Exporting Security Command Center data

This page describes two methods for exporting Security Command Center data, including assets, findings, and security marks:

  • One-time exports for current findings, assets, and security marks
  • Continuous exports that automatically export new findings to Pub/Sub

Security Command Center lets you export data using the Security Command Center API or the Google Cloud console.

Alternatively, you can export findings to BigQuery.

One-time exports

One-time exports let you manually transfer and download current and historical findings and assets.

For findings, you can transfer data to a Cloud Storage bucket and download it to your local workstation. You can also export data to a CSV file.

For assets, you can download the data from the Google Cloud console to your local workstation as a CSV file.


To perform one-time exports, you need the following:

  • The Identity and Access Management (IAM) role Security Center Admin Viewer (roles/securitycenter.adminViewer), or any role that has the following permissions:

    • resourcemanager.organizations.get (required only for organization-level activations of Security Command Center)
    • resourcemanager.projects.get (required for project-level activations of Security Command Center)
    • securitycenter.assets.group
    • securitycenter.assets.list
    • securitycenter.findings.group
    • securitycenter.findings.list
    • securitycenter.sources.get
    • securitycenter.sources.list
    • securitycenter.userinterfacemetadata.get
  • The Storage Admin role, which lets you store data in Cloud Storage buckets.

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Export data using the Google Cloud console

Using the Google Cloud console, you can export findings to a Cloud Storage bucket, download the exported data, and export assets or findings to a CSV file.

Export findings to a Cloud Storage bucket

This section describes how to export Security Command Center data to a Cloud Storage bucket. When you click Export on the Findings page in the Google Cloud console, Security Command Center automatically gets credentials or permissions to write to the Cloud Storage bucket.

Findings are exported in separate operations. You can export a JSON or JSONL file to an existing Cloud Storage bucket or create one during the export process.

You can export all current findings, or select the filters you want to use before you export.

  1. Go to the Findings page in the Google Cloud console.

  2. Select the findings that you need to export by applying filters to the findings query. For more information about creating filters, see Create or edit a findings query in the Google Cloud console.

  3. When you're done creating a filter, click Export, and then, under One-time, click Cloud storage.

  4. On the Export page, configure the export:

    1. On the Group results by drop-down list, select how you want to group the export data.
    2. On the Format drop-down list, select JSON or JSONL.
    3. The Filters field displays the values for attributes in the filter. To change the filter, return to the Findings page.
    4. In the Display results from box, select the timestamp of the data you want to export.
    5. In the Export to box, select the project where you want to export the data.
    6. In the Export path box, click Browse.
    7. On the Select object panel, select an existing Cloud Storage bucket or create a storage bucket.
    8. After you select or create a bucket, under Filename, enter a name for the export file.
    9. Click Select.
  5. When you're finished configuring the export, click Export.

    If you selected an existing file in the bucket, the Confirm Overwrite dialog displays.

    • To overwrite the existing file, click Confirm.
    • To change the file you're writing to, click Cancel, then click Browse in the Export path box and select or create a different file.

The configured data is saved to the Cloud Storage bucket you specified.

Download exported data from a Cloud Storage bucket

To download the exported JSON or JSONL data, perform the following steps:

  1. Go to the Storage browser page in the Google Cloud console.

  2. Select your project, and then click the bucket to which you exported data.

  3. Select the checkbox next to the export file, and then click Download.

  4. On the Save File dialog, select the location where you want to save the file, and then click Save.

The JSON or JSONL file is downloaded to the location you specified.

Export assets to a CSV file

You can download asset data to a CSV file from the Assets page in the Google Cloud console.

To download asset data to a CSV file, follow these steps:

  1. Go to the Assets page.

  2. Use the Quick filters panel or the Filter field of the asset results panel to select the assets you need to export. For more information about filtering assets, see Filtering assets.

  3. Above the displayed assets, click Export, and then click Download CSV. The data for the assets in the results panel is downloaded to your workstation.

Export findings to a CSV file

To configure the export, you can filter findings by category, severity, and other properties. All findings that match the filter are included in the CSV file. You can export up to 3,500,000 findings at a time.

The finding records are exported with a default set of columns, which might not match what you see in the Google Cloud console. That is, hiding or unhiding columns using the Column display options doesn't change which columns are exported. Similarly, changing the Rows per page value has no effect on the exported content.

To export findings to a CSV file, perform the following steps:

  1. On the Security Command Center page of the Google Cloud console, go to the Findings page.

  2. On the toolbar, click the project selector, and select your project, folder, or organization.

    To use this feature, you must be on the redesigned Findings page. For more information, see Upgrade to the Findings Workflow Improvements.

  3. Optional: To narrow down the findings to be exported, apply a filter.

  4. Click Export, and then click CSV. Security Command Center begins exporting the findings.

    When the export is complete, a notification appears on the toolbar.

  5. On the toolbar, click the notification icon.

  6. On the Saved export as CSV notification, click Download. The CSV file is downloaded to your local workstation.

Export data using API methods

You can export assets, findings, and security marks to a Cloud Storage bucket or your local workstation by using the Security Command Center API.

Export asset data using API methods

To export or list asset data, use the Cloud Asset Inventory API. For more information, see Export asset history and metadata.

The asset methods and fields of the Security Command Center API are deprecated and will be removed on or after June 26, 2024.

Until they are removed, users who activated Security Command Center before June 26, 2023 can use the asset methods of the Security Command Center API to list and export asset data, but these methods support only the assets that Security Command Center supports.

For information about using the deprecated asset API methods, see listing assets.

Export finding data using the Security Command Center API

To export findings with the Security Command Center API, follow the guide for listing security findings and then download or export the API responses.

To list findings with any attached security marks, you can use the following API methods:

The methods return findings with their full set of properties, attributes, and associated marks in JSON format. If your application requires data to be in a different format, you need to write custom code to convert the JSON output.

If you specify a value in the groupBy field, you can use the following methods:

The GroupFindings method returns a list of an organization's findings, grouped by specified properties.

To export API output to a Cloud Storage bucket, use Cloud Shell to list findings, write the output to a file, and then copy that file to your selected storage bucket.

  1. Open Cloud Shell.

  2. To write findings to a file, redirect the output of the gcloud CLI command for listing findings to that file.

    For example, the following command stores listed findings in a text file named FINDINGS.txt.

     gcloud scc findings list PARENT_ID --source=SOURCE_ID \
       --filter="FILTER" > FINDINGS.txt

    Replace the following:

    • FILTER: an optional expression to limit the list of findings printed to those that match the filter expression.
    • PARENT_ID: the ID of any of the following parent resources:

      • Organization, specified as organizations/ORGANIZATION_ID or ORGANIZATION_ID
      • Folder, specified as folders/FOLDER_ID
      • Project, specified as projects/PROJECT_ID
    • SOURCE_ID: the source ID for the finding provider. To find a source ID, see Getting the source ID.

    • FINDINGS.txt: the name and extension of a target file to store the list of findings.

  3. Copy FINDINGS.txt to your Cloud Storage bucket.

    gsutil cp FINDINGS.txt gs://BUCKET_NAME

    Replace BUCKET_NAME with the name of your bucket.

  4. To save FINDINGS.txt to your local workstation instead of a Cloud Storage bucket, run the following command:

    cloudshell download FINDINGS.txt
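
As noted above, converting the JSON output to another format takes custom code. The following added example (not part of the original page or of Google's tooling) converts a saved findings list to CSV and prefixes any cell that a spreadsheet would evaluate as a formula, since display names and security marks are free-form text. It assumes the file holds a JSON array, for example from running the list command with gcloud's global --format=json flag; the column selection and the sample data are constructed for illustration.

```python
import csv
import io
import json

# Columns picked for this example; not the console's default CSV column set.
COLUMNS = ["name", "category", "severity", "state", "resource", "event_time", "marks"]
# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def neutralize(value):
    """Return value as text, prefixed with ' if a spreadsheet would evaluate it."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text

def flatten(result):
    """Map one list result ({"finding": ..., "resource": ...}) to a CSV row."""
    finding = result.get("finding") or {}
    resource = result.get("resource") or {}
    marks = (finding.get("securityMarks") or {}).get("marks") or {}
    row = {
        "name": finding.get("name"),
        "category": finding.get("category"),
        "severity": finding.get("severity"),
        "state": finding.get("state"),
        "resource": resource.get("displayName") or finding.get("resourceName"),
        "event_time": finding.get("eventTime"),
        # Marks are free-form key/value pairs; sort them for stable output.
        "marks": ";".join(f"{k}={v}" for k, v in sorted(marks.items())),
    }
    return {col: neutralize(row[col]) for col in COLUMNS}

def findings_json_to_csv(json_text):
    """Convert a JSON array of list results into CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for result in json.loads(json_text):
        writer.writerow(flatten(result))
    return out.getvalue()

# Constructed sample input (not real findings); all IDs are placeholders.
SAMPLE = json.dumps([
    {"finding": {"name": "organizations/123/sources/456/findings/abc",
                 "category": "Persistence: IAM Anomalous Grant", "severity": "LOW",
                 "state": "ACTIVE", "eventTime": "2024-01-01T00:00:00Z",
                 "securityMarks": {"marks": {"owner": "team-a", "env": "prod"}}},
     "resource": {"displayName": "prod-project"}},
    {"finding": {"name": "organizations/123/sources/456/findings/def",
                 "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE"},
     "resource": {"displayName": "=SUM(A1:A2)"}},
])

if __name__ == "__main__":
    print(findings_json_to_csv(SAMPLE), end="")
```

To convert a real export, pass the contents of the saved file to findings_json_to_csv instead of SAMPLE.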

Continuous exports

Continuous exports simplify the process of automatically exporting Security Command Center findings into Pub/Sub. When new findings are written, they are automatically exported to designated Pub/Sub topics in near-real time, letting you integrate them into your existing workflow.

To learn more about Pub/Sub, see What is Pub/Sub?

Continuous exports versus finding notifications

Security Command Center lets you set up finding notifications for Pub/Sub using the Security Command Center API. The API requires you to use Google Cloud CLI to set up Pub/Sub topics, create finding filters, and create NotificationConfigs, files that contain configuration settings to send notifications. Continuous exports offer the same functionality, but creating exports is simplified by using the Google Cloud console.


To create and manage continuous exports, you need one of the following roles.

  • roles/securitycenter.adminEditor
  • roles/securitycenter.adminViewer

You can also use any role that has the following permissions:

  • To view or publish Pub/Sub topics:

    • pubsub.topics.publish
    • pubsub.topics.list
  • To view the continuous exports page:

    • securitycenter.notificationconfig.get
    • securitycenter.notificationconfig.list
  • To manage continuous exports:

    • securitycenter.notificationconfig.create
    • securitycenter.notificationconfig.update
    • securitycenter.notificationconfig.delete

To learn more about Security Command Center roles, see Access control.

Configuring Pub/Sub exports

Continuous exports let you automate the export of all future findings to Pub/Sub or create filters to export future findings that meet specific criteria. You can filter findings by category, source, asset type, security marks, severity, state, and other variables.

Creating continuous exports

Your organization can create a maximum of 500 continuous exports. To create an export for Pub/Sub, do the following:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

  2. In the Findings query results field, select the findings to export by using either of the following methods:

    • By clicking Add Filter to select the properties of the findings you need to export.

      The Select filter dialog lets you choose supported finding attributes and values.

      1. Select a finding attribute or type its name in the Search finding attributes box. A list of the available sub-attributes displays.
      2. Select a sub-attribute. A selection field for your evaluation options displays above a list of the sub-attribute values found in the findings in the Findings query results panel.
      3. Select an evaluation option for the values of the selected sub-attribute. For more information about the evaluation options and the operators and functions that they use, see Query operators in the Add filters menu.
      4. Select Apply.

        The dialog closes and your query is updated.

      5. Repeat until the findings query contains all the attributes you want.
    • By manually coding the finding query in the query editor. You can use standard SQL operators AND, OR, equals (=), has (:), and not (-) to specify the finding properties and values of the findings you need to export.

      As you type in your query, an autocomplete menu appears, where you can select filter names and functions.

      For example, the following query matches low-severity and medium-severity anomalous IAM grant findings in prod-project, and excludes resource types where the name has the substring compute:

      severity="LOW" OR severity="MEDIUM"
      AND category="Persistence: IAM Anomalous Grant"
      AND resource.project_display_name="prod-project"
      AND -resource.type:"compute"

      For more examples on filtering findings, see Filtering notifications.

  3. Review the resulting query for accuracy. To make changes, delete or add properties and filter values as needed.

  4. Click Refresh matching findings. A table displays findings that match your query. For more information about querying findings, see Edit a findings query in the Google Cloud console.

  5. Click Export, and then, under Continuous, click Pub/Sub.

  6. Review your filter to ensure it's correct and, if necessary, return to the Findings page to modify it.

  7. Under Continuous export name, enter a name for the export.

  8. Under Continuous export description, enter a description for the export.

  9. Under Export to, select a project for your export. You can't create a project on this page. To create a new project, see Creating a project.

  10. Under Pub/Sub topic, select the topic where you want to export findings. To create a topic, do the following:

    1. Select Create a topic.
    2. Enter a Topic ID, and then select other options as needed:
      1. Learn about Creating and managing schemas.
      2. Learn about using customer-managed encryption keys (CMEK) with Pub/Sub.
    3. Click Create Topic.
  11. Click Save. You see a confirmation and are returned to the findings page.

  12. Follow the guide to create a subscription for your Pub/Sub topic.

The Pub/Sub export configuration is complete. To publish notifications, a service account is created for you in the form of service-org-ORGANIZATION_ID@gcp-sa-scc-notification.iam.gserviceaccount.com. This service account is automatically granted the securitycenter.notificationServiceAgent role at the organization level. This service account role is required for notifications to function.
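
Because notifications stop if this role binding is removed, it is worth checking for after setup and during troubleshooting. The following added example (not part of the original page) inspects an organization IAM policy saved as JSON, assumed to come from gcloud organizations get-iam-policy ORGANIZATION_ID --format=json, and reports whether the service agent still holds the role. The function name, the status labels, and the sample policies are constructed for illustration.

```python
import json

# Role and service agent address as described on this page; the "roles/" prefix
# and the "serviceAccount:" member prefix are standard IAM policy notation.
ROLE = "roles/securitycenter.notificationServiceAgent"
AGENT = "service-org-{org_id}@gcp-sa-scc-notification.iam.gserviceaccount.com"

def check_notification_agent(policy_json, org_id):
    """Classify the service agent's binding: ok, conditional, deleted or missing."""
    member = "serviceAccount:" + AGENT.format(org_id=org_id)
    found = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") != ROLE:
            continue
        for entry in binding.get("members", []):
            if entry == member:
                # A conditional binding may not apply to every request.
                found.add("conditional" if binding.get("condition") else "ok")
            elif entry.startswith("deleted:" + member + "?uid="):
                # IAM keeps bindings of deleted principals in this form.
                found.add("deleted")
    for status in ("ok", "conditional", "deleted"):
        if status in found:
            return status
    return "missing"

# Constructed sample policies; organization ID 123456789012 is a placeholder.
GOOD = json.dumps({"bindings": [
    {"role": "roles/securitycenter.adminViewer", "members": ["user:analyst@example.com"]},
    {"role": ROLE, "members": ["serviceAccount:" + AGENT.format(org_id="123456789012")]},
]})
STALE = json.dumps({"bindings": [
    {"role": ROLE, "members": [
        "deleted:serviceAccount:" + AGENT.format(org_id="123456789012")
        + "?uid=000000000000000000000"]},
]})
ABSENT = json.dumps({"bindings": [
    {"role": "roles/securitycenter.adminViewer", "members": ["user:analyst@example.com"]},
]})

if __name__ == "__main__":
    for label, policy in (("good", GOOD), ("stale", STALE), ("absent", ABSENT)):
        print(label, check_notification_agent(policy, "123456789012"))
```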

Testing continuous exports

To confirm that an export is working, perform the following steps to toggle findings between active and inactive states.

  1. Go to the Security Command Center Findings page in the Google Cloud console.

  2. Click the Edit query button. The Query editor opens.

  3. Edit the query so that both active and inactive findings are displayed. The following query omits the state property to display all findings except those that are muted:

    NOT mute="MUTED"

  4. If necessary, use the Query editor to re-enter filter variables that match the export filter you're testing.

  5. Click the box next to the name of a finding.

  6. Select Change Active State, and then select Inactive.

  7. Re-select the finding that you marked inactive.

  8. Select Change Active State, and then select Active. A notification is sent for the newly active finding.

  9. Go to the Pub/Sub page in the Google Cloud console.

  10. In the list of topics, click the name of your topic.

  11. Select View Messages.

  12. In the Messages panel, select your subscription from the drop-down list to see the finding notification. If necessary, click Pull to refresh messages.

Managing continuous exports

To view, edit, or delete exports, do the following:

  1. Go to the Settings page in Security Command Center.

  2. If necessary, select your project, folder, or organization.

  3. Select Continuous exports. You see a list of continuous exports for your project, folder, or organization.

From this page, you can take the following actions:

To see findings that match an export filter, do the following:

  1. On the Continuous exports page, next to the name of an export, select More, and then click View related filters.
  2. The Findings page loads with findings that match the export filter.

Editing continuous exports

  1. On the Continuous exports page, click the name of the export you want to view or modify, or click More.
  2. Select Edit.
  3. Enter a new description, change the project that exports are saved to, or enter a new Pub/Sub topic.
  4. When done, click Save.

Deleting continuous exports

  1. On the Continuous exports page, click the name of the export you want to delete.
  2. Click Delete.
  3. In the dialog, click Delete. The export is deleted.

What's next

Learn more about finding notifications.