Integrate Security Command Center Enterprise with ticketing systems

This document explains how to integrate the Enterprise tier of Security Command Center with the ticketing systems after configuring the security orchestration, automation and response (SOAR) functionality powered by Google Security Operations.

Integrating with ticketing systems is optional and requires manual configuration. If you use the default Security Command Center Enterprise configuration, you don't need to perform this procedure. You can integrate with a ticketing system later at any time.

Overview

You can track findings using the console and APIs with the default Security Command Center Enterprise configuration. If your organization uses ticketing systems to track issues, integrate with Jira or ServiceNow after you have configured your Google Security Operations instance.

Upon receiving findings for resources, the SCC Enterprise - Urgent Posture Findings Connector analyzes and filters findings during ingestion, and groups them into new or existing cases, depending on the finding type.

If you integrate with a ticketing system, Security Command Center creates a new ticket every time it creates a new case for findings. Security Command Center automatically updates the related ticket whenever a case is updated.

A single case can contain multiple findings. Security Command Center creates one ticket for each case and synchronizes the case content and information with the corresponding ticket to let ticket assignees know what to remediate.

The synchronization between a case and its ticket works both ways:

• Changes within a case, such as a status update or new comment, are automatically reflected in the associated ticket.

• Similarly, ticket details synchronize back to the case, enriching it with information from the ticketing system.

Before you begin

Before configuring Jira or ServiceNow, provide a valid email address for the Fallback Owner parameter in the SCC Enterprise - Urgent Posture Findings Connector, and make sure that this email is assignable in your ticketing system.

Integrate with Jira

Make sure to complete all integration steps to synchronize the case updates with Jira issues and ensure the correct playbook flow.

A case priority is reflected in the Jira issue severity.

Create a new project in Jira

To create a new project in Jira for the Security Command Center Enterprise issues called SCC Enterprise Project (SCCE), run a manual action in the case. You can use any existing case or simulate one. For more information about simulating cases, refer to the Simulate cases page in the Google SecOps documentation.

Creating a new Jira project requires Jira admin-level credentials.

To create a new Jira project, complete the following steps:

1. In the Security Operations console, go to Cases.
2. Select an existing case or the one you've simulated.
3. In the Case Overview tab, click Manual Action.
4. In the manual action Search field, enter Create SCC Enterprise.
5. In search results under the SCCEnterprise integration, select the Create SCC Enterprise Cloud Posture Ticket Type Jira action. The dialog window opens.

6. To configure the API Root parameter, enter the API root of your Jira instance, such as https://YOUR_DOMAIN_NAME.atlassian.net

7. To configure the Username parameter, enter the username that you use to sign in to Jira as an administrator.

8. To configure the Password parameter, enter the password that you use to sign in to Jira as an administrator.

9. To configure the API Token parameter, enter the API token of your Atlassian admin account that was generated in the Jira console.

10. Click Execute. Wait until the action is completed.

Optional: Configure custom Jira issue layout

1. Sign in to Jira as an administrator.
2. Go to Projects > SCC Enterprise Project (SCCE).
3. Adjust and reorder issue fields. For more details about managing issue fields, see Configuring issue field layout in Jira documentation.

Configure Jira integration

1. In the Security Operations console, go to Response > Integrations Setup.
2. Select the Default Environment.
3. In the integration Search field, enter Jira. The Jira integration returns as a search result.
4. Click settings Configure Instance. The dialog window opens.

5. To configure the API Root parameter, enter the API root of your Jira instance, such as https://YOUR_DOMAIN_NAME.atlassian.net

6. To configure the Username parameter, enter the username that you use to sign in to Jira. Don't use your admin credentials.

7. To configure the API Token parameter, enter the API token of your non-admin Atlassian account that was generated in the Jira console.

8. Click Save.

9. To test your configuration, click Test.

Enable the Posture Findings With Jira playbook

1. In the Security Operations console, go to Response > Playbooks.
2. In the Playbook Search bar, enter Generic.
3. Select the Posture Findings - Generic playbook. This playbook is enabled by default.
4. Switch the toggle to disable the playbook.
5. Click Save.
6. In the Playbook Search bar, enter Jira.
7. Select the Posture Findings With Jira playbook. This playbook is disabled by default.
8. Switch the toggle to enable the playbook.
9. Click Save.

Integrate with ServiceNow

Make sure to complete all integration steps to synchronize the updates of Google SecOps cases with ServiceNow tickets and ensure the correct playbook flow.

Create and configure ServiceNow custom ticket type

Make sure to create and configure the ServiceNow custom ticket type enable the Activities tab in the ServiceNow UI and avoid using the erroneous ticket layout.

Create ServiceNow custom ticket type

Creating a custom ServiceNow ticket type requires ServiceNow admin-level credentials.

To create a custom ticket type, complete the following steps:

1. In the Security Operations console, go to Cases.
2. Select an existing case or the one you've simulated.
3. In the Case Overview tab, click Manual Action.
4. In the manual action Search field, enter Create SCC Enterprise.
5. In search results under the SCCEnterprise integration, select the Create SCC Enterprise Cloud Posture Ticket Type SNOW action. The dialog window opens.

6. To configure the API Root parameter, enter the API root of your ServiceNow instance, such as https://INSTANCE_NAME.service-now.com/api/now/v1/

7. To configure the Username parameter, enter the username that you use to sign in to ServiceNow as an administrator.

8. To configure the Password parameter, enter the password that you use to sign in to ServiceNow as an administrator.

9. To configure the Table Role parameter, leave the field empty or provide a value if you have one. This parameter only accepts one role value.

   By default, the Table Role field is empty to create a new custom role in ServiceNow to specifically manage the Security Command Center Enterprise tickets. Only ServiceNow users granted this new custom role have access to the Security Command Center Enterprise tickets.

   If you already have a dedicated role for users who manage incidents in ServiceNow and you'd like to use this role for managing the Security Command Center Enterprise findings, enter the existing ServiceNow role name in the Table Role field. For example, if you provide the existing incident_handler_role value, all users granted the incident_handler_role role in ServiceNow can access the Security Command Center Enterprise tickets.

10. Click Execute. Wait until the action is completed.

Configure ServiceNow custom ticket layout

To ensure that the ServiceNow UI accurately displays the updates related to cases and case comments, complete the following steps:

1. In your ServiceNow administrator account, go to the All tab.
2. In the Search field, enter SCC Enterprise.
3. In the drop-down list, select the SCC Enterprise Cloud Posture Ticket and run a search.
4. Select the Posture Test Ticket. The ServiceNow ticket layout page opens.
5. At the ServiceNow ticket layout page, go to Additional actions > Configure > Form Layout.
6. Go to the Form view and section section.
7. In the Section field, select u_scc_enterprise_cloud_posture_ticket.
8. Click Save. After the page updates, the ticket template has fields distributed into two columns.
9. Go to Additional actions > Configure > Form Layout.
10. Go to the Form view and section section.
11. In the Section field, select Summary.
12. Click Save. After the page updates, the ticket template has the new Summary structure.

Configure ServiceNow integration

1. In the Security Operations console, go to Response > Integrations Setup.
2. Select the Default Environment.
3. In the integration Search field, enter ServiceNow. The ServiceNow integration returns as a search result.
4. Click settings Configure Instance. The dialog window opens.

5. To configure the API Root parameter, enter the API root of your ServiceNow instance, such as https://INSTANCE_NAME.service-now.com/api/now/v1/

6. To configure the Username parameter, enter the username that you use to sign in to ServiceNow. Don't use your admin credentials.

7. To configure the Password parameter, enter the password that you use to sign in to ServiceNow. Don't use your admin credentials.

8. Click Save.

9. To test your configuration, click Test.

Enable the Posture Findings With SNOW playbook

1. In the Security Operations console, go to Response > Playbooks.
2. In the Playbook Search bar, enter Generic.
3. Select the Posture Findings - Generic playbook. This playbook is enabled by default.
4. Switch the toggle to disable the playbook.
5. Click Save.
6. In the Playbook Search bar, enter SNOW.
7. Select the Posture Findings With SNOW playbook. This playbook is disabled by default.
8. Switch the toggle to enable the playbook.
9. Click Save.

Enable case data synchronization

Security Command Center automatically synchronizes the information between a case and its corresponding ticket, ensuring matching priority, status, comments, and other relevant data between a case and its ticket.

To synchronize case data, Security Command Center uses internal automatic processes called synchronization jobs. The Sync SCC-Jira Tickets and Sync SCC-ServiceNow Tickets jobs synchronize case data between Security Command Center and integrated ticketing systems. Both jobs are initially disabled and require you to enable them to initiate automatic case data synchronization.

Closing a case automatically resolves the corresponding ticket. Resolving a ticket in Jira or ServiceNow triggers the synchronization jobs to close the case too.

Before you begin

To enable case synchronization, you must be granted any of the following SOC roles in the Security Operations console:

• Administrator
• Vulnerability Manager
• Threat Manager

For more details about SOC roles in the Security Operations console and permissions required for users, see Control access to features in the Security Operations console.

Enable synchronization for ticketing systems

To ensure that the information in cases and tickets is automatically synchronized, enable the synchronization job that is relevant to the ticketing system that you integrated with.

To enable the synchronization job, complete the following steps:

1. In the Security Operations console, go to Response > Job Scheduler.

2. Choose the correct synchronization job:

   • If you integrated with Jira, select Sync SCC-Jira Tickets job.

   • If you integrated with ServiceNow, select Sync SCC-ServiceNow Tickets job.

3. Switch the toggle to enable the selected job.

4. Click Save to enable Security Command Center automatically synchronize case data with a ticketing system.

Create tickets for existing cases

Security Command Center automatically creates tickets only for cases opened after you have integrated with a ticketing system and does not retroactively attach new playbooks to existing alerts. To create tickets for cases opened before integrating with a ticketing system, use one of the following approaches:

• Close a case that has no ticket and wait until SCC reingests findings and assigns a new playbook to the case alerts.

• Manually add a playbook to any alert in a case that was opened before you integrated with a ticketing system.

Close a case with no ticket

To close a case that has no ticket, complete the following steps:

1. In the Security Operations console, go to Cases.

2. Click Open Filter. The Case queue filter panel opens.

3. In the Case queue filter, specify the following:

   1. In the Time Frame field, specify time period for open cases.
   2. Set Logical operator to AND.
   3. For the first value under Logical operator, select Tags.
   4. Set the condition to IS.
   5. For the second value, select Internal-SCC-Ticket-Info.
   6. Click Apply to update cases in the case queue and show only the cases that match the filter you specified.

4. From the case queue, select the case.

5. In the Case view, select Close Case. The Close Case window opens.

6. In the Close Case window, specify the following:

   1. Select a value for the Reason field to state the reason for closing the case.

   2. Select a value for the Root Cause field to state the cause for closing the case.

   3. Optional: Add a comment.

   4. Click Close to close the case. Security Command Center then reingests findings into a new case and automatically attaches a correct playbook to them.

Manually add a playbook to an alert

To manually attach a playbook to an alert in an existing case, complete the following steps:

1. In the Security Operations console, go to Cases.

2. Click Open Filter. The Case queue filter panel opens.

3. In the Case queue filter, specify the following:

   1. In the Time Frame field, specify time period for open cases.
   2. Set Logical operator to AND.
   3. For the first value under Logical operator, select Tags.
   4. Set the condition to IS.
   5. For the second value, select Internal-SCC-Ticket-Info.
   6. Click Apply to update cases in the case queue and show only the cases that match the filter you specified.

4. From the case queue, select the case.

5. Select any alert contained in a case.

6. In an alert view, go to the Playbooks tab.

7. Click add Add Playbook. The Add a Playbook window with a list of available playbooks appears.

8. In the search field of the Add a Playbook window, enter Posture Findings.

   • If you integrated with Jira, select the Posture Findings With Jira playbook.
   • If you integrated with ServiceNow, select the Posture Findings With SNOW playbook.

9. Click Add to add a playbook to an alert.

Upon completion, the playbook creates a ticket for a case and automatically populates the ticket with information from the case.

Adding a playbook to a single alert within a case is sufficient to create a ticket and trigger data synchronization.

What's next

• Learn how to determine ownership for posture findings.

• Learn how to group findings in cases.

• Learn how to assign tickets based on posture cases.