Google Security Command Center
Google's Security Command Center service provides visibility and insights into your Google Cloud environment. You can bring bucket, compute instance, firewall, and security data from Google Cloud into Brinqa to construct a unified view of your attack surface and enhance your ability to mitigate potential risks.
This document details the information you must provide for the connector to authenticate with Google Cloud and how to obtain that information from Google Cloud. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Security Command Center from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Google Cloud with Brinqa:
- Scope: The relative name of the root asset in your Google Cloud environment. Only the following formats are supported:
  - An organization number, e.g. "organizations/123".
  - A project ID, e.g. "projects/my-project-id".
  - A project number, e.g. "projects/12345".

  Note: Providing an organization number enables collecting assets from all associated projects, including any new projects added after you have set up the integration. However, the credentials you provide must have organization-level permissions; the rest of this document explains how to grant them.
- Credentials: The full content of the JSON file that contains your service account key.
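A pre-flight check for the two required settings, as an added example that is not Brinqa's or Google's code: it verifies that the Scope matches one of the three supported formats and that the Credentials value is a complete service-account key file. The project-ID character rules and the key-file field names follow Google's documented formats; the sample key is constructed with fake values.

```python
"""Validate the connector's Scope and Credentials settings before pasting them in."""
import json
import re
from typing import Optional

# The three scope formats the connector accepts (from the documentation above).
SCOPE_PATTERNS = {
    "organization number": re.compile(r"^organizations/\d+$"),
    "project ID": re.compile(r"^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]$"),
    "project number": re.compile(r"^projects/\d+$"),
}
# Fields every Google service-account key file carries.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def classify_scope(scope: str) -> Optional[str]:
    """Return which supported format `scope` matches, or None if unsupported."""
    for label, pattern in SCOPE_PATTERNS.items():
        if pattern.match(scope.strip()):
            return label
    return None


def check_settings(scope: str, credentials_json: str) -> dict:
    """Report the scope kind, whether an org-level role is needed, and key problems."""
    kind = classify_scope(scope)
    problems = []
    if kind is None:
        problems.append(f"unsupported scope format: {scope!r}")
    try:
        key = json.loads(credentials_json)
    except json.JSONDecodeError:
        key = {}
        problems.append("credentials are not valid JSON (paste the whole key file)")
    for field in KEY_FIELDS:
        if not key.get(field):
            problems.append(f"key file is missing {field!r}")
    if key.get("type") not in (None, "service_account"):
        problems.append(f"key type is {key['type']!r}, expected 'service_account'")
    return {
        "scope_kind": kind,
        # An organization scope only works if the custom role was granted at org level.
        "needs_org_level_role": kind == "organization number",
        "service_account": key.get("client_email"),
        "problems": problems,
    }


# Constructed sample key (fake values) shaped like a real key file.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "my-project-id", "private_key_id": "0000fake",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "brinqa-scc@my-project-id.iam.gserviceaccount.com",
})
```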
Enable the Cloud Asset API
The Security Command Center connector requires that you enable the Cloud Asset API on the specified scope.
Create a custom role for Brinqa
Google Cloud uses service accounts to authenticate and authorize API calls, but you can only create service accounts within a project. For the Security Command Center connector to collect assets from multiple projects, you must grant the service account organization level permissions through a custom Identity and Access Management (IAM) role.
To create a custom role with organization level permissions, follow these steps:
1. Log in to the Google Cloud Console.
2. Select the organization where you want the connector to collect assets.
3. In the Navigation menu, select IAM & Admin > Roles.
4. Click Create Role.
5. Enter a name and description for your role.
6. Click Add Permissions and add the following read-only permissions required by the connector:
   - cloudasset.viewer
   - securitycenter.findingsViewer
7. Click Create.
Create a service account and grant organization level permissions
Since the service account must have organization level permissions for the Security Command Center connector to collect assets from all the projects within the organization, Brinqa recommends that you create a service account specifically for the connector.
To create a service account and grant the appropriate permissions, follow these steps:
1. Log in to the Google Cloud Console.
2. Select the project where you want to create the service account.
3. In the Navigation menu, select IAM & Admin > Service Accounts.
4. Click Create Service Account.
5. Enter a name and description for the service account.
6. Skip the optional steps and click Done.
7. View the service account details and save the email address for later use.
8. Select the organization where you have created the custom role.
9. In the Navigation menu, select IAM & Admin.
10. Click Grant Access.
11. Click New principals and paste in the email address taken from the service account details page.
12. Click Select a role and select the custom role created previously.
13. Click Save.
Obtain your service account key
If you have completed the previous steps successfully, your service account should have the minimum permissions that the Security Command Center connector needs to collect assets from all the projects within your organization.
To obtain the service account key, follow these steps:
1. Log in to the Google Cloud Console.
2. Select the project where the service account resides.
3. In the Navigation menu, select IAM & Admin > Service Accounts.
4. Select the service account and click the Keys tab.
5. Click Add Key > Create new key.
6. Keep JSON as the key type and click Create.

The generated private key file is downloaded to your computer automatically. Its full content is the value for the Credentials setting.
Additional settings
The Security Command Center connector has one additional configuration option:
- Page size: The maximum number of records to retrieve per API request. The default is 1000; values above 1000 are not recommended.
Types of data to retrieve
The Security Command Center connector can retrieve the following types of data from Google Cloud:
Table 1: Data retrieved from Google Cloud
Connector Object | Required | Maps to Data Model |
---|---|---|
Bucket | Yes | Cloud Resource |
Compute Instance | Yes | Host |
Finding | Yes | Violation |
Finding Definition | Yes | Violation Definition |
Firewall | Yes | Cloud Resource |
For detailed steps on how to view the data retrieved from Google Cloud in the Brinqa Platform, see How to view your data.
Attribute mappings
The following tables show the mappings between the source fields and the Brinqa data model attributes.
Bucket
Table 2: Bucket attribute mappings
Source Field Name | Maps to Attribute |
---|---|
ACL | Local variable |
ancestors | Local variable |
BILLING | Local variable |
DEFAULT_OBJECT_ACL | Local variable |
ENCRYPTION | Local variable |
ETAG | tags, Local variable |
iamConfiguration.bucketPolicyOnly | Local variable |
iamConfiguration.publicAccessPrevention | Local variable |
iamConfiguration.uniformBucketLevelAccess | Local variable |
KIND | categories |
LABELS | tags, Local variable |
LAST_MODIFIED | sourceLastModified |
LIFESTYLE | Local variable |
LOCATION | location |
LOCATION_TYPE | Local variable |
LOGGING | Local variable |
NAME | name |
OWNER | Local variable |
RETENTION_POLICY | Local variable |
STORAGE_CLASS | Local variable |
SYS_ID | uid |
timeCreated | firstSeen |
VERSIONING | Local variable |
version | currentVersion |
WEBSITE | references, name |
ZONE_AFFINITY | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Compute Instance
Table 3: Compute Instance attribute mappings
Source Field Name | Maps to Attribute |
---|---|
ancestors | Local variable |
assetType | categories |
AUTO_RESTART | Local variable |
CAN_IP_FORWARD | Local variable |
confidentialInstanceConfig | Local variable |
consumeReservationType | Local variable |
CPU_PLATFORM | Local variable |
creationTimestamp | firstSeen |
DELETE_PROTECTION | Local variable |
deletionProtection | Local variable |
DESCRIPTION | description |
disks | Local variable |
enableDisplay | Local variable |
enableIntegrityMonitoring | Local variable |
enableSecureBoot | Local variable |
enableVtpm | Local variable |
INSTANCE_ID | instanceId |
lastStartTimestamp | Local variable |
lastStopTimestamp | Local variable |
MACHINE_TYPE | Local variable |
NAME | name |
NAT_IP | Local variable |
networkInterfaces.fingerprint | Local variable |
networkInterfaces.stackType | Local variable |
NETWORK | Local variable |
NETWORK_IP | ipAddresses, publicIpAddresses, privateIpAddresses |
NETWORK_TAGS | tags, Local variable |
NETWORK_TIER | Local variable |
onHostMaintenance | Local variable |
PREEMPTIBLE | Local variable |
provisioningModel | Local variable |
selfLink | url |
serviceAccounts.email | Local variable |
startRestricted | Local variable |
STATUS | status, sourceStatus |
SUBNET | Local variable |
SYS_ID | uid |
version | currentVersion |
ZONE | Local variable |
Finding
Table 4: Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
ACTIVATION_TRIGGER | Local variable |
AFFECTED_ASSET | targets, Local variable |
CATEGORY | type |
CREATED_AT | sourceCreatedDate |
EVENT_TIME | Local variable |
PROJECT | projects |
RESOURCE_PATH | path |
STATE | status, sourceStatus, statusCategory |
SYS_ID | uid |
Finding Definition
Table 5: Finding Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CATEGORY | uid |
DESCRIPTION | description |
EXCEPTION_INSTRUCTIONS | Local variable |
REMEDIATION | recommendation |
SCANNER_NAME | Local variable |
SEVERITY | severity, sourceSeverity, severityScore |
TITLE | name |
Firewall
Table 6: Firewall attribute mappings
Source Field Name | Maps to Attribute |
---|---|
allowed.ports | Local variable |
allowed.IPProtocol | protocol |
ancestors | Local variable |
assetType | categories |
creationTimestamp | firstSeen |
DESCRIPTION | description |
DISABLED | Local variable |
DIRECTION | Local variable |
LAST_MODIFIED | sourceLastModified |
LOG_CONFIG | Local variable |
NAME | name |
NETWORK | Local variable |
PRIORITY | Local variable |
selfLink | url |
SOURCE_RANGES | Local variable |
SYS_ID | uid |
targetTags | tags |
version | currentVersion |
Operation options
The Security Command Center connector supports the following operation options. See connector operation options for information about how to apply them.
Table 7: Security Command Center connector operation options
Connector Object | Option | All Possible values | Description | Example |
---|---|---|---|---|
Finding | category | Finding class unspecified, Misconfiguration, Observation, SCC Error, Threat, Vulnerability | Retrieve findings based on the specified category, as determined by Google. | Key: category, Value: Threat. This key and value combination only retrieves findings that are threats. |
Finding | severity | Unspecified, Low, Medium, High, Critical | A comma-separated list of finding severities. Retrieve findings based on the specified severity, as determined by Google. | Key: severity, Value: Critical. This key and value combination only retrieves critical findings. |
Finding | state | Active, Inactive | A comma-separated list of finding states. Retrieve findings based on the specified state, as determined by Google. | Key: state, Value: Active. This key and value combination only retrieves active findings. |
The option keys and values are case-sensitive and must be entered exactly as shown in this documentation.
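The following added example (not Brinqa's code) validates the Finding operation options from Table 7, enforcing the case-sensitive values and comma-separated lists, and turns them into a Security Command Center findings filter string of the kind passed to ListFindingsRequest.setFilter(). The mapping of each display value to an SCC API field and enum name (for example "Threat" to finding_class="THREAT") is an assumption about the connector's internals.

```python
"""Turn Finding operation options into an SCC findings filter string."""
from typing import Dict, List

# Allowed values per option, exactly as shown in Table 7 (case-sensitive),
# mapped to the SCC API field and enum name (assumed mapping).
OPTIONS = {
    "category": ("finding_class", {
        "Finding class unspecified": "FINDING_CLASS_UNSPECIFIED",
        "Misconfiguration": "MISCONFIGURATION", "Observation": "OBSERVATION",
        "SCC Error": "SCC_ERROR", "Threat": "THREAT", "Vulnerability": "VULNERABILITY"}),
    "severity": ("severity", {
        "Unspecified": "SEVERITY_UNSPECIFIED", "Low": "LOW", "Medium": "MEDIUM",
        "High": "HIGH", "Critical": "CRITICAL"}),
    "state": ("state", {"Active": "ACTIVE", "Inactive": "INACTIVE"}),
}


def parse_option(key: str, raw_value: str) -> List[str]:
    """Split a comma-separated option value and reject unknown keys or values."""
    if key not in OPTIONS:
        raise ValueError(f"unknown option key {key!r}")
    allowed = OPTIONS[key][1]
    values = [v.strip() for v in raw_value.split(",") if v.strip()]
    # Comparison is case-sensitive on purpose: "critical" is not "Critical".
    bad = [v for v in values if v not in allowed]
    if bad:
        raise ValueError(f"invalid value(s) for {key!r}: {bad}; allowed: {list(allowed)}")
    return values


def build_findings_filter(options: Dict[str, str]) -> str:
    """Combine options with AND; alternatives within one option are ORed."""
    clauses = []
    for key in sorted(options):
        values = parse_option(key, options[key])
        field, mapping = OPTIONS[key]
        enums = [mapping[v] for v in values]
        alternatives = " OR ".join(f'{field}="{e}"' for e in enums)
        clauses.append(f"({alternatives})" if len(enums) > 1 else alternatives)
    return " AND ".join(clauses)
```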
APIs
The Security Command Center connector uses the Cloud Asset Inventory client libraries and the Security Command Center API to interact with Google Security Command Center. Specifically, it makes the following client library calls:
Bucket
```java
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
    .setParent(scope)                      // Scope setting, e.g. "organizations/123"
    .setPageSize(pageSize)                 // Page size setting, default 1000
    .setContentType(ContentType.RESOURCE)
    .addAssetTypes(assetType);
// Add asset type "storage.googleapis.com/Bucket" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
```
Compute Instance
```java
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
    .setParent(scope)                      // Scope setting, e.g. "organizations/123"
    .setPageSize(pageSize)                 // Page size setting, default 1000
    .setContentType(ContentType.RESOURCE)
    .addAssetTypes(assetType);
// Add asset type "compute.googleapis.com/Instance" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
```
Finding
```java
SecurityCenterClient client = SecurityCenterClient.create();
// The filter is built from the Finding operation options (category, severity, state).
ListFindingsRequest.Builder request =
    ListFindingsRequest.newBuilder().setParent(sourceName.toString()).setFilter(filter);
// Call the listFindings API.
ListFindingsPagedResponse response = client.listFindings(request.build());
```
Finding Definition
```java
SecurityCenterClient client = SecurityCenterClient.create();
GroupFindingsRequest.Builder bld =
    GroupFindingsRequest.newBuilder().setParent(sourceName.toString()).setGroupBy("category").setPageSize(1000);
// Call the GroupFindings API.
GroupFindingsPagedResponse groups = client.groupFindings(bld.build());
// Categories are listed from GroupFindingsPagedResponse.
// Then each category is set as the filter on the listFindings API.
for (GroupResult group : groups.iterateAll()) {
    String category = group.getPropertiesMap().get("category").getStringValue();
    ListFindingsRequest.Builder request = ListFindingsRequest.newBuilder()
        .setParent(sourceName.toString()).setFilter("category=\"" + category + "\"");
    ListFindingsPagedResponse response = client.listFindings(request.build());
}
```
Firewall
```java
AssetServiceClient client = createAssetServiceClient();
ListAssetsRequest.Builder bld = ListAssetsRequest.newBuilder()
    .setParent(scope)                      // Scope setting, e.g. "organizations/123"
    .setPageSize(pageSize)                 // Page size setting, default 1000
    .setContentType(ContentType.RESOURCE)
    .addAssetTypes(assetType);
// Add asset type "compute.googleapis.com/Firewall" to filter
// Call listAssets API with assetType filter
ListAssetsPagedResponse response = client.listAssets(bld.build());
```
Changelog
The Security Command Center connector has undergone the following changes:
3.1.3
- No change.
3.1.2
- No change.
3.1.1
- Added the CVE_IDS and CVE_RECORDS attributes to the Finding object to retrieve CVE information.
3.1.0
- Initial Integration+ release.