Export Security Command Center data, including assets, findings, and security marks. Security Command Center enables you to export data using the Security Command Center API, or by using the Google Cloud Console.
Before you begin
To export Security Command Center data, you need the following:
- An Identity and Access Management (IAM) role that includes the permissions of the Security Center Admin Viewer role.
- A Google Cloud project in which you can create a Cloud Storage bucket and write the export data.
Export data using the Cloud Console
This section describes how to export Security Command Center data to a JSON file using the Cloud Console. When you click Export in the Security Command Center dashboard, Security Command Center gets credentials or permissions to write to the Cloud Storage bucket automatically.
To export a JSON file to a Cloud Storage bucket, follow the steps below. If you don't already have a Cloud Storage bucket you want to use, you can create one during the export process.
Finding and Asset data are exported in separate operations. If you want to filter the exported data, select the filters you want to use on the Assets or Findings tab before you export.
- Go to the Security Command Center in the Cloud Console.
- Select the Assets tab or the Findings tab, and then click Export.
- On the Export page that appears, configure the export:
- On the Entity Type drop-down list, select the kind of data that you want to export.
- On the Group Results By drop-down list, select how you want to group the export data.
- The Filters list displays the filters you have selected for the entity type, if any.
- Under Display Results From, select the timestamp of the data you want to export.
- Under Export to, select the project to which you want to export the data.
- In the Export Path box, click Browse.
- On the Select object panel that appears, select an existing Cloud Storage bucket or click Create new bucket.
- To create a bucket, enter a filename to save the data to in the File name box.
- After you select or create a bucket, click Select.
- When you're finished configuring the export, click Export JSON. If you selected an existing file in the bucket, the Confirm Overwrite dialog appears:
- To overwrite the existing file, click Confirm.
- To change the file you're writing to, click Cancel, then click Browse in the Export Path box and select or create a different file.
The configured data is saved to the Cloud Storage bucket you specified.
Downloading exported data
To download the exported JSON data, follow the steps below:
- Go to the Cloud Storage bucket:
- On the Cloud Console, click the Export Notification, OR
- Go to the Cloud Console Storage Browser page and select the project and bucket to which you exported data.
- To download the JSON file, click the filename you entered when you exported the data.
- On the Save File dialog that appears, select the location where you want to save the JSON, and then click Save.
The JSON file is downloaded to the location you specified.
Export data using the Security Command Center API
You can export assets, findings, and marks to a Cloud Storage bucket or your local workstation using the Security Command Center API.
Assets and findings are listed using several methods:
If you specify a value in the groupBy field, then the GroupFindings method is used. If you don't specify a groupBy value, then the ListFindings method is used. The GroupFindings methods filter an organization's assets or findings and group them by their specified properties.
These APIs return assets or findings with their full set of properties, attributes, and associated marks in JSON format. If your application requires data to be in a different format, you need to write custom code to convert the JSON output.
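The following added example (not part of the original documentation) shows one way to write such conversion code: it flattens findings JSON into CSV and prefixes cells that a spreadsheet would treat as formulas, since finding fields can contain untrusted text. It assumes the findings were saved as JSON (for example with gcloud's --format=json flag) as a list of results that each wrap a finding object; the field names follow the API's Finding resource and the sample data is constructed.

```python
import csv
import io
import json

# Columns to pull from each finding (assumed field names from the API's
# Finding resource); adjust to what your application needs.
COLUMNS = ["name", "category", "state", "severity", "resourceName", "eventTime"]

def _results(doc):
    """Accept a bare list of results or a ListFindings response object."""
    if isinstance(doc, dict):
        return doc.get("listFindingsResults", [])
    return doc

def _safe_cell(value):
    """Stringify a value and neutralise spreadsheet formula prefixes."""
    text = "" if value is None else str(value)
    if text.startswith(("=", "+", "-", "@")):
        return "'" + text
    return text

def findings_to_csv(json_text):
    """Convert findings JSON to CSV text, one row per finding."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS + ["marks"])
    for item in _results(json.loads(json_text)):
        finding = item.get("finding", item)  # each result wraps the finding
        marks = finding.get("securityMarks", {}).get("marks", {})
        # Flatten marks into one "key=value;key=value" cell, sorted for stable output.
        marks_cell = ";".join(f"{k}={v}" for k, v in sorted(marks.items()))
        row = [finding.get(col) for col in COLUMNS] + [marks_cell]
        writer.writerow([_safe_cell(v) for v in row])
    return out.getvalue()

# Constructed sample input (not real findings).
SAMPLE = json.dumps([
    {"finding": {"name": "organizations/123/sources/456/findings/abc",
                 "category": "MEDIUM_RISK_ONE", "state": "ACTIVE",
                 "resourceName": "//example/resource-1",
                 "eventTime": "2020-01-01T00:00:00Z",
                 "securityMarks": {"marks": {"owner": "team-a", "env": "prod"}}}},
    {"finding": {"name": "organizations/123/sources/456/findings/def",
                 "category": "=HYPERLINK(\"x\")", "state": "INACTIVE"}},
])

if __name__ == "__main__":
    print(findings_to_csv(SAMPLE), end="")
```

Fields missing from a finding are written as empty cells, so rows stay aligned with the header.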
To export API output to a Cloud Storage bucket, use Cloud Shell to list assets or findings, write the output to a file, and copy that file to your selected storage bucket.
- Open Cloud Shell.
The sample code below lists findings for a specific source, filtered by severity level, and stores the output in a text file named "my-findings.txt". Add your organization ID and the source ID for your selected finding. Learn how to get a provider's source ID.
# Replace the placeholder values with your organization ID and source ID.
ORGANIZATION_ID=organization-id
SOURCE_ID="source-id"
FILTER="category=\"MEDIUM_RISK_ONE\""
gcloud scc findings list "$ORGANIZATION_ID" --source="$SOURCE_ID" \
  --filter="$FILTER" > my-findings.txt
Copy "my-findings.txt" to your Cloud Storage bucket. Change "my-bucket" to your bucket name.
gsutil cp my-findings.txt gs://my-bucket
To save "my-findings.txt" to your local workstation instead of a Cloud Storage bucket, run the code below and follow the dialog prompts.
cloudshell download my-findings.txt