Google Cloud SCC

This pack leverages the features of Google Cloud Security to provide an organization-wide framework for detection and response.



Google Cloud Security Command Center


Google Cloud SCC XSOAR integration

Overview

Google Cloud Security Command Center is a platform that offers deep visibility into cloud infrastructure.
It identifies security threats and provides proactive measures to mitigate risks.
It consolidates security-related data, offers real-time monitoring and alerts, enables continuous security assessment, and provides recommendations to improve cloud security posture.



Google Cloud Security Command Center


Overview

Google Cloud Security Command Center is a platform that offers deep visibility into cloud infrastructure.
It identifies security threats, and provides proactive measures to mitigate risks.
It consolidates security-related data, offers real-time monitoring and alerts, enables continuous security assessment, and provides recommendations to improve cloud security posture.

What does this pack do?

The Google Cloud Security Command Center content pack helps organizations monitor, identify and prevent security events on Google Cloud Platform. It detects vulnerabilities in Google Cloud environments and provides instructions and recommendations to improve cloud security.


Log normalization supports the following data:

Finding: a record of a threat, vulnerability, or misconfiguration that a Security Command Center service found in a Google Cloud environment.
A finding shows the issue that was detected, the resource affected by the issue, and guidance on how to address it.




For Google Cloud audit log normalization, follow this procedure:

Ingest logs and data from a GCP Pub/Sub

1. Go to Marketplace and search for Google Cloud Logging.
2. Install Google Cloud Logging.
3. Go to Data Sources and Add New Instance.
4. Connect the Google Cloud Platform data source.
5. Insert subscription name.
6. Insert credentials file.
7. Select Flow or Audit Logs.
8. Go to the Query builder and use the dataset - google_cloud_logging_raw.

Note

To ingest only the audit logs related to Google Cloud Security Command Center, add an inclusion filter on the log router sink.
Add the filter protoPayload.serviceName="securitycenter.googleapis.com"
as described in section 2.c.





Use Cases

1. Vulnerability findings - Public bucket ACL: When a Cloud Storage bucket is detected as publicly accessible (meaning anyone can read or edit the content of the bucket), the user is notified about the event and receives a recommendation on how to act on the issue.
Usually for this type of event, you will need to remove users from the bucket's members list.

2. Vulnerability findings - Open RDP Port: When a firewall rule leaves the RDP port open, allowing connections from all IP addresses on TCP or UDP port 3389, the user is notified about the event.
The recommendation will be to restrict the firewall rules.
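The following is an added example, not code from the pack or from Palo Alto Networks, showing what the Finding normalization above and the two use cases look like in practice: it parses constructed SCC Pub/Sub message bodies, applies the default Finding query (active and not muted) client-side, attaches the use-case recommendations, and offers the same serviceName test the Note's sink filter performs. The finding JSON shape, the category names PUBLIC_BUCKET_ACL and OPEN_RDP_PORT, and all resource names are assumptions.

```python
import json

# Constructed sample Pub/Sub message bodies (not real findings); the JSON shape
# is assumed to follow SCC's notification format, with the finding under "finding".
SAMPLE_MESSAGES = [
    json.dumps({"finding": {
        "name": "organizations/EXAMPLE_ORG/sources/EXAMPLE_SRC/findings/f1",
        "category": "PUBLIC_BUCKET_ACL", "state": "ACTIVE", "mute": "UNMUTED",
        "severity": "HIGH", "resourceName": "//storage.googleapis.com/example-bucket"}}),
    json.dumps({"finding": {
        "name": "organizations/EXAMPLE_ORG/sources/EXAMPLE_SRC/findings/f2",
        "category": "OPEN_RDP_PORT", "state": "ACTIVE", "mute": "MUTED",
        "severity": "HIGH", "resourceName": "//compute.googleapis.com/projects/p/global/firewalls/allow-rdp"}}),
    json.dumps({"finding": {
        "name": "organizations/EXAMPLE_ORG/sources/EXAMPLE_SRC/findings/f3",
        "category": "OPEN_RDP_PORT", "state": "INACTIVE", "mute": "UNMUTED",
        "severity": "HIGH", "resourceName": "//compute.googleapis.com/projects/p/global/firewalls/old-rule"}}),
]

# Recommendations from the two use cases, keyed by category name (assumed to match
# the Security Health Analytics detector names for those use cases).
RECOMMENDATIONS = {
    "PUBLIC_BUCKET_ACL": "Remove the public users from the bucket's members list.",
    "OPEN_RDP_PORT": "Restrict the firewall rule so TCP/UDP 3389 is not open to all IP addresses.",
}

def passes_default_query(finding: dict) -> bool:
    """Client-side mirror of the default Finding query: active and not muted."""
    return finding.get("state") == "ACTIVE" and finding.get("mute") != "MUTED"

def normalize_finding(message_data: str):
    """Map one Pub/Sub message body to a normalized event; None if filtered out."""
    finding = json.loads(message_data).get("finding", {})
    if not passes_default_query(finding):
        return None
    category = finding.get("category", "UNKNOWN")
    return {
        "vendor": "Google", "product": "SCC",
        "finding_name": finding["name"], "category": category,
        "severity": finding.get("severity"), "resource": finding.get("resourceName"),
        "recommendation": RECOMMENDATIONS.get(category, "See the finding's guidance in SCC."),
    }

def is_scc_audit_log(entry: dict) -> bool:
    """Same test as the sink filter protoPayload.serviceName="securitycenter.googleapis.com"."""
    return entry.get("protoPayload", {}).get("serviceName") == "securitycenter.googleapis.com"

def normalized_events() -> list:
    """Run the samples through the pipeline; only f1 (active, unmuted) should survive."""
    return [e for e in map(normalize_finding, SAMPLE_MESSAGES) if e is not None]
```

The muted finding f2 and the inactive finding f3 are dropped exactly as the default continuous-export query would drop them on the Google side.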


Configure Google Cloud Security Command Center

To configure ingestion of data from Google Cloud Security Command Center follow the procedure in:
Ingest logs and data from a GCP Pub/Sub


Configure Cortex XSIAM

1. Go to Marketplace and install the Google Cloud SCC pack.
2. Go to Data Sources and Add New Instance.
3. Connect the Google Cloud Platform data source.
4. Insert the subscription name (Ingest logs and data from a GCP Pub/Sub section 3).
5. Insert the credentials file (Ingest logs and data from a GCP Pub/Sub section 4).
6. Select Log Type Generic.
7. Select Log Format JSON.
8. Insert Vendor = Google and Product = SCC.


Notes

* To configure Google Cloud Security Command Center, you must be a user with the corresponding permissions, for example:
  1. Pub/Sub Admin.
  2. Security Center Admin Viewer.
  3. View Service Accounts.
* To create a Continuous Export, go to Security -> Settings -> CONTINUOUS EXPORTS -> CREATE PUB/SUB EXPORT.
  After naming the continuous export and optionally describing it, select or create the topic.
  The default Finding query returns all findings that are in the active state and are not muted (muting hides a finding from the default view).
  For more information on Finding queries, see the Google Cloud documentation.
* For general Google Cloud audit log ingestion, you might need an additional or different configuration on Google Cloud Platform Pub/Sub.



PUBLISHER

PLATFORMS: Cortex XSOAR, Cortex XSIAM

INFO

Certification: Certified
Supported By: Partner
Created: March 31, 2021
Last Release: August 27, 2024