scc-finding-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID</var>/finding/FINDING_ID.

For example, the following command updates the severity of a finding:

!google-cloud-scc-finding-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" severity="CRITICAL"

Replace the following:

  • <var>ORGANIZATION_ID</var> with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
  • <var>SOURCE_ID</var> with the ID of the security source. To find a source ID, see Getting the source ID.
  • <var>FINDING_ID</var> with the finding ID that is included in finding details.

Update finding status

You can update the status of a finding by using Cortex XSOAR's google-cloud-scc-finding-status-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/finding/FINDING_ID.

For example, the following command sets the finding status to active:

!google-cloud-scc-finding-status-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" state="ACTIVE"

Replace the following:

  • <var>ORGANIZATION_ID</var> with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
  • <var>SOURCE_ID</var> with the ID of the security source. To find a source ID, see Getting the source ID.
  • <var>FINDING_ID</var> with the finding ID that is included in finding details.

Get asset owners

To list the owners of an asset, use Cortex XSOAR's google-cloud-scc-asset-owner-get command. You must provide the project name in the form of projects/PROJECT_NUMBER. For example, the following command lists the owner of the provided project.

!google-cloud-scc-asset-owner-get projectName="projects/PROJECT_NUMBER"

To add multiple projects to the command, use a comma separator, for example, projectName="projects/123456789, projects/987654321"

What's next