Sending Security Command Center data to ServiceNow

This page explains how to automatically send Security Command Center findings, assets, audit logs, and security sources to ServiceNow. It also describes how to manage the exported data.

ServiceNow provides technical management support, including helpdesk functionality. Its management system helps automate task-intensive IT processes and events using digital workflows and employee service portals.

You can send Security Command Center information to ServiceNow IT Service Management (ITSM) or ServiceNow Security Incident Response (SIR).

Before you begin

This guide assumes that you are using the ServiceNow versions named Rome, San Diego, or Tokyo and that you are using either ServiceNow ITSM or ServiceNow SIR. To get started with ServiceNow, see Get Started.

You must be a ServiceNow system admin to complete some of the tasks in this guide. The remaining tasks require you to create other users, as described in Create users for the app.

Before connecting to ServiceNow, you need to create an Identity and Access Management (IAM) service account and grant the account both the organization-level and project-level IAM roles that the Google SCC SIR app or Google SCC ITSM app needs.

Create a service account and grant IAM roles

The following steps use the Google Cloud console. For other methods, see the links at the end of this section.

Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.

  1. In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.
  2. Grant the service account the following role:

    • Pub/Sub Editor (roles/pubsub.editor)
  3. Copy the name of the service account that you just created.

  4. Use the project selector in the Google Cloud console to switch to the organization level.

  5. Open the IAM page for the organization:

    Go to IAM

  6. On the IAM page, click Grant access. The grant access panel opens.

  7. In the Grant access panel, complete the following steps:

    1. In the Add principals section in the New principals field, paste the name of the service account.
    2. In the Assign roles section, use the Role field to grant the following IAM roles to the service account:

      • Security Center Admin Editor (roles/securitycenter.adminEditor)
      • Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
      • Organization Viewer (roles/resourcemanager.organizationViewer)
      • Cloud Asset Viewer (roles/cloudasset.viewer)
    3. Click Save. The service account appears on the Permissions tab of the IAM page under View by principals.

      By inheritance, the service account also becomes a principal in all child projects of the organization and the roles that are applicable at the project level are listed as inherited roles.
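The role list above is the complete set the app needs at the organization level, so a grant that differs from it is either a broken integration (a role is missing) or unnecessary exposure for a long-lived service account key (a role is extra). The following is an added example, not code from the page or from the Google SCC apps, that checks a policy document against that list. The policy objects are constructed samples in the shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`; the service account email is a placeholder.

```javascript
// Added example: audit the IAM grants of the integration's service account.
// Roles as listed in the page for each scope.
const ORG_ROLES = [
  'roles/securitycenter.adminEditor',
  'roles/securitycenter.notificationConfigEditor',
  'roles/resourcemanager.organizationViewer',
  'roles/cloudasset.viewer',
];
const PROJECT_ROLES = ['roles/pubsub.editor'];

// Collect every role a member holds directly in a policy document.
function rolesForMember(policy, member) {
  const roles = new Set();
  for (const binding of policy.bindings || []) {
    if ((binding.members || []).includes(member)) roles.add(binding.role);
  }
  return roles;
}

// Compare held roles with the required list. Missing roles break ingestion;
// extra roles widen what a leaked key can do.
function auditGrants(policy, member, required) {
  const held = rolesForMember(policy, member);
  const missing = required.filter((role) => !held.has(role));
  const extra = [...held].filter((role) => !required.includes(role));
  return { missing, extra, ok: missing.length === 0 && extra.length === 0 };
}

// Constructed sample (placeholder project and account): the organization
// policy lacks roles/cloudasset.viewer and carries an accidental roles/owner.
const SA = 'serviceAccount:scc-servicenow@example-project.iam.gserviceaccount.com';
const SAMPLE_ORG_POLICY = {
  bindings: [
    { role: 'roles/securitycenter.adminEditor', members: [SA] },
    { role: 'roles/securitycenter.notificationConfigEditor', members: [SA] },
    { role: 'roles/resourcemanager.organizationViewer', members: [SA, 'user:alice@example.com'] },
    { role: 'roles/owner', members: ['user:alice@example.com', SA] },
  ],
};
const SAMPLE_PROJECT_POLICY = {
  bindings: [{ role: 'roles/pubsub.editor', members: [SA] }],
};

console.log('org:', JSON.stringify(auditGrants(SAMPLE_ORG_POLICY, SA, ORG_ROLES)));
console.log('project:', JSON.stringify(auditGrants(SAMPLE_PROJECT_POLICY, SA, PROJECT_ROLES)));
```

Run the same check against the project that holds the Pub/Sub topics with `PROJECT_ROLES`; the organization-level roles are reported there as inherited rather than as direct bindings, so they do not show up as extra.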

For more information about creating service accounts and granting roles, see the following topics:

Provide the credentials to ServiceNow

To provide IAM credentials to ServiceNow, create a service account key. You will need the service account key in JSON format to complete this guide. If you are using multiple Google Cloud organizations, add this service account to the other organizations and grant it the IAM roles that are described in steps 5 to 7 of Create a service account and grant IAM roles.

To learn about best practices for storing your service account keys securely, see Best practices for managing service account keys.

Configure notifications

Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.

  1. Set up finding notifications as follows:

    1. Enable the Security Command Center API.
    2. Create a filter to export desired findings and assets.
  2. Enable the Cloud Asset API for your project.

  3. Create feeds for your assets. You must create two feeds in the same Pub/Sub topic, one for your resources and another for your Identity and Access Management (IAM) policies.

    • The Pub/Sub topic for assets must be different from the one used for findings.
    • For the feed for your resources, use the following filter:

      content-type=resource

    • For the IAM policies feed, use the following filter:

      content-type=iam-policy --asset-types="cloudresourcemanager.googleapis.com/Project"

  4. Create a destination sink for the audit logs. This integration uses a Pub/Sub topic as the destination.

You will need your organization IDs and Pub/Sub subscription names to configure ServiceNow.

Install the app for ServiceNow

You must be a ServiceNow system admin to complete this task.

  1. Go to the ServiceNow store and search for one of the following apps:

    • If you are running ServiceNow ITSM, Google SCC ITSM

    • If you are running ServiceNow SIR, Google SCC SIR

  2. Click the app and click Get.

  3. Enter your ServiceNow ID credentials and proceed through the login process.

  4. In the ServiceNow console, in the All tab, search for System Applications and click All Available Applications > All.

  5. Select Not installed. A list of applications appears.

  6. Select the Google SCC ITSM or Google SCC SIR app and click Install.

Configure the app for ServiceNow

In this section, you create the required users, configure connectivity, and set up ServiceNow to retrieve Security Command Center data.

Create users for the app

You must create two users for the Google SCC ITSM or Google SCC SIR app and assign them the appropriate roles.

You must be a ServiceNow system admin to complete this task.

  1. In the ServiceNow console, search for Organization.

  2. Click Organization > Users.

  3. Click New.

  4. Enter the information for the administrator account for the Google SCC ITSM app or Google SCC SIR app. For example, in the User ID field, enter google_scc_itsm_admin for Google SCC ITSM or google_scc_sir_admin for Google SCC SIR.

  5. Click Submit.

  6. Repeat steps 3 to 5 to create a user account for the Google SCC ITSM app or Google SCC SIR app. For example, in the User ID field, enter google_scc_itsm_user for Google SCC ITSM or google_scc_sir_user for Google SCC SIR.

  7. In the Users list, click the name of one of the accounts that you just created.

  8. Under Roles, click Edit.

  9. Add the roles that apply to the account:

    Username: Google SCC ITSM admin (google_scc_itsm_admin)
    Roles:
    • x_goog_scc_itsm.Google_SCC_ITSM_Admin
    • itil
    • itil_admin
    • personalize_dictionary
    • oauth_admin

    Username: Google SCC ITSM User (google_scc_itsm_user)
    Roles:
    • x_goog_scc_itsm.Google_SCC_ITSM_User
    • itil

    Username: Google SCC SIR admin (google_scc_sir_admin)
    Roles:
    • x_goog_scc_sir.Google_SCC_SIR_Admin
    • sn_si.admin
    • oauth_admin

    Username: Google SCC SIR user (google_scc_sir_user)
    Roles:
    • x_goog_scc_sir.Google_SCC_SIR_User
    • sn_si.analyst
  10. Click Save.

  11. Repeat steps 7 to 10 to assign roles to the other account.

  12. Log out with your account and log in with the accounts that you just created to verify passwords.

Configure authentication with Security Command Center

Complete these steps to set up connectivity between Security Command Center and ServiceNow. To support multiple organizations, complete this section for each organization.

You must be a ServiceNow system admin to complete this task.

  1. Create a Java Keystore certificate from the JSON file that contains your service account key. For instructions, see Create a Java KeyStore certificate (Rome) or Create a Java KeyStore certificate (Tokyo).

  2. In the ServiceNow console, in the All tab, search for Google SCC ITSM or Google SCC SIR and click Guided Setup.

  3. Click Get Started.

  4. In Authentication Configuration, click Get Started.

  5. On the tasks page, in Create X.509 Certificate, click Configure.

  6. Enter the following information:

    • Name: a unique name for this certificate

    • Format: PEM

    • Type: Java Key Store

  7. Click the Manage Attachments icon and add the Java KeyStore certificate (.jks format) that you generated in step 1.

  8. Click the Close icon.

  9. Click Submit.

  10. On the tasks page, in Create X.509 Certificate, click Mark as Complete.

  11. On the tasks page, in Create JWT Key, click Configure.

  12. Enter the following information:

    • Name: a unique name for this key

    • Signing Keystore: the certificate name that you specified in step 7

    • Signing Algorithm: RSA 256

    • Signing Key: the password for the .jks file that you created in step 1

  13. Click Submit.

  14. On the tasks page, in Create JWT Key, click Mark as Complete.

  15. On the tasks page, in Create JWT Provider, click Configure.

  16. Enter the following information:

    • Name: a unique name for this provider

    • Expiry Interval (sec): 60

    • Signing Configuration: the JWT key name that you specified in step 13

  17. Click Submit.

  18. On the tasks page, in Create JWT Provider, click Mark as Complete.

  19. On the tasks page, in Create Authentication Configuration, click Configure.

  20. Enter the following information:

    • Name: a unique name for this configuration

    • Organization ID: the ID for your organization in Google Cloud

    • Base URL: the URL for the Security Command Center API, typically https://securitycenter.googleapis.com

    • Client Email: the email address for the IAM credentials

    • JWT Provider: the JWT provider name that you specified in step 17

  21. Click Submit. An Authentication Successful message appears.

  22. Close the Create Authentication Configuration window.

  23. On the tasks page, in Create Authentication Configuration, click Mark as Complete.

Configure incident management for Security Command Center

Complete these steps to enable data collection from Security Command Center. To support multiple organizations, complete this section for each organization.

You must be a ServiceNow system admin to complete this task.

  1. In the ServiceNow console, in the All tab, search for Google SCC ITSM or Google SCC SIR and click Guided Setup.

  2. Click Get Started.

  3. In Incident Configuration, click Get Started.

  4. To identify existing configuration items (such as assets) that you want to add to incidents that you create from the Security Command Center findings, use CI Lookup Rules. Complete the following:

    1. On the tasks page, in CI Lookup Rule, click Configure.

    2. Click New.

    3. Enter the following information:

      • Name: a unique name for this lookup rule

      • Lookup method: either Field Matching or Script

      • Order: the order that this rule is evaluated in, relative to other rules

      • Source Field: the field in the findings data that is the input for this rule

      • Search On Table: if matching on a field, the table to find the field

      • Search On Field: if matching on a field, the field to match with the Source Field

      • Script: if using a script, enter the script

      • Active: select to enable this lookup rule

    4. Click Submit.

    5. Repeat this step for additional configuration items, as required.

    6. On the tasks page, in CI Lookup Rule, click Mark as Complete.

  5. On the tasks page, in Ingestion Configuration, click Configure.

  6. Click New.

  7. Enter the following information:

    • Name: a unique name for this record

    • Google SCC Configuration: the authentication configuration that you created in Configure authentication with Security Command Center. You require one ingestion configuration for each authentication configuration that you created.

    • Recurring Data Collection: select to allow regular data ingestion from Security Command Center

    • Interval(second): the time interval between data updates from Security Command Center

    • One Time Data Collection: select to run a single data ingestion from Security Command Center. One-time data collection doesn't support audit logs.

    • Collection Start Time: the date to start data ingestion from Security Command Center

    Do not select Active until you have completed the remaining steps in this section.

  8. To add findings, complete these steps:

    1. In the Findings tab, select Enabled. When you enable findings, you also enable assets and sources automatically.

    2. Enter the following information:

      • Findings Subscription Id: for recurring data collections, the name of the Pub/Sub subscription for findings

      • Google SCC Finding Name: the name of the incident field to populate with the finding name (for example, Description)

      • Google SCC Finding State: the name of the incident field to populate with the finding state (for example, Description)

      • Google SCC Finding Indicator: the name of the incident field to populate with the finding indicator (for example, Description)

      • Google SCC Finding Resource Name: the name of the incident field to populate with the resource name for the finding (for example, Description)

      • Google SCC Finding External URI: the name of the incident field to populate with the URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found

      • Apply Filters: available for one-time data collection; select to specify which projects, state, severity, or categories to include

      • Project Name: the name of the project that you want to retrieve findings from, when Apply Filters is selected

      • State: whether the findings are active or inactive, when Apply Filters is selected

      • Severity: the severity of the findings, when Apply Filters is selected

      • Category: the category that you want to retrieve findings from, when Apply Filters is selected
  9. To add assets, complete these steps:

    1. In the Assets tab, select Enabled.

    2. In the Asset Subscription Id field, for recurring data collections, enter the name of the Pub/Sub subscription for assets.

  10. To add security sources, in the Sources tab, select Enabled.

  11. To add audit logs, complete these steps:

    1. In the Audit Logs tab, select Enabled.

    2. In the Audit Logs Subscription Id field, for recurring data collections, enter the name of the Pub/Sub subscription for audit logs.

  12. Click Submit.

  13. If you get the message that the configuration is inactive, click OK. You activate the configuration later in this procedure.

  14. On the tasks page, in Ingestion Configuration, click Mark as Complete.

  15. If you want incidents created from findings, complete these steps:

    1. On the tasks page, in Incident Creation Criteria (for Google SCC for ITSM) or Security Incident Creation Criteria (for Google SCC for SIR), click Configure.

    2. Click the name of the incident configuration that you created.

    3. In the Ingestion Configuration page, scroll down and click the Incident Creation Criteria List (for Google SCC for ITSM) or Security Incident Creation Criteria (for Google SCC for SIR) tab.

    4. Click New.

    5. Enter the following information:

      • Condition: the dynamic condition under which an incident is created, based on field. For example, you can create incidents for findings with the Severity field set to High.

      • Order: the order for this condition, relative to other conditions.

    6. Click Submit.

    7. Repeat steps 4 through 6 for each condition that you want incidents created for.

    8. Close the Ingestion Configuration page.

    9. On the tasks page, in Incident Creation Criteria (for Google SCC for ITSM) or Security Incident Creation Criteria (for Google SCC for SIR), click Mark as Complete.

  16. If you want to assign incidents to a group, complete these steps:

    1. On the tasks page, in Assignment Group Criteria, click Configure.

    2. Click the name of the incident configuration that you created.

    3. In the Ingestion Configuration page, scroll down and click the Assignment Group Criteria List tab.

    4. Click New.

    5. Enter the following information:

      • Assignment Group: the group that the incidents will be assigned to.

      • Condition: the dynamic condition under which an incident is assigned, based on the field that you specify. For example, you can assign incidents for findings with the Finding Class field set to Misconfiguration.

      • Order: the order for this condition, relative to other conditions.

    6. Click Submit.

    7. Repeat steps 4 through 6 for each group that you want to assign incidents to.

    8. Close the Ingestion Configuration page.

    9. On the tasks page, in Assignment Group Criteria, click Mark as Complete.

  17. On the tasks page, in Activate Ingestion Configuration, click Configure.

  18. Click the name of the incident configuration that you created.

  19. Select Active.

  20. To start collecting data, click Collect Data.

  21. Click Update.

  22. On the tasks page, in Activate Ingestion Configuration, click Mark as Complete.
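Steps 15 and 16 above define two ordered rule sets: Incident Creation Criteria decide whether a finding becomes an incident at all, and Assignment Group Criteria decide who receives it. The following is an added example, not the app's own logic, that shows how such criteria resolve against findings. It assumes criteria are evaluated in ascending Order with the first matching condition winning, and models a condition as field/value pairs that must all equal the finding's values; the findings are constructed samples in the shape of Security Command Center finding JSON, with placeholder organization and source IDs.

```javascript
// Added example: ordered incident-creation and assignment-group criteria
// applied to sample findings.

// Severity and state are the page's own examples for creation conditions.
const INCIDENT_CRITERIA = [
  { order: 100, match: { severity: 'CRITICAL' } },
  { order: 200, match: { severity: 'HIGH', state: 'ACTIVE' } },
];

// Finding Class is the page's example for an assignment condition; the
// catch-all with an empty match runs last and catches anything unrouted.
const ASSIGNMENT_CRITERIA = [
  { order: 100, group: 'Cloud Platform', match: { findingClass: 'MISCONFIGURATION' } },
  { order: 200, group: 'SOC', match: { findingClass: 'THREAT' } },
  { order: 300, group: 'Security Triage', match: {} },
];

// A criterion matches when every field it names equals the finding's value.
function matches(criterion, finding) {
  return Object.entries(criterion.match).every(([field, value]) => finding[field] === value);
}

// Evaluate in ascending Order; first match wins (assumption about the app).
function firstMatch(criteria, finding) {
  const ordered = [...criteria].sort((a, b) => a.order - b.order);
  return ordered.find((criterion) => matches(criterion, finding)) || null;
}

// Decide whether a finding becomes an incident and, if so, which group gets it.
function triage(finding) {
  const creation = firstMatch(INCIDENT_CRITERIA, finding);
  if (!creation) return { createIncident: false, assignmentGroup: null, matchedOrder: null };
  const assignment = firstMatch(ASSIGNMENT_CRITERIA, finding);
  return {
    createIncident: true,
    assignmentGroup: assignment ? assignment.group : null,
    matchedOrder: creation.order,
  };
}

// Constructed sample findings (placeholder ORG_ID and SOURCE_ID).
const SAMPLE_FINDINGS = [
  { name: 'organizations/ORG_ID/sources/SOURCE_ID/findings/f1', category: 'PUBLIC_BUCKET_ACL',
    severity: 'HIGH', state: 'ACTIVE', findingClass: 'MISCONFIGURATION' },
  { name: 'organizations/ORG_ID/sources/SOURCE_ID/findings/f2', category: 'Malware: Bad IP',
    severity: 'CRITICAL', state: 'ACTIVE', findingClass: 'THREAT' },
  { name: 'organizations/ORG_ID/sources/SOURCE_ID/findings/f3', category: 'OPEN_FIREWALL',
    severity: 'HIGH', state: 'INACTIVE', findingClass: 'MISCONFIGURATION' },
  { name: 'organizations/ORG_ID/sources/SOURCE_ID/findings/f4', category: 'WEAK_SSL_POLICY',
    severity: 'LOW', state: 'ACTIVE', findingClass: 'MISCONFIGURATION' },
];

for (const finding of SAMPLE_FINDINGS) {
  console.log(finding.name.split('/').pop(), JSON.stringify(triage(finding)));
}
```

The inactive HIGH finding (f3) is deliberately left without an incident: a creation criterion that names only severity would open tickets for findings that Security Command Center has already marked inactive, so pairing severity with state is usually the better filter.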

Verify your configuration

Complete these steps to verify that ServiceNow is retrieving data from Security Command Center.

You must be a ServiceNow system admin to complete this task.

  1. In the ServiceNow console, click the All tab.

  2. Search for Google SCC ITSM or Google SCC SIR and click Ingestion Configuration.

  3. Check the state to verify that the data is being collected.

  4. Search for Google SCC ITSM or Google SCC SIR and click one of Assets, Findings, Sources, or Audit Logs. You should see records being added for each data type that you enabled. If you configured automatic incident creation in the Findings configuration, you should see incidents related to each finding that matches the criteria that you specified.

View the dashboards

The Google SCC ITSM app lets you visualize the data from Security Command Center. It includes five dashboards: Overview, Sources, Findings, Assets, and Audit Logs.

You can access these dashboards in the ServiceNow console, from the All > Google SCC ITSM > Dashboards or the All > Google SCC SIR > Dashboards page.

Overview dashboard

The Overview dashboard contains a series of charts that display the total number of findings in your organization by severity level, category, and state. Findings are compiled from Security Command Center's built-in services, such as Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection, and from any integrated services you enable.

To filter content, you can set the time range and organization ID.

Additional charts show which categories, projects, and assets are generating the most findings.

Assets dashboard

The Assets dashboard displays a chart of Google Cloud assets, categorized by asset type.

You can filter asset data by organization ID.

Audit logs dashboard

The Audit logs dashboard displays a series of charts and tables that show audit log information. The audit logs that are included in the dashboard are the administrator activity, data access, system events, and policy denied audit logs. The table includes the time, log name, severity, service name, resource name, and resource type.

You can filter the data by time range and organization ID.

Findings dashboard

The Findings dashboard includes a table of the 1000 most recent findings. Table columns include items such as category, asset name, source name, security marks, finding class, and severity.

You can filter the data by time range, organization ID, severity, state, or finding class. If you set up automatic incident creation, the dashboard includes a link to the incident.

Sources dashboard

The Sources dashboard shows a table of all your security sources. Table columns include name, display name, and description.

To filter content, you can set the organization ID.

Create an incident manually

  1. Log in to the ServiceNow console as the Google SCC ITSM or Google SCC SIR admin.

  2. In the All tab, search for Google SCC ITSM or Google SCC SIR and click Findings.

  3. Click the finding that you want to create an incident for.

  4. In the findings page, for Google SCC ITSM, click Create Incident and for Google SCC SIR, click Create Security Incident.

Change a finding's state

You can change a finding's state from active to inactive or from inactive to active.

  1. In the ServiceNow console, in the All tab, search for Google SCC ITSM or Google SCC SIR and click Findings.

  2. Click the finding that you want to change the state for.

  3. In the findings page, click Active Finding or Inactive Finding.

  4. Click OK.

Uninstall the apps

You must be a ServiceNow system admin to complete this task.

  1. In the ServiceNow console, in the All tab, search for System Applications and click All Available Applications > All.

  2. Select Installed.

  3. Select Google SCC ITSM or Google SCC SIR and click Uninstall.

Limitations

This section describes the limitations related to this integration.

  • The maximum number of assets, findings, sources, or audit logs that can be fetched per API call is 1000.

  • If the Findings API call response is one of 429/5XX, the application will retry after 60 seconds for 3 attempts. If it still fails, the process fails. To change the number of retries, complete the following:

    1. Log in to the ServiceNow console as the Google SCC ITSM or Google SCC SIR admin.

    2. In the All tab, search for Google SCC ITSM or Google SCC SIR and click System Properties.

    3. Set the Number of max retries for an invalid response from Google SCC (in numbers) field to a number that is greater than 3.

    4. Click Save.
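The two limitations above (1000 records per API call, and a fixed 60-second wait before each of up to 3 retries on a 429 or 5xx response) describe a fetch loop. The following is an added example, not the app's own code, of such a loop: it pages through the findings list with a page size of 1000 and follows the page token, and it retries only on 429 and 5xx so that an authorization failure (401/403) surfaces immediately instead of burning three minutes. The `maxRetries` and `waitMs` options correspond to the app's "Number of max retries" and "Time window to wait" system properties mentioned later on this page. The API client is injected, so the code runs offline against a constructed fake; response field names (`listFindingsResults`, `nextPageToken`) follow the Security Command Center findings list API.

```javascript
// Added example: paging and retry policy matching the documented limits.

// Synchronous sleep on the Node main thread, so the control flow stays linear.
function defaultWait(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// Call `request` until it returns 200. 429 and 5xx are retried after waitMs,
// up to maxRetries times; any other non-200 status fails immediately.
function callWithRetry(request, { maxRetries = 3, waitMs = 60000, wait = defaultWait } = {}) {
  let retries = 0;
  for (;;) {
    const resp = request();
    if (resp.status === 200) return resp.body;
    const retryable = resp.status === 429 || (resp.status >= 500 && resp.status <= 599);
    if (!retryable) throw new Error(`non-retryable status ${resp.status}`);
    if (retries >= maxRetries) throw new Error(`gave up after ${retries} retries, last status ${resp.status}`);
    retries += 1;
    wait(waitMs);
  }
}

// Page through the findings list, 1000 per call, following nextPageToken.
function listAllFindings(callApi, options = {}) {
  const findings = [];
  let pageToken;
  do {
    const body = callWithRetry(() => callApi({ pageSize: 1000, pageToken }), options);
    for (const result of body.listFindingsResults || []) findings.push(result.finding);
    pageToken = body.nextPageToken;
  } while (pageToken);
  return findings;
}

// Constructed fake API: returns the given failure statuses first, then two
// pages of findings (1000 and 5). Placeholder ORG_ID and SOURCE_ID in names.
function makeFakeApi(failureStatuses) {
  const pending = [...failureStatuses];
  const page = (start, count, nextToken) => ({
    status: 200,
    body: {
      listFindingsResults: Array.from({ length: count }, (_, i) => ({
        finding: { name: `organizations/ORG_ID/sources/SOURCE_ID/findings/f${start + i}`, severity: 'HIGH' },
      })),
      nextPageToken: nextToken,
    },
  });
  return ({ pageSize, pageToken }) => {
    if (pending.length > 0) return { status: pending.shift() };
    if (!pageToken) return page(0, Math.min(pageSize, 1000), 'page-2');
    return page(1000, 5, undefined);
  };
}

// Run against a 429 followed by a 503, recording waits instead of sleeping.
function demo() {
  const waits = [];
  const all = listAllFindings(makeFakeApi([429, 503]), { wait: (ms) => waits.push(ms) });
  return { count: all.length, waits };
}
console.log(JSON.stringify(demo()));
```

With the defaults this is the app's documented behaviour: three failed retries cost three minutes before the process fails, which is worth keeping in mind when sizing the Interval(second) of a recurring collection.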

View application logs

To view the logs for the app, complete the following:

  1. Log in to the ServiceNow console as the Google SCC ITSM or Google SCC SIR admin.

  2. In the All tab, search for Google SCC ITSM or Google SCC SIR and click Administration > Application Logs.

Troubleshooting

Cannot install the app from the ServiceNow Store

  1. Verify that you are logged in as the ServiceNow system admin.

  2. In the All tab, search for System Applications and click All Available Applications > All.

  3. Check whether the app appears in the Installed tab.

Cannot create a new user

If you are using the Rome release version, review Create a user for instructions.

Cannot fetch data

This issue might occur when fetching findings, assets, sources, or audit logs and the "Starting data ingestion for profile: PROFILE_NAME" message appears.

  1. Log in to the ServiceNow console as the Google SCC ITSM or Google SCC SIR admin.

  2. In the All tab, search for Google SCC ITSM or Google SCC SIR and click Administration > System Properties.

  3. Verify that the following fields aren't empty:

    • Number of max retries for an invalid response from Google SCC (in numbers)

    • Time window to wait before making another request after reaching request limit (in milliseconds)

  4. If the fields are empty, set the values as follows:

    • Set Number of max retries for an invalid response from Google SCC (in numbers) field to 3.

    • Set Time window to wait before making another request after reaching request limit (in milliseconds) to 60000.

  5. Click Save.

Cannot add more than 250 worknotes or activities to an incident

  1. Log in to the ServiceNow console as a system admin.

  2. In the navigation bar, search for sys_properties.list.

  3. In the System Properties window, create a filter Name is glide.history.max_entries.

  4. Click Run.

  5. In the property window, set Value to a number that is greater than 250.

  6. Click Update.

Attachment isn't supported

  1. Log in to the ServiceNow console as a system admin.

  2. In the All tab, search for System Applications and click Security.

  3. In the Security System Properties page, verify the extension list in the List of file extensions (comma-separated) that can be attached to documents via the attachment dialog. Extensions should not include the dot (.) e.g. xls,xlsx,doc,docx. Leave blank to allow all extensions. field.

Maximum execution time exceeded

You receive this message when you attempt to access the dashboards.

For a resolution, see "Widget cancelled - Maximum execution time exceeded" message appearing on homepage.

What's next