Enable case data synchronization

This document explains what case data synchronization is and how to enable it in the Enterprise tier of Security Command Center.

The cases, connectors, playbooks, and jobs capabilities are powered by Google Security Operations.

Overview

After you enable case data synchronization, it keeps cases and their corresponding tickets up to date. The synchronization process lets you track updates made to cases and tickets, such as comments and changes to the status, priority, and assignee.

Synchronization jobs are internal automatic processes that synchronize case data within Security Command Center and between Security Command Center and integrated ticketing systems. These jobs are disabled by default and run automatically after you enable them. For more details about enabling jobs, see Enable synchronization for cases.

The following jobs are responsible for the synchronization process:

  • SCC Enterprise - Sync SCC Data
  • Sync SCC-Jira Tickets
  • Sync SCC-ServiceNow Tickets

These jobs depend on information in playbooks to keep cases and tickets synchronized with each other. The default playbooks available in Security Command Center provide required values in a specific tag and attach it to the case. If you choose to create a custom playbook, make sure that it contains a step for creating and attaching a tag to the case.

How synchronization jobs work

The SCC Enterprise - Sync SCC Data job checks the state of findings in cases. By default, if all findings in a case are inactive, the synchronization job closes the case automatically. If at least one finding in a case is active, the system attaches a comment to the case and displays the finding state in the SCC - Findings State case widget.

The Sync SCC-Jira Tickets and Sync SCC-ServiceNow Tickets jobs are bidirectional; they track and synchronize the following parameters:

  • For the Security Command Center to ticketing system flow: comments, case priority (mapped to the ticket severity in Jira or ServiceNow), and case status.

  • For the ticketing system to Security Command Center flow: comments, changes to the ticket status, the assignee, and the ticket priority.

Internally, the jobs also synchronize the information about the latest findings statuses and severities.

When the case is closed, the ticket is closed with the Resolved status. When the ticket is resolved in Jira or ServiceNow, the synchronization jobs trigger Security Command Center to close the case too.

How playbooks trigger data synchronization

By default, Security Command Center doesn't use ticketing systems like Jira or ServiceNow to create tickets for cases. It only requires that the INTERNAL-SCC-TICKET-INFO tag is attached to cases so that the SCC Enterprise - Sync SCC Data job can synchronize the case data.

If you integrate with a ticketing system, the playbook attaches the required EXTERNAL-SCC-TICKET-INFO tag to a case only after the playbook successfully creates a ticket in your ticketing system. To synchronize case data with ticketing systems correctly, in addition to enabling the SCC Enterprise - Urgent Posture Findings Connector and the SCC Enterprise - Sync SCC Data job, enable either the Sync SCC-Jira Tickets or the Sync SCC-ServiceNow Tickets job. For more details about how to enable the connector and the synchronization jobs, see the following section.

Enable synchronization for cases

By default, case data synchronization is disabled.

Before you begin

You can synchronize case data after activating the Security Command Center Enterprise tier.

To enable case synchronization, you must be granted one of the following SOC roles in the Security Operations console:

  • Administrator
  • Vulnerability Manager
  • Threat Manager

For more details about SOC roles in the Security Operations console and permissions required for users, see Control access to features in the Security Operations console.

Enable synchronization for the default configuration

To enable synchronization, complete the following steps:

  1. In the Security Operations console, go to Settings > Ingestion > Connectors.

  2. Select SCC Enterprise - Urgent Posture Findings Connector.

  3. Switch the toggle to enable the connector.

  4. Click Save.

  5. In the Security Operations console, go to Response > Job Scheduler.

  6. Select the SCC Enterprise - Sync SCC Data job.

  7. Switch the toggle to enable the job.

  8. Click Save to complete the configuration for a default flow (with no ticketing system).

If you use a ticketing system like Jira or ServiceNow, proceed to the following section.

Enable synchronization for ticketing systems

After you integrate with ticketing systems, enable the synchronization between Security Command Center Enterprise and your ticketing system by completing the following steps:

  1. In the Security Operations console, go to Response > Job Scheduler.

  2. Choose the correct synchronization job:

    • If you integrated with Jira, select the Sync SCC-Jira Tickets job.

    • If you integrated with ServiceNow, select the Sync SCC-ServiceNow Tickets job.

  3. Switch the toggle to enable the selected job.

  4. Click Save.

Troubleshooting

This section lists troubleshooting steps that might be helpful if you experience the following synchronization problems in Security Command Center.

The number of cases differs between the Security Operations console and the Google Cloud console

You can experience a mismatch between the number of posture cases that you see in the Security Operations console and in the Google Cloud console. This issue can appear when the synchronization process hasn't completed yet because the first synchronization run is still ingesting a large number of cases. Wait for the initial synchronization run to complete, and then check the numbers again.

Case comments aren't synchronized with tickets

If you use a ticketing system, you might experience instances when case comments aren't synchronized, or when changes related to tickets aren't tracked and reflected in case comments. This issue can occur when not all of the synchronization jobs are active. In addition to the SCC Enterprise - Sync SCC Data job, make sure to enable either the Sync SCC-Jira Tickets or the Sync SCC-ServiceNow Tickets job. For more details about how to enable jobs, see Enable synchronization for cases.

The case timestamps display the Unix epoch date

In the Google Cloud console, the summary of a finding can display the External system update time, Case SLA, and Update time parameter values as January 1, 1970 at 00:00:00 GMT+0000 (the Unix epoch, which indicates that the synchronization job never wrote a real value). This issue can occur for the following reasons:

  • One of the synchronization jobs returned an error.

    A job can return an error when the information used by the job is invalid or there is a misconfiguration. This error can occur, for example, when the job couldn't update the EXTERNAL-SCC-TICKET-INFO tag value that you configured, or when you added the EXTERNAL-SCC-TICKET-INFO tag to a case that doesn't have a ticket yet. To obtain details about an error, complete the following steps:

    1. In the Security Operations console, go to Response > Job Scheduler.

    2. Select a synchronization job.

    3. In the History section, check the logs with the Failed job status.

  • You use a custom playbook that doesn't synchronize cases.

    Make sure that your custom playbook contains either the POSTURE - JIRA - CREATE TICKET or the POSTURE - SNOW - CREATE TICKET block with the configured required parameters for the synchronization to work.
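The following Python script is an added example, not part of the Security Command Center documentation or product code. It triages a constructed case export for the epoch-date symptom described above and maps each affected case to the likely cause the page lists: no synchronization tag attached (a custom playbook that doesn't synchronize cases), an EXTERNAL-SCC-TICKET-INFO tag on a case that has no ticket yet, or a job error that you should look up in the Job Scheduler history. The record layout, the field names (external_system_update_time, case_sla, update_time), the shape of the tag values, and the sample ticket reference are all assumptions made for the example; only the tag names and the epoch sentinel come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Sentinel the page describes: January 1, 1970 at 00:00:00 GMT+0000.
EPOCH_ZERO = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Tag names from the page; the tag value layout below is an assumption.
INTERNAL_TAG = "INTERNAL-SCC-TICKET-INFO"
EXTERNAL_TAG = "EXTERNAL-SCC-TICKET-INFO"

# Finding-summary fields that can show the epoch date. These key names are
# assumed for the example; they are not the product's export schema.
EPOCH_FIELDS = ("external_system_update_time", "case_sla", "update_time")


@dataclass
class CaseRecord:
    """Constructed, simplified view of a case for triage purposes."""
    case_id: str
    tags: dict        # tag name -> ticket reference, or None when no ticket exists
    timestamps: dict  # field name -> ISO 8601 string


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def epoch_fields(case):
    """Return the summary fields that still hold the epoch sentinel."""
    return [f for f in EPOCH_FIELDS
            if f in case.timestamps and parse_ts(case.timestamps[f]) == EPOCH_ZERO]


def diagnose(case):
    """Map one case to the likely cause listed on the page for epoch timestamps."""
    if not epoch_fields(case):
        return "ok"
    if INTERNAL_TAG not in case.tags and EXTERNAL_TAG not in case.tags:
        # Neither tag present: the playbook never attached a synchronization tag.
        return "no-sync-tag"
    if EXTERNAL_TAG in case.tags and not case.tags[EXTERNAL_TAG]:
        # External tag attached before a ticket existed; the job can't update it.
        return "external-tag-without-ticket"
    # Tags look fine: the job itself likely failed; check Job Scheduler > History.
    return "check-job-history"


def triage(cases):
    """Return a case_id -> verdict map for a list of CaseRecord objects."""
    return {c.case_id: diagnose(c) for c in cases}


# Constructed sample cases; the ticket reference "TICKET-0001" is a placeholder.
SAMPLE_CASES = [
    CaseRecord("case-1", {INTERNAL_TAG: None},
               {"update_time": "2024-05-01T10:00:00Z"}),
    CaseRecord("case-2", {},
               {"update_time": "1970-01-01T00:00:00Z"}),
    CaseRecord("case-3", {INTERNAL_TAG: None, EXTERNAL_TAG: None},
               {"case_sla": "1970-01-01T00:00:00Z",
                "update_time": "2024-05-01T10:00:00Z"}),
    CaseRecord("case-4", {INTERNAL_TAG: None, EXTERNAL_TAG: "TICKET-0001"},
               {"external_system_update_time": "1970-01-01T00:00:00Z"}),
]

if __name__ == "__main__":
    for case_id, verdict in triage(SAMPLE_CASES).items():
        print(f"{case_id}: {verdict}")
```

Run the script against an export of the cases whose summaries show the epoch date; cases reported as check-job-history are the ones where the Failed entries in Job Scheduler > History will carry the actual error details, while the other two verdicts point at playbook tagging rather than at the job.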

Threat case data is not synchronized with ticketing systems

Only cases and tickets for vulnerabilities, misconfigurations, and posture violations are automatically synchronized. Cases for threats are not automatically synchronized.

By default, Security Command Center doesn't create tickets for threats. For this reason, even if you customize threat response playbooks to create tickets, the synchronization might not work as expected.

What's next