Google Security Command Center
Google's Security Command Center service provides visibility and insights into your Google Cloud environment. You can bring bucket, compute instance, firewall, and security data from Google Cloud into Brinqa to construct a unified view of your attack surface and enhance your ability to mitigate potential risks.
This document details the information you must provide for the connector to authenticate with Google Cloud and how to obtain that information from Google Cloud. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Security Command Center from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Google Cloud with Brinqa:
-
Scope: The relative name of the root asset in your Google Cloud environment. Only the following formats are supported:
-
An organization number, e.g.: "organizations/123".
-
A project ID, e.g.: "projects/my-project-id".
-
A project number, e.g.: "projects/12345".
noteProviding an organization number enables collecting assets from all associated projects, including any new projects added after you have set up the integration. But the credentials you provide must have organization level permissions. Follow the rest of this document for instructions.
-
-
Credentials: The full content of the JSON file that contains your service account key.
Enable the Cloud Asset API
The Security Command Center connector requires that you enable the Cloud Asset API on the specified scope.
Create a custom role for Brinqa
Google Cloud uses service accounts to authenticate and authorize API calls, but you can only create service accounts within a project. For the Security Command Center connector to collect assets from multiple projects, you must grant the service account organization level permissions through a custom Identity and Access Management (IAM) role.
To create a custom role with organization level permissions, follow these steps:
-
Log in to the Google Cloud Console.
-
Select the organization where you want the connector to collect assets.
-
In the Navigation menu, select IAM & Admin > Roles.
-
Click Create Role.
-
Enter a name and description for your role.
-
Click Add Permissions and add the following read-only permissions required by the connector:
-
cloudasset.viewer -
securitycenter.findingsViewer
-
-
Click Create.
Create a service account and grant organization level permissions
Since the service account must have organization level permissions for the Security Command Center connector to collect assets from all the projects within the organization, Brinqa recommends that you create a service account specifically for the connector.
To create a service account and grant the appropriate permissions, follow these steps:
-
Log in to the Google Cloud Console.
-
Select the project where you want to create the service account.
-
In the Navigation menu, select IAM & Admin > Service Accounts.
-
Click Create Service Account.
-
Enter a name and description for the service account.
-
Skip the optional steps and click Done.
-
View the service account details and save the email address for later use.
-
Select the organization where you have created the custom role.
-
In the Navigation menu, select IAM & Admin.
-
Click Grant Access.
-
Click New principals and paste in the email taken from the service account details page.
-
Click Select a role and select the custom role created previously.
-
Click Save.
Obtain your service account key
If you have completed the previous steps successfully, your service account should have the minimum permissions that the Security Command Center connector needs to collect assets from all the projects within your organization.
To obtain the service account key, follow these steps:
-
Log in to the Google Cloud Console.
-
Select your project where the service account resides.
-
In the Navigation menu, select IAM & Admin > Service Accounts.
-
Select the service account and click the Keys tab.
-
Click Add Key > Create new key.
-
Keep JSON as key type and click Create.
The generated private key file is saved to your computer automatically.
Additional settings
The Security Command Center connector contains an additional option for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
Types of data to retrieve
The Security Command Center connector can retrieve the following types of data from Google Cloud:
Table 1: Data retrieved from Google Cloud
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Alert | Yes | Alert |
| Alert Definition | Yes | Alert Definition |
| Bucket | Yes | Cloud Resource |
| Compute Instance | Yes | Host |
| Firewall | Yes | Cloud Resource |
| GKE Cluster | Yes | Cloud Resource |
| Project | Yes | Cloud Resource |
| Service Account | Yes | Cloud Resource |
| Violation | Yes | Violation |
| Violation Definition | Yes | Violation Definition |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Google Cloud in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Alert
Table 2: Alert attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| category | type |
| createTime | sourceCreatedDate |
| eventTime | Local variable |
| getResourceName | targets, Local variable |
| name | uid |
| SourceProperties.ActivationTrigger | Local variable |
| SourceProperties.ProjectId | projects |
| SourceProperties.ResourcePath | path |
| State | status, sourceStatus, statusCategory |
Alert Definition
Table 3: Alert Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| category | uid, name |
| findingClass | Local variable |
| severity | severity, sourceSeverity, severityScore |
| SourceProperties.ExceptionInstructions | Local variable |
| SourceProperties.Explanation | description |
| SourceProperties.Recommendation | recommendation |
| SourceProperties.ScannerName | Local variable |
Bucket
Table 4: Bucket attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ACL | Local variable |
| ancestors | Local variable |
| BILLING | Local variable |
| DEFAULT_OBJECT_ACL | Local variable |
| ENCRYPTION | Local variable |
| ETAG | tags, Local variable |
| iamConfiguration.bucketPolicyOnly | Local variable |
| iamConfiguration.publicAccessPrevention | Local variable |
| iamConfiguration.uniformBucketLevelAccess | Local variable |
| KIND | categories |
| LABELS | tags, Local variable |
| LAST_MODIFIED | sourceLastModified |
| LIFESTYLE | Local variable |
| LOCATION | location |
| LOCATION_TYPE | Local variable |
| LOGGING | Local variable |
| NAME | name |
| OWNER | Local variable |
| RETENTION_POLICY | Local variable |
| STORAGE_CLASS | Local variable |
| SYS_ID | uid |
| timeCreated | firstSeen |
| VERSIONING | Local variable |
| version | currentVersion |
| WEBSITE | references, name |
| ZONE_AFFINITY | Local variable |
Compute Instance
Table 5: Compute Instance attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ancestors | Local variable |
| assetType | categories |
| AUTO_RESTART | Local variable |
| CAN_IP_FORWARD | Local variable |
| confidentialInstanceConfig | Local variable |
| consumeReservationType | Local variable |
| CPU_PLATFORM | Local variable |
| creationTimestamp | firstSeen |
| DELETE_PROTECTION | Local variable |
| deletionProtection | Local variable |
| DESCRIPTION | description |
| disks | Local variable |
| enableDisplay | Local variable |
| enableIntegrityMonitoring | Local variable |
| enableSecureBoot | Local variable |
| enableVtpm | Local variable |
| INSTANCE_ID | instanceId |
| lastStartTimestamp | Local variable |
| lastStopTimestamp | Local variable |
| MACHINE_TYPE | Local variable |
| NAME | name |
| NAT_IP | Local variable |
| networkInterfaces.fingerprint | Local variable |
| networkInterfaces.stackType | Local variable |
| NETWORK | Local variable |
| NETWORK_IP | ipAddresses, publicIpAddresses, privateIpAddresses |
| NETWORK_TAGS | tags, Local variable |
| NETWORK_TIER | Local variable |
| onHostMaintenance | Local variable |
| PREEMPTIBLE | Local variable |
| provisioningModel | Local variable |
| selfLink | url |
| serviceAccounts.email | Local variable |
| startRestricted | Local variable |
| STATUS | status, sourceStatus |
| SUBNET | Local variable |
| SYS_ID | uid |
| version | currentVersion |
| ZONE | Local variable |
Firewall
Table 6: Firewall attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| allowed.ports | Local variable |
| allowed.IPProtocol | protocol |
| ancestors | Local variable |
| assetType | categories |
| creationTimestamp | firstSeen |
| DESCRIPTION | description |
| DISABLED | Local variable |
| DIRECTION | Local variable |
| LAST_MODIFIED | sourceLastModified |
| LOG_CONFIG | Local variable |
| NAME | name |
| NETWORK | Local variable |
| PRIORITY | Local variable |
| selfLink | url |
| SOURCE_RANGES | Local variable |
| SYS_ID | uid |
| targetTags | tags |
| version | currentVersion |
GKE Cluster
Table 7:GKE Cluster attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ancestors | Local variable |
| assetType | categories |
| clusterIpv4Cidr | Local variable |
| createTime | firstSeen |
| currentMasterVersion | Local variable |
| currentNodeCount | Local variable |
| currentNodeVersion | Local variable |
| description | description |
| enableKubernetesAlpha | Local variable |
| enableTpu | Local variable |
| endpoint | Local variable |
| etag | tags |
| expireTime | Local variable |
| id / name | uid |
| initialClusterVersion | Local variable |
| initialNodeCount | Local variable |
| instanceGroupUrls | Local variable |
| labelFingerprint | Local variable |
| location | Local variable |
| loggingService | Local variable |
| monitoringService | Local variable |
| name | name |
| network | Local variable |
| nodeIpv4CidrSize | Local variable |
| satisfiesPzi | Local variable |
| satisfiesPzs | Local variable |
| selflink | url |
| servicesIpv4Cidr | Local variable |
| status | sourceStatus, status |
| statusMessage | Local variable |
| subnetwork | Local variable |
| update_time | sourceLastModified |
| version | Local variable |
| zone | Local variable |
Project
Table 8: Project attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ancestors | Local variable |
| assetType | categories |
| createTime | firstSeen |
| data.name | Local variable |
| labels | tags |
| lifecycleState | status |
| parent.id | Local variable |
| parent.type | Local variable |
| projectId | Local variable |
| projectNumber | uid, name |
| updateTime | sourceLastModified |
| version | currentVersion |
Service Account
Table 9: Service Account attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ancestors | Local variable |
| asset_type | categories |
| clientID | Local variable |
| description | description |
| disabled | Local variable |
| displayName | Local variable |
| Local variable | |
| etag | tags, Local variable |
| id / name | uid |
| name | name |
| projectId | Local variable |
| uniqueId | Local variable |
| update_time | sourceLastModified |
| version | currentVersion |
Violation
Table 10: Violation attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ACTIVATION_TRIGGER | Local variable |
| AFFECTED_ASSET | targets, Local variable |
| CATEGORY | type |
| CREATED_AT | sourceCreatedDate |
| EVENT_TIME | Local variable |
| PROJECT | projects |
| RESOURCE_PATH | path |
| STATE | status, sourceStatus, statusCategory |
| SYS_ID | uid |
Violation Definition
Table 11: Violation Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| CATEGORY | uid |
| DESCRIPTION | description |
| EXCEPTION_INSTRUCTIONS | Local variable |
| REMEDIATION | recommendation |
| SCANNER_NAME | Local variable |
| SEVERITY | severity, sourceSeverity, severityScore |
| TITLE | name |
Vulnerability
Table 12: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| State | status, sourceStatus, statusCategory |
| SourceProperties.ActivationTrigger | Local variable |
| SourceProperties.ProjectId | projects |
| SourceProperties.ResourcePath | path |
| createTime | sourceCreatedDate |
| cve.id | cveIds, cveRecords, type, uid, name |
| eventTime | Local variable |
| getResourceName | targets, Local variable |
| name | uid |
Vulnerability Definition
Table 13: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| category | categories |
| cve.cvssv3.attack_vector | cvssV3Av |
| cve.cvssv3.base_score | cvssV3BaseScore |
| cve.cvssv3.confidentiality_impact | cvssV3Ci |
| cve.cvssv3.integrity_impact | cvssV3Ii |
| cve.id | cveIds, cveRecords, type, uid, name |
| cve.references.uri | references |
| cve.upstream_fix_available | fixable |
| description | recommendation |
| findingClass | Local variable |
| severity | severity, sourceSeverity, severityScore |
| SourceProperties.Description | description |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Security Command Center connector supports the following operation options. See connector operation options for information about how to apply them.
Table 14: Security Command Center connector operation options
| Connector Object | Option | All Possible values | Description | Example |
|---|---|---|---|---|
| Alert, Alert Definition, Violation, Violation Definition, Vulnerability, Vulnerability Definition | findingClass | FINDING_CLASS_UNSPECIFIED, MISCONFIGURATION, OBSERVATION, SCC_ERROR, THREAT, VULNERABILITY | A comma-separated list of finding classes or categories. Retrieve findings based on the specified class, as determined by Google. | Key: findingClass Value: SCC_ERROR,THREAT. This key and value combination only retrieves findings that are classified as SCC errors or threats. |
| severity | Unspecified, Low, Medium, High, Critical | A comma-separated list of finding severities. Retrieve findings based on the specified severity, as determined by Google. | Key: severity Value: High,Critical. This key and value combination only retrieves high and critical findings. | |
| state | ACTIVE, INACTIVE | Retrieve findings based on the specified state, as determined by Google. | Key: state Value: ACTIVE. This key and value combination only retrieves active findings. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Security Command Center connector uses the Cloud Asset Inventory client libraries and Security Command Center API to interact with Google Security Command Center. Specifically, it uses the following client libraries:
Alert
SecurityCenterClient client = SecurityCenterClient.create();
ListFindingsRequest.Builder request =
ListFindingsRequest.newBuilder().setParent(sourceName.toString()).setFilter(filter);
// Call the API.
ListFindingsPagedResponse response = client.listFindings(request.build());
Alert Definition
SecurityCenterClient client = SecurityCenterClient.create();
ListFindingsRequest.Builder request =
ListFindingsRequest.newBuilder().setParent(sourceName.toString()).setFilter(filter);
// Call the API.
ListFindingsPagedResponse response = client.listFindings(request.build());
Bucket
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
.setParent(scope)
.setPageSize(pageSize)
.setContentType(ContentType.RESOURCE)
.addAssetTypes(assetType);
// Add asset type "storage.googleapis.com/Bucket" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
Compute Instance
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
.setParent(scope)
.setPageSize(pageSize)
.setContentType(ContentType.RESOURCE)
.addAssetTypes(assetType);
// Add asset type "compute.googleapis.com/Instance" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
Firewall
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
.setParent(scope)
.setPageSize(pageSize)
.setContentType(ContentType.RESOURCE)
.addAssetTypes(assetType);
// Add asset type "compute.googleapis.com/Firewall" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
GKE Cluster
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
.setParent(scope)
.setPageSize(pageSize)
.setContentType(ContentType.RESOURCE)
.addAssetTypes(assetType);
// add asset type "container.googleapis.com/Cluster" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
Project
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
.setParent(scope)
.setPageSize(pageSize)
.setContentType(ContentType.RESOURCE)
.addAssetTypes(assetType);
// add asset type "cloudresourcemanager.googleapis.com/Project" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
Service Account
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
.setParent(scope)
.setPageSize(pageSize)
.setContentType(ContentType.RESOURCE)
.addAssetTypes(assetType);
// add asset type "iam.googleapis.com/ServiceAccount" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
Violation
SecurityCenterClient client = SecurityCenterClient.create();
ListFindingsRequest.Builder request =
ListFindingsRequest.newBuilder().setParent(sourceName.toString()).setFilter(filter);
// Call the listFindings API.
ListFindingsPagedResponse response = client.listFindings(request.build());
Violation Definition
SecurityCenterClient client = SecurityCenterClient.create();
GroupFindingsRequest.Builder bld =
GroupFindingsRequest.newBuilder().setParent(sourceName.toString()).setGroupBy("category").setPageSize(1000);
// Call the GroupFinding API.
GroupFindingsPagedResponse response = client.groupFindings(bld.build());
// Categories are listed from GroupFindingsPagedResponse.
// Then set category as filter on listFindings API
ListFindingsPagedResponse response = client.listFindings(request.build());
Vulnerability
SecurityCenterClient client = SecurityCenterClient.create();
ListFindingsRequest.Builder request =
ListFindingsRequest.newBuilder().setParent(sourceName.toString()).setFilter(filter);
// Call the API.
ListFindingsPagedResponse response = client.listFindings(request.build());
Vulnerability Definition
SecurityCenterClient client = SecurityCenterClient.create();
ListFindingsRequest.Builder request =
ListFindingsRequest.newBuilder().setParent(sourceName.toString()).setFilter(filter);
// Call the API.
ListFindingsPagedResponse response = client.listFindings(request.build());
Changelog
The Security Command Center connector has undergone the following changes:
Table 15: Security Command Center connector changelog
| Version | Description |
|---|---|
| 3.2.1 | - The connector now retrieves the following objects from Google: Alert, Alert Definition, GKE Cluster, Project, Service Account, Vulnerability, and Vulnerability Definition. - Renamed the Finding and Finding Definition objects to Violation and Violation Definition to more accurately reflect the type of misconfiguration and policy violations being ingested. - Findings classified as vulnerabilities now consolidate to the Vulnerability and Vulnerability Definition data models and all other categories consolidate to Violation and Violation Definition. - Added the FINDING_CLASS attribute to Violation and Violation Definition objects. - Added a new operation option for filtering by finding class: findingClass. - Updated the logic to use a more precise UID generation method to prevent duplicates. - Fixed attribute mappings for severity fields, including Severity, Severity Score, and Source Severity. - Added the TAGS attribute to Bucket and Compute Instance objects by combining data from the tags and labels fields. |
| 3.2.0 | Code clean up and general maintenance. |
| 3.1.3 | No change. |
| 3.1.2 | No change. |
| 3.1.1 | Added the CVE_IDS and CVE_RECORDS attributes to the Finding object to retrieve CVE information. |
| 3.1.0 | Initial Integration+ release. |